# ModSecurity (v2 SecRule syntax) virtual-patch and bot-signature rule set.
# Most rules deny requests that match a known exploit URI, a web-shell
# parameter pattern, or a User-Agent/Referer fingerprint seen in brute-force
# and spam traffic against WordPress, Joomla, osCommerce, ZenCart, WHMCS and vB.
#
# NOTE(review): User-Agent, Referer, Cookie and header-count checks are
# client-controlled signals. Treat these rules as noise reduction; they do not
# replace patching the targeted applications or rate-limiting logins.
# NOTE(review): rules that omit "phase:" run in the default phase, and rules
# that omit a disruptive action inherit it from SecDefaultAction. The only
# SecDefaultAction in this file appears far below, so earlier rules depend on
# whatever default is in force before this file is loaded - confirm.
# NOTE(review): "deny" without "status:" answers 403, not the 406 page
# customised below; several rules here omit the status.
# NOTE(review): line breaks in this copy were reconstructed from a collapsed
# listing. A lone "#" followed by a SecRule is read here as an empty comment
# line in front of an active rule - confirm against the deployed file.

# Custom body returned with the 406 status that most deny rules below set.
ErrorDocument 406 "<head><title>Not Acceptable!</title></head><body><h1>Not Acceptable!</h1><p>An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.</p></body></html>"

# Exemption: requests carrying the PayPal IPN User-Agent have rules 900177 and
# 900183 removed for the current transaction.
# NOTE(review): the User-Agent alone selects this exemption, and it is set by
# the client. Consider also requiring the callback URI or the sender's
# published source ranges before removing rules.
SecRule Request_Headers:User-Agent "PayPal IPN \( ?https:\/\/www\.paypal\.com\/ipn ?\)" "id:900191,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=900177,ctl:ruleRemoveByID=900183"

##10.7 Cookie Order Brute
# Under /administrator/, appends every cookie name to tx.cookie_order and
# denies when the accumulated list contains the sequence matched by the last
# chained rule.
SecRule REQUEST_URI "/administrator/" "id:900200,chain,status:406,phase:1,t:none,log,deny,msg:'Request Cookie Ordering Alert: Potential Brute Tool'"
    SecRule REQUEST_COOKIES_NAMES ".*" "chain,setvar:'tx.cookie_order=%{tx.cookie_order}, %{matched_var}'"
    SecRule TX:COOKIE_ORDER ", CHECK, humans, beget"

# xmlrpc.php requests whose User-Agent starts with the malformed
# "Mozilla/4.0 (compatible:" prefix (colon instead of semicolon).
SecRule REQUEST_FILENAME "/xmlrpc\.php" "id:900205,log,deny,status:406,phase:1,t:none,chain,log,msg:'XMLRPC Request UA used in DDOS'"
    SecRule REQUEST_HEADERS:User-Agent "^Mozilla\/4\.0 \(compatible:"

# revslider/kbslider show_image requests whose img parameter names a .php file.
SecRule REQUEST_URI "/wp-admin/admin-ajax\.php\?action\=(revslider|kbslider)_show_image\&img\=.*?\.php" "id:900258,t:urlDecode,status:406,phase:1,log,deny,msg:'Slider LFI Exploit'"

##7.28
# User-Agent value that itself begins with the text "User-Agent: " (a client
# scripting mistake).
SecRule REQUEST_HEADERS:User-Agent "@beginsWith User-Agent: " "id:900242,status:406,phase:1,log,deny,msg:'Fake UA :: User-Agent at start of UA'"

# Specific User-Agent on the login URIs with no Referer header.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Macintosh; U; Intel Mac OS X 10\.6; fr; rv:1\.9\.2\.8\) Gecko\/20100722 Firefox\/3\.6\.8" "id:900243,status:406,phase:1,log,deny,chain,msg:'Wordpress Brute Force'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"

# Specific User-Agents denied on any URI when the request carries no cookies.
# NOTE(review): a first visit from a genuine browser with this User-Agent also
# has no cookies - check the false-positive rate.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(X11; Ubuntu; Linux x86_64; rv:23\.0\) Gecko\/20100101 Firefox\/23\.0" "id:900244,status:406,phase:1,log,deny,chain,msg:'FF23 NoCookie'"
    SecRule &REQUEST_COOKIES "@eq 0"
Secrule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; MSIE 9\.0; Windows NT 6\.1; 125LA; \.NET CLR 2\.0\.50727; \.NET CLR 3\.0\.04506\.648; \.NET CLR 3\.5\.21022" "id:900245,status:406,phase:1,log,deny,chain,msg:'MSIE 9.0 No Cookie'"
    SecRule &REQUEST_COOKIES "@eq 0"

# POSTs into the OptimizePress button-image upload directory.
SecRule REQUEST_URI "/wp-content/uploads/optpress/images_optbuttons/" "id:900246,phase:1,status:406,log,deny,chain,msg:'OptPress Image Upload POST'"
    SecRule REQUEST_METHOD "^POST$" "t:none"
# Plugin readme.txt probing (no status set, so the default deny status applies).
SecRule REQUEST_URI "/wp-content/plugins/[^/]+/readme\.txt" "id:900247,phase:1,log,deny,msg:'Wordpress Plugin README.txt file access attempt'"
SecRule REQUEST_URI "/wp-content/uploads/wp-backup-plus/" "id:900249,phase:1,status:406,log,deny,msg:'Wordpress Backup Plus Unsecured Backdir Access Attept'"
# MailPoet (wysija) theme-upload URI requested with neither Referer nor User-Agent.
SecRule REQUEST_URI "/wp-admin/admin\.php\?page\=wysija_campaigns\&action\=themes\&reload\=1\&redirect\=1" "id:900250,phase:1,status:406,log,deny,chain,msg:'Wordpress MailPoet Upload attempt'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
# Query-string pattern of the WSO web shell: y=/home... together with an
# x/edit/view parameter naming a shell action.
# NOTE(review): no disruptive action (deny/drop) is listed; unless a
# SecDefaultAction loaded before this file supplies one, this rule only logs.
SecRule ARGS_GET:y "/home" "id:900248,phase:1,chain,log,t:none,t:lowercase,status:406,msg:'WSO Shell Block'"
    SecRule ARGS_GET:x|ARGS_GET:edit|ARGS_GET:view "(edit|view|upload|mass|configs|php|symlink|sec|domains|mysql|boom)" "t:none,t:lowercase"

