authormh <mh@immerda.ch>2008-07-26 15:21:59 +0000
committermh <mh@immerda.ch>2008-07-26 15:21:59 +0000
commitd6a3b141488165e350359207a5b4b63a305b27ce (patch)
tree7ef63cd364d5d27f47ef3b7cc27653c9f6679f96 /files
parentf6d135d7e52f27d2dadad243417d81da62f3f347 (diff)
factored out the modules of the apache module
Diffstat (limited to 'files')
-rw-r--r--files/mod_security/configs/gentoo/99_mod_security.conf15
-rw-r--r--files/mod_security/custom_rules/Zour_excludes.conf14
-rw-r--r--files/mod_security/custom_rules/apache2-rules.conf57
-rw-r--r--files/mod_security/custom_rules/blacklist.conf7679
-rw-r--r--files/mod_security/custom_rules/blacklist2.conf583
-rw-r--r--files/mod_security/custom_rules/exclude.conf179
-rw-r--r--files/mod_security/custom_rules/jitp.conf4442
-rw-r--r--files/mod_security/custom_rules/recons.conf50
-rw-r--r--files/mod_security/custom_rules/rootkits.conf182
-rw-r--r--files/mod_security/custom_rules/rules.conf546
-rw-r--r--files/mod_security/custom_rules/useragents.conf229
-rw-r--r--files/php/apache2_php5_php.ini/php.ini1287
12 files changed, 0 insertions, 15263 deletions
diff --git a/files/mod_security/configs/gentoo/99_mod_security.conf b/files/mod_security/configs/gentoo/99_mod_security.conf
deleted file mode 100644
index f1c55ad..0000000
--- a/files/mod_security/configs/gentoo/99_mod_security.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-###########################################################
-# copyleft 2008 immerda.ch
-###########################################################
-### this file is managed by PUPPET ####
-### only modify in svn or you will loose the changes ! ####
-###########################################################
-<IfDefine SECURITY>
- <IfModule !mod_security2.c>
- LoadModule security2_module modules/mod_security2.so
- </IfModule>
-
- # use Core Rule Set by default:
- Include /etc/apache2/modules.d/mod_security/*.conf
- Include /etc/apache2/modules.d/mod_security/Zcustom_rules/*.conf
-</IfDefine>
diff --git a/files/mod_security/custom_rules/Zour_excludes.conf b/files/mod_security/custom_rules/Zour_excludes.conf
deleted file mode 100644
index 69f49c5..0000000
--- a/files/mod_security/custom_rules/Zour_excludes.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-###########################################################
-# copyleft 2008 immerda.ch
-###########################################################
-### this file is managed by PUPPET ####
-### only modify in svn or you will loose the changes ! ####
-###########################################################
-<LocationMatch "scandir.php">
-SecRuleRemoveById 950013
-SecRuleRemoveById 970015
-</LocationMatch>
-
-<LocationMatch "showimg.php">
-SecRuleRemoveById 950013
-</LocationMatch>
diff --git a/files/mod_security/custom_rules/apache2-rules.conf b/files/mod_security/custom_rules/apache2-rules.conf
deleted file mode 100644
index eb2710e..0000000
--- a/files/mod_security/custom_rules/apache2-rules.conf
+++ /dev/null
@@ -1,57 +0,0 @@
-#http://www.gotroot.com/mod_security+rules
-# Special Application Security Rules for Apache 2.x
-# For ModSecurity 2.x
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2-rules.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# Version: N-20061022-01
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-#NOTE: These rules will only work for systems running Apache 2.x.
