/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2026 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset
#
# Reading notes (taken from the action lists below):
#  - "block" rules take whatever disruptive action SecDefaultAction sets;
#    that directive is not in this file, so the effective action (deny,
#    drop, status code) has to be checked where it is defined.
#  - "pass" rules with phase:5 run in the logging phase and only record the
#    match. Rule 77987060 is "pass" in phase 2 and is likewise log-only.
#  - Every rule uses nolog,auditlog: matches go to the audit log only.
#  - msg embeds %{MATCHED_VAR} (and %{MATCHED_VAR_NAME} on header rules), so
#    request-controlled text is written to the audit log; anything parsing
#    or displaying these messages should treat that part as untrusted.
#  - RSV:8.02 and T:APACHE are fixed fields in every msg; presumably the
#    ruleset version and target server - confirm against the vendor docs.

# 77556973: decoded URI that begins with a double-quoted absolute http(s) URL
# in place of a path.
SecRule REQUEST_URI "@rx (?i)^/\x22https?:/+" "id:77556973,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: Malformed URI Open Redirect Probe Detected||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77556974 / 77556975: one expression applied to the Referer header and to the
# URI. Alternatives cover time-delay SQL probes (pg_sleep, sleep, sysdate),
# Socket.gethostbyname lookups, {pboot:if( template tags and ${@print(md5(.
# The two patterns are duplicated text; a change to one must be mirrored.
SecRule REQUEST_HEADERS:Referer "@rx (?i)(?:\W(?:or|and)\s+\d+\s?=\(select\s+\d+\s+from\s+pg_sleep\(\d+\))|(?:^'?;sleep\(\d+[\+\*\-\/]+\d+\);#?$)|(?:concat\(\d+\)\s\(require[\s\x22\x5c']+socket[\s\x5c\x22']+Socket\.gethostbyname\()|(?:if\(now\(\)=sysdate\(\),sleep\(\d+)|(?:=\{pbohome\/Indexot:if\([\(\d])|(?:select\(\d+\)from\(select\(sleep\(\d+)|(?:\((?:AND|OR)\)\s+\(SELECT \d+ FROM \(SELECT\(SLEEP\(\d+\)\))|(?:\.gethostbyname\(lc\([^\x28]chr\(hex\()|(?:\{pboot:if\([^\x7d]+(?:runtime\/cache\/[^\.]+\.php|\.\w+\.php)[\x22\x5c])|(?:\$\{@print\(md5\()|(?:sleep\(\d+\*\d+\)\x2a)" "id:77556974,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: The Malicious Referrer is detected||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_URI "@rx (?i)(?:\W(?:or|and)\s+\d+\s?=\(select\s+\d+\s+from\s+pg_sleep\(\d+\))|(?:^'?;sleep\(\d+[\+\*\-\/]+\d+\);#?$)|(?:concat\(\d+\)\s\(require[\s\x22\x5c']+socket[\s\x5c\x22']+Socket\.gethostbyname\()|(?:if\(now\(\)=sysdate\(\),sleep\(\d+)|(?:=\{pbohome\/Indexot:if\([\(\d])|(?:select\(\d+\)from\(select\(sleep\(\d+)|(?:\((?:AND|OR)\)\s+\(SELECT \d+ FROM \(SELECT\(SLEEP\(\d+\)\))|(?:\.gethostbyname\(lc\([^\x28]chr\(hex\()|(?:\{pboot:if\([^\x7d]+(?:runtime\/cache\/[^\.]+\.php|\.\w+\.php)[\x22\x5c])|(?:\$\{@print\(md5\()|(?:sleep\(\d+\*\d+\)\x2a)" "id:77556975,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: The Malicious URI is detected||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77556976: log-only phrase match on Referer and URI; any single phrase hits.