##2.6.13
# NOTE(review): this rule has only "pass,nolog", so it has no effect as
# written. Also, @beginsWith compares a literal string, so the backslash in
# "cpanel\." appears to be matched literally rather than as a regex escape.
SecRule REQUEST_HEADERS:Host "@beginsWith cpanel\." "id:900035,phase:2,t:none,t:lowercase,pass,nolog"

##4.9 -WPBrute
# Exact User-Agent strings seen in WordPress/Joomla login brute forcing.
# 900122 is denied on every URI; 900123 only on the login URIs; the others
# only on the login URIs when no Referer header is sent.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; MSIE 9\.0; WIndows NT 9\.0; en-US\)\)" "id:900122,phase:1,t:none,deny,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; MSIE 9\.0; Windows NT 6\.1; WOW64; Trident\/5\.0; SLCC2; Media Center PC 6\.0; InfoPath\.3; MS-RTC LM 8; Zune 4\.7\)" "id:900123,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
#
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; rv:15\.0\) Gecko\/20120716 Firefox\/15\.0a2" "id:900124,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
#
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.2; WOW64\) AppleWebKit\/537\.15 \(KHTML, like Gecko\) Chrome\/24\.0\.1295\.0 Safari\/537\.15" "id:900125,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
#
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; MSIE 9\.0; Windows NT 7\.1; Trident\/5\.0\)" "id:900126,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
#
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/(5|6)\.0 \(Windows NT 6\.2; WOW64; rv:16\.0\.1\) Gecko\/20121011 Firefox\/16\.0\.1" "id:900127,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
# Rule 900130 is disabled (all three lines commented out).
#SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; MSIE 10\.0; Windows NT 6\.1;( WOW64;)? Trident\/6\.0\)" "id:900130,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
#SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
#SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Macintosh; Intel Mac OS X 10_8_2\) AppleWebKit\/537\.17 \(KHTML, like Gecko\) Chrome\/24\.0\.1309\.0 Safari\/537\.17" "id:900131,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.2; Win64; x64; rv:16\.0\.1\) Gecko\/20121011 Firefox\/16\.0\.1" "id:900132,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; MSIE 9\.0; Windows NT 9\.0; en-US\)" "id:900133,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.2; WOW64\) AppleWebKit\/537\.14 \(KHTML, like Gecko\) Chrome\/24\.0\.1292\.0 Safari\/537\.14" "id:900134,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"

###6.13
# wp-admin / wp-login.php requests with specific User-Agents; 900155 also
# requires that no Accept header is present.
SecRule REQUEST_URI "/wp-(admin|login\.php)" "id:900154,deny,status:406,chain,log,msg:'WP Brute UA block'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; MSIE 8\.0; Windows NT 6\.0; Trident\/4\.0; Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1; SV1\); \.NET CLR 3\.5\.30729\)"
SecRule REQUEST_URI "/wp-(admin|login\.php)" "id:900155,deny,status:406,chain,log,msg:'WP Brute UA block'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; MSIE 10\.0; Windows NT 6\.1; Trident\/6\.0\)" chain
    SecRule &REQUEST_HEADERS:Accept "@eq 0"
###6.17
SecRule REQUEST_HEADERS:User-Agent "User-Agent: Mozilla\/\d\.0 \(compatible;" "id:900156,deny,status:406,log,msg:'Script Error for User-Agent Setting :: Spam/Malware Abuse'"
##9.27 XMLRPC Wordpress Amp Attack
SecRule REQUEST_FILENAME "/xmlrpc\.php" "id:900195,log,deny,status:406,phase:1,t:none,chain,log,msg:'XMLRPC Request UA used in BF'"
    SecRule REQUEST_HEADERS:User-Agent "Internal Wordpress RPC connection"
#OFC Upload Vulnerability 9.25
# Open Flash Chart upload script called with a name= value containing ".php"
# (literal dot or %2E).
SecRule REQUEST_URI "/ofc_upload_image\.php\?name\=.*?(\.|%2E)php" "id:900193,phase:1,t:none,status:406,deny,log,msg:'OFC Upload Exploit :: PHP File Upload Attempt'"
##Date 9.25
# Login URIs + specific MSIE 8 User-Agent + a Cookie2 header of $Version="1".
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)" "id:900192,phase:1,t:none,status:406,deny,chain,log,msg:'Wordpress Brute Force'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; MSIE 8\.0; Windows NT 6\.0; Trident\/4\.0\)" chain
    SecRule REQUEST_HEADERS:Cookie2 "\$Version=\"1\""
# Firefox 18/19 User-Agent on any URI when a CF-Connecting-IP header is present.
# NOTE(review): the optional group here is "(WOW64;)?" with no space before
# it, unlike rule 900139 which uses "; (WOW64; )?" - confirm which spacing the
# observed traffic used.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1;(WOW64;)? rv:1[89]\.0\) Gecko\/20100101 Firefox\/1[89]\.0" "id:900176,phase:1,t:none,chain,status:406,deny,msg:'Cloudflare WP-Brute block'"
    SecRule &REQUEST_HEADERS:CF-Connecting-IP "@eq 1"
SecRule REQUEST_URI "(?:/mod_topic/|/akicmet/|/rus-to-lat/)collector\.php" "id:900180,phase:1,t:none,status:406,deny,msg:'Malicous PHP Mailer'"
#vB Upgrade ADMIN Injection
# POST to /install/upgrade.php with neither Referer nor User-Agent.
SecRule REQUEST_URI "/install/upgrade\.php" "id:900194,phase:1,t:none,chain,status:406,deny,log,msg:'vB Upgrade Admin Injection'"
    SecRule REQUEST_METHOD "POST" chain
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
# /administrator/ + Firefox 18/19 User-Agent + HTTP/1.0 with a Host header.
SecRule REQUEST_FILENAME "\/administrator\/" "id:900139,t:none,chain,log,deny,phase:1,status:406,msg:'Wordpress Brute Force HTTP1.0 w/ HOST'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; (WOW64; )?rv:1[89]\.0\) Gecko\/20100101 Firefox\/1[89]\.0" chain
    SecRule REQUEST_PROTOCOL "^HTTP/1\.0" chain
    SecRule &REQUEST_HEADERS:Host "@eq 1"
##Date 8.16 Wordpress BRUTE HTTP 1.0 w/o Accept header
# This is one of the two rules that rule 900191 removes for PayPal IPN requests.
SecRule REQUEST_URI "/(wp-login\.php|administrator|wp-admin/)" "id:900177,chain,phase:1,t:none,status:406,deny,msg:'Brute Force Attempt HTTP 1.0 w/o Accept Header'"
    SecRule REQUEST_PROTOCOL "^HTTP/1\.0" chain
    SecRule &REQUEST_HEADERS:Accept "@eq 0"
