# WAF Rule ID 391111  

***  

**Alert message:** Atomicorp.com WAF Rules: Cryptomalware attack blocked 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:**  

**Action:** pass 

**Transforms:** 

- lowercase

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: Cryptomalware attack blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390145  

***  

**Alert message:** Atomicorp.com WAF Rules: Rootkit attack: Generic Attempt to install shell 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 11 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Rootkit attack: Generic Attempt to install shell

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390902  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Unauthorized Download Client 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Unauthorized Download Client

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 318812  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in images directory 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects an attempt to access a PHP file in the /images/stories/ directory. Several CMSs, including Joomla, use this directory to store image files. Attackers also use this directory to hide shells and other malicious files, as it is typically used to let users upload images associated with comments and articles. Not all CMSs check that a file uploaded to this directory is not malicious. PHP files should never be found in this directory, as these CMSs will never install or use PHP files in these directories.

Some attack tools are known to blindly look for installed shells in these directories. Therefore, the fact that this rule is triggered does not mean that a malicious file has been installed on the system.

If your system is being targeted with this tool, we do not recommend that you disable this rule, even if you do not have Joomla installed. This rule may be telling you that someone is attacking your system, and therefore you should block this source. Please see the blog post referenced below for information about leaving rules enabled for applications you may not have installed.


**Troubleshooting:**

**False Positives:**

If your CMS is known to use this directory for PHP files, and is known to securely prevent users from uploading PHP files to this directory, then this may be a false positive. Please check with your web application vendor to determine if this is true.

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 318814  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- lowercase

- removeWhitespace

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 318912  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in joomla modules directory 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in joomla modules directory

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340153  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in Kaboozu CMS banner directory 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in Kaboozu CMS banner directory

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 342153  

***  

**Alert message:** Atomicorp.com WAF Rules: Attempt to inject code into wordpress 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Attempt to inject code into wordpress

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 342154  

***  

**Alert message:** Atomicorp.com WAF Rules: Known vBulletin backdoor 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Known vBulletin backdoor

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 318813  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Fake Domain name used in URL, Possible Injection Attack 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Fake Domain name used in URL, Possible Injection Attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340033  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible attempt to run malware 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 8 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible attempt to run malware

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 392146  

***  

**Alert message:** Atomicorp.com WAF Rules: Backdoor or shell access blocked 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:**  

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Backdoor or shell access blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 391150  

***  

**Alert message:** Atomicorp.com WAF Rules: Rootkit attack: ASP shell attempt 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 6 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Rootkit attack: ASP shell attempt

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 391158  

***  

**Alert message:** Atomicorp.com WAF Rules: PHP c99 webshell 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 1 

**Severity:** Alert (HIDS: 10)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340004  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible cloaked Solarwinds malware on system 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 4 

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 393150  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible cloaked malware on system 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 4 

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible cloaked malware on system

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 393151  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible cloaked malware on system 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 4 

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible cloaked malware on system

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 393152  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible web shell blocked on system 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 4 

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible web shell blocked on system

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390150  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible spamtool installed on system 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 4 

**HTTP Status:** 404 

**Action:** pass 

**Transforms:** 

**Log Types:** 

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390900  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Unauthorized Download Client - Rapidleech 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 12 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 4 

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390149  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible remote shell or bot access denied 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 57 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 4 

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 392149  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible compromised website detected and 404 sent to user 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 4 

**HTTP Status:** 404 

**Action:** deny 

**Options:** No active Response

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390801  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Shellkit attack: Generic Attempt to insert shell code 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 5 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Shellkit attack: Generic Attempt to insert shell code

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390803  

***  

**Alert message:** Atomicorp.com WAF Rules: Known Wormsign 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Known Wormsign

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390810  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- hexDecode

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390811  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible attack: Generic Attempt to insert shell code 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- base64Decode

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible attack: Generic Attempt to insert shell code

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390802  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Rootkit attack: Known Rootkit 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 8 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 500 

**Action:** deny 

**Transforms:** 

- cmdLine

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Rootkit attack: Known Rootkit

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390903  

***  

**Alert message:** Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 3 

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390904  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Shell Command Attempt 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 15 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- cmdLine

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Shell Command Attempt

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390905  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible PHP Shell Command Attempt 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible PHP Shell Command Attempt

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 318811  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 5 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 316812  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in upload directory 

**Rule Class:** Generic Attack Ruleset (50_asl_rootkits.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 404 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- urlDecodeUni

**Log Types:** 

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in upload directory

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

