/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2026 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset
#
# Reading notes (apply to every rule below):
#  - Each rule carries nolog,auditlog, so a match is recorded in the audit log only.
#  - "block" is a placeholder: the disruptive action actually taken comes from the
#    SecDefaultAction in effect, which is not part of this file.
#  - Rules with "pass" (77350281, 77350185, 77350306, 77350690) record a match and
#    let the request continue; they are detection-only.
#  - msg fields are "||"-delimited key:value pairs; RSV:8.02 is presumably the
#    ruleset version - confirm against the VERSION file.
#  - NOTE(review): this sits under a vendor config directory, so in-place edits are
#    presumably lost on ruleset update; local tuning belongs in a separate file
#    (SecRuleRemoveById / SecRuleUpdateTargetById) - confirm with the vendor docs.

# 77350271 - POST whose arguments (URL-decoded before matching) contain 2 to 9
# consecutive <a href="http(s)://..."> anchors whose link text starts with "slot".
SecRule REQUEST_METHOD "POST" "id:77350271,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Block known DB infection (23311)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS "@rx (?:<a\s*href[\s=]+['\x22]https?:\/\/[^'\x22]+['\x22]>slot\d*\b[^<]*<\/a>\s*){2,9}" "t:none,t:urlDecode"

# 77350280 - POST whose arguments or raw body contain a <script> block that assigns
# atOptions = {...} and then document.write()s a tag referencing
# /<32 word characters>/invoke.js.
SecRule REQUEST_METHOD "POST" "chain,id:77350280,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Block known DB infection (16270)||WPU:%{TX.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS|REQUEST_BODY "@rx <(script)[^>]{0,40}>\s*atOptions\s*=\s*\{[^(]{1,290}\};\s*document\.write\(\x5C?['\x22]<[^>]{1,150}\/\w{32}\/invoke\.js\x5C?['\x22][^\)]{0,25}\);\s*<\/script>" "t:none,t:urlDecode"

# 77350281 - POST whose arguments contain a <script src=...> ending in three
# two-character path segments followed by <32 word characters>.js.
# NOTE(review): phase:5 (logging phase) with "pass" and severity:5 - this rule only
# records the event even though its msg says "Block"; do not count it as enforcement.
SecRule REQUEST_METHOD "POST" "chain,id:77350281,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Block known DB infection (16402)||WPU:%{TX.wp_user}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS "@rx <(script)[^>\.:]{1,99}\bsrc\s*=\s*['\x22][^'\x22]{1,60}\/(?:\w{2}\/){3}\w{32}\.js['\x22]><\/script>" "t:none,t:urlDecode"

# 77350313 - blocks any request whose argument "z0" is, in full, well-formed
# padded base64 (groups of four alphabet characters plus an optional padded tail).
# NOTE(review): every part of the pattern is optional, so an empty z0 matches, as
# does any short token made only of base64-alphabet characters in a multiple of
# four (e.g. "test"); check for false positives on applications that use a z0
# parameter.
# NOTE(review): msg expands %{TX.1}, but this rule has no "capture" action and the
# pattern has no capturing group, so this rule does not set TX.1; the "Value:"
# field is likely empty or left over from an earlier rule. %{MATCHED_VAR} would
# carry the matched value - confirm with the vendor before relying on it in triage.
SecRule ARGS:z0 "@rx ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" "id:77350313,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Block by malicious argument z0||Value:%{TX.1}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77310031 - POST to the FCKEditor PHP upload connector (path normalised and
# lower-cased first) where an uploaded file name or file field name contains one of
# the listed script/executable extension strings.
# NOTE(review): the extension pattern is an unanchored, case-insensitive substring
# match, so a name such as "sample.png" (contains "pl") also matches; in effect most
# uploads to this endpoint are blocked. That looks intentional for this endpoint -
# confirm before treating hits as proof of a script upload.
SecRule REQUEST_METHOD "@rx POST" "id:77310031,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Arbitrary file upload in FCKEditor||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@rx \/fckeditor\/editor\/filemanager\/(?:upload|connectors)\/php\/upload.php" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule FILES|FILES_NAMES "@rx (?i)(?:ph(?:p|tml|t)|txt|asp|pl|py|exe|cgi|php[0-9])" "t:none"

# 77350001 - blocks a request that carries exactly one each of the arguments
# a, c, p1, p2, p3 and charset ("&" counts occurrences). The match is on parameter
# names only; neither values nor the request path are inspected.
SecRule &ARGS:a "@eq 1" "id:77350001,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: AnonymousFox shell interaction block||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule &ARGS:c "@eq 1" "chain,t:none"
    SecRule &ARGS:p1 "@eq 1" "chain,t:none"
    SecRule &ARGS:p2 "@eq 1" "chain,t:none"
    SecRule &ARGS:p3 "@eq 1" "chain,t:none"
    SecRule &ARGS:charset "@eq 1" "t:none"