-
-#phpbb Session Cookie
-SecRule REQUEST_COOKIES:sessionid "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D"
-SecRule REQUEST_URI|ARGS|REQUEST_BODY "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D"
-
-#schema overflow attempt
-SecRule REQUEST_URI|ARGS|REQUEST_BODY "\|3A\|///^[^\/]{14,}?\x3a\/\//U"
-
-#HappyMall Command Execution member_html.cgi
-SecRule REQUEST_URI "/member_html\.cgi\x3F.*file\x3D(\x3B|\x7C)"
-
-#HappyMall Command Execution normal_html.cgi
-SecRule REQUEST_URI "/normal_html\.cgi\x3F.*file\x3D(\x3B|\x7C)"
-
-#phpBB Remote Code Execution Attempt
-SecRule REQUEST_URI "/viewtopic\.php\?" chain
-SecRule REQUEST_URI|ARGS|REQUEST_BODY "highlight=.*(\'|\%[a-f0-9]{4})(\.|\/|\\|\%[a-f0-9]{4}).+?(\'|\%[a-f0-9]{4})"
-
-#XSS generic sig
-SecRule REQUEST_URI|ARGS|REQUEST_BODY "/(\x3D|=)[^\n]*(\x3C|<)[^\n]+(\x3E|>)"
-
-#generic SQL injection sigs using PCRE
-SecRule REQUEST_URI|ARGS|REQUEST_BODY "/\w*(\x27|\’)(\x6F|o|\x4F)(\x72|r|\x52)/ix"
-
-##TWiki "rev" Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/TWikiUsers\?rev=\x20\x7C"
-
-##ATutor Multiple Vulnerabilities
-SecRule REQUEST_URI "/(body_header\.inc|print)\.php\?section.*\x00"
-
-#faqmanager.cgi arbitrary file access attempt
-SecRule REQUEST_URI "/faqmanager.cgi?toc=.*(\|00\||\x00)"
diff --git a/files/mod_security/custom_rules/blacklist.conf b/files/mod_security/custom_rules/blacklist.conf
deleted file mode 100644
index 4b0ffdf..0000000
--- a/files/mod_security/custom_rules/blacklist.conf
+++ /dev/null
@@ -1,7679 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Comment Spam Rules for modsec 2.x
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/blacklist.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-#Version: N-20061022-01
-#
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-
-#http://www.gotroot.com
-#see website for more information
-SecRule REQUEST_URI "!(/compose\.php\?)" chain
-SecRule ARGS|REQUEST_BODY|REQUEST_URI "Subject\:" chain
-SecRule ARGS:Bcc ".*\@"
-SecRule REQUEST_URI "!(/compose\.php\?)" chain
-SecRule ARGS|REQUEST_BODY|REQUEST_URI "Subject\:" chain
-SecRule ARGS|REQUEST_BODY|REQUEST_URI "\s*bcc\:"
-SecRule REQUEST_URI "!(/compose\.php\?)" chain
-SecRule ARGS|REQUEST_BODY|REQUEST_URI "\s*bcc\:\s*[a-z0-9._%-]+@[A-Z0-9.-]+\.[a-z]{2,}"
-SecRule REQUEST_URI "!(/compose\.php\?)" chain
-SecRule ARGS "\n[[:space:]]*(to|b?cc)[[:space:]]*:.*@"
-SecRule REQUEST_URI "!(/compose\.php\?)" chain
-SecRule ARGS "\s*bcc\:\s*[a-z0-9._%-]+\@.*\.[a-z]{2,}"
-SecRule HTTP_x-aaaaaaaaa|HTTP_XAAAAAAAAA ".+$"
-SecRule HTTP_x-aaaaaaaaaaa|HTTP_XAAAAAAAAAAA ".+$"
-SecRule HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA ".+$"
-#SecRule HTTP_XXXXXXXXXXXXXXX ".+$"
-
-#unknown pattern in testing, logging only, please send
-#any patterns RELATED TO SPAM OR ATTACKS you log with with these rules
-#please do not send false positives for this rule set, just turn it off
-#SecRule HTTP_aaaaaaaaa|HTTP_AAAAAAAAA ".+$" "log,pass"
-#SecRule HTTP_aaaaaaaaaaa|HTTP_AAAAAAAAAAA ".+$" "log,pass"
-#SecRule HTTP_aaaaaaaaaaaa|HTTP_AAAAAAAAAAAA ".+$" "log,pass"
