Current File : //etc/httpd/conf.d/block_attack_request.conf
## We use mod_rewrite to block evil. Let Lloyd know if this causes any problems.
## Every RewriteRule in this file answers 403 and sets the "suspicious"
## environment variable; the CustomLog directive at the end of the file keys
## on that variable.
RewriteEngine On
## RewriteOptions Inherit exists in each vhost conf.
## This ensures my rules are matched before any customers.
## NOTE(review): with plain "Inherit" the rules inherited from the parent scope
## are applied after any rules defined in the vhost itself; "InheritBefore" is
## the option that applies them first. Rules in customers' .htaccess files are
## per-directory and run later either way. Confirm the vhost confs carry no
## rewrite rules of their own that could act before these.

## Block GET to any PHP files with attack-like query strings
## Used to be just: (online.php|404.php|b63214.php|qqmuch.php|bind.php|wp-conf.php|brak.php|ud.php|ssr.php)
## The first condition (URI contains ".php") is ANDed with the [OR] group that
## follows it: the request is blocked when any one of the query-string patterns
## matches. Despite the heading, no condition tests the request method, so
## every method is covered, not only GET.
## QUERY_STRING is matched as the client sent it (it is not URL-decoded) and
## case-sensitively, and parameter order matters in the multi-parameter
## patterns. Treat these as signatures for known request shapes rather than
## complete protection.
RewriteCond %{REQUEST_URI}  .*\.php
RewriteCond %{QUERY_STRING} .*act(ion)?=.*&host=.* [OR]
RewriteCond %{QUERY_STRING} .*target=.*&method=.* [OR]
RewriteCond %{QUERY_STRING} .*host=.*&time.* [OR]
RewriteCond %{QUERY_STRING} .*mode=.*&address.*&second.* [OR]
RewriteCond %{QUERY_STRING} .*t7542n=.* [OR]
RewriteCond %{QUERY_STRING} .*ho=.*&po=.* [OR]
## Last member of the [OR] group, so it carries no flag itself.
RewriteCond %{QUERY_STRING} .*d=.*&p=.*&z=.*&reg=.*
## "-" leaves the URL untouched; R=403 ends processing with a Forbidden
## response and E=suspicious tags the request for the attack log.
RewriteRule . - [R=403,E=suspicious]

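## Joomla SQLi vulnerability 3.2.x - 3.4.5
## All four conditions must hold: the request targets index.php or a URL
## ending in "/", selects com_content / com_contenthistory, asks for a
## modal/history layout or view, and carries a list[select] parameter.
RewriteCond %{REQUEST_URI}  (index\.php|/)$
## "option" may be the last parameter in the query string, so accept
## end-of-string as well as a following "&".
RewriteCond %{QUERY_STRING} .*option=com_content(history)?(&.*|$)
RewriteCond %{QUERY_STRING} .*(layout|view)=(modal|history).*
## QUERY_STRING is not URL-decoded, so the brackets are matched both literally
## and percent-encoded. [NC] is needed because the hex digits of an escape may
## be written in either case (%5B and %5b are the same byte).
## NOTE(review): other characters of the parameter name could also arrive
## percent-encoded; this rule is a signature, and patching Joomla is the fix.
RewriteCond %{QUERY_STRING} .*list(\[|%5B)select(\]|%5D).* [NC]
RewriteRule . - [R=403,E=suspicious]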

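## XML RPC Requests without a UA can FO.
## The dot is escaped so that only a literal "xmlrpc.php" in the path triggers
## the rule. The pattern is unanchored, so it matches at any depth.
RewriteCond %{REQUEST_URI} xmlrpc\.php
## A missing User-Agent header and an empty one both expand to the empty
## string. The header is client-supplied, so this only filters clients that
## do not bother to send one.
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule . - [R=403,E=suspicious]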

## Apparently a botnet pretending to be MSIE 7.0 hates trackback.
## Both conditions must hold. "trackback" is unanchored, so it matches anywhere
## in the URL path.
RewriteCond %{REQUEST_URI} trackback
## The pattern is quoted because it contains a space; [NC] makes it
## case-insensitive. User-Agent is client-supplied, so this is a heuristic for
## one observed client rather than a control on trackback abuse in general.
RewriteCond %{HTTP_USER_AGENT} "MSIE 7\." [NC]
RewriteRule . - [R=403,E=suspicious]

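# Block anything that isn't GET to PHP files in suspicious locations
# The directory names are matched at any depth; the pattern is not anchored to
# the start of the path.
RewriteCond %{REQUEST_URI} /(tmp|images|dvmessages|css)/(.*)\.php
# Exempt only the exact method token "GET". The previous pattern (!GET with
# [NC]) exempted any method that merely contained those letters in any case;
# HTTP method tokens are case-sensitive, so the match is anchored and [NC] is
# dropped. HEAD is blocked, as it was before.
RewriteCond %{REQUEST_METHOD} !^GET$
RewriteRule . - [R=403,E=suspicious]
# NOTE(review): GET requests to PHP files in these directories still pass. If
# none of these directories should ever serve PHP, disabling script execution
# there is a stronger control than filtering by method.
# NOTE(review): the URI test is case-sensitive and only covers ".php"; check it
# against the extensions the PHP handler is actually mapped to on these hosts.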

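# Block any access (at all) for requests that matches the below file names (or hidden PHP files)
# The dots are escaped so that "." matches only a literal dot.
# NOTE(review): the names are not anchored to a path segment, so a longer file
# name that merely ends in one of them (constructed example: /doc99.php) is
# blocked too. Confirm that breadth is intended before tightening it.
RewriteCond %{REQUEST_URI} (7c32|0ri9mz|dvmessages|gacl_db|r57|c99)\.php [OR]
# Dot-prefixed ("hidden") PHP files under /images or /templates at the site
# root; ".*" can span "/" so nested paths are included.
RewriteCond %{REQUEST_URI} ^/(images|templates)/\.(.*)\.php
RewriteRule . - [R=403,E=suspicious]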

# Attack log - Only works on Shared 2.0, has to exist in each vhost on old-shared.
# Written only for requests that have the "suspicious" environment variable
# set, which the RewriteRule lines in this file do via E=suspicious.
# "combined" is a LogFormat nickname, presumably the stock one defined in the
# main server config; the relative path is resolved against ServerRoot.
# NOTE(review): entries hold attacker-supplied request lines and headers.
# Treat the file as untrusted input in any tooling that parses or displays it,
# and make sure it is rotated along with the other logs.
CustomLog logs/attack_log combined env=suspicious