# 77350002 - blocks requests whose path (after urlDecodeUni) contains one of the
# directory names /Fox-C/, /Fox-C404/, /Fox-CCFS/ or /Fox-SS/ (@pm phrase match).
SecRule REQUEST_FILENAME "@pm /Fox-C/ /Fox-C404/ /Fox-CCFS/ /Fox-SS/" "id:77350002,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,msg:'IM360 WAF: Prevent sensitive data exposure by AnonymousFox||Path:%{REQUEST_FILENAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350004 - blocks any request whose normalised, lower-cased path ends with
# /panels.txt, in any directory.
# NOTE(review): no phase: action here, so the phase is inherited from the default
# action in effect (not visible in this file) - confirm it is the intended phase.
SecRule REQUEST_FILENAME "@endsWith /panels.txt" "id:77350004,block,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Prevent data leakage to AnonymousFox servers||Path:%{REQUEST_FILENAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350185 - detection-only ("pass"): records requests for the wp-user-avatar
# plugin's changelog.txt. Like 77350004, it sets no phase: action.
SecRule REQUEST_FILENAME "@endsWith /wp-content/plugins/wp-user-avatar/changelog.txt" "id:77350185,pass,nolog,auditlog,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Probing vulnerable ProfilePress WordPress plugin||Path:%{REQUEST_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_core'"

# 77350272 - blocks POSTs to /wp-includes|wp-content/<images|widgets|plugins|themes>/include.php
# (path normalised and lower-cased; the pattern is anchored at the start only).
SecRule REQUEST_METHOD "@rx POST" "id:77350272,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Possible AnonymousFox webshell login attempt||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@rx ^\/(wp-includes|wp-content)\/(images|widgets|plugins|themes)\/include.php" "t:none,t:normalizePath,t:lowercase"

# 77350296 - blocks POST/GET/PUT/HEAD requests whose normalised, lower-cased path
# matches a list of file names the rule treats as web shells (r57, wso, c99,
# *-backdoor, alfa-/xleet-shell and similar, with .php / .php5 / .php7 endings).
# This is a file-name match; it says nothing about the file's content.
SecRule REQUEST_METHOD "@pm POST GET PUT HEAD" "id:77350296,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Block access to the shell||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@rx (^\/\.images|\/(?:confcom|mar|\.wp-back|gel4y|bala))\.php\d{0,2}|(\/r5[78](shell|eng|priv|_\w{3,8})?|\/(wp-|sh(ell-?)?)?ws[o0](shell|php)?(\d{1,6})?|\/(\d{4,10}_){0,2}c99(shell|madshell)?|\/(\w{0,6}-backdoor)|\/(alfa|xleet|\d{4,5})-shell|\/pr1v(shell)?|\/xl(eet)?(\d{4})?|\/ak47shell|\/v3n0m)\.php[57]?$" "t:none,t:normalizePath,t:lowercase"

# 77350297 - blocks requests for a hidden file directly under the URL root named
# ".<10 alphanumerics>.php" (optionally one trailing digit), unless the name is one
# of the seventeen ten-character names listed in the chained exclusion.
# NOTE(review): the first rule lower-cases the path, but the exclusion runs with
# t:none (original case) and is case-sensitive; its two mixed-case entries
# (Xresources, LSOverride) therefore exempt only that exact spelling.
SecRule REQUEST_FILENAME "@rx ^\/\.[0-9a-zA-Z]{10}\.php\d?$" "id:77350297,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Block malware interaction requests (SMW-BLKH-1666099)||MVN:%{MATCHED_VAR_NAME}||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "!@rx ^\/\.(prospectus|tgitconfig|bithoundrc|restrictor|identcache|phpversion|luacheckrc|gitmodules|Xresources|deployment|capistrano|foodcritic|subversion|deercache4|4352213546|dockerfile|LSOverride)\.php\d?$" "t:none"

# 77350300 - blocks POSTs whose URI contains /plugins|themes/<8 lower-case
# alphanumerics>/<name>.js.php. REQUEST_URI is matched as received (t:none).
SecRule REQUEST_METHOD "@rx POST" "id:77350300,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Access to the malicious WordPress plugin||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@rx \/(plugins|themes)\/[a-z\d]{8}\/\w{1,200}\.js\.php" "t:none"

# 77350306 - detection-only ("pass", severity:5): POSTs to a path ending in
# ".<2-4 characters>.php", except names ending in guest.vary.php or .ajax.php.
SecRule REQUEST_METHOD "@rx POST" "id:77350306,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Access to suspicious double extension endpoint||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@rx \.[^\.]{2,4}\.php$" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "!@rx (?:guest\.vary\.php$|\.ajax\.php$)" "t:none,t:lowercase"

# 77350690 - detection-only ("pass", severity:5): POSTs under
# /wp-content/plugins/revslider/ whose file name ends in a PHP-type extension
# (.php, .php<digit>, .phps, .pht, .phtml, .phar).
SecRule REQUEST_METHOD "@streq POST" "id:77350690,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Suspicious PHP requests in RevSlider||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_plugin_revslider'"
    SecRule REQUEST_URI "@contains /wp-content/plugins/revslider/" "chain,t:none,t:normalizePath"
    SecRule REQUEST_FILENAME "@rx \.(?:php[\ds]?|pht(?:ml)?|phar)$" "t:none,t:normalizePath,t:lowercase"

# 77748908 - blocks any request where the URI, an argument value, an argument name
# or the Referer header contains "rajagacor" (case-insensitive, after urlDecodeUni).
# NOTE(review): because Referer is a target, a visitor who merely arrives from a page
# whose URL contains that string is blocked too - check audit-log hits for
# MVN:REQUEST_HEADERS:Referer when investigating false positives.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@rx (?i)rajagacor" "id:77748908,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,msg:'IM360 WAF: RAJAGACOR gambling SEO spam campaign||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"