npm - @abtnode/router-provider - Versions diffs - 1.16.38-beta-20250116-083413-dbd33222 → 1.16.38-beta-20250118-033334-2da05ae8 - Mend

@abtnode/router-provider 1.16.38-beta-20250116-083413-dbd33222 → 1.16.38-beta-20250118-033334-2da05ae8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/lib/nginx/includes/security/crs4/rules/web-shells-php.data ADDED Viewed

@@ -0,0 +1,167 @@
+# This list contains patterns of various web shells, backdoors and similar
+# software written in PHP language. There is no way how to automatically update
+# this list, so it must be done by hand. Here is a recommended way how to add
+# new malicious software:
+# 1.) As patterns are matched against RESPONSE_BODY, you need to run a malicious
+#     software (ideally in an isolated environment) and catch the output.
+# 2.) In the output, search for static pattern unique enough to match only
+#     the software in question and to not do any FPs. The best pick is usually
+#     a part of HTML code with software name.
+# 3.) Include software name and URL (if available) in the comment above
+#     the pattern.
+#
+# Data comes from multiple places of which some doesn't work anymore. Few are
+# listed below:
+# - https://github.com/JohnTroony/php-webshells/tree/master/Collection
+# - https://www.localroot.net/
+# - Google search (keywords like webshells, php backdoor and similar)
+# 1n73ction web shell
+<title>=[ 1n73ct10n privat shell ]=</title>
+# Ajax/PHP Command Shell web shell
+>Ajax/PHP Command Shell<
+# AK-74 Security Team Web-shell
+.:: :[ AK-74 Security Team Web-shell ]: ::.
+# ALFA-SHELL web shell (deprecated, https://github.com/solevisible)
+~ ALFA TEaM Shell -
+# Andela Yuwono Priv8 Shell web shell
+<title>--==[[ Andela Yuwono Priv8 Shell ]]==--</title>
+# Ani-Shell web shell (https://ani-shell.sourceforge.net/)
+<title>Ani-Shell | India</title>
+# AnonymousFox PHP web shell
+<input type='submit' value='file' /></form>AnonymousFox
+# Antichat Shell web shell
+- Antichat Shell</title>
+# AYT web shell
+Ayyildiz Tim  | AYT
+# b374k web shell (https://github.com/b374k/b374k)
+<link rel='SHORTCUT ICON' href='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyJpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuMy1jMDExIDY2LjE0NTY2MSwgMjAxMi8wMi8wNi0xNDo1NjoyNyAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENTNiAoV2luZG93cykiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6MkRFNDY2MDQ4MDgyMTFFM0FDRDdBN0MzOTAxNzZFQUYiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6MkRFNDY2MDU4MDgyMTFFM0FDRDdBN0MzOTAxNzZFQUYiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDoyREU0NjYwMjgwODIxMUUzQUNEN0E3QzM5MDE3NkVBRiIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDoyREU0NjYwMzgwODIxMUUzQUNEN0E3QzM5MDE3NkVBRiIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/Pu6UWJYAAAKySURBVHjafFNdSJNhFH7e/fhDkrm2i03QphsxhYSgMIUgIeiiK6/SCAKTKNlFoEtBRfEvXYhM+0GQMtMUL7qSgqS0QCNKTDS6cJWGi6n577Zv3/e+b+934ZgxPfDBd3jP85xznnOOzufz4SCr7R7knKOg4eaVd9WPBgsZY/3NZcWJ0TGaaKeuZzgz2ueMgFF+p6WnL0OAjzMK+f8k+wg4xXxN91D5ns8ok8CRH5S2GogS8HBKk1xud+uBBIwpm5zyRvW/+sHAJuM8nsrMIElHi0/aHAmFl/OI2WRyOevrK/YwJFoD0ecFkfWthpDNRH1Cct4ZOzRaglX/DsY+TcNqTUd2phEjo1OiWg5KKUhJTbua6XTT7SKvSlLpGWB6DUjuWQeW/m4iJIWho8DvBT+2tgOwpZsxM/tm/sn9Trsar2OMq6rOV3X19wncJUNSEsnKSsWifx0BKYTgdhDxiENBfjZCuxJejX0W4frZiAZNZUVxVKYfmcyuKTI15ZxKw4IA74aCCIiMeqZDptWIuV8+hAkXOlFo9eaLNyrvOfdp4Gp/FjKlpMSbLMlY2dhCaCcEnUJgt5sF4QqkkIKsDAtGXn9QSThlMmFCg8gUmELpkXg99FoNwgEJ2jBBWpoBP/8sC7AMi/EY/EvLUBQJCpOMT921hDG5JkIglPd8/7EIFpShCQMnrAYsrW0gLERUwTNfv2FyaloddWmvu25NxTzvaG6MELRVXK/SgL8fHZ9AjsMCKUzFqBhSjQZAkrC6viqyy+ILdxU775bH3APVblW3j3POzuc4bGIHNPgyM4dAcFdtslT07OWcvhRVJIvVtg0/9nhJrGMqqWzpFb1eFYuiVfdbACcGOlvzYx0cOewaVStyuiY5U3JFVbahhx3eQ48plr3obDtHqSxTRZ6K9f5PgAEAm/hvADIkGOQAAAAASUVORK5CYII='>
+# BloodSecurity Hackers Shell web shell
+<title>BloodSecurity Hackers Shell</title>
+# Bypass Attack Shell web shell
+<font color='red' size='6px' face='Fredericka the Great'> Bypass Attack Shell </font>
+# c0derz shell web shell
+title='.::[c0derz shell]::.'>
+# C99Shell + N3tShell web shell
+<font face=Webdings size=6><b>!</b></font>
+# Con7ext Shell V.2 web shell
+<title>Con7ext Shell V.2</title>
+# Crystal shell web shell
+<font face="Wingdings 3" size="5">y</font><b>Crystal shell v.
+# Unknown (probably private) web shell
+<title>CUPLIS BYPASSS SHELL</title>
+# CWShell web shell
+~ CWShell ~</font></a>
+# dC3 Security Crew web shell
+&dir&pic=o.b height= width=>
+# Defacing Tool Pro web shell
+<b>[ Defacing Tool Pro v
+# Dive Shell web shell
+<title>Dive Shell - Emperor Hacking Team</title>
+# easy simple php web shell
+<script>document.getElementById("cmd").focus();</script>
+# ex0 shell web shell
+color=DeepSkyBlue   size=6>    ## ex0 shell
+# FaTaLSheLL web shell
+<p align="center" class="style4">FaTaLSheLL v
+# G-Security Webshell
+<title>G-Security Webshell</title>
+# Gecko web shell
+<title>Gecko [
+# h4ntu shell web shell
+<title>h4ntu shell [powered by tsoi]</title>
+# IDBTEAM SHELLS file manager
+<H1><center>-=[+] IDBTEAM SHELLS
+# IndoXploit web shell
+<title>IndoXploit</title>
+# KA_uShell web shell
+<KAdot Universal Shell>     |
+## Laudanum PHP Web Shells (http://sourceforge.net/projects/laudanum)
+# Laudanum dns.php
+<title>Laudanum PHP DNS Access</title>
+# Laudanum file.php
+<title>Laudanum PHP File Browser</title>
+# Laudanum host.php
+<title>Laudanum PHP Hostname by IP Lookup</title>
+# Laudanum proxy.php
+<title>Laudanum PHP Proxy</title>
+# Laudanum shell.php
+<title>Laudanum PHP Shell Access</title>
+## Laudanum WordPress Plugin settings.php
+<h2>Laudanum Tools</h2>
+# Lifka Shell web shell
+>LIFKA SHELL</span></big></big></big></a>
+# Loader'z web shell
+<title>Loader'z WEB shell</title>
+# Locus7Shell web shell
+b>--[ x2300 Locus7Shell v.