#
# POST to xmlrpc.php with neither Referer nor User-Agent.
SecRule REQUEST_FILENAME "/xmlrpc\.php" "id:900161,log,deny,status:406,phase:1,t:none,chain,log,msg:'XMLRPC Request with no UA/Ref'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
# Web-shell upload and file-edit query strings.
SecRule REQUEST_URI "php\?y\=\/home[^\&]+\&x\=upload" "id:900174,phase:1,t:none,t:urlDecode,status:406,deny,msg:'PHP WebShell Upload Attempt'"
SecRule REQUEST_URI "php\?x\=f\&f\=[^\&]+\&ft\=" "id:900175,phase:1,t:none,t:urlDecode,status:406,deny,msg:'PHP WebShell Edit Attempt'"
# NOTE(review): the action list contains an empty entry ("phase:1,,chain");
# verify the ModSecurity build in use parses it as intended.
SecRule REQUEST_URI "\/wp-content\/plugins\/hello\.php" "id:900140,t:none,phase:1,,chain,log,deny,status:406,msg:'Wordpress hello.php POST attempt'"
    SecRule REQUEST_METHOD "^POST$" "t:none"
# wp-admin / wp-login.php + Firefox 18 User-Agent + "Connection: close".
SecRule REQUEST_URI "/wp-(admin|login\.php)" "id:900148,log,deny,status:406,chain,msg:'Mozilla Header w/ Connection Close'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64; rv:18\.0\) Gecko\/20100101 Firefox\/18" chain
    SecRule REQUEST_HEADERS:connection "close" "t:lowercase"
SecRule REQUEST_URI "/wp-content/.*/mod_system\.php" "id:900144,t:none,log,deny,status:406,msg:'Wordpress WRO Shell Attempt'"
###
#11.26 PHP Execution w/ Comments + Eval|Base64_Decode
# URIs whose query string starts with a PHP open tag followed by a comment and
# eval/base64_decode.
SecRule REQUEST_URI "\?<\?\/\*[^\*]+\*\/(eval|base64_decode)\/\*" "id:900077,phase:1,t:none,t:lowercase,log,deny,msg:'PHP Execution w/ Comments in URI'"
##11.27 Automated Wordpress Exploit Attempt
# "Indy Library" User-Agent on wp-login.php and under /wp-admin/.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/3\.0 \(compatible; Indy Library\)" "id:900078,t:none,chain,log,status:406,deny,msg:'Automated Wordpress Exploit Attempt INDY'"
    SecRule REQUEST_URI "/wp-login\.php"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/3\.0 \(compatible; Indy Library\)" "id:900079,t:none,chain,log,status:406,deny,msg:'Automated Wordpress Exploit Attempt INDY'"
    SecRule REQUEST_URI "/wp-admin/"
##11.30 Automated WP-Login Bad UA
# NOTE(review): "drop" closes the connection, so the "status:406" on this rule
# is presumably never sent; the same combination appears on other drop rules
# in this file.
Secrule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(X11; U; Linux i686; pt-BR; rv:1\.9\.0\.15\) Gecko\/2009102815 Ubuntu\/9\.04 \(jaunty\) Firefox\/3\.0\.15" "id:900080,phase:2,t:none,status:406,log,drop,chain,msg:'Bad UA :: Brute Force Attempt'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
#SecRule REQUEST_HEADERS:Referer "^$"
#12.3 WHMCS GoogleCheckout SQL Injection attempt
# Denies the Google Checkout callback unless the User-Agent matches the
# notification agent string.
# NOTE(review): the User-Agent is the only gate and is set by the client, so
# this limits casual probing only. Prefer patching or removing the callback
# module, or restricting the URI by source address.
SecRule REQUEST_URI "/modules/gateways/callback/googlecheckout\.php" "id:900081,log,chain,deny,phase:1,msg:'WHMCS Google Checkout SQL Injection Attempt'"
    SecRule REQUEST_HEADERS:User-Agent "!(Google Checkout Notification Agent \d\.\d)"
##Date 12.4.12 Automated Exploitation Attempt
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; Synapse\)" "id:900082,log,deny,chain,status:406,phase:2,msg:'Automated Exploitation Tool'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule REQUEST_URI "/(templates|administrator)/"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/3\.0 \(compatible; Indy Library\)" "id:900083,t:none,chain,log,status:406,deny,msg:'Automated Joomla Exploit Attempt INDY'"
    SecRule REQUEST_URI "/(templates|administrator)/"
##Date 12.7 PHP DDOS
SecRule REQUEST_URI "\.php(?:\?|\&)act\=phptools(?:\?|\&)host\=" "id:900084,log,deny,phase:1,deny,msg:'PHP Tools DDOS Attempt'"
#12.5 Wordpress BING UA
# wp-login.php requested with the bingbot User-Agent ("chain" is listed twice
# in the action list).
SecRule REQUEST_URI "/wp-login\.php" "id:900184,phase:1,t:none,t:lowercase,chain,status:406,log,deny,chain,msg:'Wordpress BRUTE w/ Bing UA'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; bingbot\/2\.0; \+http:\/\/www\.bing\.com\/bingbot\.htm\)" "t:none"
##Date 12.11
# Drops requests whose "pass" argument contains a password string associated
# with the Brobot toolkit.
# NOTE(review): this runs in phase 1, where ARGS holds query-string arguments
# only; request-body arguments are parsed for phase 2, so a POSTed "pass"
# field is not inspected by this rule as written.
SecRule ARGS:pass "FgYuD@37" "id:900086,phase:1,drop,log,msg:'Brobot w/ known password'"
##3.20 Bad UA for Joomla Brute/WP Brute and dvmessages install
SecRule REQUEST_URI "(\/administrator\/|wp-login\.php)" "id:900113,phase:2,t:none,status:406,chain,log,deny,msg:'Bad UA :: Known for Brute Forcing'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 6\.0; en-US; rv:1\.9\.0\.3\) Gecko\/2008092417 Firefox\/3\.0\.3$"
##3.22 Joomla/WP Brute and SPAM UA block
SecRule REQUEST_URI "(\/administrator\/|wp-login\.php|wp-comments-post\.php|submit\.php)" "id:900115,phase:2,t:none,status:406,chain,log,deny,msg:'Bad UA :: Known for Brute Forcing and Spam'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 5\.1; en-US; rv:1\.9\.1\.3\) Gecko\/20090824 Firefox\/3\.5\.3 GTB5$"
###3.26 BroBOT Brute UA
SecRule REQUEST_URI "(\/administrator\/|wp-login\.php|wp-comments-post\.php|submit\.php)" "id:900117,phase:2,t:none,status:406,chain,log,deny,msg:'Bad UA :: Known for Brute Forcing and Spam'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 6\.0; en-US; rv:1\.9\.0\.3\) Gecko\/2008092417 Firefox\/3\.0\.3"
