In terms of telling you how to detect md5sum, I'd need an example of what exactly you're looking to detect. But to block 403 pages is easy. Something like 'SecRule RESPONSE_STATUS "^403$" "id:1,deny"' might do the trick. You should of course also be fixing outdated wordpress installs :) .
Chaim Sanders Security Researcher, SpiderLabs Trustwave | SMART SECURITY ON DEMAND www.trustwave.com -----Original Message----- From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Andrei Sent: Saturday, June 27, 2015 4:57 PM To: owasp-modsecurity-core-rule-set@lists.owasp.org Subject: [Owasp-modsecurity-core-rule-set] CRYPTOPHP DETECTED Hi all, Could anyone know, how can I detect (i.e. md5sum) and block (i.e. 403 error page) files like social.png, which are crypted for botnet. Wordpress CMS example: ----------------- domain.ru/wp-content/plugins/revslider/images/social.png: CRYPTOPHP DETECTED! ----------------- _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org http://scanmail.trustwave.com/?c=4062&d=o5OP1b5s0lihsWy1_FrpB5cLZkKiX_4qvl2m88ApVA&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