# NOTE(review): msg repeats the "Open Redirect Probe" text of 77556973, but the
# phrases are sleep / gethostbyname / md5 keywords. Audit-log triage that
# groups by msg will mislabel these hits; key on the rule id instead.
# NOTE(review): "if(" is a very short phrase, so expect a high match volume.
SecRule REQUEST_HEADERS:Referer|REQUEST_URI "@pm if( now() sleep( .gethostbyname(lc( print(md5" "id:77556976,pass,nolog,auditlog,severity:5,phase:5,t:none,t:urlDecodeUni,msg:'IM360 WAF: Malformed URI Open Redirect Probe Detected||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350901 / 77350933: log-only. A shell separator followed by a network tool
# and an out-of-band callback domain fragment (77350901), or a query parameter
# whose value contains such a fragment (77350933, additionally tagged noshow).
SecRule REQUEST_URI "@rx (?i)(?:[;|\x60\x24({]|\|\||&&)[\s+]{0,100}(?:wget|curl|fetch|nslookup|ping|dig)[\s+]{0,100}[^\x20\x22\x27]{0,50}\.(?:oast|interact|burpcollaborator|canarytokens|dnslog|ceye|webhook|requestbin|pipedream)\." "id:77350901,pass,nolog,auditlog,severity:5,phase:5,t:none,t:urlDecodeUni,msg:'IM360 WAF: Command injection with OAST callback||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_URI "@rx (?i)&[a-z_]{2,20}=[^\x20\x22\x27]{0,100}\.(?:oast|interact|burpcollaborator|canarytokens|dnslog|ceye|webhook|requestbin|pipedream)\." "id:77350933,pass,nolog,auditlog,severity:5,phase:5,t:none,t:urlDecodeUni,msg:'IM360 WAF: SSRF fuzzing with OAST callback||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"

# 77350907: blocking counterpart; the fragment may appear anywhere in the URI.
# NOTE(review): a legitimate request that carries one of these service names
# in a parameter (for example a webhook integration URL) is blocked as well;
# confirm that is acceptable for the sites behind this server. The "webhook"
# fragment is in the log-only lists above but not in this blocking list.
SecRule REQUEST_URI "@rx (?i)(?:\.oast\.|\.interact\.sh|\.burpcollaborator\.|\.canarytokens\.|\.dnslog\.|\.ceye\.|\.requestbin\.|\.pipedream\.)" "id:77350907,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: OAST callback pattern detected||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350910: log-only. file: scheme in a parameter pointing at system paths.
# The value is URL-decoded before matching, so the %2f alternatives only fire
# on text that is still percent-encoded after that one decoding pass.
SecRule REQUEST_URI "@rx (?i)[?&=]file:(?:%2f%2f|//)(?:etc/|windows/|boot\.|win\.|c:/windows|/proc/|/root/|/var/|\.aws/|c:\x5c\x5c|%2f)" "id:77350910,pass,nolog,auditlog,severity:5,phase:5,t:none,t:urlDecodeUni,msg:'IM360 WAF: file:// protocol handler targeting system files||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350911: parameter named cmd/command/exec/shell/run whose value starts with
# a common shell command followed by a system path.
SecRule REQUEST_URI "@rx (?i)(?:\?|&)(?:cmd|command|exec|shell|run)=(?:cat|type|ls|dir|id|whoami|uname|pwd|echo)[\s+]{1,50}(?:/etc/|c:\x5c\x5c|%2f)" "id:77350911,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: Direct command execution parameter||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350912: log-only. PHP execution function call followed within 100
# characters by cat / wget / curl / chmod / /etc/.
# NOTE(review): the system\( alternative ends its character class with a
# doubled backslash, while every sibling alternative uses the \x5c escape.
# Apache unescapes a doubled backslash inside a quoted directive argument, so
# the class may not close where intended and the exec\( alternative may be
# absorbed into it. Verify against the loaded pattern and align with siblings.
SecRule REQUEST_URI "@rx (?i)(?:pi\(print|system\([^\)]{0,5}['\x22\\]|exec\([^\)]{0,5}['\x22\x5c]|shell_exec\([^\)]{0,5}['\x22\x5c]|passthru\([^\)]{0,5}['\x22\x5c]|proc_open\([^\)]{0,5}['\x22\x5c]|popen\([^\)]{0,5}['\x22\x5c]).{0,100}(?:\bcat\b|wget|curl|chmod|/etc/)" "id:77350912,pass,nolog,auditlog,severity:5,phase:5,t:none,t:urlDecodeUni,msg:'IM360 WAF: PHP code execution attempt||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350913 / 77350914: product-specific path signatures. Both are matched