##Date 12.12
#/components/com_ag_google_analytics2/
# POSTs into directories that should only serve static or plugin-internal files.
SecRule REQUEST_URI "/components/com_ag_google_analytics2/" "id:900087,phase:2,chain,deny,log,msg:'Exploited Joomla Shell Access Attempt'"
    SecRule REQUEST_METHOD "^POST$" "t:none"
##Date 12.12 Akismet WSO Shell
SecRule REQUEST_URI "/wp-content/plugins/akismet/" "id:900088,phase:2,chain,deny,status:406,chain,log,msg:'Wordpress COMP Akismet Attempt'"
    SecRule REQUEST_METHOD "^POST$" "t:none"
##DAte 12.14
SecRule REQUEST_URI "/monetize/general/upload-file\.php" "id:900090,phase:1,deny,status:406,log,msg:'Exploited THEME Upload attempt'"
SecRule REQUEST_URI "/themes/mantra/admin/upload-file\.php" "id:900091,phase:1,deny,status:406,log,msg:'Exploited THEME Upload attempt'"
#9.17 Joomla BF w/ Bing UA
SecRule REQUEST_URI "\/administrator\/" "id:900072,phase:1,t:none,t:lowercase,chain,log,status:406,deny,chain,msg:'Joomla Admin BRUTE w/ Bing UA'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; bingbot\/2\.0; \+http:\/\/www\.bing\.com\/bingbot\.htm\)" "t:none"
##12.26 Wordpress GSM :: 1.2.13 update eval mod
SecRule REQUEST_URI "wp-content/plugins/[^/]+/gsm.php" "id:900092,deny,phase:2,log,status:406,msg:'GSM.PHP Shell access attempt'"
# Any request, on any URI, with an argument act=eval.
SecRule ARGS:act "^eval$" "id:900093,deny,log,phase:2,status:406,msg:'PHP Shell eval action attempt'"
##12.31
# User-Agent ending in a bare "Mozilla/5.0", except for cron.php and URIs that
# begin with /?automatorsecretkey.
Secrule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0$" "id:900095,phase:2,t:none,status:406,log,chain,deny,msg:'Bad UA :: Fake Mozilla Agent'"
    SecRule REQUEST_FILENAME "!(cron\.php)" chain
    SecRule Request_URI "!@beginsWith /?automatorsecretkey"
##1.3 168.167.249.98 - - [03/Jan/2013:16:55:57 -0600] "POST /plugins/system/dvmessages.php HTTP/1.1" 200 10 "-" "Mozilla/5.0 Firefox/3.6.12"
Secrule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 Firefox\/\d\.\d\.\d+$" "id:900096,phase:2,t:none,status:406,log,deny,msg:'Bad UA :: Fake Mozilla Agent'"
##1.4 WHMCS 5.x Auth bypass http://packetstormsecurity.com/files/119234/whmcs5-bypass.txt
SecRule REQUEST_URI "login\.php\?correct\&cache\=1\?login\=getpost\{\}" "id:900097,phase:2,t:none,log,deny,msg:'WHMCS 5.x Admin Bypass via Cache exploit'"
##1.4 JCE exploit attempts
# JCE image-manager URIs requested without a Referer (900100, 900101) or with
# a specific MSIE 6 User-Agent (900147).
SecRule request_uri "index\.php\?option\=com_jce\&task\=plugin\&plugin\=imgmanager\&file\=imgmanager\&method\=form" "id:900100,phase:2,t:none,log,chain,deny,msg:'JCE Exploit Attempt'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
SecRule request_uri "index\.php\?option\=com_jce\&task\=plugin\&plugin\=imgmanager\&file\=imgmanager\&version\=\d+\&cid\=\d+" "id:900101,phase:2,t:none,log,chain,deny,msg:'JCE Exploit Attempt CHECK'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
SecRule request_uri "index\.php\?option\=com_jce\&task\=plugin\&plugin\=imgmanager\&file\=imgmanager\&method\=form" "id:900147,phase:2,t:none,log,chain,deny,msg:'JCE Exploit Attempt'"
    SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)" "t:none"
##1.11 IE6 Block for brute force/spam prevention
SecRule REQUEST_HEADERS:User-Agent "^Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1; SV1\)$" "id:900102,chain,status:406,deny,t:none,msg:'IE6 UA Block to prevent brute force and comment spam'"
    SecRule REQUEST_URI "/(wp-(login|comments-post)\.php|administrator/|components/k2/|index\.php\?option\=com_k2)"
##1.15 Mailer / Fake LICESNE.php access attempt
SecRule REQUEST_URI "/LICESNE\.php" "id:900104,status:406,deny,t:none,msg:'Misspelled Licesne access attempt. WSO Shell'"
##1.29 SWFupload/js/upload.php BLOCK
# Allows the SWFupload endpoint only for Flash/Java client User-Agents.
# NOTE(review): as with rule 900081, the User-Agent is client-controlled; this
# does not authenticate the uploader.
SecRule REQUEST_URI "/js/swfupload/js/upload\.php" "id:900110,chain,phase:2,deny,status:406,msg:'SWFupload UPLOAD block'"
    SecRule REQUEST_HEADERS:User-Agent "!(^Shockwave Flash$|^Adobe Flash Player \d+$|^Java/\d+\.\d+\.\d+_\d+$)" "t:none"
##1.31 Wordpress direct path 404 theme page POST
SecRule REQUEST_URI "/wp-content/themes/[^/]+/404\.php" "id:900111,chain,phase:2,deny,status:406,msg:'Wordpress THEME 404 page POST attempt :: Possible Injection Attempt'"
    SecRule REQUEST_METHOD "POST" "t:none"
# wordpres db cache
SecRule Request_URI "/wp-content/w3tc/dbcache/" "id:900094,phase:1,t:none,status:406,deny,msg:'WP DB Cache Block'"
## HTTP_CMD Attempt Blocked :: Used in passthru like <?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?>
# Requests carrying a header literally named "cmd" or "nessus_cmd".
Secrule REQUEST_HEADERS_NAMES "^cmd$" "id:900073,t:lowercase,log,deny,msg:'HTTP_CMD Header attempted'"
Secrule REQUEST_HEADERS_NAMES "^nessus_cmd$" "id:900074,t:lowercase,log,deny,msg:'NESSUS_CMD Header from nessus cmdline tool'"