-#SecRule HTTP_aaaaaaaaaaaaaaa|HTTP_AAAAAAAAAAAAAAA ".+$" "log,pass"
-
-SecRule HTTP_Referer|ARGS "(blow)+[\w\-_.]*(jobs?)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(gay)+[\w\-_.]*(beastiality)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(beastilality)+[\w\-_.]*(stories)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(free)+[\w\-_.]*(beastiality)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(horse|animal|dog)+[\w\-_.]*(porn|cocks|dick|sex|penis|blowj.*)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(buy)+[\w\-_.]*online[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(diet|penis)+[\w\-_.]*(pills|enlargement)[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(enlarg|enhanc).*(male|penis|natural).*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(enlarg|enhanc).*(male|penis|natural)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(online)+[\w\-_.]*pharmacy"
-SecRule HTTP_Referer|ARGS "(i|la)-sonneries?[\w\-_.]*\.[a-z]{2,}"
-SecRule REQUEST_URI "!(/sugarcrm/index\.php)" chain
-SecRule HTTP_Referer|ARGS "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(ephedrine|neurontin|glucosamine|testosterone|cialis|lipitor|effexor|propecia|celebrex|gluclosamine|lexapro|ephedra|levitra)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(magazine)+[\w\-_.]*(finder|netfirms)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(male|penis)enlarg*\.(biz|com|net|org|us|info)"
-SecRule HTTP_Referer|ARGS "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)"
-SecRule HTTP_Referer|ARGS "(mike)+[\w\-_.]*apartment[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(milf)+[\w\-_.]*(hunter|moms|fucking|lessons)[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(natural|penis|male).*(enlarg.*|enhanc.*)"
-SecRule HTTP_Referer|ARGS "(natural|penis|male)+[\w\-_.]*(enlarg.*|enhanc.*)"
-SecRule HTTP_Referer|ARGS "(online)+[\w\-_.]*(prescription|casino|roulette|slot)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[\w\-_.]*(casino|roulette)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[\w\-_.]*(casino|roulette).*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(slot)+[\w\-_.]*machines\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(prozac|zoloft|xanax|valium|hydrocodone|vicodin|paxil|vioxx)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(ragazze)-?\w+\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(texas)+[\w\-_.]*holdem"
-SecRule HTTP_Referer|ARGS "(phentermine)+[\w\-_.]*online"
-SecRule HTTP_Referer|ARGS "(texas)+[\w\-_.]*hold[\w\-_.].*em"
-SecRule HTTP_Referer|ARGS "texas[\w\-_.]hold[\w\-_.]em"
-SecRule HTTP_Referer|ARGS "pacific+[\w\-_.]*poke.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "poker+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[\w\-_.]*poker\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[\w\-_.]*poker.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "poker.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(random|free|internet)+[\w\-_.]