File: //usr/local/modsecurity-crs/rules/web-shells-asp.data
# This list contains patterns of various web shells, backdoors and similar
# software written in the ASP language. There is no way to update this list
# automatically, so it must be maintained by hand. The recommended way to add
# new malicious software is:
# 1.) As patterns are matched against RESPONSE_BODY, you need to run the
#     malicious software (ideally in an isolated environment) and capture the
#     output.
# 2.) In the output, search for a static pattern unique enough to match only
#     the software in question and not to cause any false positives (FPs). The
#     best pick is usually a part of the HTML code containing the software name.
# 3.) Include the software name and URL (if available) in the comment above
#     the pattern.
#
# Data comes from multiple sources, some of which no longer work. A few are
# listed below:
# - https://www.localroot.net/
# - Google search (keywords like webshells, asp backdoor and similar)

# Akmal archtte id ASPX shell
<title>Webshell Akmal archtte id</title>
# ASPYDrv shell
<html><title>ASPYDrvsInfo</title>
# RHTOOLS shell
<html><head><title>RHTOOLS
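
The procedure in the header comments can be checked offline before a pattern is added. The following is an added example, not part of the data file or the CRS project: it parses the file format shown above and vets a candidate pattern against captured output and known-benign pages. It assumes case-insensitive substring matching; the function names and all sample bodies are constructed for illustration.

```python
# Constructed excerpt in the same format as the data file above.
SAMPLE_DATA = """\
# ASPYDrv shell
<html><title>ASPYDrvsInfo</title>
# RHTOOLS shell
<html><head><title>RHTOOLS
"""

# Constructed response bodies: one captured in an isolated lab, two benign pages.
CAPTURED = "<HTML><HEAD><TITLE>RHTOOLS (lab capture)</TITLE></HEAD><BODY></BODY></HTML>"
BENIGN = [
    "<html><head><title>Welcome</title></head><body>Hello</body></html>",
    "<html><title>Drive info report</title></html>",
]


def load_patterns(text):
    """Return [(label, pattern)]; the '#' comment directly above a pattern is its label."""
    patterns, label = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            label = None                      # a blank line ends a comment block
        elif line.startswith("#"):
            label = line.lstrip("#").strip()  # remember the most recent comment
        else:
            patterns.append((label, line))
            label = None
    return patterns


def match_body(patterns, body):
    """Labels of all patterns found in body (assumed case-insensitive substring match)."""
    low = body.lower()
    return [label for label, pat in patterns if pat.lower() in low]


def vet_candidate(pattern, captured_output, benign_bodies):
    """Step 2 of the procedure: hit the captured output, hit no benign page."""
    p = pattern.lower()
    hits = p in captured_output.lower()
    fps = [i for i, b in enumerate(benign_bodies) if p in b.lower()]
    return {"matches_sample": hits, "false_positives": fps, "ok": hits and not fps}


if __name__ == "__main__":
    pats = load_patterns(SAMPLE_DATA)
    print(match_body(pats, CAPTURED))
    print(vet_candidate("<html><head><title>RHTOOLS", CAPTURED, BENIGN))
    print(vet_candidate("<html><head><title>", CAPTURED, BENIGN))  # too generic
```
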