HEX
Server: Apache/2.4.57 (Unix) OpenSSL/1.1.1k
System: Linux server.eshhar.net 4.18.0-553.89.1.el8_10.x86_64 #1 SMP Mon Dec 8 03:53:08 EST 2025 x86_64
User: xdas (1048)
PHP: 7.4.33
Disabled: mail,sendmail
$ pwd: /usr/local/apache/modsecurity-cwaf/rules/
Upload Files
File: //usr/local/apache/modsecurity-cwaf/rules/06_Global_Backdoor.conf
# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecRule REQUEST_HEADERS_NAMES "x_(?:file|key)\b" \
	"id:214100,msg:'COMODO WAF: Backdoor access||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.trojan_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Backdoor'"

SecRule REQUEST_FILENAME "root\.exe" \
	"id:214110,msg:'COMODO WAF: Backdoor access||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.trojan_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Backdoor'"

SecRule RESPONSE_BODY "(?:\b(?:aventgrup\.<br>|drwxr|(?:c99shell|php(?: shell|konsole)|(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:haxplor|www\.sanalteror\.org - indexer and read)er)\b)|<title>[^<]{0,}?(?:\b(?:imhabirligi phpftp|(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b)|\.::(?: rhtools\b|news remote php shell injection::\.)|myshell|ph(?:p(?:remoteview|(?: commander|-terminal)\b)|vayv)|(?:aventis klasvayv|r(?:57shell|emote explorer)|zehir)\b))" \
	"id:214120,msg:'COMODO WAF: Backdoor access||%{tx.domain}|%{tx.mode}|2',phase:4,capture,block,setvar:'tx.trojan_points=+1',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:2,severity:2,tag:'CWAF',tag:'Backdoor'"
@ Telegram