*slots\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(wellbutrin|tenuate|tramadol|pheromones|phendimetrazine|ionamin|ortho.?tricyclen|retin.?a\b)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "ultram\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(celexa|valtrex|zyrtec|\bhgh\b|ambien\b|flonase|allegra|didrex|renova|bontril|nexium)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "([\w\-_.]+\.)?(l(so|os)tr)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(lose[\w\-_.]*weight|weight[\w\-_.]*loss).*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(prices|pills|buy|diet*|medic(ine|ation|al)|dru.*)\.pharma.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "01-beltonen\.com"
-SecRule HTTP_Referer|ARGS "01-klingeltoene\.at"
-SecRule HTTP_Referer|ARGS "01-klingeltoene\.de"
-SecRule HTTP_Referer|ARGS "01-loghi\.com"
-SecRule HTTP_Referer|ARGS "01-logo\.com"
-SecRule HTTP_Referer|ARGS "01-logot\.com"
-SecRule HTTP_Referer|ARGS "01-logotyper\.com"
-SecRule HTTP_Referer|ARGS "01-melodia\.com"
-SecRule HTTP_Referer|ARGS "01-melodias\.com"
-SecRule HTTP_Referer|ARGS "01-ringetone\.com"
-SecRule HTTP_Referer|ARGS "01-ringsignaler\.com"
-SecRule HTTP_Referer|ARGS "01-ringtone\.com"
-SecRule HTTP_Referer|ARGS "01ringtones\.co\.uk"
-SecRule HTTP_Referer|ARGS "01-ringtones\.us"
-SecRule HTTP_Referer|ARGS "01-soittoaanet\.com"
-SecRule HTTP_Referer|ARGS "01-suonerie\.com"
-SecRule HTTP_Referer|ARGS "01-toque\.com"
-SecRule HTTP_Referer|ARGS "[0-9a-z_.\-]*(bulkcrawler|sysco[mn]-[a-z0-9]+|jagk|kloony|azgirlcam)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[0-9a-z_.\-]*(camfun24|jardimed|kylos(net)?|istarthere|roxtet|freshgirls)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[0-9a-z_.\-]*(dailyorbit|insurancequoteweb|i-horny|livenet|filthserver)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[0-9a-z_.\-]*(formula42|ilya|9sekund|find-it-buy-it|xopy|bukakke)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[0-9a-z_.\-]*fortunecity\.[a-z.]+\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[0-9a-z_.\-]*(notlong|isacommie|musicbox[0-9]|miccel|rooody|rowdd|colkk)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[0-9a-z_.\-]*(nullnix|plongs|pimrim|ewilla|startseek|ponagansetpost)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[0-9a-z_.\-]*(sysrem[0-9]+|lemonrider[0-9]*|exitq|defunctportal|andrewsaluk)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "0adult-cartoon\.com"
-SecRule HTTP_Referer|ARGS "0adult-manga\.com"
-SecRule HTTP_Referer|ARGS "0cartoon\.com"
-SecRule HTTP_Referer|ARGS "0cartoon-porn\.com"
-SecRule HTTP_Referer|ARGS "0cartoon-sex\.com"
-SecRule HTTP_Referer|ARGS "0casino-online\.com"
-SecRule HTTP_Referer|ARGS "0casinoonline\.com"
-SecRule HTTP_Referer|ARGS "0catch\.com"
-SecRule HTTP_Referer|ARGS "0free-hentai\.com"
-SecRule HTTP_Referer|ARGS "0freehentai\.com"
-SecRule HTTP_Referer|ARGS "0hentai-anime\.com"
-SecRule HTTP_Referer|ARGS "0hentai-manga\.com"
-SecRule HTTP_Referer|ARGS "0hentaimanga\.com"
-SecRule HTTP_Referer|ARGS "0internet-casino\.com"
-SecRule HTTP_Referer|ARGS "0livesex\.com"
-SecRule HTTP_Referer|ARGS "0manga\.com"
-SecRule HTTP_Referer|ARGS "0manga-porno\.com"