##Upload rule 900061
# POSTs to uploadify.php without a Referer: 900054 when the User-Agent is not
# a Flash/Java client, 900061 when there is no User-Agent at all.
SecRule REQUEST_URI "/uploadify\.php" "id:900054,phase:2,t:none,t:lowercase,log,deny,chain,msg:'Upload Attempt w/o Referer'"
    SecRule REQUEST_METHOD "POST" "t:none,chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
    SecRule REQUEST_HEADERS:User-Agent "!(^Shockwave Flash$|^Adobe Flash Player \d+$|^Java/\d+\.\d+\.\d+_\d+$)" "t:none"
SecRule REQUEST_URI "/uploadify\.php" "id:900061,phase:2,t:none,t:lowercase,log,deny,chain,msg:'Upload Attempt w/o Referer'"
    SecRule REQUEST_METHOD "POST" "t:none,chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
##DDOS Script. startphp variant
# NOTE(review): @endsWith compares a literal string, so the backslashes in
# "\?action\=status" appear to be matched literally and this rule would not
# fire on a URI ending in "?action=status". Confirm, and drop the escapes or
# switch to a regex if so.
SecRule REQUEST_URI "@endsWith \?action\=status" "id:900065,phase:1,t:none,deny,chain,capture,msg:'DDOS Status Report'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
SecRule Request_URI "\?action\=start\&time_s\=\d*\&time_e\=\d+" "id:900066,phase:1,t:none,deny,capture,msg:'DDOS Self Spawn'"
SecRule Request_URI "\?action\=start\&protocol\=(?:tcp|udp)\&time_s\=\d*\&time_e\=\d+" "id:900067,phase:1,t:none,deny,capture,msg:'DDOS Self Spawn'"
# Known flood-script file names requested with neither Referer nor User-Agent.
SecRule SCRIPT_BASENAME "indx\.php" "id:900068,phase:1,t:none,deny,chain,capture,msg:'DDOS indx.php request::No UA/Ref'"
    SecRule REQUEST_METHOD "POST" "t:none,chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
SecRule SCRIPT_BASENAME "stc?ph?\.php" "id:900069,phase:1,t:none,deny,chain,capture,msg:'DDOS stcp.php request::No UA/Ref'"
    SecRule REQUEST_METHOD "POST" "t:none,chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
# NOTE(review): the msg text names stcp.php but this rule matches stmdu.php,
# which makes log triage harder; it also has no REQUEST_METHOD condition,
# unlike the two rules above.
SecRule SCRIPT_BASENAME "stmdu\.php" "id:900070,phase:1,t:none,deny,chain,capture,msg:'DDOS stcp.php request::No UA/Ref'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
##DDos Script
SecRule REQUEST_URI "port\=\d+\&ipbc\=\d+\.\d+\.\d+\.\d+\&mod\=(?:udp|tcp)\&time\=\d+" "id:900075,t:none,log,deny,msg:'PHP DDOS Attempt'"
##No UA/REF VB template edit
SecRule REQUEST_URI "\/admincp\/template\.php\?do\=updatetemplate" "id:900167,phase:1,t:none,t:lowercase,log,deny,chain,msg:'VB Template Update :: No UA/Ref'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
#Joomla no UA/Referer Block
SecRule REQUEST_URI "\/index\.php\?option\=com_templates\&layout\=edit" "id:900063,phase:1,t:none,deny,chain,capture,msg:'No UA/Referer with Joomla theme edit'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
#Joomla JCE Exploit bot UA
SecRule REQUEST_HEADERS:User-Agent "BOT\/0\.1 \(BOT for JCE\)" "id:900064,phase:1,t:none,deny,capture,msg:'JCE Exploit bot'"
# /inc/upload no REFERER
# NOTE(review): this rule uses "pass", so it logs the request but does not
# block it, despite the msg text.
SecRule Request_URI "\/inc\/upload\.php" "id:9000049,phase:2,t:none,t:lowercase,log,pass,chain,msg:'Inc Upload Exploit NO Referrer'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
#
##Joomla NoNumber Framework Block
SecRule REQUEST_URI "/index\.php\?nn_qp\=\d\&url\=" "id:9000045,phase:2,t:none,t:urlDecodeUni,t:lowercase,log,deny,chain,msg:'Joomla NoNumber Framework Exploit'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
#WooTheme Block
SecRule REQUEST_URI "preview-shortcode-external\.php\?shortcode\=(%5B|\[)php(%5D|\])" "id:900050,phase:2,t:none,log,status:406,deny,msg:'WooTheme Exploit'"
#WP 404 Login attempt w/ comped password
# NOTE(review): "[^(%2F|/)]+" is a character class, not an alternation: it
# excludes the individual characters ( % 2 F | / ) rather than the two
# sequences. The rule may still match the observed traffic - confirm.
SecRule REQUEST_URI "wp-login\.php\?redirect_to\=http(%3A|:)(%2F|/)(%2F|/)[^(%2F|/)]+(%2F|/)wp-admin(%2F|/)theme-editor(\.php)?(\?|%3F)file(\=|%3D)(%252F|\%2F|\/)themes(%252F|\%2F|\/)[^(%252F|\%2F|\/)]+(%252F|\%2F|\/)404\.php" "id:900051,phase:2,t:none,t:urlDecode,log,status:406,deny,msg:'Exploited WP-Login attempt :: 404'"
#Wordpress Functions.php
SecRule REQUEST_URI "\?cperpage\=1" "id:900053,phase:2,t:none,t:lowercase,log,status:406,deny,msg:'Wordpress functions.php Admin Bypass'"
## Bad UA Brute
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 5\.1; ru; rv:1\.9\.2\.3\) Gecko\/20100401 Firefox\/3\.6\.3" "id:9000044,phase:2,t:none,log,drop,status:406,chain,msg:'Bad UA :: Brute Force Attempt'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
#osDate RFI
# config[...]=http in the URI after URL and HTML-entity decoding.
SecRule REQUEST_URI "config(%5B|\[)\S+(%5D|\])=http" "id:9000040,phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,deny,log,msg:'RFI via osDate Forum module'"