# case-sensitively (no (?i)) after t:normalizePath.
SecRule REQUEST_URI "@rx ^/oputilsServlet\?action=getAPIKey" "id:77350913,block,nolog,auditlog,severity:2,phase:1,t:none,t:normalizePath,msg:'IM360 WAF: ManageEngine OpUtils vulnerability probe||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_URI "@rx /cgi-bin/DownloadCfg/RouterCf[mg]\.cfg" "id:77350914,block,nolog,auditlog,severity:2,phase:1,t:none,t:normalizePath,msg:'IM360 WAF: Zyxel router config download attempt||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350915: FuelCMS page-select endpoint with an execution function name in
# the filter parameter.
SecRule REQUEST_URI "@rx (?i)^/fuel/pages/select/.{0,100}[?&]filter=.{0,100}(?:system|exec|passthru|shell_exec|pi\(print)" "id:77350915,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: FuelCMS RCE attempt||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350916: top-level .jsp file called with cmd= or command= and a shell command.
SecRule REQUEST_URI "@rx (?i)^/[^/]+\.jsp\?(?:cmd|command)=(?:cat|type|whoami|id)\s" "id:77350916,block,nolog,auditlog,severity:2,phase:1,t:none,t:normalizePath,msg:'IM360 WAF: JSP webshell probe||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350917 (chain of two): fires when the URI contains a .jsp name of ten or
# more characters from [a-z0-9] (second rule) and nothing in the URI matches
# the allow pattern of the first rule (negated with !@rx).
# NOTE(review): every listed word except sweetalert2 consists of ten or more
# lowercase letters and is therefore already allowed by [a-z]{10,}. In effect
# the chain blocks long lowercase .jsp names that contain at least one digit,
# which can include legitimate application pages; both patterns are
# case-sensitive.
SecRule REQUEST_URI "!@rx /(?:[a-z]{10,}|administrator|sessionexpired|statistics|departmental|vaccinator|acegilogin|registration|teamschedule|teamresults|searchresults|newsletter|volleyball|fontawesome|sweetalert2|loadtopimg|keywordsearch|cubacarrental)\.jsp(?:$|\?)" "id:77350917,block,nolog,auditlog,severity:2,phase:1,t:none,t:normalizePath,chain,msg:'IM360 WAF: Suspicious JSP file access||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_URI "@rx /[a-z0-9]{10,}\.jsp(?:$|\?)" "t:none,t:normalizePath"

# 77350918: /backupmgt/ path followed by a shell separator and a download tool
# or shell name.
SecRule REQUEST_URI "@rx (?i)/backupmgt/.{0,100}(?:;|&&|\|\|)[^\x20]{0,10}(?:wget|curl|bash|sh)" "id:77350918,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: Backup management endpoint exploit||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350919: shell separator plus echo/eval of a 20+ character base64-alphabet
# run, a "base64 -d" invocation, or base64_decode( with such a run.
SecRule REQUEST_URI "@rx (?i)(?:(?:[;|\x60]|\$\(|\|\|)\s{0,250}(?:echo|eval)\s+[a-zA-Z0-9+/=]{20,}|base64\s+(?:-d|--decode)|base64_decode\s{1,25}\([^)]{0,25}[a-zA-Z0-9+/=]{20,})" "id:77350919,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: Base64 encoded payload detected||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350920 - 77350922: SQL injection signatures on the URI: time-delay