+# Lolipop web shell
+<title>Lolipop.php - Edited By KingDefacer -
+# MARIJUANA web shell (https://0x5a455553.github.io/MARIJUANA/)
+<link rel="icon" href="//0x5a455553.github.io/MARIJUANA/icon.png" />
+# Matamu Mat web shell
+<title> Matamu Mat </title>
+# MyShell web shell
+<b>MyShell</b> &copy;2001 Digitart Producciones</a>
+# NCC Shell web shell
+<h1>.:NCC:. Shell v
+# PHPShell by Macker web shell
+<font size=3>PHPShell by Macker - Version
+# PHPShell by MAX666 web shell
+PHPShell by MAX666, Private Exploit, For Server Hacking
+# qsd web shell
+<form action="" METHOD="GET" >Execute Shell Command (safe mode is off): <input type="text" name="c"><input type="submit" value="Go"></form>
+# Rootshell web shell
+<p align="center"><font face="Verdana" size="2">Rootshell v
+# rusuh web shell
+<font color=lime>./rusuh</font>
+# Safe0ver web shell
+<font color="navy"><strong>##Safe0ver##</strong></font>
+# Shany's web shell
+<center><h1>Watch Your system Shany was here.</h1></center><center><h1>Linux Shells</h1></center><hr><hr>
+# Simple PHP backdoor web shell
+<!-- Simple PHP backdoor by DK
+# SimShell web shell
+<title>SimShell - Simorgh Security MGZ</title>
+# Sincap web shell
+<title>:: AventGrup ::.. - Sincap
+# Small Shell file manager
+<title>Small Shell - Edited By KingDefacer</title>
+# Small Web Shell
+<title>small web shell by zaco
+# SoldiersofAllah Private Shell web shell
+<title>SoldiersofAllah Private Shell |
+# Sosyete web shell
+<title>Sosyete Safe Mode Bypass Shell -
+# STNC WebShell
+&nbsp;&nbsp;STNC&nbsp;WebShell&nbsp;
+# StresBypass shell web shell
+<font face="Wingdings 3" size="5">y</font><b>StresBypass<span lang="en-us">v
+# SyRiAn Sh3ll web shell
+<title>SyRiAn Sh3ll ~
+# Tiny File Manager
+<title>Tiny File Manager</title>
+# Turk Shell web shell
+<head><title>Wardom | Ne Mutlu T
+# Unknown web shell
+<hr>to browse go to http://?d=[directory here]
+# Ustadcage48 Filemanager
+<font color="red">USTADCAGE_48</font> <font color="dodgerblue">FILE MANAGER</font>
+# WebRoot Hack Tools shell
+<title>WebRoot Hack Tools</title>
+# web shell by BLaSTER
+<div align="center"><span class="style6">By BLaSTER</span><br />
+# WinX Shell web shell
+<head><title>-:[GreenwooD]:- WinX Shell</title>
+# wwwolf web shell
+<sup><a href="#" onclick="cmd.value=''; cmd.focus(); return false;">Clear cmd</a></sup>
+# Yourman.sh Mini Shell web shell
+<title>Yourman.sh Mini Shell</title>
+# Zerion Mini Shell web shell
+</div><center><br />Zerion Mini Shell <font color=
+# Zero Byte Mini Shell V2 web shell
+<title>0byt3m1n1-V2</title>
+# Zerostore web shell
+<title>ZEROSHELL | ZEROSTORE</title>
+# Unknown web shell
+<input type=submit name=find value='find writeable'>

package/lib/nginx/includes/security/crs4/rules/windows-powershell-commands.data ADDED Viewed

@@ -0,0 +1,425 @@
+# Sources:
+# Microsoft PowerShell Docs: https://github.com/MicrosoftDocs/PowerShell-Docs
+# - curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/MicrosoftDocs/PowerShell-Docs/git/trees/main\?recursive\=1 | jq -r '.tree[] .path | capture("reference/\\d.\\d/(.*)/(?<fn>[A-Z]\\w+-\\w+).md") | .fn' | sort | uniq
+powershell
+Add-Computer
+Add-Content
+Add-History
+Add-JobTrigger
+Add-LocalGroupMember
+Add-Member
+Add-PSSnapin
+Add-Type
+Checkpoint-Computer
+Clear-Content
+Clear-EventLog
+Clear-History
+Clear-Host
+Clear-Item
+Clear-ItemProperty
+Clear-RecycleBin
+Clear-Variable
+Compare-Object
+Complete-Transaction
+Compress-Archive
+Connect-PSSession