#Sql COMMENT block
# SQL keyword placed directly after a "/*" or "/*!" comment opener, checked in
# cookies, file name, argument names/values and XML content.
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(\/\*\!? ?(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe|union|concat|group_concat))" "phase:2,rev:'2.2.2',id:9000042,t:none,t:urlDecodeUni,t:lowercase,deny,msg:'SQL Comment Sequence Detected.',capture,logdata:'%{tx.0}'"
#Known bad UA
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.76 \[en\] \(Win98; U\)" "id:9000038,phase:1,t:none,deny,status:406,log,msg:'Known Exploiting User-Agent :: Not Valid'"
SecRule REQUEST_HEADERS:User-Agent "Chilkat\/1\.\d\.\d \(\+http:\/\/www\.chilkatsoft\.com\/ChilkatHttpUA\.asp\)" "id:9000145,phase:1,t:none,deny,log,msg:'Know BAD User-Agent'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; Win32; WinHttp\.WinHttpRequest\.5\)" "id:9000043,t:none,status:406,chain,deny,msg:'Bad UA :: Brute Force Attempt'"
    SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php|xmlrpc\.php)"
#SecRule REQUEST_URI "/wp-login\.php"
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; MSIE 8\.0; Windows NT 6\.1; WOW64; Trident/4\.0; SLCC2; \.NET CLR 2\.0\.5.727; \.NET CLR 3\.5.30729; \.NET CLR 3\.0\.30729; Media Center PC 6\.0; MAAR; \.NET4\.0C; \.NET4\.0E; AskTbPTV2/5\.9\.1\.14019\)" "id:9000039,phase:1,t:none,deny,status:406,log,msg:'Known Exploiting User-Agent :: Not Valid'"
# Wordpress Exploit Comped Pass:: Referer/UA Present
# (As written, rule 900036 matches when the Referer and User-Agent headers are
# absent: both counts are compared with 0.)
SecRule REQUEST_URI "/(wp-login\.php|toolspack\.php|wp-admin/plugin-install\.php|wp-admin/update\.php|startphp\.php|static\/ajax\.php\?do\=\/ad\/complete\/$)" "id:900036,phase:2,t:none,t:lowercase,log,drop,status:406,chain,msg:'Wordpress BOT exploit :: No UA/Referer'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
# Wordpress Exploit Comped Pass :: Referer/UA Empty
# (Same URIs; matches when both headers are present but empty.)
SecRule REQUEST_URI "/(wp-login\.php|toolspack\.php|wp-admin/plugin-install\.php|wp-admin/update\.php|startphp\.php|static\/ajax\.php\?do\=\/ad\/complete\/$)" "id:9000037,phase:2,t:none,t:lowercase,log,drop,chain,status:406,msg:'Wordpress BOT exploit :: Empty UA/Referer'"
    SecRule REQUEST_HEADERS:Referer "^$" chain
    SecRule REQUEST_HEADERS:User-Agent "^$"
#Joomla Component OzioGallery WritetoFile block
# NOTE(review): t:lowercase is applied to the URI before matching, but the
# pattern contains the mixed-case "writeToFile", so this rule cannot match as
# written. Lower-case the pattern or drop the transformation.
SecRule REQUEST_URI "/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile\.php" "id:900034,rev:1,t:lowercase,severity:2,log,deny,chain,msg:'Joomla Oziogallery2 Block'"
    SecRule REQUEST_METHOD "^POST$" "t:none"
#Joomla Token Reset Request
# POSTs to the com_user reset views/tasks without a Referer.
SecRule REQUEST_URI "\?option\=com_user\&view\=reset\&layout\=confirm" "id:900032,rev:1,t:lowercase,severity:2,log,deny,chain,msg:'Joomla RESET request without refferer'"
    SecRule &REQUEST_HEADERS:REFERER "@eq 0" chain
    SecRule REQUEST_METHOD "^POST$" "t:none"
SecRule REQUEST_URI "\?option\=com_user\&task\=(complete|confirm)reset" "id:900033,rev:1,t:lowercase,severity:2,log,deny,chain,msg:'Joomla RESET request without refferer'"
    SecRule &REQUEST_HEADERS:REFERER "@eq 0" chain
    SecRule REQUEST_METHOD "^POST$" "t:none"
#TimThumb /cache/ 32 md5sum.php block.
SecRule REQUEST_URI "/cache/(?:external_)?[0-9a-z]{32}\.php" "id:900031,rev:1,t:lowercase,severity:2,log,status:406,deny,msg:'TimThumb Upload CACHE attempt'"
## Zen-Photo Ajax File Manager Exploit
# 9990028 matches the folder-creation script when the request has no arguments.
SecRule Request_URI "/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php" "log,phase:2,deny,id:9990028,chain,msg:'Ajax File Manager Exploit'"
    SecRule &ARGS ^0$
SecRule Request_URI "/class.images.php\?truecss\=1" "log,phase:2,deny,id:9990029,msg:'Ajax File Manager Exploit 2'"
SecRule Request_URI "/date.php\?truecss\=1" "log,phase:2,deny,id:9990030,msg:'Ajax File Manager Exploit 3'"
SecRule REQUEST_URI "(?:cookies|showimg|truecss)\=1&(?:showimg|cookies|truecss)\=1" "log,phase:1,deny,id:'9990026',msg:'OSCommerce Backdoor Exploit'"
# Raises the PCRE match limits for all rules.
# NOTE(review): higher limits let long regex evaluations run to completion but
# also increase the CPU a single crafted request can consume against the
# heavily optional patterns below (e.g. rule 999995). ModSecurity's stock
# default is believed to be 1500 - confirm for the build in use.
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000
# Default action list for rules that follow in this configuration context;
# rules above this line are not affected by it.
SecDefaultAction "phase:2,deny,log"
##Wordpress 1-flash-gallery Uploadify
SecRule REQUEST_URI "/wp-content/plugins/1-flash-gallery/upload\.php\?action\=uploadify&fileext\=php" \
    "id:900020,rev:1,severity:2,status:406,log,deny,msg:'Wordpress 1-Flash-Gallery Uploadify PHP upload'"
SecRule REQUEST_URI "/wp-content/uploads/fgallery/" \
    "id:900021,rev:1,severity:2,log,deny,status:406,chain,msg:'Wordpress 1-Flash-Gallery Upload Dir POST attempt'"
    SecRule REQUEST_METHOD "^POST$" "t:none"
# Rule 310019: WEB-MISC mod_gzip_status access
# Log-only rule (log,pass).
SecRule REQUEST_URI "/mod_gzip_status" "log,pass,id:310019"
