Shell&Cgi Engellemek [linux]

Spinkkz

Öncelikle ister terminal üzerinden, ister WinSCP ile sunucumuza bağlanıp
Kod:
/usr/local/apache/conf/
klasörüne giriyoruz.
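Klasörün içindeki "modsec2.user.conf" dosyasını açıyoruz (değiştirmeden önce dosyanın yedeğini alın).
İçine aşağıdaki kuralları yerleştiriyoruz. Dikkat: listede hem ModSecurity 2.x (SecRule) hem de ModSecurity 1.x (SecFilter, SecFilterSelective, SecFilterDefaultAction vb.) sözdizimi bir arada duruyor; ModSecurity 2.x, SecFilter ile başlayan yönergeleri tanımaz, bu yüzden yalnızca kurulu sürüme uyan bölümü kullanın. Ayrıca forum yazılımı bazı çift tırnakları "-" olarak bozmuş görünüyor; kuralları yapıştırmadan önce tırnakları düzeltin ve Apache'yi yeniden başlatmadan önce "apachectl configtest" ile yapılandırmayı sınayın.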
Kod:
# Match requests whose body or URI contains the file name of a known CGI/Perl web shell.
# Each pattern is an unanchored regular expression, so an unescaped "." (as in "dm.cgi")
# matches any character, not only a literal dot.
# No action list is given on these rules, so what happens on a match depends on the default
# action configured elsewhere (not shown in this listing) -- confirm that it denies the request.
# NOTE(review): ModSecurity 2.7 and later require a unique id action on every SecRule; none of
# these rules carries one. Assign ids from your own local range before loading the file.
# NOTE(review): REQUEST_BODY is only inspected when request body access is enabled -- confirm.
# NOTE(review): these are fixed-name signatures; a renamed file is not matched, so treat the
# list as a supplementary layer next to upload restrictions and file-integrity monitoring.
SecRule REQUEST_BODY|REQUEST_URI "dm.cgi"
SecRule REQUEST_BODY|REQUEST_URI "dark.cgi"
SecRule REQUEST_BODY|REQUEST_URI "telnet.pl"
SecRule REQUEST_BODY|REQUEST_URI "mrm.cgi"
SecRule REQUEST_BODY|REQUEST_URI "coms.cgi"
SecRule REQUEST_BODY|REQUEST_URI "godi.cgi"
# NOTE(review): the opening delimiter on the next line is "-" instead of a double quote,
# presumably mangled when the post was rendered; restore it before use.
SecRule REQUEST_BODY|REQUEST_URI -\.cgi\?m\=state"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=snd"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=icfg"
SecRule REQUEST_BODY|REQUEST_URI "telbu.pl"
SecRule REQUEST_BODY|REQUEST_URI "web.root"
SecRule REQUEST_BODY|REQUEST_URI "izo.cin"
SecRule REQUEST_BODY|REQUEST_URI "python.izo"
# end of rules
# Remote-include and command-shell signatures on the request URI.
# NOTE(review): throughout this section the pattern delimiters appear as "-" where ModSecurity
# expects double quotes (and some lines mix "-" with a real quote). This looks like rendering
# damage from the forum; the lines will not parse until the quotes are restored.
# NOTE(review): only the two chained rules below carry an id; the rest need one on
# ModSecurity 2.7 and later.
#
# Chained rule 390144: the first condition is negated ("!") and excludes the two listed
# Horde/Tiki paths; the chained second condition matches "=" followed by http(s)/www/ftp and a
# path ending in one of the listed extensions plus "?". The alternation repeats "dat" and "txt"
# and lists "jpeg" although "jpe?g" already covers it.
SecRule REQUEST_URI -!(horde/services/go\.php|tiki-view_cache\.php)- \
"chain,id:390144,rev:3,severity:2,msg:'Command shell attack: Generic Attempt to remote include command shell'-
SecRule REQUEST_URI -=(https?|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?-
# Chained rule 390145: same exclusion and almost the same second condition as 390144, but the
# scheme list is (http|www|ftp) and no optional space is allowed before the "?".
SecRule REQUEST_URI -!(horde/services/go\.php|tiki-view_cache\.php)- \
"chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'-
SecRule REQUEST_URI -=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?-
# Stand-alone signatures for files named cse.* / cmd.* and other command-shell file names,
# most of them followed by a query string that carries a cmd/command parameter.
SecRule REQUEST_URI -/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?-
SecRule REQUEST_URI|REQUEST_BODY -/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) -
SecRule REQUEST_URI -/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?-
SecRule REQUEST_URI -/\.it/viewde"
SecRule REQUEST_URI -/cmd\?&(command|cmd)=-
SecRule REQUEST_URI -/cmd\.php\.ns\?&(command|cmd)=-
SecRule REQUEST_URI -/cmd\.(php|dat)\?&(command|cmd)=-
SecRule REQUEST_URI -/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)=-
SecRule REQUEST_URI -/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?-
SecRule REQUEST_URI -/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?-
# NOTE(review): the next rule matches any URI containing /gif.php?, /jpg.php?, /shell.php? and
# similar; check it against legitimate scripts on the site before enabling a deny.
SecRule REQUEST_URI -/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?-
SecRule REQUEST_URI -/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?-

# Known rootkits: command lines and file names seen in the URI or request body.
# NOTE(review): delimiters are damaged on these lines too ("-" in place of a double quote).
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)-
SecRule REQUEST_URI|REQUEST_BODY -\./xkernel\;-
SecRule REQUEST_URI|REQUEST_BODY -/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY -/mampus\?&(cmd|command)-

# Generic remote Perl execution with a .pl extension: "perl <something>.pl" directly before
# or after a ";" command separator in the URI.
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;-
SecRule REQUEST_URI -\;(\s|\t)*perl .*\.pl"
# Allow-list entry: "izinvermekistedigin" is Turkish for "the one you want to permit", i.e. a
# placeholder for the single .pl script that should stay reachable. It has to precede the
# catch-all rule below to have any effect.
# NOTE(review): allow skips further rule processing for the matching request -- confirm the
# scope you want (the pattern is unanchored, so any URI containing this path qualifies).
SecRule REQUEST_URI -/izinvermekistedigin\.pl" allow
# Catch-all for Perl scripts. "/*" means "zero or more slashes", so this matches every URI
# that contains ".pl" anywhere (including ".plx" or a ".pl" inside a query string).
# NOTE(review): expect false positives; anchoring the extension would narrow it.
SecRule REQUEST_URI -/*\.pl"

# Known rootkit "Defacing Tool 2.0": tool*/therules25 file names with a cmd/command parameter.
# NOTE(review): "d(ao)t" matches only the literal "daot"; "d[ao]t" (dat/dot) may have been
# intended -- confirm against the original rule set.
# NOTE(review): delimiters appear as "-" instead of double quotes in this section as well.
SecRule REQUEST_URI -/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=-
SecRule REQUEST_URI -/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=-
SecRule REQUEST_URI -/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=-
SecRule REQUEST_URI -/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=-

# Other known tools
SecRule REQUEST_URI -/xpl\.php\?&(cmd|command)=-
# NOTE(review): matches any URI containing /ssh.php, /ssh2.php or /sfdg2.php, with or without
# a query string.
SecRule REQUEST_URI -/(ssh2?|sfdg2)\.php"

# New kit: files under a hidden ".dump" directory named bash or httpd.
SecRule REQUEST_URI|REQUEST_BODY -/\.dump/(bash|httpd)(\;|\w)-
SecRule REQUEST_URI|REQUEST_BODY -/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)-

# New kit
SecRule REQUEST_URI -/dblib\.php\?&(cmd|command)=-

# suntzu: also inspects the Content-Disposition request header.
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS:Content-Disposition -/(suntzu.*|suntzu)\.php\?cmd=-

# proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY -/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?-

# phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY -/(phpbackdoor|phpbackdoor.*)\.php\?cmd=-

# New unknown kit
# NOTE(review): the "?" is not escaped here, so it makes the "s" optional: the pattern
# matches "/oop&" and "/oops&" rather than the literal "/oops?&".
SecRule REQUEST_URI -/oops?&-

# Known PHP attack shells.
# The value of these signatures is fairly low; they are here to catch
# any loose threads, honeypotting, etc.
# NOTE(review): delimiters appear as "-" instead of double quotes on these lines.
SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)-
SecRule REQUEST_URI|REQUEST_BODY -(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)-
SecRule REQUEST_URI|REQUEST_BODY -/(too20|phpshell|shell)\.ph(p(3|4)?|tml)-
SecRule REQUEST_URI -/phpterm"

# "Frantastico" worm (the signature strings below spell it "fantastico_de_luxe").
# Each alternative ends in a space, so the name must be followed by a space to match.
SecRule REQUEST_URI|REQUEST_BODY -(netenberg |psybnc |fantastico_de_luxe |arta\.zip )-

# New unknown kits: short, fixed file names, most of them followed by a query string.
# NOTE(review): several of these are very generic (/t.gif?, /gif.gif?, /sh<digit>.png?);
# run them in detection-only mode first and review the audit log for legitimate hits.
# NOTE(review): delimiters appear as "-" instead of double quotes on these lines.
SecRule REQUEST_URI -/iblis\.htm\?- 
SecRule REQUEST_URI -/gif\.gif\?- 
SecRule REQUEST_URI -/go\.php\.txt\?- 
SecRule REQUEST_URI -/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?- 
SecRule REQUEST_URI -/iys\.(gif|jpe?g|txt|bmp|png)\?- 
SecRule REQUEST_URI -/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?- 
SecRule REQUEST_URI -/zehir\.asp"
SecRule REQUEST_URI -/aflast\.txt\?-
SecRule REQUEST_URI -/sikat\.txt\?&cmd" 
SecRule REQUEST_URI -/t\.gif\?- 
SecRule REQUEST_URI -/phpbb_patch\?&-
SecRule REQUEST_URI -/phpbb2_patch\?&-
SecRule REQUEST_URI -/lukka\?&-

# New kit: c99 shell distributed as a .txt file.
SecRule REQUEST_URI -/c99shell\.txt"
SecRule REQUEST_URI -/c99\.txt\?-

# Remote bash shell: the same pattern is checked in the URI and in the request arguments.
SecRule REQUEST_URI -/shell\.php\&cmd=-
SecRule ARGS -/shell\.php\&cmd=-

# Zen Cart exploit
SecRule REQUEST_URI -/ipn\.php\?cmd=-

# New pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?-
SecRule REQUEST_URI "dsoul/tool\?-

# Generic suntzu payload: PHP code fragments that call system() appearing in the URI or body.
SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\(-
SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI "help_text_vars\.php\?suntzu=-

# Dated additions. The comments give only day and month; the year is not recorded in the listing.
# NOTE(review): delimiters appear as "-" instead of double quotes on many of these lines.
# NOTE(review): patterns are written in one letter case; unless a lowercase transformation or
# a case-insensitive flag is applied elsewhere, differently-cased requests are not matched
# -- confirm.

# 25 Dec: new one
SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?-

# 26 Dec: new kit
SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?-
SecRule REQUEST_URI -/vsf\.vsf\?&-

# 27 Dec
SecRule REQUEST_URI -/scan1\.0/scan/-
# NOTE(review): "test.txt?&" is a common name; check for legitimate use before denying.
SecRule REQUEST_URI "test\.txt\?&-

# 30 Dec
SecRule REQUEST_URI -\.k4ka\.txt\?-

# 31 Dec
SecRule REQUEST_URI -/php\.txt\?-
# 1 Jan
SecRule REQUEST_URI -/sql\.txt\?-
SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?-

# 22 Feb
SecRule REQUEST_URI -/juax\.(gif|jpe?g|txt|bmp|png)\?-
SecRule REQUEST_URI -/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?-

# 24 Mar: ASP file-manager style requests (cmd.asp, AppFileExplorer, showUpload, inject).
SecRule REQUEST_URI -/docLib/cmd\.asp"
SecRule REQUEST_URI -\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI -\.asp\?.*showUpload&thePath=-
SecRule REQUEST_URI -\.asp\?.*theAct=inject&thePath=-

# Some broken attack program: it sends its unexpanded "@@RNDSTR@@" template marker.
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@-
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI -/r57en\.php"

# c99 rootshell: "act=" values used by the shell's own menu.
# NOTE(review): "act=ls" and "act=cmd" on any .php URI may collide with legitimate
# applications that use an "act" parameter.
SecRule REQUEST_URI -\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)-

# Generic shell
SecRule REQUEST_URI "shell\.txt"

# Bad scanner: probe string left by the DFind scanner.
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"

# Worm sign: PHP source fragments in the request body.
SecRule REQUEST_BODY -((stripslashes|passthru)\(\$_REQUEST\[\-|if \(get_magic_quotes_gpc\()-

# New SQL attack seen (the original comment read "SEL"): enumeration of information_schema.
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"

# New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)-
# End of rootkit rules.
#
# Engine settings.
# NOTE(review): from here on the listing uses ModSecurity 1.x directives (SecFilter...).
# ModSecurity 2.x does not recognise them, so a 2.x configuration file that contains these
# lines fails the Apache syntax check. SecAuditEngine and SecAuditLog exist in both versions;
# the 2.x counterparts of the others include SecDefaultAction, SecDebugLog and SecDebugLogLevel.
# Keep either the SecRule part or the SecFilter part, matching the installed version.
#
# URL-encoding and Unicode-encoding validation are switched off and the full byte range
# 0-255 is accepted, i.e. no input-encoding checks are enforced by the engine itself.
SecFilterCheckURLEncoding Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 0 255
# Audit-log only the transactions that triggered a rule.
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# Debug logging is effectively disabled (level 0).
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
# Default disposition for every filter without its own action list: deny with HTTP 406 and log.
SecFilterDefaultAction "deny,log,status:406"
# Requests from the loopback address are allowed without logging.
# NOTE(review): the dots are unescaped and the delimiters appear as "-" instead of double
# quotes. If a local reverse proxy sits in front of Apache, every request may arrive from
# 127.0.0.1 and bypass the filters -- confirm the deployment before keeping this line.
SecFilterSelective REMOTE_ADDR -^127.0.0.1$- nolog,allow
Secfilter "sbin/-
SecFilter "eggz"
SecFilter "eggdrop"
SecFilter "psybnc"
SecFilter "udp.pl"
SecFilter "bindtty"
SecFilterSelective ARG_PHPSESSID -!^[0-9a-z]*$-
SecFilterSelective COOKIE_PHPSESSID -!^[0-9a-z]*$-
Include -/usr/local/apache/conf/modsec.user.conf"
SecFilterSelective THE_REQUEST "dc.pl -
SecFilterSelective THE_REQUEST "wget -
SecFilterSelective THE_REQUEST "act=tools"
SecFilterSelective THE_REQUEST "act=gof"
SecFilterSelective THE_REQUEST "act=ls"
SecFilterSelective THE_REQUEST "act=mk"
SecFilterSelective THE_REQUEST "act=f&-
SecFilterSelective THE_REQUEST "act=sql"
SecFilterSelective THE_REQUEST "act=gofile"
SecFilterSelective THE_REQUEST "act=mkdir"
SecFilterSelective THE_REQUEST "act=ftpquickbrute"
SecFilterSelective THE_REQUEST "act=d"
SecFilterSelective THE_REQUEST "act=phpinfo"
SecFilterSelective THE_REQUEST "act=security"
SecFilterSelective THE_REQUEST "act=makefile"
SecFilterSelective THE_REQUEST "act=encoder"
SecFilterSelective THE_REQUEST "act=fsbuff"
SecFilterSelective THE_REQUEST "act=selfremove"
SecFilterSelective THE_REQUEST "act=update"
SecFilterSelective THE_REQUEST "act=feedback"
SecFilterSelective THE_REQUEST "act=search"
SecFilterSelective THE_REQUEST "act=chmod"
SecFilterSelective THE_REQUEST "act=upload -
SecFilterSelective THE_REQUEST "act=delete"
SecFilterSelective THE_REQUEST "act=paste"
SecFilterSelective THE_REQUEST "act=copy"
SecFilterSelective THE_REQUEST "act=cut"
SecFilterSelective THE_REQUEST "act=unselect -
SecFilterSelective THE_REQUEST "act=cmd"
SecFilterSelective THE_REQUEST "act=tools"
SecFilterSelective THE_REQUEST "act=eval"
SecFilterSelective THE_REQUEST "act=f"
SecFilterSelective THE_REQUEST -&s=r&cmd=dir&dir=.-
SecFilterSelective THE_REQUEST -&s=r&cmd=con"
SecFilterSelective THE_REQUEST "INSERT%20INTO"
SecFilterSelective THE_REQUEST "SELECT%20"
SecFilterSelective THE_REQUEST "root=-
SecFilterSelective THE_REQUEST "phpshell.php -
SecFilterSelective THE_REQUEST "cc.php"
SecFilterSelective THE_REQUEST "lynx -
SecFilterSelective THE_REQUEST "scp -
SecFilterSelective THE_REQUEST "ftp -
SecFilterSelective THE_REQUEST "cvs -
SecFilterSelective THE_REQUEST "rcp -
SecFilterSelective THE_REQUEST "curl -
SecFilterSelective THE_REQUEST "telnet -
SecFilterSelective THE_REQUEST "perl -
SecFilterSelective THE_REQUEST "b0t.tmp -
SecFilterSelective THE_REQUEST "bt.pl -
SecFilterSelective THE_REQUEST "fetch -
SecFilterSelective THE_REQUEST "ssh -
SecFilterSelective THE_REQUEST "echo -
SecFilterSelective THE_REQUEST "links -dump -
SecFilterSelective THE_REQUEST "links -dump-charset -
SecFilterSelective THE_REQUEST "links -dump-width -
SecFilterSelective THE_REQUEST "links http:// -
SecFilterSelective THE_REQUEST "links ftp:// -
SecFilterSelective THE_REQUEST "links -source -
SecFilterSelective THE_REQUEST "mkdir -
SecFilterSelective THE_REQUEST "cd /tmp -
SecFilterSelective THE_REQUEST "cd /var/tmp -
SecFilterSelective THE_REQUEST "cd /tmp/ -
SecFilterSelective THE_REQUEST "cd /var/tmp/ -
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy -
SecFilterSelective THE_REQUEST -/config.php?v=1&DIR -
SecFilterSelective THE_REQUEST -&highlight=%2527%252E -
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php -
SecFilterSelective THE_REQUEST "arta\.zip -
SecFilterSelective THE_REQUEST "cmd=cd\x20/var -
SecFilterSelective THE_REQUEST "cmd=cd\x20/tmp -
SecFilterSelective THE_REQUEST "cmd=cd\x20/var/tmp -
SecFilterSelective THE_REQUEST "cmd=cd\x20/tmp/ -
SecFilterSelective THE_REQUEST "cmd=cd\x20/var/tmp/ -
SecFilterSelective THE_REQUEST "HCL_path=http -
SecFilterSelective THE_REQUEST "clamav-partial -
SecFilterSelective THE_REQUEST "vi\.recover -
SecFilterSelective THE_REQUEST "netenberg -
SecFilterSelective THE_REQUEST "psybnc -
SecFilterSelective THE_REQUEST "fantastico_de_luxe -
SecFilterSelective THE_REQUEST "tool.gif?cmd -
SecFilterSelective THE_REQUEST "rm -rf -
SecFilterSelective THE_REQUEST -\.htaccess"
SecFilterSelective THE_REQUEST "cd\.\.-
SecFilterSelective THE_REQUEST -///cgi-bin"
SecFilterSelective THE_REQUEST -/cgi-bin///-
SecFilterSelective THE_REQUEST -/~root"
SecFilterSelective THE_REQUEST -/~ftp"
SecFilterSelective THE_REQUEST -/htgrep" chain
SecFilterSelective THE_REQUEST -/htgrep" log,pass
SecFilterSelective THE_REQUEST -/\.history"
SecFilterSelective THE_REQUEST -/\.bash_history"
SecFilterSelective THE_REQUEST -/~nobody"
SecFilterSelective THE_REQUEST -<script"
SecFilterSelective THE_REQUEST "psybnc"
SecFilterSelective THE_REQUEST "cmd=cd\x20/var"
SecFilterSelective THE_REQUEST "dir=http"
SecFilterSelective THE_REQUEST -\?STRENGUR"
SecFilterSelective THE_REQUEST -/etc/motd"
SecFilterSelective THE_REQUEST -/etc/passwd"
SecFilterSelective THE_REQUEST "conf/httpd\.conf"
SecFilterSelective THE_REQUEST -/bin/ps"
SecFilterSelective THE_REQUEST "bin/tclsh"
SecFilterSelective THE_REQUEST "tclsh8\x20"
SecFilterSelective THE_REQUEST "udp\.pl"
SecFilterSelective THE_REQUEST "linuxdaybot\.txt"
SecFilterSelective THE_REQUEST "wget\x20"
SecFilterSelective THE_REQUEST "bin/nasm"
SecFilterSelective THE_REQUEST "nasm\x20"
SecFilterSelective THE_REQUEST -/usr/bin/perl"
SecFilterSelective THE_REQUEST "links -dump -
SecFilterSelective THE_REQUEST "links -dump-(charset|width) -
SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/-
SecFilterSelective THE_REQUEST "links -source -
SecFilterSelective THE_REQUEST "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)- 
SecFilterSelective THE_REQUEST "cd\.\.- 
SecFilterSelective THE_REQUEST -///cgi-bin" 
SecFilterSelective THE_REQUEST -/cgi-bin///- 
SecFilterSelective THE_REQUEST -/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)- 
SecFilterSelective THE_REQUEST -/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)- 
SecFilterSelective THE_REQUEST -/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)- 
SecFilterSelective THE_REQUEST -/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)- 
SecFilterSelective THE_REQUEST -/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)- 
SecFilterSelective THE_REQUEST -/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)- 
SecFilterSelective THE_REQUEST -/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)- 
SecFilterSelective THE_REQUEST -/\.history HTTP\/(0\.9|1\.0|1\.1)$- 
SecFilterSelective THE_REQUEST -/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$-
SecFilterSelective REQUEST_URI -/nessus_is_probing_you_"
SecFilterSelective REQUEST_URI -/NessusTest"
SecFilter "javascript\://-
SecFilter "img src=javascript"
SecFilter "_PHPLIB\[libdir\]-
SecFilter "hdr=/-
SecFilter -$path.-*--
SecFilterSelective THE_REQUEST -\<IMG.*/\bonerror\b[\s]*=/Ri"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\-\-]text\/javascript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\-\-]application\/x-javascript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\-\-]text\/jscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\-\-]text\/vbscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\-\-]application\/x-vbscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\-\-]text\/ecmascript/i"
SecFilterSelective THE_REQUEST "STYLE[\s]*=[\s]*[^>]expression[\s]*\(/i"
SecFilterSelective THE_REQUEST -[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>/i"
SecFilterSelective THE_REQUEST -<!\[CDATA\[<\]\]>SCRIPT"
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)-
SecFilterSelective REQUEST_METHOD -^POST$- chain
SecFilterSelective HTTP_Content-Length -^$-
SecFilterSelective HTTP_Transfer-Encoding -!^$-
SecFilter -(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])-
SecFilterSelective REQUEST_URI -\.php\?- chain
SecFilter -(http|https|ftp)\:/- chain
SecFilter -(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])-
SecFilterSelective THE_REQUEST -(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter -(\<xml|\<.*xml)- chain
SecFilter -(echo( |\(|\-).*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;-
SecFilterSelective THE_REQUEST -(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter -<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|re​name|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>-
SecFilterSelective REQUEST_URI -/index\.php\?option=com_content&task=vote&id=.*&Itemid=.*&cid=.*&user_rating=.*\((select|grant|delete|insert|drop|do|alter|replace|truncate|u​pdate|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)-
SecFilterSelective REQUEST_URI -/content\.php" chain
SecFilterSelective ARG_user_rating -.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective ARG_mosConfig_absolute_path -(\.\./\.\.|/|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/index(2?)\.php\?.*mosConfig_absolute_path=(http|https|ftp)\:\/-
SecFilterSelective REQUEST_URI -/emailfriend/(emailarticle|emailfaq|emailnews)\.php\?id=\-(\<script|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/posting\.php\?mode=reply\&t=.*userid.*phpbb2mysql_t=(<[[:space:]]*script|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/posting\.php\\?.*(<[[:space:]]*script|(http|https|ftp)\:/)-
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php"
SecFilter -^/viewtopic\.php\?- chain
SecFilter "chr\(([0-9]{1,3})\)-
SecFilterSelective THE_REQUEST "viewtopic\.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" -(passthru|cmd|fopen|exit|fwrite)-
SecFilter "phpbb_root_path=-
SecFilterSelective THE_REQUEST -/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/groupcp\.php\?g=.*sid=\--
SecFilterSelective REQUEST_URI -/index\.php\?(c|mark)=*\--
SecFilterSelective REQUEST_URI -/portal\.php\?article=*\--
SecFilterSelective REQUEST_URI -/viewforum.php?f=.*sid=\--
SecFilterSelective REQUEST_URI -/viewtopic.php?p=.*sid=\--
SecFilterSelective REQUEST_URI -/album_search\.php\?mode=\--
SecFilterSelective REQUEST_URI -/album_cat\.php\?cat_id=.*sid=\--
SecFilterSelective REQUEST_URI -/album_comment\.php\?pic_id=.*sid=\--
SecFilterSelective REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\-\->-
SecFilterSelective REQUEST_URI -/profile\.php\?mode=viewprofile&u=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/viewtopic\.php\?p=.*&highlight=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)-
SecFilterSelective COOKIE_sessionid "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D"
SecFilter "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D"
SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$- chain
SecFilterSelective ARG_highlight -%27"
SecFilter -&highlight=\-\.fwrite\(fopen\(-
SecFilter -&highlight=\x2527\x252Esystem\(-
SecFilter -&highlight=\-\.mysql_query\(-
SecFilterSelective THE_REQUEST -/quick-reply\.php" chain
SecFilterSelective THE_REQUEST -(\;|\&)highlight=\-\.system\(-
SecFilterSelective THE_REQUEST -&highlight=\-\.mysql_query\(-
SecFilterSelective THE_REQUEST -&highlight=\-\.fwrite\(fopen\(-
SecFilterSelective THE_REQUEST -&highlight=%2527%252E"
SecFilterSelective THE_REQUEST -&highlight=\x2527\x252Esystem\(-
SecFilterSelective THE_REQUEST -/viewtopic\.php\?.*(highlight.*(\-\.|\x2527|\x27)|include\(.*GET\[.*\]\)|=(http|https|ftp)\:/|(printf|system)\()-
SecFilterSelective REQUEST_URI "profile\.php\?GLOBALS\[signature_bbcode_uid\]=\(\.\x2B\)/e\x00"
SecFilterSelective REQUEST_URI|POST_PAYLOAD "r57phpBB2017xpl"
SecFilterSelective POST_PAYLOAD "_bill_gates@microsoft\.com"
SecFilterSelective THE_REQUEST -/admin/admin_forums\.php\?sid=.*- chain
SecFilter -(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)-
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_error_msg -<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>-
SecFilterSelective REQUEST_URI "login\.php" chain
SecFilterSelective ARG_forward_page -<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>-
SecFilterSelective REQUEST_URI "search\.php" chain
SecFilterSelective ARG_list_cat -<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>-
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_signature_bbcode_uid -((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|de​scribe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\-|UNION.*SELECT.*INTO.*FROM)-
SecFilterSelective ARG_signature_bbcode_uid -(<.*php|<php)-
SecFilterSelective REQUEST_URI -/downloads\.php\?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_email -(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|​describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_ratenum -(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_min -(dselect|grant|elete|insert|drop|do|alter|replace|truncate|update|create|rename|​describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_show -(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_orderby -(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|​describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_url -(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_email -(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_ratenum -(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_min -(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_show -(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_orderby -(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)-
SecFilterSelective SCRIPT_FILENAME "modules\.php$- chain
SecFilterSelective ARG_url -(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)-
SecFilterSelective REQUEST_URI -/modules\.php\?*name=*\<*(script|about|applet|activex|chrome)*\>-
SecFilterSelective REQUEST_URI -/modules\.php\?op=modload&name=News&file=article&sid=*\<*(script|about|applet|activex|chrome)*\>-
SecFilterSelective REQUEST_URI -/modules\.php\?name=Search&type=comments&query=.*&instory=.*UNION.*SELECT.*pwd.*FROM.*nuke_authors"
SecFilterSelective REQUEST_URI -/modules\.php\?*name=Search*instory=-
SecFilterSelective REQUEST_URI -/modules\.php\?*name=(Search|Web_Links).*\--
SecFilterSelective THE_REQUEST -/modules\.php\?*name=<[[:space:]]*script"
SecFilterSelective THE_REQUEST -/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)-
SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)-
SecFilterSelective THE_REQUEST -/index\.php*file=*(http|https|ftp)-
SecFilterSelective THE_REQUEST -/modules\.php\?*name=Search*instory=-
SecFilterSelective THE_REQUEST -/modules\.php*name=Forums.*file=viewtopic*/forum=.*\-/-
SecFilterSelective REQUEST_URI -/banners\.php\?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/modules\.php\?name=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/modules\.php\?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/modules\.php\?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/modules\.php\?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1&ltr=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/joinrequests\.php" chain
SecFilter "do=processjoinrequests&usergroupid=.*&request.*(select|grant|delete|insert|drop|alter|replace|truncate|update|crea​te|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]-
SecFilterSelective REQUEST_URI -/admincp/user\.php" chain
SecFilter "do=find&orderby=username&limit.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create​|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]-
SecFilterSelective REQUEST_URI -/admincp/(usertitle|usertools)\.php" chain
SecFilter -(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]-
SecFilterSelective REQUEST_URI -/modcp/announcement\.php" chain
SecFilter "do=update&announcementid=.*&start=.*&end=.*&announcement.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]-
SecFilterSelective REQUEST_URI -/admincp/admincalendar\.php" chain
SecFilter "do=update&calendarid=.*&calendar\[.*\]=.*&calendar.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]-
SecFilterSelective REQUEST_URI -/admincp/email\.php" chain
SecFilter "do=makelist&user\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]-
SecFilterSelective REQUEST_URI -/admincp/help\.php" chain
SecFilter "do=doedit&help\[.*\]=.*&help\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]-
SecFilterSelective REQUEST_URI "admincp/language\.php" chain
SecFilter "do=update&rvt\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|d​escribe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]-
SecFilterSelective REQUEST_URI -/admincp/phrase\.php" chain
SecFilter "do=completeorphans&keep\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|d​escribe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]-
SecFilterSelective REQUEST_URI "calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)-
SecFilterSelective REQUEST_URI -/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;-
SecFilterSelective REQUEST_URI -/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui"
SecFilterSelective REQUEST_URI -/forumdisplay\.php\?- chain
SecFilter -\.system\(.+\)\.-
SecFilterSelective REQUEST_URI -/forumdisplay\.php\?*comma=-
SecFilterSelective REQUEST_URI -/ad_member\.php" chain
SecFilter "emailer\.php"
SecFilterSelective REQUEST_URI -/ipchat\.php*root_path*conf_global\.php"
SecFilterSelective REQUEST_URI -/ipchat\.php" chain
SecFilter "conf_global\.php"
SecFilterSelective REQUEST_URI -/forums/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)-
SecFilterSelective REQUEST_URI -/jportal/banner\.php*(UNION|SELECT|DELETE|INSERT)-
SecFilterSelective REQUEST_URI -/index\.php" chain
SecFilterSelective ARG_comment -(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|​describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective REQUEST_URI -/index.php" chain
SecFilterSelective ARG_mid -.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective THE_REQUEST -/index\.php\?act=Login&CODE=autologin.*((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|user\+AND\+MID\(password)-
SecFilterSelective REQUEST_URI "index\.php" chain
SecFilterSelective ARG_st -((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\-|UNION.*SELECT.*INTO.*FROM)-
SecFilterSelective REQUEST_URI "calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|​t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)-
SecFilterSelective REQUEST_URI -/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;-
SecFilterSelective SCRIPT_FILENAME "export\.php$- chain
SecFilterSelective ARG_what -\.\.-
SecFilterSelective REQUEST_URI -/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
SecFilterSelective REQUEST_URI -/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|ac​tivex|chrome)*\>|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/product_info\.php" chain
SecFilterSelective ARG_products_id -(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]-
SecFilterSelective REQUEST_URI -/relocate_server\.php"
SecFilterSelective REQUEST_URI -/theme\.php\?THEME_DIR=(http|https|ftp)/:/-
SecFilterSelective REQUEST_URI -/index\.php\?lang=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)-
SecFilterSelective THE_REQUEST "awstats" chain
SecFilterSelective ARGS -(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod|exec|print)-
SecFilterSelective REQUEST_URI -/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()-
SecFilterSelective REQUEST_URI -/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)-
SecFilterSelective REQUEST_URI -/awstats\.pl\?[^\r\n]*logfile=\|-
SecFilterSelective REQUEST_URI -/awstats\.pl\?configdir=-
SecFilterSelective REQUEST_URI "awstats\.pl\?- chain
SecFilterSelective ARGS -(debug|configdir|perl|chmod|exec|print|cgi)-
SecFilterSelective THE_REQUEST -/awstats\.pl HTTP\/(0\.9|1\.0|1\.1)$-
SecFilterSelective REQUEST_URI -/attachments\.php\?file=\.\./\.\.-
SecFilterSelective REQUEST_URI -/include/main\.php\?config.*=.*&include_dir=(http|https|ftp)\:/-
SecFilterSelective REQUEST_URI -/admin\.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]]+(from|into|table|database|index|view|select)-
SecFilterSelective REQUEST_URI -/view\.php\?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)-
SecFilterSelective THE_REQUEST -/view\.php" chain
SecFilterSelective ARG_t -.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|renam​e|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective REQUEST_URI -/index\.php.*func=*(\.\./|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/modules\.php\?op=modload&name=Messages&file=readpmsg&start=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|de​scribe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)-
SecFilterSelective REQUEST_URI "modules/Downloads/dl-viewdownload\.php" chain
SecFilterSelective ARG_show -(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|​describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective REQUEST_URI -/modules/pn_bbcode/pnincludes/contrib/example\.php"
SecFilterSelective REQUEST_URI -/samples/news\.php\?DIR=(http|https|ftp)\:/-
SecFilterSelective THE_REQUEST -/order/orderwiz\.php\?v=.*&aid=.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)-
SecFilterSelective REQUEST_URI -/wp-trackback\.php\?tb_id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective REQUEST_URI -/wp-trackback\.php" chain
SecFilterSelective ARG_tb_id -(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|​describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective REQUEST_URI -/index\.php\?cat=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|upd​ate|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)-
SecFilterSelective REQUEST_URI -/wordpress/- chain
SecFilterSelective ARG_cat -!^[0-9]*$-
SecFilterSelective ARG_cache_lastpostdate -<\?php"
SecFilterSelective REQUEST_URI -/index\.php" chain
SecFilterSelective ARG_poll|ARG_category|ARG_ctg -((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|de​scribe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\-|UNION.*SELECT.*INTO.*FROM)-
SecFilterSelective REQUEST_URI -/index\.php\?&PHPSESSID=\--
SecFilterSelective REQUEST_URI -/tellafriend\.php\?&product=\--
SecFilterSelective REQUEST_URI -/view_cart\.php\?add=\--
SecFilterSelective REQUEST_URI -/view_product\.php\?product=\--
SecFilterSelective REQUEST_URI -/libraries/lib-xmlrpcs.inc\.php"
SecFilterSelective REQUEST_URI -/maintenance/maintenance-activation\.php"
SecFilterSelective REQUEST_URI -/maintenance/maintenance-cleantables\.php"
SecFilterSelective REQUEST_URI -/maintenance/maintenance-autotargeting\.php"
SecFilterSelective REQUEST_URI -/maintenance/maintenance-reports\.php"
SecFilterSelective REQUEST_URI -/misc/backwards\x20compatibility/phpads\.php"
SecFilterSelective REQUEST_URI -/misc/backwards\x20compatibility/remotehtmlview\.php"
SecFilterSelective REQUEST_URI -/misc/backwards\x20compatibility/click\.php"
SecFilterSelective REQUEST_URI -/adframe\.php\?*******=securityreason\.com\-\>-
SecFilterSelective REQUEST_URI -/logout\.php" chain
SecFilterSelective ARG_sessiodID -((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\-|UNION.*SELECT.*INTO.*FROM)-
SecFilterSelective THE_REQUEST -(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilterSelective POST_PAYLOAD -<methodName>blogger\.getUsersBlogs</methodName>- chain
SecFilter -.*\- AND ascii\(substring\(pass"
SecFilter -\<.*php .*\(.*\)\;system\(.*\).*php*\>-
#Slightly stronger version of the above
SecFilter -\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>-
SecFilterSelective REQUEST_URI "exit\.php\?entry_id=.*&url_id=.*\x20UNION\x20SELECT\x20(password|username)\x20FROM"
SecFilterSelective REQUEST_URI -/config\.php\?path\[docroot\]=((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))-
SecFilterSelective THE_REQUEST -/index\.php\?homeinclude=catalog&category_id=&parent_id=.*- chain
SecFilter -<[[:space:]]*(href|script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome|a)[[:space:]]*>-
SecFilterSelective REQUEST_URI -/index\.php" chain
SecFilterSelective ARG_campaign_id -((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|de​scribe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\-|UNION.*SELECT.*INTO.*FROM)-
Sonra aynı klasördeki "httpd.conf" dosyasını açıyoruz.
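Dosyanın içinde "AddHandler cgi-script" satırını bulup başına "#" ekliyoruz. (Bu sayede satırı devre dışı bırakıyoruz; bu satıra bağlı çalışan meşru CGI betikleri de artık çalıştırılmaz, bu yüzden önce sunucudaki sitelerin CGI kullanıp kullanmadığını kontrol edin.)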
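Daha sonra, yeniden başlatmadan önce "apachectl configtest" komutuyla yapılandırmanın hatasız olduğunu doğruluyoruz. Yukarıdaki listedeki "SecFilter" ve "SecFilterSelective" satırları ModSecurity 1.x yönergeleridir ve ModSecurity 2.x bunları tanımaz; ayrıca bazı tırnak işaretleri "-" karakterine dönüşmüş görünüyor. Bu yüzden kurallar bu haliyle sözdizimi hatası verip Apache'nin açılmasını engelleyebilir.
Eğer Ubuntu ise "service apache restart" yazıyoruz (Ubuntu'da servis adı genellikle "apache2"dir).
Eğer Ubuntu değilse Apache'yi dağıtımın kendi yöntemiyle yeniden başlatıyoruz.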
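İşlem bu kadar. Eğer sunucularınızı ciddi amaçlar için kullanıyorsanız bu koruma çok önemli.
Aksi takdirde sunucunuzda barındırılan tüm web siteleri kolayca ele geçirilebilir. Bu kurallar yalnızca bilinen dosya adlarını ve istek kalıplarını engeller; bu yüzden tek başına yeterli sayılmamalı, yazılım güncellemeleri ve doğru dosya izinleriyle birlikte uygulanmalıdır.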
İyi forumlar.
~Spinkkz
 