+Connect-WSMan
+Convert-Path
+Convert-String
+ConvertFrom-Csv
+ConvertFrom-Json
+ConvertFrom-Markdown
+ConvertFrom-SddlString
+ConvertFrom-SecureString
+ConvertFrom-String
+ConvertFrom-StringData
+ConvertTo-Csv
+ConvertTo-Html
+ConvertTo-Json
+ConvertTo-SecureString
+ConvertTo-Xml
+Copy-Item
+Copy-ItemProperty
+Debug-Job
+Debug-Process
+Debug-Runspace
+Disable-ComputerRestore
+Disable-ExperimentalFeature
+Disable-JobTrigger
+Disable-LocalUser
+Disable-PSBreakpoint
+Disable-PSRemoting
+Disable-PSSessionConfiguration
+Disable-PSTrace
+Disable-PSWSManCombinedTrace
+Disable-RunspaceDebug
+Disable-ScheduledJob
+Disable-WSManCredSSP
+Disable-WSManTrace
+Disconnect-PSSession
+Disconnect-WSMan
+Enable-ComputerRestore
+Enable-ExperimentalFeature
+Enable-JobTrigger
+Enable-LocalUser
+Enable-PSBreakpoint
+Enable-PSRemoting
+Enable-PSSessionConfiguration
+Enable-PSTrace
+Enable-PSWSManCombinedTrace
+Enable-RunspaceDebug
+Enable-ScheduledJob
+Enable-WSManCredSSP
+Enable-WSManTrace
+Enter-PSHostProcess
+Enter-PSSession
+Exit-PSHostProcess
+Exit-PSSession
+Expand-Archive
+Export-Alias
+Export-BinaryMiLog
+Export-Clixml
+Export-Console
+Export-Counter
+Export-Csv
+Export-FormatData
+Export-ModuleMember
+Export-ODataEndpointProxy
+Export-PSSession
+Find-Command
+Find-DscResource
+Find-Module
+Find-Package
+Find-PackageProvider
+Find-RoleCapability
+Find-Script
+ForEach-Object
+Format-Custom
+Format-Hex
+Format-List
+Format-Table
+Format-Wide
+Get-Acl
+Get-Alias
+Get-AuthenticodeSignature
+Get-ChildItem
+Get-CimAssociatedInstance
+Get-CimClass
+Get-CimInstance
+Get-CimSession
+Get-Clipboard
+Get-CmsMessage
+Get-Command
+Get-ComputerInfo
+Get-ComputerRestorePoint
+Get-Content
+Get-ControlPanelItem
+Get-Counter
+Get-Credential
+Get-Culture
+Get-Date
+Get-Error
+Get-Event
+Get-EventLog
+Get-EventSubscriber
+Get-ExecutionPolicy
+Get-ExperimentalFeature
+Get-FileHash
+Get-FormatData
+Get-Help
+Get-History
+Get-Host
+Get-HotFix
+Get-InstalledModule
+Get-InstalledScript
+Get-IseSnippet
+Get-Item
+Get-ItemProperty
+Get-ItemPropertyValue
+Get-Job
+Get-JobTrigger
+Get-LocalGroup
+Get-LocalGroupMember
+Get-LocalUser
+Get-Location
+Get-LogProperties
+Get-MarkdownOption
+Get-Member
+Get-Module
+Get-OperationValidation
+Get-PSBreakpoint
+Get-PSCallStack
+Get-PSDrive
+Get-PSHostProcessInfo
+Get-PSProvider
+Get-PSReadLineKeyHandler
+Get-PSReadLineOption
+Get-PSRepository
+Get-PSSession
+Get-PSSessionCapability
+Get-PSSessionConfiguration
+Get-PSSnapin
+Get-PSSubsystem
+Get-Package
+Get-PackageProvider
+Get-PackageSource
+Get-PfxCertificate
+Get-Process
+Get-Random
+Get-Runspace
+Get-RunspaceDebug
+Get-ScheduledJob
+Get-ScheduledJobOption
+Get-Service
+Get-TimeZone
+Get-TraceSource
+Get-Transaction
+Get-TypeData
+Get-UICulture
+Get-Unique
+Get-Uptime
+Get-Variable
+Get-Verb
+Get-WSManCredSSP
+Get-WSManInstance
+Get-WinEvent
+Get-WmiObject
+Group-Object
+Import-Alias
+Import-BinaryMiLog
+Import-Clixml
+Import-Counter
+Import-Csv
+Import-IseSnippet
+Import-LocalizedData
+Import-Module
+Import-PSSession
+Import-PackageProvider
+Import-PowerShellDataFile
+Install-Module
+Install-Package
+Install-PackageProvider
+Install-Script
+Invoke-AsWorkflow
+Invoke-CimMethod
+Invoke-Command
+Invoke-Expression
+Invoke-History
+Invoke-Item
+Invoke-OperationValidation
+Invoke-RestMethod
+Invoke-WSManAction
+Invoke-WebRequest
+Invoke-WmiMethod
+Join-Path
+Join-String
+Limit-EventLog
+Measure-Command
+Measure-Object
+Move-Item
+Move-ItemProperty
+New-Alias
+New-CimInstance