#block proc/self/environ requests
# NOTE(review): transformations run in the order listed, so t:normalisePath is
# applied before t:urlDecode here. Decoding first (urlDecode, then
# normalisePath, then lowercase) would normalise the decoded path instead.
SecRule REQUEST_URI "proc/self/environ" "id:999997,phase:1,t:none,t:lowercase,t:normalisePath,t:urlDecode,log,drop,msg:'proc environ'"
# block r57 and c99shell
SecRule REQUEST_URI "c99\.php|r57shell\.php|r57\.php|c99\.txt" \
    "id:900010,rev:1,phase:1,severity:2,drop,msg:'c99 variant '"
SecRule REQUEST_URI "concat\(username,0x3a,activation" \
    "id:900011,rev:1,severity:2,deny,msg:'attempted sql injection '"
SecRule REQUEST_URI "tmp/x-shell" \
    "id:900012,rev:1,severity:2,deny,msg:'attempted tmp/x-shell '"
SecRule REQUEST_URI "fwriteq\.php\?ipaddr=" \
    "id:900014,rev:1,severity:2,deny,msg:'attempted UDP flood 2'"
### ZEN
# Admin script path followed by /password_forgotten.php (ZenCart virtual patch).
SecRule REQUEST_URI "/(admin|banner_manager|product|sqlpatch|define_pages_editor|orders|record_company)\.php/password_forgotten\.php" \
    "log,deny,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:320757,rev:4,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Patch: ZenCart Sql Injection Exploit',logdata:'%{TX.0}'"
# NOTE(review): the id below is written with leading zeros (000014); confirm
# how the engine and log tooling normalise it so it stays unique and searchable.
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.76 \[ru] \(X11; U; SunOS 5\.7 sun4u\)" \
    "log,drop,id:000014,rev:1,status:406,severity:2,msg:'attempoted e107 exploit '"
# The pattern matches the misspelling "Mozila" used by the tool's User-Agent.
SecRule REQUEST_HEADERS:User-Agent "Mozila/4\.0 \(compatible;\s+MSIE 6\.0;\s+Windows NT 5\.1;\s+SV1; MyIE2;" \
    "id:900016,log,deny,phase:2,rev:1,status:406,severity:2,msg:'JITP: 900016 improper Mozilla useragent with MyIE2 osCommerce exploit attempt '"
# Base64-carrying User-Agents: 900017 matches a fixed base64 prefix, 900018
# base64-decodes the header and looks for "file_get_contents".
SecRule REQUEST_HEADERS:User-Agent "@beginsWith ZWNobyAiSXQgV29ya3MiO" \
    "id:900017,log,deny,phase:1,rev:1,severity:2,msg:'JITP: 900017 Base64 Useragent TEST'"
SecRule REQUEST_HEADERS:User-Agent "@contains file_get_contents" \
    "id:900018,log,deny,phase:1,rev:1,t:base64Decode,severity:2,msg:'JITP: 900018 Base64 Useragent TEST'"
# Exemption for redirect/cl2.php.
# NOTE(review): "allow" ends rule processing for the whole transaction and
# "nolog" hides it, while the pattern is an unanchored regex over the full
# REQUEST_URI (query string included, "." unescaped). The exemption is
# therefore much wider than one script. Prefer an anchored match on
# REQUEST_FILENAME, or ctl:ruleRemoveById for only the rules that
# false-positive on this script.
SecRule REQUEST_URI "redirect/cl2.php" "nolog,phase:1,allow,id:310012"
SecRule REQUEST_URI "tiny_?mce/plugins/tinybrowser/upload(_file)?\.php\?(\S+?\=\S+?)?(\&|\?type\=\S+?&)?folder" "id:999991, phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,deny,log,msg:'JITP:TinyMCE Upload'"
# Flood-script control URIs: a host/ip/target IPv4 value with port and time
# parameters, in either order.
SecRule Request_URI "(?:\?|&)(?:host|ip|target)=(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?:&port=[0-9]+|&time=[0-9]+){2}" "id:900056,rev:1,severity:2,drop,msg:'JITP:gatorattack1'"
SecRule Request_URI "(?:\?|&)(?:port|time)\=\d+(?:\?|\&)(?:port|time)\=\d+(?:\?|\&)(?:host|ip|target)=(?:[0-9]{1,3}\.){3}[0-9]{1,3}" "id:900062,rev:1,severity:2,drop,msg:'JITP:gatorattack2'"
#####
# 1235235 New OS Commerce (file_manager\.php|categories\.php|administrators\.php|banner_manager\.php|define_language\.php) exploit prevention
SecRule Request_URI "admin\/(?:file_manager|categories|orders|admin_members|administrators|banner_manager|define_language|manufacturers|backup|configuration|modules|orders)\.php\/login(_admin)?\.php" "id:1235235,phase:1,deny,t:none,t:htmlEntityDecode,t:lowercase,capture,deny,log,msg:'JITP:1235235 OS Commerce Protection'"
# User-Agent ending in "Havij".
SecRule REQUEST_Headers:User-Agent "@endsWith Havij" "id:900119,deny,t:none,phase:1,status:406,msg:'Havik SQL Injection rool'"
# 1235236 block password_forgotten.php exploit
# NOTE(review): the "t:-name" entries below are not a transformation syntax
# this review could confirm; verify how the engine in use interprets them.
SecRule Request_URI "(password_forgotten|cookie_usage)\.php\?((cookies|showimg)\=1)+(language\=[a-z]{1,7})?(?:&(cookies|showimg)\=1)*" "id:1235236,log,deny,phase:1,status:403,t:-lowercase,t:-replaceNulls,t:-compressWhitespace,rev:1,severity:2,msg:'JITP: 1235236 osCommerce password_forgotten exploit attempt '"
# 9993339 sql.php SQL Hacking Tool
# (The comment above says 9993339; the rule id is 999333.)
SecRule REQUEST_URI "/sql.php\?action\=(logon|listdb)" "id:999333,deny,t:none,t:lowercase,phase:2,rev:1,severity:2,msg:'SQL.php Exploit'"
# No disruptive action is listed on 999811; it relies on the SecDefaultAction
# declared above.
SecRule REQUEST_URI "(?:showimg\=1)?(?:language\=([a-z]{1,7})&lang\=\1&lng\=\1)(?:&(cookies|showimg)\=1)+" "id:999811,phase:2,t:none,t:lowercase,capture,rev:1,severity:4,msg:'OSCommerce Language Sessions Exploit attempt'"
SecRule Request_URI "/fckeditor/editor/filemanager/connectors/test\.html" "id:999009,deny,phase:2,rev:1,severity:2,msg:'Fckeditor exploit'"
SecRule REQUEST_URI "/uploadify/uploadify\.php\?fileext=(?:php|cl|cgi)" "id:999050,deny,phase:2,rev:1,severity:2,msg:'Uploadify Exploit'"
