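<IfModule mod_security.c>
    # ModSecurity 1.x request-filtering policy (SecFilter* directive family;
    # ModSecurity 2.x and later use SecRule instead, so this file does not
    # load there unchanged). One directive per line; rule order is significant
    # because "chain" binds a rule to the one that follows it.
    #
    # The rules below are a signature blocklist of strings seen in web-shell
    # and command-injection traffic. Treat them as a backstop and an alerting
    # source, not as the fix: the vulnerable application still has to be
    # patched. Patterns are regular expressions, so literal "." and "?" must
    # be written as "\." and "\?".

    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    # NOTE(review): in mod_security 1.x this is documented to take effect only
    # with "ServerTokens Full" -- confirm in the main server config.
    SecServerSignature "Modelayer.Com"

    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    # With POST scanning enabled below, logged requests may include request
    # bodies (credentials, session data); keep this file readable by
    # administrators only and include it in log rotation.
    SecAuditLog logs/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    # Every rule without its own action list denies with HTTP 400 and logs.
    SecFilterDefaultAction "deny,log,status:400"

    # # ## ## ## ## ## ## ## ## ## # # ## ## ## ## ## ## ## ## ##

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    # "!^$" = any non-empty Transfer-Encoding header is rejected.
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # my own rules
    SecFilter "\/var\/tmp"
    SecFilter "command=cd"
    SecFilter "\/etc\/passwd"
    SecFilter "rootDir"
    SecFilterSelective THE_REQUEST "/etc/passwd"
    SecFilterSelective THE_REQUEST "/etc/shadow"
    # Trailing spaces inside the quotes are part of the pattern: these match
    # only when the path is followed by a space.
    SecFilterSelective THE_REQUEST "cd /var/spool "
    SecFilterSelective THE_REQUEST "cd /dev/shm "
    SecFilterSelective THE_REQUEST "cd /dev "
    SecFilterSelective THE_REQUEST "cd shm "
    SecFilter "/dev/shm"
    SecFilterSelective THE_REQUEST "/usr/bin/id"
    SecFilterSelective THE_REQUEST "/bin/kill"
    SecFilterSelective THE_REQUEST "/usr/bin/gcc"
    SecFilterSelective THE_REQUEST "/usr/bin/cc"
    SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
    SecFilterSelective THE_REQUEST "/bin/ping"
    SecFilterSelective THE_REQUEST "/bin/mail"
    SecFilterSelective THE_REQUEST "/bin/ls"
    SecFilterSelective THE_REQUEST "/usr/sbin/httpd"
    SecFilter "local_path"
    SecFilter "LOCAL_PATH"
    # "rootDir" is already covered by the SecFilter "rootDir" rule above; the
    # next two rules are redundant but harmless.
    SecFilterSelective THE_REQUEST "rootDir"
    SecFilter "rootDir"
    SecFilterSelective REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
    SecFilterSelective ARGS "/shell\.php\&cmd="
    SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC"
    # NOTE(review): "\S *" (non-space, then optional spaces) may be a paste
    # artifact of "\S*"; as written, deeper paths under /~user/ are not matched
    # by this rule -- confirm against the rule's source.
    SecFilterSelective THE_REQUEST "/~(root|ftp|bin|nobody|named|guest|logs|sshd)(/\S *)? HTTP/(0\.9|1\.[01])$"
    SecFilterSelective REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/ "
    SecFilterSelective THE_REQUEST "cgitelnet"
    SecFilter "nstview\.php"
    SecFilterSelective THE_REQUEST "chmod\x20"
    SecFilterSelective THE_REQUEST "wget\x20"
    SecFilterSelective THE_REQUEST "uname\x20-a"

    # methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    # NOTE(review): because of "chain", the "lynx " rule below fires only when
    # the request line also matches "\.cgi*" (".cg" plus any number of "i").
    # If "lynx " was meant to be blocked on its own, drop the chained rule.
    SecFilterSelective THE_REQUEST "\.cgi*" chain
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "Fhome"
    SecFilterSelective THE_REQUEST "ftp "
    # "?" escaped so it matches the literal query-string separator; unescaped
    # it only made the preceding "p" optional and never matched "php?...".
    # These now match any .php request whose query string starts with the
    # listed word, so watch the audit log for false positives.
    SecFilterSelective THE_REQUEST "php\?phpinfo"
    SecFilterSelective THE_REQUEST "php\?phpini"
    SecFilterSelective THE_REQUEST "php\?mem"
    SecFilterSelective THE_REQUEST "php\?cpu"
    SecFilterSelective THE_REQUEST "php\?users"
    SecFilterSelective THE_REQUEST "php\?tmp"
    SecFilterSelective THE_REQUEST "php\?delete"
    # THE_REQUEST is the whole request line ("METHOD URI PROTOCOL"), so a short
    # word followed by a space also matches any URI that merely ends in that
    # word (for example a path ending in "ssh" or "echo").
    SecFilterSelective THE_REQUEST "curl "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    # "." and "?" escaped so the file name and query separator match literally.
    SecFilterSelective THE_REQUEST "/config\.php\?v=1&DIR "
    SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F\.php "
    SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
    SecFilterSelective THE_REQUEST "HCL_path=http "
    SecFilterSelective THE_REQUEST "clamav-partial "
    SecFilterSelective THE_REQUEST "vi\.recover "
    SecFilterSelective THE_REQUEST "netenberg "
    SecFilterSelective THE_REQUEST "psybnc "
    SecFilterSelective THE_REQUEST "fantastico_de_luxe "
    SecFilterSelective THE_REQUEST "2Fpublic_html&"
    # Dots escaped: unescaped "." matches any character.
    SecFilterSelective THE_REQUEST "\.htaccess"
    SecFilterSelective THE_REQUEST "c99sh_datapipe\.pl"
    SecFilterSelective THE_REQUEST "listDBs"
    # Variants of URL-encoded "/home/". Several are subsumed by the shorter
    # ones ("%home", "home%", "Fhome%"), which match any request containing
    # those characters.
    SecFilterSelective THE_REQUEST "%2home%2"
    SecFilterSelective THE_REQUEST "%2home%"
    SecFilterSelective THE_REQUEST "%home%"
    SecFilterSelective THE_REQUEST "%home"
    SecFilterSelective THE_REQUEST "home%"
    SecFilterSelective THE_REQUEST "%2Fhome%2"
    SecFilterSelective THE_REQUEST "%2Fhome%"
    SecFilterSelective THE_REQUEST "%Fhome%"
    SecFilterSelective THE_REQUEST "%Fhome"
    SecFilterSelective THE_REQUEST "Fhome%"
    SecFilterSelective THE_REQUEST "2Fpublic_html&"
    # NOTE(review): very broad. "/etc/" blocks every URI containing that path
    # segment, and "cd " blocks every request whose URI ends in "cd" (the
    # space before the protocol completes the match). Both make the narrower
    # "/etc/..." and "cd /..." rules above redundant; confirm this is intended.
    SecFilterSelective THE_REQUEST "/etc/"
    SecFilterSelective THE_REQUEST "cd "

    # WEB-PHP phpbb quick-reply.php arbitrary command attempt
    # Same signatures applied to request bodies. Legitimate form posts that
    # contain these words followed by a space (forum posts, tickets, code
    # snippets) are denied as well.
    SecFilterSelective POST_PAYLOAD "wget "
    SecFilterSelective POST_PAYLOAD "lynx "
    SecFilterSelective POST_PAYLOAD "Fhome"
    SecFilterSelective POST_PAYLOAD "curl "
    SecFilterSelective POST_PAYLOAD "ssh "
    SecFilterSelective POST_PAYLOAD "echo "
    SecFilterSelective POST_PAYLOAD "links -dump "
    SecFilterSelective POST_PAYLOAD "links -dump-charset "
    SecFilterSelective POST_PAYLOAD "links -dump-width "
    SecFilterSelective POST_PAYLOAD "links http:// "
    SecFilterSelective POST_PAYLOAD "links ftp:// "
    SecFilterSelective POST_PAYLOAD "links -source "
    SecFilterSelective POST_PAYLOAD "mkdir "
    SecFilterSelective POST_PAYLOAD "cd /tmp "
    SecFilterSelective POST_PAYLOAD "cd /var/tmp "
    SecFilterSelective POST_PAYLOAD "cmd=cd\x20/var "
    SecFilterSelective POST_PAYLOAD "HCL_path=http "
    SecFilterSelective POST_PAYLOAD "clamav-partial "
    SecFilterSelective POST_PAYLOAD "vi\.recover "
    SecFilterSelective POST_PAYLOAD "netenberg "
    SecFilterSelective POST_PAYLOAD "psybnc "
    SecFilterSelective POST_PAYLOAD "fantastico_de_luxe "
    # Dots escaped: unescaped "." matches any character.
    SecFilterSelective POST_PAYLOAD "\.htaccess"
    SecFilterSelective POST_PAYLOAD "c99sh_datapipe\.pl"
    SecFilterSelective POST_PAYLOAD "listDBs"
    SecFilterSelective POST_PAYLOAD "%2home%2"
    SecFilterSelective POST_PAYLOAD "%2home%"
    SecFilterSelective POST_PAYLOAD "%home%"
    SecFilterSelective POST_PAYLOAD "%home"
    SecFilterSelective POST_PAYLOAD "home%"
    SecFilterSelective POST_PAYLOAD "%2Fhome%2"
    SecFilterSelective POST_PAYLOAD "%2Fhome%"
    SecFilterSelective POST_PAYLOAD "%Fhome%"
    SecFilterSelective POST_PAYLOAD "%Fhome"
    SecFilterSelective POST_PAYLOAD "Fhome%"
    SecFilterSelective POST_PAYLOAD "2Fpublic_html&"
    SecFilterSelective POST_PAYLOAD "/etc/"
    SecFilterSelective POST_PAYLOAD "SHOW DATABASES "

    # Probes for home directories, shell history and server configuration.
    SecFilterSelective THE_REQUEST "/~root"
    SecFilterSelective THE_REQUEST "/~ftp"
    # Both chained conditions are the same pattern; the explicit "log,pass"
    # overrides the default deny, so /htgrep requests are logged but allowed.
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilterSelective THE_REQUEST "/htgrep" log,pass
    SecFilterSelective THE_REQUEST "/\.history"
    SecFilterSelective THE_REQUEST "/\.bash_history"
    SecFilterSelective THE_REQUEST "/~nobody"
    SecFilterSelective THE_REQUEST "psybnc"
    SecFilterSelective THE_REQUEST "dir=http"
    SecFilterSelective THE_REQUEST "\?STRENGUR"
    SecFilterSelective THE_REQUEST "/etc/motd"
    SecFilterSelective THE_REQUEST "/etc/passwd"
    SecFilterSelective THE_REQUEST "conf/httpd\.conf"
</IfModule>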