File: //usr/local/cwaf/rules/06_Global_Backdoor.conf
# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

# Rule 214100 - flags requests carrying a header whose NAME contains
# "x_file" or "x_key". Names are lowercased first (t:lowercase), so the
# check is effectively case-insensitive.
# The trailing \b keeps names such as "x_filename" from matching, but the
# pattern has no leading anchor or boundary, so it also matches longer
# names that merely end in the token (e.g. "max_file").
# NOTE(review): if false positives appear, look for legitimate clients that
# send underscore-style header names ending in x_file / x_key before tuning.
# On a match (phase 2): capture puts the matched text in TX.0 for logdata,
# audit-log part E is added, tx.trojan_points is incremented by 1 and
# tx.points grows by tx.points_limit4. "block" defers the disruptive action
# to the SecDefaultAction in effect; how the tx.* counters are evaluated is
# not shown in this file.
SecRule REQUEST_HEADERS_NAMES "x_(?:file|key)\b" \
	"id:214100,msg:'COMODO WAF: Backdoor access||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.trojan_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Backdoor'"

# Rule 214110 - flags requests whose file path contains "root.exe".
# REQUEST_FILENAME is URL-decoded (t:urlDecodeUni), HTML-entity-decoded
# (t:htmlEntityDecode) and lowercased before matching, so encoded or
# mixed-case spellings of the name are covered.
# The pattern is unanchored: any path containing the string matches, not
# only a file named exactly root.exe.
# NOTE(review): presumably aimed at the root.exe command-shell copy left on
# IIS hosts by older worms - confirm it is still relevant for this estate.
# On a match (phase 2): TX.0 goes into logdata, audit-log part E is added,
# tx.trojan_points is incremented by 1 and tx.points grows by
# tx.points_limit4; "block" defers to the SecDefaultAction in effect.
SecRule REQUEST_FILENAME "root\.exe" \
	"id:214110,msg:'COMODO WAF: Backdoor access||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.trojan_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Backdoor'"

# Rule 214120 - inspects the outgoing RESPONSE_BODY (phase 4) for text that
# the rule's message classes as backdoor output. Two groups of alternatives:
#   1. body strings: "drwxr" (Unix-style directory-listing prefix), a
#      Windows command-prompt copyright banner, and names such as c99shell,
#      "php shell", phpkonsole, ntdaddy and haxplorer;
#   2. <title> contents naming r57shell, myshell, phpremoteview, cgi-telnet,
#      "gamma web shell", zehir and similar.
# Only t:none is applied and the pattern text is all lowercase.
# NOTE(review): unless the engine compiles @rx case-insensitively, a
# mixed-case banner or title (e.g. "C99Shell") would not match - confirm,
# and if needed handle it in a local override rather than editing this
# vendor file.
# NOTE(review): the rule only sees bodies that ModSecurity buffers, so it
# depends on SecResponseBodyAccess, SecResponseBodyMimeType and
# SecResponseBodyLimit as set elsewhere - verify they cover the content
# types served here. "drwxr" is a short generic token; expect matches on
# pages that legitimately print directory listings.
# On a match: TX.0 goes into logdata, audit-log part E is added,
# tx.trojan_points is incremented by 1 and tx.points grows by
# tx.points_limit3 (the two request rules in this file use points_limit4).
SecRule RESPONSE_BODY "(?:\b(?:aventgrup\.<br>|drwxr|(?:c99shell|php(?: shell|konsole)|(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:haxplor|www\.sanalteror\.org - indexer and read)er)\b)|<title>[^<]{0,}?(?:\b(?:imhabirligi phpftp|(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b)|\.::(?: rhtools\b|news remote php shell injection::\.)|myshell|ph(?:p(?:remoteview|(?: commander|-terminal)\b)|vayv)|(?:aventis klasvayv|r(?:57shell|emote explorer)|zehir)\b))" \
	"id:214120,msg:'COMODO WAF: Backdoor access||%{tx.domain}|%{tx.mode}|2',phase:4,capture,block,setvar:'tx.trojan_points=+1',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:2,severity:2,tag:'CWAF',tag:'Backdoor'"