# functions, UNION SELECT with a run of NULL columns, and CONCAT/CONCAT_WS
# wrapped around user(), database(), version() or md5(.
SecRule REQUEST_URI "@rx (?i)(?:waitfor[\s+]{1,50}delay|pg_sleep\(|sleep\([\d]+\)|benchmark\()" "id:77350920,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: Time-based blind SQL injection||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_URI "@rx (?i)union[\s+]{1,256}(?:all[\s+]{1,64})?select[\s+]{1,50}(?:null[\s]{0,10},[\s]{0,10}){1,20}null" "id:77350921,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: UNION-based SQL injection||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_URI "@rx (?i)concat(?:_ws)?\((?:0x[0-9a-f]{1,64}|[\x22\x27].{0,100}[\x22\x27]).{0,100}(?:user\(\)|database\(\)|version\(\)|md5\()" "id:77350922,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: SQL injection with CONCAT function||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350923: expression-language opener followed by Java process or xwork
# class names. As in 77350910, the percent-encoded opener alternative applies
# to text that remains encoded after the single urlDecodeUni pass.
SecRule REQUEST_URI "@rx (?i)(?:\$\{|%24%7[bB]).{0,100}(?:java\.lang\.(?:ProcessBuilder|Runtime)|xwork\.MethodAccessor|opensymphony\.xwork2)" "id:77350923,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: Apache Struts OGNL injection||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350924: eval(compile( ... __import__ ... ) with a process-spawning module.
SecRule REQUEST_URI "@rx (?i)eval\(compile\(.{0,100}__import__.{0,100}(?:subprocess|os\.|system|popen)" "id:77350924,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: Python eval() RCE attempt||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350925: javax.faces.resource request whose ln parameter starts with "..".
# NOTE(review): this is the only URI rule here with t:none and no decoding or
# path transformation, so it matches the raw request text only; confirm that
# encoded forms of the parameter are covered by another rule.
SecRule REQUEST_URI "@rx /javax\.faces\.resource\..{0,100}[?&]ln=\.\." "id:77350925,block,nolog,auditlog,severity:2,phase:1,t:none,msg:'IM360 WAF: JSF path traversal (CVE-2020-6950)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350927 / 77350928: path-only signatures for the Solr admin UI and the Jira
# dashboard.
# NOTE(review): these match on the path alone, so a host that really serves
# Solr or Jira at these paths would have legitimate access blocked; presumably
# written for hosting where those products are not deployed - confirm, and
# exclude the rule ids per virtual host where they are.
SecRule REQUEST_URI "@rx ^/solr/admin/" "id:77350927,block,nolog,auditlog,severity:2,phase:1,t:none,t:normalizePath,msg:'IM360 WAF: Apache Solr admin panel probe||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_URI "@rx ^/(?:jira/)?secure/Dashboard\.jspa" "id:77350928,block,nolog,auditlog,severity:2,phase:1,t:none,t:normalizePath,msg:'IM360 WAF: Jira Dashboard probe||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350929: log-only. Malformed variants of the osTicket /scp/login.php path.
SecRule REQUEST_URI "@rx (?:/scp/login\.php:[^?/&]+:|/scp/login\.php\.(?:php|txt)|/scp/login\.php\?.*oauth2|/(?:\.well-known|comments/feed|build/[^/]+|people/[^/]+|cgi-sys/suspendedpage\.cgi)/.*scp/login\.php)" "id:77350929,pass,nolog,auditlog,severity:5,phase:5,t:none,t:normalizePath,msg:'IM360 WAF: osTicket malicious login probe||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350930: path-only signature for the Oracle Reports servlet; the same
# false-positive caveat as 77350927 / 77350928 applies where it is in use.
SecRule REQUEST_URI "@rx ^/reports/rwservlet" "id:77350930,block,nolog,auditlog,severity:2,phase:1,t:none,t:normalizePath,msg:'IM360 WAF: Oracle Reports servlet probe||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350934 - 77350937: PHP code in request headers. 77350934, 77350935 and
