I am having an issue with rule 390149 triggering on completely innocent words in the response body: "php shell". It is not php being executed, but just those 2 words when they appear as part of text that my apache sends back to the browser. What makes the words "php shell" a rootkit?
Quote:
[Mon Jun 11 12:29:55 2012] [error] [client xx.xx.xx.xx] ModSecurity: [file "/etc/httpd/modsecurity.d/50_asl_rootkits.conf"] [line "119"] [id "390149"] [rev "31"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Possible remote shell or bot access denied"] [data "php shell"] [severity "CRITICAL"] Access denied with code 404 (phase 4). Pattern match "(?:(?:<title>*?(?:\\\\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell|networkfilemanagerphp)\\\\b|imhabirligi phpftp)|alucar shell|(?:r(?:emote explorer|57 ?shell)|aventis klasvayv|zehir)\\\\b|\\\\.::(?:news remote php shell injection::\\\\.| rhtools\\\\b)|ph(?:p ..." at RESPONSE_BODY. [hostname "www2.xxxxx"] [uri "/ircops/logs/ircops/index.php"] [unique_id "sq6X90VANPMAADhYRvkAAAAB"]
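One way to handle a response-body false positive like this without switching off the rootkit-signature check for the whole site is a per-path exclusion. This is an added ModSecurity 2.x configuration example, not part of the original post or the Atomicorp ruleset; the exclusion rule id 10001 is an assumed placeholder, and the path prefix is taken from the uri in the log above.

```apache
# Added example: exclude rule 390149 only for the log-viewer path that
# legitimately contains the words "php shell" in its response body.
# id 10001 is an assumed local id; use one that is free in your ruleset.
# phase:1 runs before the phase-4 RESPONSE_BODY inspection, so the ctl
# action has already removed 390149 for this transaction by then.
SecRule REQUEST_URI "@beginsWith /ircops/logs/" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=390149"
```

Every other URI keeps the rootkit check, so a real web shell elsewhere on the host would still be blocked.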