-SecRule HTTP_Referer|ARGS "0manga-sesso\.com"
-SecRule HTTP_Referer|ARGS "0sesso-amatoriale\.com"
-SecRule HTTP_Referer|ARGS "0sessoanale\.com"
-SecRule HTTP_Referer|ARGS "0sesso\.biz"
-SecRule HTTP_Referer|ARGS "0sessogratis\.us"
-SecRule HTTP_Referer|ARGS "0sesso-orale\.biz"
-SecRule HTTP_Referer|ARGS "0sesso\.us"
-SecRule HTTP_Referer|ARGS "0sex-toons\.com"
-SecRule HTTP_Referer|ARGS "0sfondi\.com"
-SecRule HTTP_Referer|ARGS "0sfondi-desktop\.com"
-SecRule HTTP_Referer|ARGS "0suonerie\.com"
-SecRule HTTP_Referer|ARGS "0tatuaggi\.com"
-SecRule HTTP_Referer|ARGS "0toons\.com"
-SecRule HTTP_Referer|ARGS "0video-porno\.com"
-SecRule HTTP_Referer|ARGS "0virtual-casino\.com"
-SecRule HTTP_Referer|ARGS "0xxx-cartoon\.com"
-SecRule HTTP_Referer|ARGS "100free\.com"
-SecRule HTTP_Referer|ARGS "100hgh\.com"
-SecRule HTTP_Referer|ARGS "100-sex\.com"
-SecRule HTTP_Referer|ARGS "101pills\.com"
-SecRule HTTP_Referer|ARGS "108bikes\.com"
-SecRule HTTP_Referer|ARGS "123-home-improvement-equity-loans\.com"
-SecRule HTTP_Referer|ARGS "123onlinepoker\.com"
-SecRule HTTP_Referer|ARGS "123sessogratis\.com"
-SecRule HTTP_Referer|ARGS "123-sign-making-equipment-and-supplies\.com"
-SecRule HTTP_Referer|ARGS "125mb\.com"
-SecRule HTTP_Referer|ARGS "15668\.com"
-SecRule HTTP_Referer|ARGS "16pp\.com"
-SecRule HTTP_Referer|ARGS "1a1merchantaccounts\.com"
-SecRule HTTP_Referer|ARGS "1asphost\.com"
-SecRule HTTP_Referer|ARGS "1-bignaturals\.com"
-SecRule HTTP_Referer|ARGS "1concerttickets\.com"
-SecRule HTTP_Referer|ARGS "1-cumfiesta\.com"
-SecRule HTTP_Referer|ARGS "1-engineering-books\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "1footballtickets\.com"
-SecRule HTTP_Referer|ARGS "1freespot\.com"
-SecRule HTTP_Referer|ARGS "1-klingeltone\.com"
-SecRule HTTP_Referer|ARGS "1on8\.com"
-SecRule HTTP_Referer|ARGS "1on8\.co\.uk"
-SecRule HTTP_Referer|ARGS "1-online-poker\.us"
-SecRule HTTP_Referer|ARGS "1-poker-games\.biz"
-SecRule HTTP_Referer|ARGS "1st-advantage-credit-repair\.com"
-SecRule HTTP_Referer|ARGS "1st-auto-insurance-4u\.com"
-SecRule HTTP_Referer|ARGS "1stchoiceontv\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "1st-host\.org"
-SecRule HTTP_Referer|ARGS "1stincomeracing\.co\.uk"
-SecRule HTTP_Referer|ARGS "1stindustrialdirectory\.com"
-SecRule HTTP_Referer|ARGS "\.redir\.cz"
-SecRule HTTP_Referer|ARGS "\.vnsoul\.org"
-SecRule HTTP_Referer|ARGS "\.caribbean-poker-trx\.com"
-SecRule HTTP_Referer|ARGS "\.baccarat.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pay-casinos\.com"
-SecRule HTTP_Referer|ARGS "\.psxtreme\.com"
-SecRule HTTP_Referer|ARGS "bhqx\.com"
-SecRule HTTP_Referer|ARGS "unique-poker\.com"
-SecRule HTTP_Referer|ARGS "moneydetails\.net"
-SecRule HTTP_Referer|ARGS "\.reachcasino\.com"
-SecRule HTTP_Referer|ARGS "\.society-health\.com"
-SecRule HTTP_Referer|ARGS "1stlookcd\.com"
-SecRule HTTP_Referer|ARGS "1st-payday-loans\.net"
-SecRule HTTP_Referer|ARGS "1st-phonecard\.com"
-SecRule HTTP_Referer|ARGS "1st-poker-online\.com"
-SecRule HTTP_Referer|ARGS "1st-printer-ink-cartridge\.com"