# 77350937 inspect every header; 77350936 excludes Cookie and Referer. The msg
# of these rules also records which header matched (MVN).
# NOTE(review): the function list in 77350935 has no leading word boundary, so
# any header value that contains e.g. "open(" or "system(" matches, including
# Referer URLs and User-Agent strings; watch the audit log for false positives
# before relying on the block action.
SecRule REQUEST_HEADERS "@rx (?:<\?(?:php)?[\s=]|\?>)" "id:77350934,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: PHP code tags in HTTP headers||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_HEADERS "@rx (?i)(?:file_(?:get|put)_contents|(?:f|p)?open|readfile|unlink|eval|exec|system|passthru|shell_exec|proc_open|assert|create_function|include(?:_once)?|require(?:_once)?)\s{0,10}\(" "id:77350935,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: Dangerous PHP functions in HTTP headers||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Referer "@rx (?i)\$_(?:SERVER|GET|POST|REQUEST|COOKIE|FILES|ENV|SESSION)\[" "id:77350936,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: PHP superglobals in HTTP headers||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_HEADERS "@rx (?i)(?:file_get_contents|fopen|readfile|curl_exec)\s{0,10}\(\s{0,10}[\x22\x27]https?://" "id:77350937,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: Remote file inclusion in HTTP headers||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350941 / 77350942: the URI counterparts: PHP open tags (raw or still
# percent-encoded) and execution/decoding function calls inside a parameter.
SecRule REQUEST_URI "@rx (?i)(?:%3c%3f(?:php)?|<\?(?:php)?\s{0,10}(?:file_|eval|exec|system|\$_|echo\s{0,5}(?:md5|shell_exec|system|passthru|file_put_contents|file_get_contents|base64_decode|unlink|phpinfo|chr)\s{0,3}\())" "id:77350941,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: PHP code tags in REQUEST_URI||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_URI "@rx (?i)(?:=|&)[^\x26]{0,100}(?:file_(?:get|put)_contents|eval|exec|passthru|shell_exec|proc_open|assert|base64_decode|gzinflate|str_rot13)\s{0,10}\(" "id:77350942,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: Dangerous PHP functions in REQUEST_URI||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350943 (chain of two): a PHP superglobal inside a parameter AND, anywhere
# in the URI, a call to one of the listed functions. Both must match.
SecRule REQUEST_URI "@rx (?i)(?:=|&)[^\x26]{0,100}\$_(?:SERVER|GET|POST|REQUEST|COOKIE|FILES|ENV|SESSION)\[" "id:77350943,chain,block,nolog,auditlog,severity:2,phase:1,t:none,t:urlDecodeUni,msg:'IM360 WAF: PHP superglobals in REQUEST_URI||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_URI "@rx (?i)(?:eval|assert|file_put_contents|fopen|system|exec|passthru|shell_exec|base64_decode|@ini_set|proc_open|popen|unlink|mail)\s{0,10}\(" "t:none,t:urlDecodeUni"

# 77350939 (chain of three, phase 2): the wp2epub epub.php endpoint, an
# abspath argument that starts with ../../ and an epub argument containing one
# of the two @pm phrases. Phase 2 is used because ARGS is inspected.
# The phrases keep upper-case letters while t:lowercase lowercases the input;
# this relies on @pm matching case-insensitively.
SecRule REQUEST_URI "@rx (?i)/plugins/wp2epub/myphp/epub\.php" "id:77350939,chain,block,nolog,auditlog,severity:2,phase:2,t:none,t:normalizePath,msg:'IM360 WAF: wp2epub vulnerable plugin endpoint||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_wp2epub'"
SecRule ARGS:abspath "@rx ^\.\./\.\./" "chain,t:none"
SecRule ARGS:epub "@pm file_put_contents($_SERVER['DOCUMENT_ROOT'] if(md5($_COOKIE[" "t:none,t:urlDecodeUni,t:lowercase"

# 77987060 (chain of two, phase 2, log-only): generic form of 77350939 with no
# endpoint requirement: an abspath argument containing ../ and any argument
# containing one of the same two phrases.
# NOTE(review): tagged wp_core although neither rule in the chain checks a
# WordPress path; confirm the tag is what downstream reporting expects.
SecRule ARGS:abspath "@rx \.\./" "id:77987060,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: Generic Arbitrary File Write attempt (abspath + PHP injection)||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'wp_core'"
SecRule ARGS "@pm file_put_contents($_SERVER['DOCUMENT_ROOT'] if(md5($_COOKIE[" "t:none,t:urlDecodeUni,t:lowercase"