Preventing Shell Scripts from Running
Shell scripts, a particular headache on Linux servers, get into FTP accounts through illegitimate means. Even when they perform no other action, these scripts capture MySQL credentials. Once planted in an FTP account, they can spread to other accounts and install many kinds of illegal software on the system. There are hundreds of scripts that infect large numbers of servers and use them to send mail. Intervening against this kind of script at the upload stage in particular is what saves you. One of the indispensable modules on a Linux server is mod_security. The .conf files used with this module will protect you from many attacks. We are sharing a conf file that forbids the upload of shell scripts and stops CGI use. Back up the modsec2.user.conf file in the /usr/local/apache/conf directory, add the code I give here, and your problem will be solved. After uploading the file, restart Apache. That is all there is to it. The conf file is shared below.
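Added example (not part of the original post): a pre-load check for a rule file destined for modsec2.user.conf. It flags ModSecurity 1.x `SecFilter*` directives that a ModSecurity 2.x module does not recognise, `SecRule` lines without the `id` that ModSecurity 2.7 and later require, and rules that neither carry a disruptive action nor follow a blocking `SecDefaultAction` (the built-in default is `phase:2,log,auditlog,pass`). The function names and the sample text, whose lines are copied from the rule set on this page, are assumptions made for the illustration.

```python
import re

# One token = a double-quoted string, a single-quoted string, or a bare word.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\S+''')
QUOTED = re.compile(r"'(?:\\.|[^'\\])*'")      # e.g. msg:'text, with commas'
DISRUPTIVE = {"deny", "drop", "redirect", "proxy"}
DECIDED = DISRUPTIVE | {"allow", "pass"}       # the rule states its own outcome

MESSAGES = {
    "V1_DIRECTIVE": "ModSecurity 1.x directive; a 2.x module rejects it as an invalid command",
    "NO_ID": "SecRule has no id action (mandatory since ModSecurity 2.7)",
    "LOG_ONLY": "no disruptive action and no blocking SecDefaultAction; the match is only logged",
}

# Constructed sample: directives copied from the rule set on this page.
SAMPLE = r"""# sample for the audit
SecRule REQUEST_BODY|REQUEST_URI "dm.cgi"
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php)" \
"chain,id:390144,rev:3,severity:2,msg:'Command shell attack: Generic Attempt to remote include command shell'"
SecRule REQUEST_URI "=(https?|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "/izinvermekistedigin\.pl" allow
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective THE_REQUEST "wget "
"""


def logical_lines(text):
    """Yield (first_line_number, line), joining Apache backslash continuations."""
    buf, start = "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = number
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf = ""
    if buf:
        yield start, buf.strip()


def action_names(arg):
    """Return the action names in a list such as "chain,id:1,msg:'x, y'"."""
    bare = QUOTED.sub("", arg.strip('"'))
    return {p.split(":", 1)[0].strip().lower() for p in bare.split(",") if p.strip()}


def audit(text):
    """Return a list of (line_number, code, message) findings for a rule file."""
    findings = []
    in_chain = False         # True while the previous SecRule carried "chain"
    default_blocks = False   # True once a SecDefaultAction with a disruptive action is seen
    for lineno, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        name = tokens[0].lower()
        if name.startswith("secfilter"):
            findings.append((lineno, "V1_DIRECTIVE", MESSAGES["V1_DIRECTIVE"]))
        elif name == "secdefaultaction" and len(tokens) > 1:
            default_blocks = bool(action_names(tokens[1]) & DISRUPTIVE)
        elif name == "secrule":
            actions = action_names(tokens[3]) if len(tokens) > 3 else set()
            if not in_chain:
                # Only the first rule of a chain carries the id and the outcome.
                if "id" not in actions:
                    findings.append((lineno, "NO_ID", MESSAGES["NO_ID"]))
                if not (actions & DECIDED) and not default_blocks:
                    findings.append((lineno, "LOG_ONLY", MESSAGES["LOG_ONLY"]))
            in_chain = "chain" in actions
    return findings


if __name__ == "__main__":
    for lineno, code, message in audit(SAMPLE):
        print(f"line {lineno}: {code}: {message}")
```

`apachectl configtest` run against the edited file, before the restart, remains the authoritative check that the module accepts every directive.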
# PROTECTION AGAINST ROOTKITS
# ---------------------------------------------
# Rules I added for YellSOFT DirectMailer
SecRule REQUEST_BODY|REQUEST_URI "dm.cgi"
SecRule REQUEST_BODY|REQUEST_URI "dark.cgi"
SecRule REQUEST_BODY|REQUEST_URI "telnet.pl"
SecRule REQUEST_BODY|REQUEST_URI "mrm.cgi"
SecRule REQUEST_BODY|REQUEST_URI "coms.cgi"
SecRule REQUEST_BODY|REQUEST_URI "godi.cgi"
SecRule REQUEST_BODY|REQUEST_URI "\.cgi\?m\=state"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=snd"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=icfg"
SecRule REQUEST_BODY|REQUEST_URI "telbu.pl"
# end of rules
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php)" \
"chain,id:390144,rev:3,severity:2,msg:'Command shell attack: Generic Attempt to remote include command shell'"
SecRule REQUEST_URI "=(https?|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php)" \
"chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
# "izinvermekistedigin" is a placeholder: the name of the .pl script you want to allow
SecRule REQUEST_URI "/izinvermekistedigin\.pl" allow
SecRule REQUEST_URI "/*\.pl"
#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
#new kit
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS:Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
#new unknown kit
SecRule REQUEST_URI "/oops?&"
# known PHP attack shells
# value of these sigs, pretty low, but here to catch
# any loose threads, honeypotting, etc.
SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI "/phpterm"
#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
#new unknown kits
SecRule REQUEST_URI "/iblis\.htm\?"
SecRule REQUEST_URI "/gif\.gif\?"
SecRule REQUEST_URI "/go\.php\.txt\?"
SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/zehir\.asp"
SecRule REQUEST_URI "/aflast\.txt\?"
SecRule REQUEST_URI "/sikat\.txt\?&cmd"
SecRule REQUEST_URI "/t\.gif\?"
SecRule REQUEST_URI "/phpbb_patch\?&"
SecRule REQUEST_URI "/phpbb2_patch\?&"
SecRule REQUEST_URI "/lukka\?&"
#new kit
SecRule REQUEST_URI "/c99shell\.txt"
SecRule REQUEST_URI "/c99\.txt\?"
#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="
#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI "help_text_vars\.php\?suntzu="
#25dec new one
SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"
#26dec new kit
SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/vsf\.vsf\?&"
#27dec
SecRule REQUEST_URI "/scan1\.0/scan/"
SecRule REQUEST_URI "test\.txt\?&"
#30dec
SecRule REQUEST_URI "\.k4ka\.txt\?"
#31dec
SecRule REQUEST_URI "/php\.txt\?"
#1 jan
SecRule REQUEST_URI "/sql\.txt\?"
SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"
#22feb
SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
#24mar
SecRule REQUEST_URI "/docLib/cmd\.asp"
SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath="
#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"
#c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
#generic shell
SecRule REQUEST_URI "shell\.txt"
#bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
#wormsign
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
#New SQL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
# END OF ROOTKIT SECTION
SecFilterCheckURLEncoding Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow
Secfilter "sbin/"
SecFilter "eggz"
SecFilter "eggdrop"
SecFilter "psybnc"
SecFilter "udp.pl"
SecFilter "bindtty"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
Include "/usr/local/apache/conf/modsec.user.conf"
SecFilterSelective THE_REQUEST "dc.pl "
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "act=tools"
SecFilterSelective THE_REQUEST "act=gof"
SecFilterSelective THE_REQUEST "act=ls"
SecFilterSelective THE_REQUEST "act=mk"
SecFilterSelective THE_REQUEST "act=f&"
SecFilterSelective THE_REQUEST "act=sql"
SecFilterSelective THE_REQUEST "act=gofile"
SecFilterSelective THE_REQUEST "act=mkdir"
SecFilterSelective THE_REQUEST "act=ftpquickbrute"
SecFilterSelective THE_REQUEST "act=d"
SecFilterSelective THE_REQUEST "act=phpinfo"
SecFilterSelective THE_REQUEST "act=security"
SecFilterSelective THE_REQUEST "act=makefile"
SecFilterSelective THE_REQUEST "act=encoder"
SecFilterSelective THE_REQUEST "act=fsbuff"
SecFilterSelective THE_REQUEST "act=selfremove"
SecFilterSelective THE_REQUEST "act=update"
SecFilterSelective THE_REQUEST "act=feedback"
SecFilterSelective THE_REQUEST "act=search"
SecFilterSelective THE_REQUEST "act=chmod"
SecFilterSelective THE_REQUEST "act=upload "
SecFilterSelective THE_REQUEST "act=delete"
SecFilterSelective THE_REQUEST "act=paste"
SecFilterSelective THE_REQUEST "act=copy"
SecFilterSelective THE_REQUEST "act=cut"
SecFilterSelective THE_REQUEST "act=unselect "
SecFilterSelective THE_REQUEST "act=cmd"
SecFilterSelective THE_REQUEST "act=tools"
SecFilterSelective THE_REQUEST "act=eval"
SecFilterSelective THE_REQUEST "act=f"
SecFilterSelective THE_REQUEST "&s=r&cmd=dir&dir=."
SecFilterSelective THE_REQUEST "&s=r&cmd=con"
SecFilterSelective THE_REQUEST "INSERT%20INTO"
SecFilterSelective THE_REQUEST "SELECT%20"
SecFilterSelective THE_REQUEST "root="
SecFilterSelective THE_REQUEST "phpshell.php "
SecFilterSelective THE_REQUEST "cc.php"
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "perl "
SecFilterSelective THE_REQUEST "b0t.tmp "
SecFilterSelective THE_REQUEST "bt.pl "
SecFilterSelective THE_REQUEST "fetch "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /tmp/ "
SecFilterSelective THE_REQUEST "cd /var/tmp/ "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective THE_REQUEST "arta\.zip "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
SecFilterSelective THE_REQUEST "cmd=cd\x20/tmp "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var/tmp "
SecFilterSelective THE_REQUEST "cmd=cd\x20/tmp/ "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var/tmp/ "
SecFilterSelective THE_REQUEST "HCL_path=http "
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "
SecFilterSelective THE_REQUEST "tool.gif?cmd "
SecFilterSelective THE_REQUEST "rm -rf "
SecFilterSelective THE_REQUEST "\.htaccess"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~root"
SecFilterSelective THE_REQUEST "/~ftp"
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilterSelective THE_REQUEST "/htgrep" log,pass
SecFilterSelective THE_REQUEST "/\.history"
SecFilterSelective THE_REQUEST "/\.bash_history"
SecFilterSelective THE_REQUEST "/~nobody"
SecFilterSelective THE_REQUEST "<script"
SecFilterSelective THE_REQUEST "psybnc"
SecFilterSelective THE_REQUEST "cmd=cd\x20/var"
SecFilterSelective THE_REQUEST "dir=http"
SecFilterSelective THE_REQUEST "\?STRENGUR"
SecFilterSelective THE_REQUEST "/etc/motd"
SecFilterSelective THE_REQUEST "/etc/passwd"
SecFilterSelective THE_REQUEST "conf/httpd\.conf"
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "bin/tclsh"
SecFilterSelective THE_REQUEST "tclsh8\x20"
SecFilterSelective THE_REQUEST "udp\.pl"
SecFilterSelective THE_REQUEST "linuxdaybot\.txt"
SecFilterSelective THE_REQUEST "wget\x20"
SecFilterSelective THE_REQUEST "bin/nasm"
SecFilterSelective THE_REQUEST "nasm\x20"
SecFilterSelective THE_REQUEST "/usr/bin/perl"
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-(charset|width) "
SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/\.history HTTP\/(0\.9|1\.0|1\.1)$"
SecFilterSelective THE_REQUEST "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$"
SecFilterSelective REQUEST_URI "/nessus_is_probing_you_"
SecFilterSelective REQUEST_URI "/NessusTest"
SecFilter "javascript\://"
SecFilter "img src=javascript"
SecFilter "_PHPLIB\[libdir\]"
SecFilter "hdr=/"
SecFilter '$path."*"'
SecFilterSelective THE_REQUEST "\<IMG.*/\bonerror\b[\s]*=/Ri"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/javascript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-javascript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/jscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/vbscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-vbscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/ecmascript/i"
SecFilterSelective THE_REQUEST "STYLE[\s]*=[\s]*[^>]expression[\s]*\(/i"
SecFilterSelective THE_REQUEST "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>/i"
SecFilterSelective THE_REQUEST "<!\[CDATA\[<\]\]>SCRIPT"
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"
SecFilterSelective REQUEST_URI "/index\.php\?option=com_content&task=vote&id=.*&Itemid=.*&cid=.*&user_rating=.*\((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/content\.php" chain
SecFilterSelective ARG_user_rating ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective ARG_mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index(2?)\.php\?.*mosConfig_absolute_path=(http|https|ftp)\:\/"
SecFilterSelective REQUEST_URI "/emailfriend/(emailarticle|emailfaq|emailnews)\.php\?id=\"(\<script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply\&t=.*userid.*phpbb2mysql_t=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/posting\.php\\?.*(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php"
SecFilter "^/viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)"
SecFilterSelective THE_REQUEST "viewtopic\.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" "(passthru|cmd|fopen|exit|fwrite)"
SecFilter "phpbb_root_path="
SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/groupcp\.php\?g=.*sid=\'"
SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*\'"
SecFilterSelective REQUEST_URI "/portal\.php\?article=*\'"
SecFilterSelective REQUEST_URI "/viewforum.php?f=.*sid=\'"
SecFilterSelective REQUEST_URI "/viewtopic.php?p=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_search\.php\?mode=\'"
SecFilterSelective REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'"
SecFilterSelective REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'\">"
SecFilterSelective REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?p=.*&highlight=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
SecFilterSelective COOKIE_sessionid "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D"
SecFilter "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D"
SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$" chain
SecFilterSelective ARG_highlight "%27"
SecFilter "&highlight=\'\.fwrite\(fopen\("
SecFilter "&highlight=\x2527\x252Esystem\("
SecFilter "&highlight=\'\.mysql_query\("
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilterSelective THE_REQUEST "(\;|\&)highlight=\'\.system\("
SecFilterSelective THE_REQUEST "&highlight=\'\.mysql_query\("
SecFilterSelective THE_REQUEST "&highlight=\'\.fwrite\(fopen\("
SecFilterSelective THE_REQUEST "&highlight=%2527%252E"
SecFilterSelective THE_REQUEST "&highlight=\x2527\x252Esystem\("
SecFilterSelective THE_REQUEST "/viewtopic\.php\?.*(highlight.*(\'\.|\x2527|\x27)|include\(.*GET\[.*\]\)|=(http|https|ftp)\:/|(printf|system)\()"
SecFilterSelective REQUEST_URI "profile\.php\?GLOBALS\[signature_bbcode_uid\]=\(\.\x2B\)/e\x00"
SecFilterSelective REQUEST_URI|POST_PAYLOAD "r57phpBB2017xpl"
SecFilterSelective POST_PAYLOAD "_bill_gates@microsoft\.com"
SecFilterSelective THE_REQUEST "/admin/admin_forums\.php\?sid=.*" chain
SecFilter "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_error_msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "login\.php" chain
SecFilterSelective ARG_forward_page "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "search\.php" chain
SecFilterSelective ARG_list_cat "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_signature_bbcode_uid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective ARG_signature_bbcode_uid "(<.*php|<php)"
SecFilterSelective REQUEST_URI "/downloads\.php\?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_ratenum "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_min "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_orderby "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_url "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_email "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_ratenum "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_min "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_show "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_orderby "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_url "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/modules\.php\?*name=*\<*(script|about|applet|activex|chrome)*\>"
SecFilterSelective REQUEST_URI "/modules\.php\?op=modload&name=News&file=article&sid=*\<*(script|about|applet|activex|chrome)*\>"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&type=comments&query=.*&instory=.*UNION.*SELECT.*pwd.*FROM.*nuke_authors"
SecFilterSelective REQUEST_URI "/modules\.php\?*name=Search*instory="
SecFilterSelective REQUEST_URI "/modules\.php\?*name=(Search|Web_Links).*\'"
SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"
SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
SecFilterSelective THE_REQUEST "/index\.php*file=*(http|https|ftp)"
SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="
SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
SecFilterSelective REQUEST_URI "/banners\.php\?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1<r=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/joinrequests\.php" chain
SecFilter "do=processjoinrequests&usergroupid=.*&request.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/user\.php" chain
SecFilter "do=find&orderby=username&limit.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/(usertitle|usertools)\.php" chain
SecFilter "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/modcp/announcement\.php" chain
SecFilter "do=update&announcementid=.*&start=.*&end=.*&announcement.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/admincalendar\.php" chain
SecFilter "do=update&calendarid=.*&calendar\[.*\]=.*&calendar.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/email\.php" chain
SecFilter "do=makelist&user\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/help\.php" chain
SecFilter "do=doedit&help\[.*\]=.*&help\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "admincp/language\.php" chain
SecFilter "do=update&rvt\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/phrase\.php" chain
SecFilter "do=completeorphans&keep\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
SecFilterSelective REQUEST_URI "/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;"
SecFilterSelective REQUEST_URI "/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui"
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?" chain
SecFilter "\.system\(.+\)\."
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?*comma="
SecFilterSelective REQUEST_URI "/ad_member\.php" chain
SecFilter "emailer\.php"
SecFilterSelective REQUEST_URI "/ipchat\.php*root_path*conf_global\.php"
SecFilterSelective REQUEST_URI "/ipchat\.php" chain
SecFilter "conf_global\.php"
SecFilterSelective REQUEST_URI "/forums/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"
SecFilterSelective REQUEST_URI "/jportal/banner\.php*(UNION|SELECT|DELETE|INSERT)"
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_comment "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/index.php" chain
SecFilterSelective ARG_mid ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/index\.php\?act=Login&CODE=autologin.*((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|user\+AND\+MID\(password)"
SecFilterSelective REQUEST_URI "index\.php" chain
SecFilterSelective ARG_st "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI "calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
SecFilterSelective REQUEST_URI "/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;"
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\."
SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
SecFilterSelective REQUEST_URI "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/product_info\.php" chain
SecFilterSelective ARG_products_id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/relocate_server\.php"
SecFilterSelective REQUEST_URI "/theme\.php\?THEME_DIR=(http|https|ftp)/:/"
SecFilterSelective REQUEST_URI "/index\.php\?lang=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective THE_REQUEST "awstats" chain
SecFilterSelective ARGS "(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod|exec|print)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|"
SecFilterSelective REQUEST_URI "/awstats\.pl\?configdir="
SecFilterSelective REQUEST_URI "awstats\.pl\?" chain
SecFilterSelective ARGS "(debug|configdir|perl|chmod|exec|print|cgi)"
SecFilterSelective THE_REQUEST "/awstats\.pl HTTP\/(0\.9|1\.0|1\.1)$"
SecFilterSelective REQUEST_URI "/attachments\.php\?file=\.\./\.\."
SecFilterSelective REQUEST_URI "/include/main\.php\?config.*=.*&include_dir=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/admin\.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]]+(from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/view\.php\?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/view\.php" chain
SecFilterSelective ARG_t ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/index\.php.*func=*(\.\./|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?op=modload&name=Messages&file=readpmsg&start=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "modules/Downloads/dl-viewdownload\.php" chain
SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/modules/pn_bbcode/pnincludes/contrib/example\.php"
SecFilterSelective REQUEST_URI "/samples/news\.php\?DIR=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/order/orderwiz\.php\?v=.*&aid=.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/wp-trackback\.php\?tb_id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/wp-trackback\.php" chain
SecFilterSelective ARG_tb_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/index\.php\?cat=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/wordpress/" chain
SecFilterSelective ARG_cat "!^[0-9]*$"
SecFilterSelective ARG_cache_lastpostdate "<\?php"
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_poll|ARG_category|ARG_ctg "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI "/index\.php\?&PHPSESSID=\'"
SecFilterSelective REQUEST_URI "/tellafriend\.php\?&product=\'"
SecFilterSelective REQUEST_URI "/view_cart\.php\?add=\'"
SecFilterSelective REQUEST_URI "/view_product\.php\?product=\'"
SecFilterSelective REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-activation\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-cleantables\.php"
SecFilterSelective REQUEST_URI
"/maintenance/maintenance-autotargeting\.php" SecFilterSelective REQUEST_URI "/maintenance/maintenance-reports\.php" SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php" SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php" SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/click\.php" SecFilterSelective REQUEST_URI "/adframe\.php\?refresh=securityreason\.com\'\>" SecFilterSelective REQUEST_URI "/logout\.php" chain SecFilterSelective ARG_sessiodID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)" SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain SecFilterSelective POST_PAYLOAD "<methodName>blogger\.getUsersBlogs</methodName>" chain SecFilter ".*\' AND ascii\(substring\(pass" SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>" #Slightly stronger version of the above SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>" SecFilterSelective REQUEST_URI "exit\.php\?entry_id=.*&url_id=.*\x20UNION\x20SELECT\x20(password|username)\x20FROM" SecFilterSelective REQUEST_URI "/config\.php\?path\[docroot\]=((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))" SecFilterSelective THE_REQUEST "/index\.php\?homeinclude=catalog&category_id=&parent_id=.*" chain SecFilter "<[[:space:]]*(href|script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome|a)[[:space:]]*>" SecFilterSelective REQUEST_URI "/index\.php" chain SecFilterSelective ARG_campaign_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| 
|\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)" # SON
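Apache refuses to start when a rule file contains a directive the loaded ModSecurity version does not know, and `SecFilter`/`SecFilterSelective` are ModSecurity 1.x directives that ModSecurity 2.x no longer accepts. The shell functions below are an added example, not part of the original post: they check a rule file for such directives, append it to the live file after taking a backup, and restore the backup if the configuration test fails. The `CONF_TEST` variable, the function names and `new_rules.conf` are assumptions of the example; the target path is the one the article names.

```shell
#!/bin/sh
# Added example (not from the original post): rollback-safe install of a rule file.
# CONF_TEST is an assumption: the command that validates the Apache configuration.
CONF_TEST="${CONF_TEST:-apachectl configtest}"

# List ModSecurity 1.x directives (SecFilter, SecFilterSelective, SecFilterEngine, ...)
# with their line numbers. ModSecurity 2.x rejects them as "Invalid command".
legacy_directives() {
    grep -nE '^[[:space:]]*SecFilter[A-Za-z]*([[:space:]]|$)' "$1"
}

# safe_install NEW_RULES TARGET
# returns 0 = installed, 1 = backup failed, 2 = legacy syntax, 3 = config test failed
safe_install() {
    new="$1"; target="$2"
    if legacy_directives "$new" >/dev/null; then
        echo "refusing $new: ModSecurity 1.x directives found:" >&2
        legacy_directives "$new" | head -n 5 >&2
        return 2
    fi
    backup="$target.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup" || return 1
    cat "$new" >> "$target"
    # Validate before any restart; a failed test means Apache would not come back up.
    if ! $CONF_TEST >/dev/null 2>&1; then
        cp -p "$backup" "$target"
        echo "configuration test failed; restored $backup" >&2
        return 3
    fi
    echo "configuration OK, backup kept at $backup; Apache can be restarted"
}

# Usage (new_rules.conf is a hypothetical file holding the rules to add):
#   safe_install new_rules.conf /usr/local/apache/conf/modsec2.user.conf && apachectl restart
```
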
Comments (3)
test
After applying these codes, Apache does not restart and all the sites go offline.
An Apache update was needed. The sites stayed down for 50 minutes.
admin
That is interesting; we have been using these codes for a long time and have not had any problems.
Can
I ran into a similar situation too.