-SecRule HTTP_Referer|ARGS "1st-shemale-sex\.com"
-SecRule HTTP_Referer|ARGS "1-welivetogether\.com"
-SecRule HTTP_Referer|ARGS "1-wholesale-distributor\.com"
-SecRule HTTP_Referer|ARGS "1xp6z\.com"
-#SecRule HTTP_Referer|ARGS "20fr\.com"
-SecRule HTTP_Referer|ARGS "216\.130\.167\.230"
-SecRule HTTP_Referer|ARGS "247-rx\.net"
-SecRule HTTP_Referer|ARGS "24-hour-fitness-online\.com"
-SecRule HTTP_Referer|ARGS "2ndmortgageinterestrates\.com"
-SecRule HTTP_Referer|ARGS "2teens\.net"
-SecRule HTTP_Referer|ARGS "2twinks\.com"
-SecRule HTTP_Referer|ARGS "\.2waky\.com"
-SecRule HTTP_Referer|ARGS "2zj\.cn"
-SecRule HTTP_Referer|ARGS "321cigarettes\.com"
-SecRule HTTP_Referer|ARGS "3333\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "3333\.ws"
-SecRule HTTP_Referer|ARGS "333-casino\.com"
-SecRule HTTP_Referer|ARGS "333-poker\.com"
-SecRule HTTP_Referer|ARGS "33633\.net"
-SecRule HTTP_Referer|ARGS "365jp\.com"
-SecRule HTTP_Referer|ARGS "38ha\.com"
-SecRule HTTP_Referer|ARGS "3-day-diet-plan\.com"
-SecRule HTTP_Referer|ARGS "3daytrialporn\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "3host\.com"
-SecRule HTTP_Referer|ARGS "3sixtyfour\.com"
-SecRule HTTP_Referer|ARGS "3yaoi\.com"
-SecRule HTTP_Referer|ARGS "404host\.com"
-SecRule HTTP_Referer|ARGS "404servers\.com"
-SecRule HTTP_Referer|ARGS "41b\.net"
-SecRule HTTP_Referer|ARGS "42tower\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "42tower\.ws"
-SecRule HTTP_Referer|ARGS "444-casino\.com"
-SecRule HTTP_Referer|ARGS "444-poker\.com"
-SecRule HTTP_Referer|ARGS "4hs8\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "4hs8\.com"
-SecRule HTTP_Referer|ARGS "4mg\.com"
-SecRule HTTP_Referer|ARGS "4result\.net"
-SecRule HTTP_Referer|ARGS "-4u\.info"
-SecRule HTTP_Referer|ARGS "4u-topshelfpussy\.com"
-SecRule HTTP_Referer|ARGS "4womenoftheworld\.com"
-SecRule HTTP_Referer|ARGS "-4-you\.info"
-SecRule HTTP_Referer|ARGS "5000n\.com"
-SecRule HTTP_Referer|ARGS "50webs\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "51asa\.com"
-SecRule HTTP_Referer|ARGS "51\.net"
-SecRule HTTP_Referer|ARGS "555-poker\.com"
-SecRule HTTP_Referer|ARGS "5amateurs\.com"
-SecRule HTTP_Referer|ARGS "5ux\.com"
-SecRule HTTP_Referer|ARGS "65\.217\.108\.182"
-SecRule HTTP_Referer|ARGS "666-casino\.com"
-SecRule HTTP_Referer|ARGS "666-gambling\.com"
-SecRule HTTP_Referer|ARGS "69\.61\.11\.163"
-SecRule HTTP_Referer|ARGS "6p\.org\.uk"
-SecRule HTTP_Referer|ARGS "6x\.to"
-SecRule HTTP_Referer|ARGS "7host\.com"
-SecRule HTTP_Referer|ARGS "7p\.org\.uk"
-SecRule HTTP_Referer|ARGS "7yardsweb\.com"
-SecRule HTTP_Referer|ARGS "888cas\.com"
-SecRule HTTP_Referer|ARGS "888jack\.com"
-SecRule HTTP_Referer|ARGS "888-online-poker\.com"
-SecRule HTTP_Referer|ARGS "88aabb\.com"
-SecRule HTTP_Referer|ARGS "8bit\.co\.uk"
-SecRule HTTP_Referer|ARGS "8gold\.com"
-SecRule HTTP_Referer|ARGS "8k\.com"
-SecRule HTTP_Referer|ARGS "8th\S*street\S*latina\S*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "8yardsweb\.com"
-SecRule HTTP_Referer|ARGS "911easymoney\.com"
-SecRule HTTP_Referer|ARGS "911pills\.info"