# ZenCart password_forgotten.php with action=insert and code-like content in
# the arguments or body.
SecRule REQUEST_URI "/password_forgotten\.php" \
    "log,deny,auditlog,t:urlDecodeUni,t:lowercase,chain,id:390637,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Patch: Zencart PHP code injection attack'"
    SecRule ARGS:action "^insert$" chain
    SecRule ARGS|REQUEST_BODY "(php|;+|shell_exec|wget|system\()"
#/index.php?main_page=conditions//admin/record_company.php/password_forgotten.php?action=insert
SecRule REQUEST_URI "/password_forgotten\.php" \
    "log,deny,auditlog,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,t:lowercase,chain,id:390638,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Patch: Zencart PHP code injection attack'"
    SecRule ARGS:admin_email "(union select|php|;+|shell_exec|wget|system\()"
# Probes for phpMyAdmin setup/config scripts under many directory-name variants.
SecRule REQUEST_URI "/_?#?(?:(?:p(?:ma_?(?:bd)?)?(?:hp)?)?\d?)?-?(?:mya?d?)?(?:sql)?\d?_?-?(?:php(?:as)?)?(?:db)?(?:(database)?ad?mm??i?n?s?(?:istrator)?(?:\.old)?)?-?_?(?:(?:(?:\d\.?){1,5})?-?(?:pl\d?|rc\d?|beta\d?)?)/(scripts/setup|config/config\.inc)\.php" \
    "id:999995,log,drop,auditlog,t:lowercase,phase:1,rev:2,severity:4,msg:'PHPMyadmin Script Attack'"
# NOTE(review): in "\.php?Command=" the "?" is unescaped, so it makes the
# preceding "p" optional instead of matching a literal question mark; the
# pattern then does not match ".php?Command=...". It should read
# "\.php\?Command=" if the literal query separator is intended.
SecRule REQUEST_URI "/connectors/php/(?:config|connector)\.php?Command=FileUpload&CurrentFolder=" "id:998001,deny,phase:2,rev:1,severity:2,msg:'TinyMCE Upload Vuln'"
# File names with a PHP extension followed by an image/media extension
# (returns 412 rather than 406).
SecRule REQUEST_FILENAME "\.php[456]?_?\d?\.(asf|asx|avi|bmp|gif|ico|jpe|jpeg|jpg|png|tif|tiff|wax|wmv|wmx)$" "id:900055,deny,status:412,log,msg:'Fake Image Extension'"
SecRule REQUEST_URI "/incl/upload\.inc\.php\?allowupload\=1&upload\=1" "id:998002,deny,phase:1,t:none,t:lowercase,rev:1,severity:2,msg:'WP-FileManager - PHPFM Upload Exploit'"
Secrule REQUEST_URI "\/dvmessages\.php" "id:900114,phase:2,t:none,status:404,log,deny,msg:'BroBOT dvmessages request'"
## Wordpress BruteForce
# This has to be global, cannot exist within a directory or location clause . . .
# Initialises the persistent "ip" and "user" collections, both keyed by the
# client address.
# NOTE(review): persistent collections presumably need SecDataDir configured
# elsewhere. Behind a proxy or CDN, REMOTE_ADDR may be the proxy address,
# which would make all of its users share one counter - verify.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:900999
SecCollectionTimeout 900
<Files wp-login.php>
    # Setup brute force detection.
    # React if block flag has been set.
    #SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'Wordpress Brute Force 15 attempts in 3 Mins. 5 Min block'"
    SecRule user:bf_block "@gt 0" "id:900998,deny,status:406,log,msg:'Wordpress Brute Force 15 attempts in 3 Mins. 5 Min block'"
    # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    # A 302 resets ip.bf_counter. A 200 adds 1 to it, and the counter decays by
    # 1 every 120 seconds. Once it exceeds 10, user.bf_block is set for 300
    # seconds and the counter is reset.
    # NOTE(review): the msg text says "15 attempts in 3 Mins" but the values
    # here are a threshold of more than 10 and a decay of 1 per 120 seconds.
    # There is no REQUEST_METHOD condition, so every 200 response for
    # wp-login.php counts, including plain views of the login form.
    SecRule RESPONSE_STATUS "^302" "id:900997,phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
    SecRule RESPONSE_STATUS "^200" "id:900996,phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/120"
        SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Files>
# POST arguments containing "TABLEJOIN" (WHMCS). This inspects the request
# body, which the LocationMatch sections below enable for specific WHMCS pages.
secrule ARGS_POST "TABLEJOIN" "id:89006,status:406,t:none,t:urldecode,deny,msg:'WHMCS TableJOIN Exploit Attempt'"
# NOTE(review): with ProcessPartial, a body larger than the configured limit
# is inspected only up to that limit and the request continues; content past
# the limit is not seen by the rules. Confirm the limit suits these forms.
<LocationMatch /c(art|lientarea)\.php>
    SecRequestBodyAccess On
    SecRequestBodyLimitAction ProcessPartial
</LocationMatch>
<LocationMatch /view(ticket|quote|email)\.php>
    SecRequestBodyAccess On
    SecRequestBodyLimitAction ProcessPartial
</LocationMatch>
<LocationMatch /su(bmitticket|pporttickets)\.php>
    SecRequestBodyAccess On
    SecRequestBodyLimitAction ProcessPartial
</LocationMatch>
# POSTs into CMS content directories that carry exactly 4 headers (900183) or
# exactly 5 headers including "Expect: 100-continue" (900185), with neither
# Referer nor User-Agent. Rule 900183 is removed for PayPal IPN requests by
# rule 900191.
# NOTE(review): exact header counts change when a proxy or CDN in front of the
# server adds headers; re-check these after any change to the request path.
SecRule REQUEST_URI "/(components|plugins|wp-content|templates|wp-admin|images|modules)/" "id:900183,chain,phase:1,t:none,status:406,deny,msg:'UA Spam POST http 1.1 w/ close '"
    SecRule &REQUEST_HEADERS "@eq 4" "chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none,chain"
    SecRule REQUEST_METHOD "^POST$" "t:none"
SecRule REQUEST_URI "/(components|plugins|wp-content|templates|wp-admin|images|modules)/" "id:900185,chain,phase:1,t:none,status:406,deny,msg:'UA Spam POST http 1.1 w/ close '"
    SecRule &REQUEST_HEADERS "@eq 5" "chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none,chain"
    SecRule REQUEST_HEADERS:Expect "100-continue" "t:none,chain"
    SecRule REQUEST_METHOD "^POST$" "t:none"
# POSTs to any file path containing /collector.php.
SecRule REQUEST_FILENAME "/collector\.php" "id:900189,status:406,phase:1,t:none,log,chain,deny,msg:'PHP Mailer :: Collector'"
    SecRule REQUEST_METHOD "^POST$" "t:none"
#
#
#