Current File : /etc/apache2/conf.d/modsec2.liquidweb.conf
### EA4 Modsec2 rules v0.7-12 ###
#RRosson / Secteam 18 Feb 2022

## DO NOT MAKE DIRECT MODIFICATIONS TO THIS FILE.
# Changes to this file may be over-written by future upgrades to mod_security rules.
# If you need to whitelist rules, please use /etc/apache2/conf.d/modsec2/whitelist.conf
# Custom additional rules may be added to /etc/apache2/conf.d/modsec2/custom.conf
# As of mod_security 2.7, all custom rules must include a numeric ID.
# custom.conf and whitelist.conf will not be over-written by future updates to this ruleset.
# Feel free to contact Liquidweb support for assistance with any necessary whitelisting.
# NOTE(review): whitelist.conf is referred to above but is not Included by this file
# (only custom.conf and rootkits.conf are, below); presumably it is loaded by the
# main modsec2 config - confirm, otherwise whitelist entries are silently ignored.

# PCRE can be set here, since nobody should have a version prior to modsec2.5 on EA4
# Many patterns in this file are unanchored and use ".*", so these backtracking caps matter:
# when a match exceeds them the rule does not match that request (ModSecurity logs a PCRE
# limits error), so such an error in the Apache error log means a rule was not enforced.
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

# Intercepted uploads, temporary files and the persistent collections (SecDataDir) all go to
# the shared, world-writable /tmp. The ModSecurity reference recommends a directory that is
# private to the web server user for these, so that other local users can neither read
# intercepted uploads nor tamper with the collection files; /tmp is the weakest choice.
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp

# Required for the REQUEST_BODY rules below. No SecRequestBodyLimit is set in this file, so
# the effective body limit is whatever the main config (or the built-in default) sets.
SecRequestBodyAccess On

## Included configs ##
# custom.conf is pulled in here, before this file's own SecDefaultAction (declared much further
# down), so rules in it inherit whatever default action is in force at this point in the config.
Include "/etc/apache2/conf.d/modsec2/custom.conf"
Include "/etc/apache2/conf.d/modsec2/rootkits.conf"

#--------------------------------
# notes
#--------------------------------
# Rules work with modsecurity 2.0 and above only

#--------------------------------
#start rules
#--------------------------------

###BLACKLIST###
# NOTE(review): this matches the body-processor error *text* against the literal phrase
# "Generic blacklisted items.", which does not look like any message ModSecurity emits, so the
# rule will probably never fire; the phrase reads like a msg: that ended up in the pattern slot.
# A check that fires on any body parsing failure would be REQBODY_PROCESSOR_ERROR "!@eq 0".
SecRule REQBODY_PROCESSOR_ERROR_MSG "Generic blacklisted items." "t:lowercase,id:5000001"
# The rules below carry only an id, so they take everything else from the SecDefaultAction in
# force at this point. SecDefaultAction is positional and this file only declares its own near
# the "Configure for your site" comment further down; unless an earlier-loaded config set one,
# every rule from here to that point runs with the built-in default (phase:2,log,auditlog,pass),
# i.e. it logs but does not block. Verify in the audit log before assuming these deny.
# Patterns are plain unanchored substrings; no transformation is applied, so the match is
# case-sensitive and against the URI as ModSecurity supplies it (later rules that need it
# add t:urldecode themselves).
SecRule REQUEST_URI "/bin/sh" "id:2000002"
SecRule REQUEST_URI "/bin/bash" "id:2000003"
SecRule REQUEST_URI "/var/spool" "id:2000007"
SecRule REQUEST_URI "/dev/shm" "id:2000008"
SecRule REQUEST_URI "/var/tmp" "id:2000009"
SecRule REQUEST_URI "/bin/ps" "id:2000010"
SecRule REQUEST_URI "udp\.pl" "id:2000012"
SecRule REQUEST_URI "pbsync" "id:2000014"
SecRule REQUEST_URI "psybnc" "id:2000016"
SecRule REQUEST_URI "myshell\.php" "id:2000018"
SecRule REQUEST_URI "msshell\.php" "id:2000019"
SecRule REQUEST_URI "phpshell" "id:2000020"
SecRule REQUEST_URI "php-shell" "id:2000021"
SecRule REQUEST_URI "r57shell" "id:2000022"
SecRule REQUEST_URI "r57\.txt" "id:2000023"
SecRule REQUEST_URI "c99shell" "id:2000024"
SecRule REQUEST_URI "a\.out" "id:2000025"
SecRule REQUEST_URI "dc\.pl" "id:2000026"
SecRule REQUEST_URI "bdpl" "id:2000032"

# Process this first due to frequency of hits.
# xmlrpc with both no UA and no referrer. This can be whitelisted but it will remove some DoS protections.
# It's Better to have the customer POST to xmlrpc with a referrer or user agent.
# Even dummy characters in one of those HTTP headers will get them past this rule.
# This one carries its own deny, so it blocks regardless of the default action. "&VAR" is the
# count of the header, so the chain is: URI contains xmlrpc.php AND no Referer AND no User-Agent.
# The unescaped "." in xmlrpc.php is a regex wildcard (harmless here). 411 (Length Required) is
# an unusual status for a deny; nothing else here depends on it.
SecRule REQUEST_URI "xmlrpc.php" "deny,status:411,id:5000228,chain,msg:'xmlrpc DoS attempt'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule &HTTP_User-Agent "@eq 0"

### User-Agent Rules ##
# As with the blacklist above, rules in this section carry no action of their own and inherit
# whatever SecDefaultAction is in force here (this file's own is declared at the end of the
# section). Most patterns are unanchored substrings, so keep the false-positive risk in mind.

#Comment spam header line
SecRule REQUEST_HEADERS "x-aaaaaa" "id:2000035"
SecRule REQUEST_BODY "X-AAAAAA" "id:2000036"

#check for bad meta characters in User-Agent field
#SecRule HTTP_User-Agent ".*\'"

#XSS in the UA field
# Requires two tag openings in one UA string (e.g. "<script>...<script"); a single tag is not enough.
SecRule HTTP_User-Agent "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)" "id:2000037"

#PHP code injection attack
SecRule HTTP_User-Agent "(<\?php|<[[:space:]]*\?[[:space:]]*php)" "id:2000038"

#recursion attack in UA field
SecRule HTTP_User-Agent "/\.\./" "id:2000040"

#May cause false positives with some software, comment out if it does
#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'"
#SecRule "HTTP_User-Agent|HTTP_HOST|HTTP_Accept" "^$"

#A friendly little exploit banner for a WP vuln
SecRule HTTP_User-Agent "Wordpress Hash Grabber" "id:2000050"

#Blocks scripts
# "lwp" is a bare substring (libwww-perl clients send "lwp-..."); it also hits any UA that
# merely contains those three letters, including legitimate monitoring scripts.
SecRule HTTP_User-Agent "lwp" "id:2000051"

#Web leaches
SecRule HTTP_User-Agent "Web Downloader" "id:2000052"
SecRule HTTP_User-Agent "WebZIP" "id:2000053"
SecRule HTTP_User-Agent "WebCopier" "id:2000054"
SecRule HTTP_User-Agent "Webster" "id:2000055"
SecRule HTTP_User-Agent "WebStripper" "id:2000057"
SecRule HTTP_User-Agent "Black Hole" "id:2000060"
SecRule HTTP_User-Agent "SiteSnagger"  "id:2000061"
SecRule HTTP_User-Agent "CheeseBot" "id:2000063"

#Bogus Mozilla UA lines
# Anchored with "$" only: any UA that *ends* in "Mozilla/4.0" or "Mozilla/5.0" is caught.
SecRule HTTP_User-Agent "Mozilla/(4|5)\.0$" "id:2000064"

#Bogus IE UA line
SecRule HTTP_User-Agent "Microsoft Internet Explorer/5\.0$" "id:2000066"

#Nessus Vuln scanner UA
SecRule HTTP_User-Agent "Mozilla.*Nessus" "id:2000068"

#Nikto vuln scanner UA
# The only UA rule in this section that lowercases its input; the others are case-sensitive.
SecRule HTTP_User-Agent "nikto" "id:2000069,t:lowercase"

#Bad/Bogus UAs
SecRule HTTP_User-Agent "Indy Library" "id:2000070"
SecRule HTTP_User-Agent "Faxobot" "id:2000071"
SecRule HTTP_User-Agent "SAFEXPLORER TL" "id:2000072"

#Spam spider UAs
SecRule HTTP_User-Agent "fantomBrowser" "id:2000073"
SecRule HTTP_User-Agent "fantomCrew Browser" "id:2000074"

#e-mail collectors and spammers
SecRule HTTP_User-Agent "WebEMailExtractor" "id:2000081"
SecRule HTTP_User-Agent "Advanced Email Extractor" "id:2000084"
SecRule HTTP_User-Agent "EmailSiphon" "id:2000085"
SecRule HTTP_User-Agent "Extractorpro" "id:2000086"
SecRule HTTP_User-Agent "webbandit" "id:2000087"
SecRule HTTP_User-Agent "EmailCollector" "id:2000088"
SecRule HTTP_User-Agent "EmailWolf" "id:2000090"

#collectors
SecRule HTTP_User-Agent  "autoemailspider" "id:2000096"
SecRule HTTP_User-Agent  "grub crawler" "id:2000098"

#spam bots
SecRule HTTP_User-Agent  "DTS Agent" "id:2000100"
SecRule HTTP_User-Agent  "POE-Component-Client" "id:2000101"
SecRule HTTP_User-Agent  "WISEbot" "id:2000102"
# id 1000001 is outside the 2000xxx range used by the rest of this section; keep that in mind
# when grepping audit logs or whitelisting by id range.
SecRule HTTP_User-Agent  "^Shockwave Flash" "id:1000001"

#comment spam sign
SecRule HTTP_User-Agent  "compatible \; MSIE" "id:2000104"

#Some regexps to catch silly bots
# NOTE(review): the "\|" in the exclusion is a literal pipe character, not alternation, and
# ".txt1" is probably meant to be "\.txt". As written the negated first rule is satisfied by
# practically every URI, so this chain reduces to the User-Agent test on the next line.
SecRule REQUEST_URI "!/ps(zones\|comp).txt1" "chain,id:2000105"
SecRule HTTP_User-Agent "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"

SecRule HTTP_User-Agent "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$" "id:2000269"
# Any Mozilla UA that ends in a dot or a space.
SecRule HTTP_User-Agent "^Mozilla/.+[. ]+$" "id:2000270"

#bogus amiga UA
SecRule HTTP_User-Agent "Amiga-AWeb/3\.4" "id:2000109"
#recently caught sending spam referrals, from their actual crawler IP
SecRule HTTP_User-Agent "BecomeBot" "id:2000112"

#WebvulnScan
SecRule HTTP_User-Agent "WebVulnScan" "id:2000116"
#broken spam tool
SecRule HTTP_User-Agent "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$" "id:2000117"
#fake UA
SecRule HTTP_User-Agent "Windows-Update-Agent" "id:2000119"
# Bad Spider
SecRule HTTP_User-Agent "hl_ftien_spider" "id:2000121"
# PMAFind
SecRule HTTP_User-Agent "PMAFind" "id:2000122"
# Web Scanners
SecRule HTTP_User-Agent "Morfeus Fucking Scanner" "id:2000124"

# Configure for your site
# Transformations in default action are deprecated as of modsec 2.7.0. Lowercase is set by default according to modsec docs.
# SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# NOTE(review): the built-in default action does not lowercase as far as I can tell, which is
# why the rules in this file that need it set t:lowercase themselves; treat the sentence above
# with caution.
# SecDefaultAction only applies to rules that come *after* it in the configuration, so it
# governs the rest of this file but not the rules above (see the note at the top of this section).
# Denied requests are answered with a 500, which shows up in access logs and monitoring as an
# application error rather than a block; a 403 is the conventional choice and is easier to
# tell apart from real server failures. Either way the id/msg in the audit log is the only
# reliable way to attribute a blocked request to a rule.
SecDefaultAction "log,deny,phase:2,status:500"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
# Rejects any request that carries a Transfer-Encoding header at all. HTTP/1.1 clients that
# legitimately send chunked request bodies (some API clients, uploaders and CMS integrations)
# are refused with the default-action status, so keep this rule in mind when such clients fail.
SecRule HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"

#deny TRACE method
# Apache's own "TraceEnable off" is the more robust way to disable TRACE; the two can coexist.
SecRule REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"

#XSS insertion into headers
# Applies to every request header, not just Content-Type as the msg says. Note the "*" after
# the first tag-name group: "<>" satisfies the opening part, so the real requirement is a
# "<...>" followed later by one of the listed words and a ">".
SecRule REQUEST_HEADERS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"


#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
# Rule 340004 above already denies every Transfer-Encoding value, so this one is only reached
# if that rule is whitelisted. The "can not look at these" rationale predates ModSecurity 2 on
# Apache, which as far as I know receives the body after Apache has de-chunked it - presumably
# kept for defence in depth rather than because the gap still exists.
SecRule HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"

#Code injection via content length
# Content-Length is numeric by definition; a value containing ";system(" etc. is malformed and
# this rule rejects it before it reaches the application.
SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"

##generic recursion signatures
# Chain: URI does not reference alt_mod_frameset.php AND the (URL-decoded) URI contains "/../".
# Transformations are per rule, so only the second rule decodes; the exclusion is tested raw.
SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
SecRule REQUEST_URI "/\.\./" "t:urldecode"
#Ban same path BS
# id 1110001 is outside the id ranges used elsewhere in this file.
SecRule REQUEST_URI "/forum/\./" "id:1110001"

#Generic remote include Injection.
# Each of these needs ".php?" somewhere in the URI followed by the named parameter set to an
# absolute http/https/ftp URL. No decoding transformation is applied in these rules.
SecRule REQUEST_URI "\.php\?.*option=(http|https|ftp)\:\/" "id:2000129"
SecRule REQUEST_URI "\.php\?.*ROOTDIR=(http|https|ftp)\:\/" "id:2000132"
SecRule REQUEST_URI "\.php\?.*Config_absolute_path=(http|https|ftp)\:\/" "id:2000133"
SecRule REQUEST_URI "\.php\?.*baseDir=(http|https|ftp)\:\/" "id:2000137"
SecRule REQUEST_URI "\.php\?.*config\[root_dir\]=(http|https|ftp)\:\/" "id:2000139"

#generic bogus path sigs
# Three dots followed by a slash, after URL-decoding.
SecRule REQUEST_URI "\.\.\./" "t:urldecode,id:300006,rev:1,severity:2,msg:'Bogus Path denied'"

#Generic PHP exploit signatures
# Needs "name(" ... ")" followed by a literal ";" in the body. "e?chr" duplicates the "chr"
# alternative. NOTE(review): rule 300008 below tests the same pattern on REQUEST_URI|REQUEST_BODY,
# so every request this rule catches is also caught there; this one is redundant.
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Generic PHP exploit signatures
# Same function list, but only when preceded by "<?php " (exactly one space, case-sensitive).
SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#slightly tighter rules with narrower focus
# Despite the comment this is the *broadest* of the three: same pattern as 330001 applied to
# both the URI and the body. "chr(" is a common substring (e.g. in forum posts quoting code),
# so expect occasional false positives on sites that accept code in form fields.
SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#generic XSS PHP attack types
# Chain: URI contains ".php?" AND body or URI carries one of two very specific javascript: payloads.
SecRule REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'"
SecRule REQUEST_BODY|REQUEST_URI  "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body\.innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)"


#Prevent SQL injection in cookies
# NOTE(review): t:lowercase runs before the match, so the upper-case "UNION SELECT ... INTO ... FROM"
# alternative can never match and is dead; rule 300012 below has the corrected lower-case form.
# Also "|" inside "[A-Z|a-z|0-9|\*| |\,]" is a literal pipe, not alternation (harmless, but the
# class is letters, digits, "*", space, "," and "|").
SecRule REQUEST_COOKIES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,t:lowercase,rev:1,severity:2,msg:'Generic SQL injection in cookie'"

#Prevent command injection through cookies
SecRule REQUEST_COOKIES "\; cmd=" "id:2000143,t:lowercase"

#Prevent SQL injection in UA
# Transformations run in the order listed: lowercase first, then URL/entity decoding. The other
# rules in this file list t:lowercase last so that decoded text is lowercased too; consider
# aligning this one with them.
SecRule HTTP_USER-AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|union select.*\'.*\'.*,[0-9].*into.*from)" "id:300012,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"
# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and are very difficult
# to prevent false positives and negatives.
# Please report false positives/negatives to mike@gotroot.com
# Chain: URI is not one of the listed editor/posting pages (lowercased) AND URI or body contains
# the SQL pattern. The second rule declares no transformations of its own and, transformations
# not being inherited down a chain, appears to match case-sensitively - repeating t:lowercase on
# it (with the lower-case form of the "union select" branch) would make it behave like 300012.
SecRule REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,t:lowercase,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecRule REQUEST_URI|REQUEST_BODY "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"

#Generic SQL sigs
# Chain: URI is not one of the listed edit/posting pages AND some argument matches the SQL
# keyword sequences. The ARGS rule has no transformations of its own (they are not inherited
# from the first rule in a chain), so it appears to be a case-sensitive, lower-case-only match.
SecRule REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,t:lowercase,rev:2,severity:2,msg:'Generic SQL injection protection'"
SecRule ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)"

#Generic SQL sigs
# Tautology patterns: "or ... 1 = 1" and the "'...--'" comment terminator. "or.+1" is loose
# enough to hit ordinary prose such as "for 1 = 1" in free-text arguments.
SecRule ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,t:lowercase,rev:1,severity:2,msg:'Generic SQL injection protection'"

#Generic SQL sigs
# DDL/DML keyword pairs; "update.+set.+=" in particular matches any text argument that contains
# "update", later "set" and later "=", so expect hits from ordinary English in free-text fields.
SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,t:lowercase,rev:1,severity:2,msg:'Generic SQL injection protection'"

#Meta character SQL injection
# Same keyword set as 300016 but on the URI and only after a single quote, plus "and ... char(...)".
SecRule REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)"  "id:380015,rev:1,t:lowercase,severity:2,msg:'Generic SQL metacharacter URI injection protection'"

#Generic command line attack filter
#Too Generic, Removed.
#SecRule REQUEST_URI|REQUEST_BODY "\|+.*[\x20].*[\x20].*\|"

#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
# Blocks the "compress.zlib:" stream-wrapper prefix in any argument (the pattern is unquoted
# but contains no spaces, so it parses fine).
SecRule ARGS compress\.zlib:  "id:2000144"

#Generic XSS filter
#please report false positives
# Chain: URI is not mt.cgi AND URI or body contains "<tag>...tag>". As in 300002, the "*" after
# the first tag group means a bare "<>" opens the match.
SecRule REQUEST_URI "!/mt\.cgi" "chain,id:2000145,rev:1,severity:2,msg:'xss'"
SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#Als test XSS rule
# Variant of 2000145 where "<*" makes the "<" optional, so a bare "script>...script>" also matches.
SecRule REQUEST_URI "!/mt\.cgi" "chain,id:2000146,rev:1,severity:2,msg:'xss'"
SecRule REQUEST_URI|REQUEST_BODY "<*(script|about|applet|activex|chrome)[[:space:]]*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#XSS in referrer and UA headers
# Same two patterns as 2000145/2000146 applied to the Referer and User-Agent headers.
SecRule HTTP_REFERER|HTTP_USER-AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" "id:2000147"

#Extra of the above with whitespace moved
SecRule HTTP_REFERER|HTTP_USER-AGENT "<*(script|about|applet|activex|chrome)[[:space:]]*>.*(script|about|applet|activex|chrome)[[:space:]]*>" "id:2100147"

#PHP Injection Attack generic signature
# Chain: URI contains ".php" AND the URI or body has either a known include parameter set to an
# absolute URL, or a cmd=/command= argument whose value starts with one of the listed commands.
# Several alternatives have no trailing space or boundary ("id", "cmd", "pwd", "uname", "whoami"),
# so "command=identify" or "cmd=pwdreset" also match - expect false positives on apps that use
# a parameter literally named cmd or command. ("path" appears twice in the parameter list.)
SecRule REQUEST_URI  "\.php" "chain,id:2000148"
SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"

#Generic PHP remote file inclusion attack signature
# Three-rule chain: ".php?" in URI AND an absolute URL in URI AND cmd=/command= immediately
# followed by a listed command. NOTE(review): 2000151 below is identical except for a ".*"
# after "=", so everything this chain catches is also caught by 2000151.
SecRule REQUEST_URI "\.php\?" "chain,id:2000150"
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file inclusion attack signature with command
# As 2000150 but the command may appear anywhere after "cmd="/"command=".
SecRule REQUEST_URI "\.php\?" "chain,id:2000151"
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP body attack
# Chain: body mentions a dangerous PHP function AND the body *starts* with "PHP" (optionally
# followed by colons) and then a shell command - the "^" anchors the second rule to the start.
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" "chain,id:2000152"
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file injection
# Chain: URI does not contain "/do_command" AND some .php? parameter is an absolute URL that is
# followed later by cmd= or command=.
SecRule REQUEST_URI "!(/do_command)" "chain,id:2000153"
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="

#script, perl, etc. code in HTTP_Referer string
# A "#!" shebang followed somewhere by a "/" in the Referer header.
SecRule HTTP_Referer "\#\!.*/" "id:2000154"

#generic command line attack
# "\|*" and "echo*" are zero-or-more quantifiers, so the effective requirement is "id;ech",
# any number of "o", then "|".
SecRule REQUEST_URI|ARGS "\|*id\;echo*\|" "id:2000155"

#remote file inclusion generic attack signature
# Chain: URI has a data/image/text extension followed by "?" AND an include-style parameter
# set to a URL scheme, or any cmd=/command=/inc= parameter.
SecRule REQUEST_URI  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" "chain,id:2000156"
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"

#remote file inclusion generic attack signature
# 2000157 (two-rule chain over ARGS) and 2000158 (single combined pattern) cover the same
# "file.ext?&cmd=" shape; 2000157 is the looser of the two since its two parts may be found
# in different arguments.
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" "chain,id:2000157"
SecRule ARGS "\?\&(cmd|inc|name)="

#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)=" "id:2000158"

#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd=" "id:2000159"

#Bogus file extensions generic signature
# Double extension such as "name.gif.txt" anywhere in the URI.
SecRule REQUEST_URI  "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt" "id:2000160"

#PHP remote path attack generic signature
# NOTE(review): 2000162 ("\.php.*path=") already matches everything 2000161 does (.php, .php3,
# .php4), so the first of the pair is redundant.
SecRule REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/" "id:2000161"
SecRule REQUEST_URI  "\.php.*path=(http|https|ftp)\:/" "id:2000162"

#generic attack sig
# "cd", optional spaces, ";" then a listed command - decoded and lowercased before matching.
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)" "id:2000163,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# WEB-ATTACKS uname -a command attempt
# NOTE(review): the decode/lowercase transformations are declared on the first rule only and are
# not inherited by the chained rule, which therefore tests the undecoded URI for a literal space.
# REQUEST_URI comes from the request line, where a raw space ends the URI, so the second half of
# this chain is unlikely ever to match unless the transformations are repeated on it. The same
# applies to the chmod, gcc, python, mail and ls chains further down.
SecRule REQUEST_URI "uname" "chain,id:2000164,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20-a"

#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)" "id:2000264,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow" "id:2000166"

# WEB-ATTACKS /bin/ps command attempt
# NOTE(review): exact duplicate of blacklist rule 2000010 (same variable, same pattern); a hit
# will be logged twice under two ids.
SecRule REQUEST_URI "/bin/ps" "id:2000167"

# WEB-ATTACKS chmod command attempt
# Chain whose second rule wants a literal space but carries no decoding transformation of its
# own - see the note on the uname chain (2000164) above.
SecRule REQUEST_URI  "/bin/chmod" "chain,id:2000171,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS gcc command attempt
# NOTE(review): "x20-o" is missing its backslash, so this matches the five literal characters
# "x20-o" rather than a space followed by "-o" (compare "\x20-a" in 2000164). Presumably a typo.
# Also "gcc" is a bare substring and the chain has the same decoding issue as 2000164.
SecRule REQUEST_URI  "gcc" "chain,id:2000173,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "x20-o"

# WEB-ATTACKS bin/python access attempt
# Same chain shape (and same caveat) as 2000171.
SecRule REQUEST_URI  "bin/python" "chain,id:2000178,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl" "id:2000183,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# WEB-ATTACKS mail command attempt
# Same chain shape (and same caveat) as 2000171.
SecRule REQUEST_URI  "/bin/mail" "chain,id:2000187,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS /etc/inetd.conf access
# The path-access rules in this group are raw, case-sensitive substring matches (no decoding
# transformation is applied, unlike the command-attempt rules above).
SecRule REQUEST_URI  "/etc/inetd\.conf" "id:2000189"

# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI  "/etc/motd" "id:2000190"

# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI  "conf/httpd\.conf" "id:2000191"

# WEB-MISC .htpasswd access
SecRule REQUEST_URI  "\.htpasswd" "id:2000192"

# WEB-MISC /etc/passwd access
SecRule REQUEST_URI  "/etc/passwd" "id:2000193"

# WEB-MISC ls%20-l
# "ls" on its own is a substring of countless ordinary paths ("details", "tools", ...); the
# chain is only saved from constant hits by the second rule, which has the 2000164 caveat.
SecRule REQUEST_URI  "ls" "chain,id:2000196,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20-l"

# WEB-MISC apache directory disclosure attempt
# Eight or more consecutive slashes anywhere in the URI.
SecRule REQUEST_URI "////////" "id:2000197"

#musicat empower attempt
SecRule REQUEST_URI "/empower\?DB=" "id:2000198"

#PHPBB worm sigs
# Chain: URI is not tiki-searchindex.php AND the "highlight" argument contains a single quote in
# raw, URL-encoded or double-encoded form. The second rule has no transformations, which is why
# the encoded forms are spelled out ("\x2527" is "%" followed by "27", i.e. the same as "%27").
SecRule REQUEST_URI "!(tiki-searchindex\.php)" "chain,id:2000200,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

#PHP defenses
# Rejects a PHPSESSID argument that is anything other than lower-case alphanumerics (no
# t:lowercase here, so upper-case ids are rejected too). NOTE(review): the characters PHP
# uses depend on session.hash_bits_per_character - with a value of 6 ids contain upper-case
# letters, "-" and "," and would be blocked by this rule and 2000203; check the PHP setting
# before relying on these.
SecRule ARGS:PHPSESSID "!^[0-9a-z]*$" "id:2000201"

#PHP defenses
# Any argument value that begins with "globals" (on its own or as "globals[") or with "php:/".
SecRule ARGS "^(globals($|\[)|php:/)" "id:2000202"

#PHP defenses
# Cookie counterpart of 2000201; same character-set caveat.
SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$" "id:2000203"

#PHP defenses
SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$" "id:2000204"

#These are VERY experimental, please report false positives/negatives, etc.
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
# The "[A-Za-z|0-9]\.[a-zA-Z]{2,4}/" branch matches any "word.ext/" (a hostname or just a
# file name followed by a slash), so a URI containing e.g. "curl" and later "page.html/" hits it.
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "id:2000307,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

#Command inline detection
# ssh/scp/rsh/rcp preceded by a separator and followed by a user@host, URL, IP or host-like token.
# No transformations here, so this one sees the raw, case-sensitive URI.
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "id:2000208"

#very experimental connect command sig
# "(rs)sh" only matches the literal "rssh"; "ssh"/"rsh" were probably intended ("(r|s)sh").
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "id:2000209"

#Commands, also need a major rework, these also have issues
# "cd\x20/(tmp|/var/tmp)" expands to "cd /tmp" or "cd //var/tmp" - the second alternative has
# a doubled slash, so "cd /var/tmp" is only covered by "cd /tmp"-style hits elsewhere; "(tmp|var/tmp)"
# is presumably what was meant.
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" "id:2000210,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)" "id:2000215,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "cd \.\." "id:2000216"
# Request line ending in ".history" or ".bash_history" followed by the HTTP version.
SecRule REQUEST_LINE "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" "id:2000217"

#generic block for fwrite fopen uploads
# Both words anywhere in the URI, in any order.
SecRule REQUEST_URI "fwrite" "chain,id:2000218"
SecRule REQUEST_URI "fopen"

#generic sig for more bad PHP functions
# "chr(" with a 1-3 digit argument in the URI; overlaps with 300008 (which also needs ");").
SecRule REQUEST_URI "chr\(([0-9]{1,3})\)" "id:2000219"
# Argument *names* starting with "php:/".
SecRule ARGS_NAMES "^php:/" "id:2000220"

#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*=" "id:2000223"

#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)" "id:2000233"

#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "window\.execScript[\s]*\(" "id:2000234"

#cross site scripting attempt to execute Javascript code
SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]" "id:2000235"

#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" "chain,id:2000236,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"

#Apache /server-info accessible
# Chain: /server-info anywhere in the URI from a non-loopback client. Only the IPv4
# loopback is exempted; a request arriving from ::1 would still match.
SecRule REQUEST_URI   "/server-info" "chain,id:2000237"
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

#Apache /server-status accessible
#Modified so apache-protect can run
# Anchored to exactly "/server-status/" (trailing slash required); same loopback exemption as above.
SecRule REQUEST_URI "^/server-status/$" "chain,id:2000238"
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

#generic Common HTTP vulnerability
# "?cwd=/" query parameter pointing at an absolute path.
SecRule REQUEST_URI "/\?cwd=/" "id:2000239"

#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
# Chain: a .php request whose URI or body carries a BBCode [url=<scheme>:/...][/url] with a
# script-capable scheme.
SecRule REQUEST_URI "\.php\?" "chain,id:2000240"
SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"

#Experimental XML-RPC generic attack sigs
# Literal fragments seen in XML-RPC injection payloads: "','')); " and "<param><name>...');".
SecRule REQUEST_BODY "\'\,\'\'\)\)\;" "id:2000241"
SecRule REQUEST_BODY "\<param\>\<name\>.*\'\)\;" "id:2000242"

#generic remote file inclusion vulns
# index.php parameters pointing at a remote http/https/ftp URL.
SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/" "id:2000246"
SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/" "id:2000247"
SecRule REQUEST_URI "/index\.php\?libDir=http://" "id:2000248"

#Generic PHP attack sig
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)" "id:2000252"

#Generic PHP payload command injection and upload vulnerabilities
# Chain: a PHP open tag in the body together with one of the listed file/socket/exec calls.
SecRule REQUEST_BODY "<\?php" "chain,id:2000254"
SecRule REQUEST_BODY  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)"

#HTTP header PHP code injection attacks
# PHP open tag (with optional whitespace variants) in Client-IP, User-Agent or Referer.
# NOTE(review): this file mixes the HTTP_<name> header spelling with REQUEST_HEADERS:<Name>
# (used at 2000263 below); confirm the engine in use resolves both, otherwise one form is dead.
SecRule HTTP_CLIENT_IP|HTTP_USER-AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)" "id:2000256"

#Generic PHP avatar upload exploits
# Four-rule chain: .php in the URI, a multipart part named "avatar", and both a PHP open and close tag in the body.
SecRule REQUEST_URI "\.php" "chain,id:2000260"
SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecRule REQUEST_BODY "\<\?php" chain
SecRule REQUEST_BODY "\?>"

#Fake image file shell attack
# Bare "chr(" anywhere in the body.
SecRule REQUEST_BODY "chr\(" "id:2000262"

#bogus graphics file
# Chain: a .php name in a Content-Disposition request header combined with an image Content-Type.
SecRule REQUEST_HEADERS:Content-Disposition "\.php" "chain,id:2000263"
SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"

#Special account protection
# ~user paths for system accounts.
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/" "id:2000265"

#Generic PHP fopen sig
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\(" "id:2000266"

#flashchat vulnerability
# dir[inc]= pointing at a remote http URL.
SecRule REQUEST_URI "\.php\?dir\[inc\]=http\:/" "id:5000204,msg:'flashchat vuln. patch'"

#Joomla rules
# Chain: "controller=" in the URI together with a system path. The second rule is a
# substring match, so e.g. "/device" or "/development" would also satisfy "/dev".
SecRule REQUEST_URI "controller=" "chain,id:5000205"
SecRule REQUEST_URI "(/tmp|/proc|/dev)"

#More Joomla rules, eval code in HTTP user agent or referring URL
SecRule HTTP_REFERER "eval\(base64.*" "id:5000206,t:lowercase,msg:'eval(base64 code in HTTP Referer'"
SecRule HTTP_User-Agent "eval\(base64.*" "id:5000207,t:lowercase,msg:'eval(base64 code in user agent field'"

#Timthumb!
# src= naming a trusted image host followed by a further domain component (a lookalike such
# as "flickr.com.<other-domain>") that ends in a script or text file.
# NOTE(review): the msg strings in this and the next three rules spell "Exploit" as
# "Exlpoit"; log searches must match the misspelling until the text is corrected.
SecRule REQUEST_URI "/(timthumb|thumb|_tbs)\.php\?src=.*(flickr|staticflickr|picasa|img\.youtube|upload\.wikimedia|photobucket|imgur|imageshack|tinypic)\.(com|org|us)\..*\.(com|ca|com\.au|org|net|jp|gov|info|us|co\.uk)/.*\.(txt|php|php3|php4|php5)" "id:5000200,t:lowercase,msg:'Timthumb Exlpoit Attempt Detected'"

#Symlinks
# Symlink-farm paths: /sym/root, /sym/<anything>txt, or /sym/.../home/.
SecRule REQUEST_URI "/sym/(root|.*txt)" "id:5000201,msg:'Symlink Exlpoit Attempt Detected'"
SecRule REQUEST_URI "/sym/.*/home/" "id:5000202,msg:'Symlink Exlpoit Attempt Detected'"

#zencart
SecRule REQUEST_URI "/admin/record_company.php/password_forgotten.php\?action=insert.*" "id:5000203,msg:'Zencart Exlpoit Attempt Detected'"

# Fix duo sec WP logins
# Bypass for the 5000214 chain below. skip:N is positional: skip:2 here jumps over
# 5200214 and the 5000214 chain; skip:1 on 5200214 jumps over the 5000214 chain only.
# Inserting any rule between these three changes what is skipped; a SecMarker with
# skipAfter would not depend on position.
SecRule REQUEST_BODY "duo_wordpress|sig_response" "t:lowercase,id:5100214,pass,phase:2,skip:2"

# Fix onelogin.com WP logins
SecRule REQUEST_HEADERS:Referer "onelogin.com" "t:lowercase,id:5200214,pass,phase:2,skip:1"

# Reject WP logins when wp-submit and action are both null.
# Chain: POST to wp-login.php with no wp-submit and no action argument at all (&ARGS:x
# counts occurrences). The t:* transformations on the two count rules act on a number and
# appear to be no-ops. Denied with status 402.
SecRule REQUEST_FILENAME "wp-login\.php" "phase:2,deny,log,status:402,t:lowercase,chain,id:5000214"
SecRule REQUEST_METHOD "^post$" chain,t:lowercase
SecRule &ARGS:wp-submit "@eq 0" chain,t:urlDecodeUni,t:lowercase
SecRule &ARGS:action "@eq 0" t:urlDecodeUni,t:lowercase

#Block WP logins with no referring URL
# Within /wp-login.php only: a POST carrying zero Referer headers is denied with 401.
<Locationmatch "/wp-login.php">
SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0"
</Locationmatch>

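<IfModule !ruid2_module>
<IfModule !mpm_itk_module>
# Put DBM rules here (ones that use initcol/collections and setvar/counter functions).
# Wordpress Brute Force detection
# Open (or create) the persistent "ip" collection keyed on the client address so the
# counters below survive across requests.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
# Non-disruptive actions (setvar, deprecatevar) run as soon as the rule carrying them
# matches, not when the whole chain matches. They used to sit on the RESPONSE_STATUS
# starter, so every 200 response from /wp-login.php - including a plain GET of the login
# form - incremented the counter; the REQUEST_METHOD check only gated the block flag.
# The increment now sits on the POST rule, so only failed POSTs are counted.
# bf_counter decays by 1 every 180 seconds.
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,id:5000137"
SecRule REQUEST_METHOD "POST" "chain,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
# More than 10 counted failures: raise the block flag for 300 seconds and reset the counter.
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>
</IfModule>
</IfModule>
# End DBM rules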

#Block WP theme edits with no referring URL
# Within the theme and plugin editors: a request with neither a Referer nor a
# User-Agent header is denied (status 411).
<Locationmatch "/theme-editor.php">
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:5000140,chain,msg:'No UA, No referer'"
SecRule &HTTP_User-Agent "@eq 0"
</Locationmatch>

<Locationmatch "/plugin-editor.php">
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:5000141,chain,msg:'No UA, No referer'"
SecRule &HTTP_User-Agent "@eq 0"
</Locationmatch>

#Joomla malicious code execution. Dvmessages should not have a c_id parameter.
# "c_id" is an unanchored substring match on the whole query string, so any parameter
# name ending in c_id (e.g. doc_id) also triggers it.
<Locationmatch "/dvmessages.php">
SecRule QUERY_STRING "c_id" "deny,status:500,id:5000217,msg:'dvmessages code exec'"
</Locationmatch>

#Joomla com_jce exploit
# Known scanner User-Agent string (case-sensitive; no transformation set).
SecRule HTTP_User-Agent "BOT for JCE" "deny,status:500,id:5000218,msg:'Joomla com_jce code exec'"

#Joomla com_jce exploit
# Direct request for a .php file under the image upload directory.
SecRule REQUEST_URI "/images/stories/.+\.php" "deny,status:500,id:5000219,msg:'Joomla com_jce code exec'"

#http://blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html
SecRule REQUEST_URI "/images_(comingsoon|lncthumbs|optbuttons)/.+\.php" "deny,status:500,id:5000220,msg:'optimizepress vuln'"

#Fix for Joomla com_jnews, http://www.securityfocus.com/bid/37314/exploit
# Chain: the uploader script with a name= parameter ending in .php. No disruptive action
# is given here, so the outcome is whatever SecDefaultAction (not in view) specifies.
SecRule REQUEST_URI "ofc_upload_image.php" "id:5000221,chain"
SecRule QUERY_STRING "name=.*\.php" "t:lowercase"

#Deny POST to / with no referrer, safe for cust use. OK to whitelist if needed, but whitelisting this will remove certain DoS protections.
#Revised to allow PayPal IPN user agent.
# Four-rule chain: POST to exactly "/", zero Referer headers, and a User-Agent that does
# NOT contain "paypal ipn" (negated match after lowercasing).
SecRule REQUEST_URI "^\/$" "deny,status:401,id:5000222,chain,msg:'/ POST blocked, no referer'"
SecRule REQUEST_METHOD "POST"  "chain"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule HTTP_User-Agent "!paypal ipn" "t:lowercase"

# Block Joomla scans that are looking for sites to target; frequently they lack both UA and Referer fields
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000223,chain,msg:'Joomla admin access blocked due to No UA and No referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule &HTTP_User-Agent "@eq 0"

# Block Joomla logins with no referring URL
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000224,chain,msg:'Joomla login request blocked, no referer'"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &HTTP_REFERER "@eq 0"

# Fake Joomla Plugin, stop scans / DoS attacks
SecRule REQUEST_URI "mod_araticlhess" "deny,id:5000225,t:lowercase,msg:'Access to fake plugin, if this plugin actually exists the site is hacked.'"

# JOOMLA Virtual patch for:
# trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/
# Chain: com_contenthistory in the query string plus a SELECT...FROM fragment or
# "list.select" (the dot also matches the "[" of a "list[select]" parameter name).
SecRule QUERY_STRING "com_contenthistory" "t:lowercase,t:urldecode,deny,status:406,id:5001225,chain"
SecRule QUERY_STRING "(select.+from|list.select)" "t:lowercase,t:urldecode"

# Additional Joomla patch based on https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
# Same check as 5001225, applied to the request body.
SecRule REQUEST_BODY "com_contenthistory" "chain,t:lowercase,deny,status:406,id:5001226"
SecRule REQUEST_BODY "(select.+from|list.select)" "t:lowercase"

# CGI-BIN PHP code exec scans
SecRule QUERY_STRING "safe_mode=off" "deny,id:5000226,t:urldecode,msg:'blocked generic PHP code exec scans'"

# Bogus UA for xmlrpc
# Chain: xmlrpc.php requested with the WinHttp.WinHttpRequest.5 User-Agent.
SecRule REQUEST_URI "xmlrpc.php" "deny,status:411,id:5000227,chain,msg:'xmlrpc DoS attempt'"
SecRule HTTP_User-Agent "WinHttp.WinHttpRequest.5"

# Fix for wysija newsletters (Mail Poet).
# Please inform akwiecinski immediately and verbosely if there are any false positives with this rule.
# NOTE(review): this matches on the raw URI, so it depends on "page=" preceding "action="
# in the query string; the same request with the parameters reordered is not matched.
# Checking ARGS:page and ARGS:action in a chain would be order-independent.
SecRule REQUEST_URI "wp-admin/admin-post\.php\?page=wysija_campaigns&action=themes" "deny,id:5000229"

# Stop-gap Fix for custom-contact-forms hacks
# Please inform akwiecinski immediately and verbosely if there are any false positives with this rule.
SecRule REQUEST_URI "custom-contact-forms/import/.*\.sql\.php" "deny,t:lowercase,t:normalisePath,id:5000230"

# Fix for revslider http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
# img= pointing at a PHP file, a MySQL or bash dotfile, or wp-config.
# NOTE(review): the dot in "\.my.cnf" between "my" and "cnf" is unescaped, so it matches any character.
SecRule QUERY_STRING "revslider_show_image.*&img=.*(\.php|\.my.cnf|\.bash|wp-config)" "deny,t:lowercase,id:5000231"
# File names as given; both are unanchored substring matches on the URI.
SecRule REQUEST_URI "noid-mailpolet\.php" "deny,id:5001000"
SecRule REQUEST_URI "resvlide.php" "deny,id:5001001"

# RevSlider rules for new shell upload vuln. This will still allow the initial malware uploads into
# wp-content/plugins/revslider/temp/update_extract/revslider/ but will deny access to the malicious files
# this should stop actual compromise of the site, rendering the uploaded malware useless to code inject the site
# Please inform secteam if this stops any legitimate updates, as it should not inhibit them.
SecRule REQUEST_URI "/temp/update_extract/revslider/.+\.php" "deny,t:lowercase,id:5000232,msg:'RevSlider shell upload attempt'"
SecRule REQUEST_URI "/revslider/temp/update_extract/.+\.php" "deny,t:lowercase,id:5001232,msg:'RevSlider shell upload attempt'"

# Fix for Gravity Forms shell upload.
# Chain: a wp-content path whose URI contains "_input_" followed by php or phtml.
SecRule REQUEST_URI "wp-content" "chain,deny,id:5001002,msg:'gravity forms shell upload attempt'"
SecRule REQUEST_URI "_input_.*p(hp|html)" "t:lowercase"

# Fix for https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html
SecRule REQUEST_URI "genericons/example.html" "deny,id:5001003"

# Fix for https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html
# Chain: action=grunion-contact-form with any argument containing a "/**/" SQL comment or an "&#" entity prefix.
SecRule ARGS:action "grunion-contact-form" "t:urldecode,t:lowercase,id:5001004,deny,status:411,chain"
SecRule ARGS "\/\*\*\/|\&\#" "t:urldecode"

# Fixes for script kiddy Drupal injections
# Please inform secteam of any false positives.
# Two entry points (the /user/login/ path and a q=node query string) combined with the
# same body fragment; the dots in "name.0.update" match any character.
SecRule REQUEST_URI "/user/login/" "deny,t:lowercase,id:5000233,chain,msg:'drupal exploit attempt'"
SecRule REQUEST_BODY "name.0.update users set name" "t:urldecode"

SecRule QUERY_STRING "q=node" "deny,t:lowercase,t:urldecode,id:5000234,chain,msg:'drupal exploit attempt'"
SecRule REQUEST_BODY "name.0.update users set name" "t:urldecode"

# Block malicious CN user agent
# Exact legacy Firefox UA string; matched case-sensitively.
SecRule HTTP_User-Agent "Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; zh-CN; rv:1\.7\.6\)" "deny,id:5000235"

# Block HEAD requests from Typhoeus
# No disruptive action is given here; the outcome is whatever SecDefaultAction (not in view) specifies.
SecRule REQUEST_METHOD "HEAD" "id:5000236,chain,msg:'Blocking bad Typhoeus UA'"
SecRule HTTP_User-Agent "Typhoeus"

# Ongoing fixes for bash issue, CVE-2014-6271. Please inform akwiecinski of any suspected false positives.
# Request Header values:
# A header value beginning with the "() {" function-definition prefix; evaluated in phase 1 after URL decoding.
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:5000300,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

# SERVER_PROTOCOL values:
# Same prefix anywhere in the request line (unanchored, no decoding).
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:5000301,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

# GET/POST values:
# Same prefix at the start of any argument value; phase 2 so the body is available.
SecRule ARGS "^\(\) {" "phase:2,deny,id:5000303,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

# Botnet posing as Googlebot Nov 18 2015
# Chain: cookie=1 in the query string, a googlebot User-Agent, and "eval(" visible in any
# argument after base64-decoding it (t:none first clears inherited transformations).
SecRule QUERY_STRING "cookie=1" "deny,t:lowercase,id:5000305,chain,msg:'base64 encoded eval statement from fake googlebot'"
SecRule HTTP_User-Agent "googlebot" "t:lowercase,chain"
SecRule ARGS "eval\(" "t:none,t:base64Decode"

# Joomla 0day Dec 14 https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html
# Serialized-object markers in the User-Agent. No disruptive action is given on either
# rule; the outcome is whatever SecDefaultAction (not in view) specifies.
SecRule HTTP_User-Agent "jdatabasedrivermysql" "t:lowercase,t:urldecode,id:5000306"
SecRule HTTP_User-Agent "{s:" "t:urldecode,id:5000307"

# New LFI WP protection
# Chain: mysite_download_skin together with wp-config.php in the body.
SecRule REQUEST_BODY "mysite_download_skin" "t:lowercase,id:5000308,chain"
SecRule REQUEST_BODY "wp-config\.php"

# Protections for JOOMLA CVE-2016-8870 and CVE-2016-8869
# Reject any .pht upload or file name, whether given as the name/filename argument or as an uploaded file.
# NOTE(review): the msg text spells "vulnerabilities" as "vulnerabilites" on all three rules.
SecRule ARGS:name "\.pht$" "deny,id:5000309,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.'"
SecRule ARGS:filename "\.pht$" "deny,id:5000310,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.'"
SecRule FILES "\.pht$" "deny,id:5000311,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.'"

# Protections for wp-mobile-detector
# See https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-exploited-in-the-wild.html
# Direct execution of a .php file from the plugin cache, or resize.php called with src= naming a .php file.
SecRule REQUEST_URI "wp-mobile-detector/cache/.+\.php" "deny,id:5000312,t:lowercase"
SecRule REQUEST_URI "wp-mobile-detector/resize.php" "deny,chain,id:5000313"
SecRule REQUEST_BODY "src=.+\.php" "t:urldecode,t:lowercase"

# Protections for 'realstatistics' hack
# See https://blog.sucuri.net/2016/07/new-realstatistics-attack-vector-compromising-joomla-sites.html
# Chain: option=com_tags with a serialized-driver or base64_decode marker in the body (case-sensitive).
SecRule QUERY_STRING "option=com_tags" "deny,chain,msg:'Joomla realstatistics hack attempt',id:5000314"
SecRule REQUEST_BODY "(JDatabaseDriverMysql|base64_decode)"

# Chain: POST to a dropped cache.uniq*.php file under /modules/.
SecRule REQUEST_URI "/modules/cache\.uniq.+\.php" "deny,chain,msg:'Joomla realstatistics hack attempt',id:5000315"
SecRule REQUEST_METHOD "POST"

# Detection for https://blog.sucuri.net/2018/08/massive-wordpress-redirect-campaign-targets-vulnerable-tagdiv-themes-and-ultimate-member-plugins.html

SecRule REQUEST_URI "wp-content/uploads/ultimatemember/temp/.+\.php" "deny,id:5000316,msg:'ultimatemember plugin attack',t:lowercase"

# Mitigate vBulletin 5.x command injection. See:
# SOS-1344
# https://seclists.org/fulldisclosure/2019/Sep/31
# https://securityaffairs.co/wordpress/91689/hacking/unpatched-critical-0-day-vbulletin.html
# Chain: routestring=ajax/render/widget_php with a widgetConfig[code] argument present.
# t:none makes both matches case-sensitive.
SecRule ARGS:routestring "ajax/render/widget_php" "phase:2,id:4044036,t:none,auditlog,deny,chain"
SecRule ARGS_NAMES "widgetConfig\[code\]"

# Low risk of false positive
# NOTE(review): the function names are unanchored substrings, so ordinary words also
# satisfy them ("chr" in "chrome", "exec" in "execute", "leak", "system"); wrapping the
# group in \b...\b or requiring a following "(" would narrow it. "echr" looks like a typo.
# The same list is repeated at 5000322 and (shortened) at 4044044.
SecRule REQUEST_URI "/ajax/render/widget_tabbedcontainer_tab_panel" "t:lowercase,chain,deny,id:5000320"
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|file_get_contents|file_put_contents)" "t:lowercase"

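# Some possibility of false positive; whitelist if needed.
# Chain: the tabbed-container endpoint, a subwidgets[N][template] argument whose value
# contains widget_php, and a subwidgets[N][config][code] argument name.
# The ARGS:/.../ selector is a regular expression. It previously read
# "subwidgets[\d+][template]", where "[\d+]" and "[template]" are character classes
# (one digit-or-plus, then one of t/e/m/p/l/a), so it matched names like "subwidgets0t"
# and never the literal "subwidgets[0][template]"; the brackets are now escaped.
SecRule REQUEST_URI "/ajax/render/widget_tabbedcontainer_tab_panel" "t:lowercase,chain,deny,id:5000321"
SecRule ARGS:/subwidgets\[\d+\]\[template\]/ "widget_php" "t:lowercase,chain"
SecRule ARGS_NAMES "subwidgets\[\d+]\[config\]\[code\]" "t:lowercase"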

# POC 2 - low risk of false positive  https://packetstormsecurity.com/files/154648/vBulletin-5.x-Pre-Auth-Remote-Code-Execution.html
# Chain: routestring=ajax/render/widget_php in the query string plus the function-name list
# (unanchored substrings, same caveat as 5000320).
SecRule QUERY_STRING "routestring=ajax/render/widget_php" "t:lowercase,chain,deny,id:5000322"
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|file_get_contents|file_put_contents)" "t:lowercase"

# Some possibility of false positive; whitelist if needed.
# Chain: same entry point with a widgetconfig[code] argument name (lowercased form of 4044036's check).
SecRule QUERY_STRING "routestring=ajax/render/widget_php" "t:lowercase,chain,deny,id:5000323"
SecRule ARGS_NAMES "widgetconfig\[code\]" "t:lowercase"

# Mitigate CVE-2020-12720 via stricter SQLi threshold
# Chain: the getIndexableContent endpoint with a nodeId[nodeid] argument name; the URI is URL-decoded first.
SecRule REQUEST_URI "ajax/api/content_infraction/getIndexableContent" "phase:2,id:'4044043',auditlog,t:none,t:urlDecode,deny,chain"
SecRule ARGS_NAMES "nodeId\[nodeid\]"

# Block probable backdoor attempts in vBulletin backend
# Chain: the saveAdminConfig endpoint with a data[code] argument containing one of the
# listed function names (case-sensitive here, no t:lowercase on the second rule).
SecRule REQUEST_URI "ajax/api/widget/saveAdminConfig" "phase:2,id:'4044044',t:none,auditlog,deny,chain"
SecRule ARGS:data[code] "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)"

## whitelist ##
# Site-specific exclusions are loaded after every rule above; rule-removal directives
# (e.g. SecRuleRemoveById) only take effect when placed after the rule they refer to.
Include "/etc/apache2/conf.d/modsec2/exclude.conf"
Include "/etc/apache2/conf.d/modsec2/whitelist.conf"

Youez - 2016 - github.com/yon3zu
LinuXploit