-SecRule HTTP_Referer|ARGS "989888\.com"
-SecRule HTTP_Referer|ARGS "9irl\.com"
-SecRule HTTP_Referer|ARGS "9p\.org\.uk"
-SecRule HTTP_Referer|ARGS "9sekund\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "a1cellphoneaccessories\.info"
-SecRule HTTP_Referer|ARGS "a1digitalcameras\.info"
-SecRule HTTP_Referer|ARGS "a1metalbuildings\.info"
-SecRule HTTP_Referer|ARGS "a1-mortgage-finder\.com"
-SecRule HTTP_Referer|ARGS "a1steelbuildings\.info"
-SecRule HTTP_Referer|ARGS "a1timemanagement\.info"
-SecRule HTTP_Referer|ARGS "a-1-versicherungsvergleich\.de"
-SecRule HTTP_Referer|ARGS "abc3x\.com"
-SecRule HTTP_Referer|ARGS "abnehmen-ganz-sicher\.com"
-SecRule HTTP_Referer|ARGS "abocams\.de"
-SecRule HTTP_Referer|ARGS "about-enzyte"
-SecRule HTTP_Referer|ARGS "aboutgrouphomes\.com"
-SecRule HTTP_Referer|ARGS "abymetro\.org\.uk"
-SecRule HTTP_Referer|ARGS "academyofmusic\.us"
-SecRule HTTP_Referer|ARGS "acceptcreditcardsonlineinternetmerchantaccountservices\.com"
-SecRule HTTP_Referer|ARGS "acceptcreditcardsrealtime\.com"
-SecRule HTTP_Referer|ARGS "accessthepeace\.com"
-SecRule HTTP_Referer|ARGS "accompagnatrici\.cc"
-SecRule HTTP_Referer|ARGS "account-master.ru"
-SecRule HTTP_Referer|ARGS "accountservices\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "achtung\.hopto\.org"
-SecRule HTTP_Referer|ARGS "acomputer4u\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "acornfm\.com"
-SecRule HTTP_Referer|ARGS "acornwebdesign\.co\.uk"
-SecRule HTTP_Referer|ARGS "acrs\.us"
-SecRule HTTP_Referer|ARGS "activerx\.com"
-SecRule HTTP_Referer|ARGS "acyclovir\.net"
-SecRule HTTP_Referer|ARGS "addictinggames\.com"
-SecRule HTTP_Referer|ARGS "adspo(o|l)l\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "adminshop\.com"
-SecRule HTTP_Referer|ARGS "aducasher\.spb\.ru"
-SecRule HTTP_Referer|ARGS "adult-dvd-dot\.com"
-SecRule HTTP_Referer|ARGS "adult-dvds-dot\.com"
-SecRule HTTP_Referer|ARGS "adultfreehosting\.com"
-SecRule HTTP_Referer|ARGS "adult-free-webcams\.com"
-SecRule HTTP_Referer|ARGS "adultfriendfinder\.com"
-SecRule HTTP_Referer|ARGS "adultfriendfindernow\.com"
-SecRule HTTP_Referer|ARGS "adultfriendfindersite\.com"
-SecRule HTTP_Referer|ARGS "adult-friend\.info"
-SecRule HTTP_Referer|ARGS "adultfriendsite\.com"
-SecRule HTTP_Referer|ARGS "adult-games\.name"
-SecRule HTTP_Referer|ARGS "adulthostpro\.com"
-SecRule HTTP_Referer|ARGS "adultlingerieuk\.com"
-SecRule HTTP_Referer|ARGS "adult-manga\.org"
-SecRule HTTP_Referer|ARGS "adultnonstop\.com"
-SecRule HTTP_Referer|ARGS "adultpagina.nl"
-SecRule HTTP_Referer|ARGS "adultporncentral\.net"
-SecRule HTTP_Referer|ARGS "adult-porno\.us"
-SecRule HTTP_Referer|ARGS "adultserviceproviders\.com"
-SecRule HTTP_Referer|ARGS "adultshare\.com"
-SecRule HTTP_Referer|ARGS "adultsitescenter\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "adultstartsites\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "advantage-quotes\.com"
-SecRule HTTP_Referer|ARGS "advisordvd\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "a--e\.com"
-SecRule HTTP_Referer|ARGS "aektschen\.de"
-SecRule HTTP_Referer|ARGS "aesthetics\.co\.il"