+New-CimSession
+New-CimSessionOption
+New-Event
+New-EventLog
+New-FileCatalog
+New-Guid
+New-IseSnippet
+New-Item
+New-ItemProperty
+New-JobTrigger
+New-LocalGroup
+New-LocalUser
+New-Module
+New-ModuleManifest
+New-Object
+New-PSDrive
+New-PSRoleCapabilityFile
+New-PSSession
+New-PSSessionConfigurationFile
+New-PSSessionOption
+New-PSTransportOption
+New-PSWorkflowExecutionOption
+New-PSWorkflowSession
+New-ScheduledJobOption
+New-ScriptFileInfo
+New-Service
+New-TemporaryFile
+New-TimeSpan
+New-Variable
+New-WSManInstance
+New-WSManSessionOption
+New-WebServiceProxy
+New-WinEvent
+Out-Default
+Out-File
+Out-GridView
+Out-Host
+Out-Null
+Out-Printer
+Out-String
+Pop-Location
+Protect-CmsMessage
+Publish-Module
+Publish-Script
+Push-Location
+Read-Host
+Receive-Job
+Receive-PSSession
+Register-ArgumentCompleter
+Register-CimIndicationEvent
+Register-EngineEvent
+Register-ObjectEvent
+Register-PSRepository
+Register-PSSessionConfiguration
+Register-PackageSource
+Register-ScheduledJob
+Register-WmiEvent
+Remove-Alias
+Remove-CimInstance
+Remove-CimSession
+Remove-Computer
+Remove-Event
+Remove-EventLog
+Remove-Item
+Remove-ItemProperty
+Remove-Job
+Remove-JobTrigger
+Remove-LocalGroup
+Remove-LocalGroupMember
+Remove-LocalUser
+Remove-Module
+Remove-PSBreakpoint
+Remove-PSDrive
+Remove-PSReadLineKeyHandler
+Remove-PSSession
+Remove-PSSnapin
+Remove-Service
+Remove-TypeData
+Remove-Variable
+Remove-WSManInstance
+Remove-WmiObject
+Rename-Computer
+Rename-Item
+Rename-ItemProperty
+Rename-LocalGroup
+Rename-LocalUser
+Reset-ComputerMachinePassword
+Resolve-Path
+Restart-Computer
+Restart-Service
+Restore-Computer
+Resume-Job
+Resume-Service
+Save-Help
+Save-Module
+Save-Package
+Save-Script
+Select-Object
+Select-String
+Select-Xml
+Send-MailMessage
+Set-Acl
+Set-Alias
+Set-AuthenticodeSignature
+Set-CimInstance
+Set-Clipboard
+Set-Content
+Set-Date
+Set-ExecutionPolicy
+Set-Item
+Set-ItemProperty
+Set-JobTrigger
+Set-LocalGroup
+Set-LocalUser
+Set-Location
+Set-LogProperties
+Set-MarkdownOption
+Set-PSBreakpoint
+Set-PSDebug
+Set-PSReadLineKeyHandler
+Set-PSReadLineOption
+Set-PSRepository
+Set-PSSessionConfiguration
+Set-PackageSource
+Set-ScheduledJob
+Set-ScheduledJobOption
+Set-Service
+Set-StrictMode
+Set-TimeZone
+Set-TraceSource
+Set-Variable
+Set-WSManInstance
+Set-WSManQuickConfig
+Set-WmiInstance
+Show-Command
+Show-ControlPanelItem
+Show-EventLog
+Show-Markdown
+Sort-Object
+Split-Path
+Start-Job
+Start-Process
+Start-Service
+Start-Sleep
+Start-ThreadJob
+Start-Trace
+Start-Transaction
+Start-Transcript
+Stop-Computer
+Stop-Job
+Stop-Process
+Stop-Service
+Stop-Trace
+Stop-Transcript
+Suspend-Job
+Suspend-Service
+Switch-Process
+Tee-Object
+Test-ComputerSecureChannel
+Test-Connection
+Test-FileCatalog
+Test-Json
+Test-ModuleManifest
+Test-PSSessionConfigurationFile
+Test-Path
+Test-ScriptFileInfo
+Test-WSMan
+Trace-Command
+Unblock-File
+Undo-Transaction
+Uninstall-Module
+Uninstall-Package
+Uninstall-Script
+Unprotect-CmsMessage
+Unregister-Event
+Unregister-PSRepository
+Unregister-PSSessionConfiguration
+Unregister-PackageSource
+Unregister-ScheduledJob
+Update-FormatData
+Update-Help
+Update-List
+Update-Module
+Update-ModuleManifest
+Update-Script
+Update-ScriptFileInfo
+Update-TypeData
+Use-Transaction
+Wait-Debugger
+Wait-Event
+Wait-Job
+Wait-Process
+Where-Object
+Write-Debug
+Write-Error
+Write-EventLog
+Write-Host
+Write-Information
+Write-Output
+Write-Progress
+Write-Verbose
+Write-Warning