
Write a custom modsec rule to deny upload/execution of specific code in php script


Is there any option available in ModSecurity to write a custom rule to block PHP scripts which contain a hack script having a common pattern?

I am facing an issue where compromised CMS software on my server is frequently uploading PHP scripts with the same hack code in them. All the code contains a common pattern, as follows.

$z26="jmiO@sxhFnD>J\r/u+RcHz3}g\nd{^8 ?eVwl_T\\\t|N5q)LobU]40!p%,rC-97k<'y=W:P\$1BI&S6\"E(K`Y~.Q;f[v2a#X*ZAGtM";

Is there any way to specify it in modsec and instruct it to block the upload or execution of any PHP script on the server which contains the above pattern or a portion of the above pattern?


Solution

  • Do you have any idea how this script gets written to your files? I've had a similar problem because of the use of FTP and because I was saving passwords inside Windows Commander. I had to clear a lot of files, and it was a script similar to yours.

    I don't know if this will really do the job, but it can at least keep you a bit safer, so take a look at php-firewall.
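
One way to apply the check the question asks for, as an added example that is not from the original question or answer: an external inspector script for ModSecurity's `@inspectFile` operator that rejects uploads containing a portion of the pattern above. The script path, rule id, 2 MiB read cap and the "shuffled alphabet" heuristic are assumptions made for the illustration.

```python
#!/usr/bin/env python3
# Upload inspector for ModSecurity's @inspectFile operator (added example).
# Assumed wiring (placeholder id and path; needs SecRequestBodyAccess On):
#   SecRule FILES_TMP_NAMES "@inspectFile /usr/local/bin/modsec_php_sig.py" \
#       "id:1000001,phase:2,t:none,deny,log,msg:'Obfuscated PHP in upload'"
# @inspectFile passes the temp file path as argv[1]; output starting with "1"
# means clean, any other first character is treated as a match.
import re
import sys

# Portions of the signature string quoted in the question; any one is a hit.
FRAGMENTS = (b"jmiO@sxhFnD>J", b"d{^8 ?eVwl_T", b"Y~.Q;f[v2a#X*ZAGtM")

# Generalisation (assumption): a PHP variable assigned a double-quoted literal
# of 80+ bytes whose bytes are almost all distinct, i.e. a shuffled alphabet.
ASSIGN = re.compile(rb'\$\w+\s*=\s*"((?:[^"\\]|\\.){80,})"', re.S)


def inspect(data: bytes) -> str:
    """Return the verdict line that @inspectFile expects on stdout."""
    for frag in FRAGMENTS:
        if frag in data:
            return "0 known signature fragment"
    for match in ASSIGN.finditer(data):
        literal = match.group(1)
        if len(set(literal)) >= 0.85 * len(literal):
            return "0 shuffled-alphabet string literal"
    return "1 clean"


def main(argv):
    try:
        with open(argv[1], "rb") as fh:
            data = fh.read(2 * 1024 * 1024)  # cap how much of the upload is read
    except (IndexError, OSError) as exc:
        print(f"0 cannot inspect upload: {exc}")  # fail closed
        return
    print(inspect(data))


if __name__ == "__main__":
    main(sys.argv)
```

This only sees files that arrive as multipart uploads through Apache; files written over FTP or by an already-running script never pass through ModSecurity.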