-SecRule HTTP_Referer|ARGS "affilino\.net"
-SecRule HTTP_Referer|ARGS "afreeserver\.com"
-SecRule HTTP_Referer|ARGS "agiz\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "ahbabe\.com"
-SecRule HTTP_Referer|ARGS "aimite\.com"
-SecRule HTTP_Referer|ARGS "airfare-links\.net"
-SecRule HTTP_Referer|ARGS "airshow-china\.com\.cn"
-SecRule HTTP_Referer|ARGS "alawna\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "albinshu\.com"
-SecRule HTTP_Referer|ARGS "alfonssackpfeiffe\.com"
-SecRule HTTP_Referer|ARGS "allago\.de"
-SecRule HTTP_Referer|ARGS "all-calmortgage\.com"
-SecRule HTTP_Referer|ARGS "all-debt-consolidation\.org"
-SecRule HTTP_Referer|ARGS "allfind\.us"
-SecRule HTTP_Referer|ARGS "all-fioricet\.com"
-SecRule HTTP_Referer|ARGS "all-gay-porn\.us"
-SecRule HTTP_Referer|ARGS "allinsurancetype\.com"
-SecRule HTTP_Referer|ARGS "allmagic\.ru"
-SecRule HTTP_Referer|ARGS "alloha\.info"
-SecRule HTTP_Referer|ARGS "allohaweb\.com"
-SecRule HTTP_Referer|ARGS "alloz\.com"
-SecRule HTTP_Referer|ARGS "all-poker-online"
-SecRule HTTP_Referer|ARGS "allslots\.com"
-SecRule HTTP_Referer|ARGS "allthediets\.com"
-SecRule HTTP_Referer|ARGS "allthroating\.com"
-SecRule HTTP_Referer|ARGS "all-we-live-together\.com"
-SecRule HTTP_Referer|ARGS "almacenpc\.com"
-SecRule HTTP_Referer|ARGS "alphacarolinas\.org"
-SecRule HTTP_Referer|ARGS "alright\.com\.ru"
-SecRule HTTP_Referer|ARGS "alt-bdsm\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "altersvorsorge-1a\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "alumnicards\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "alumnicards\.com"
-SecRule HTTP_Referer|ARGS "amateurjerkoff\.org"
-SecRule HTTP_Referer|ARGS "amateur-lesbian\.us"
-SecRule HTTP_Referer|ARGS "amateur-movie\.us"
-SecRule HTTP_Referer|ARGS "amateur-naked\.us"
-SecRule HTTP_Referer|ARGS "amateur-porn-gallery\.com"
-SecRule HTTP_Referer|ARGS "amateur-porno\.us"
-SecRule HTTP_Referer|ARGS "amateur-site\.us"
-SecRule HTTP_Referer|ARGS "amateurs\.r00m\.com"
-SecRule HTTP_Referer|ARGS "amateursuite\.com"
-SecRule HTTP_Referer|ARGS "amateurs-xxx\.us"
-SecRule HTTP_Referer|ARGS "amateur-thumbnail\.com"
-SecRule HTTP_Referer|ARGS "amateur-thumbs\.net"
-SecRule HTTP_Referer|ARGS "amateurxpass\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "amazing-satellite-tv-deals\.info"
-SecRule HTTP_Referer|ARGS "americacashfast\.com"
-SecRule HTTP_Referer|ARGS "americancdduplication\.com"
-SecRule HTTP_Referer|ARGS "americanpaydayloans\.net"
-SecRule HTTP_Referer|ARGS "american-single-dating\.com"
-SecRule HTTP_Referer|ARGS "americastgp\.com"
-SecRule HTTP_Referer|ARGS "amoxicillin-online\.net"
-SecRule HTTP_Referer|ARGS "analgirls.nl"
-SecRule HTTP_Referer|ARGS "analingus.nl"
-SecRule HTTP_Referer|ARGS "analloverz\.com"
-SecRule HTTP_Referer|ARGS "analsex.d4f\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "anal-sex-pictures\.us"
-SecRule HTTP_Referer|ARGS "andrewsaluk\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "andyedf\.de"
-SecRule HTTP_Referer|ARGS "angenehmen-aufenthalt\.de"
-SecRule HTTP_Referer|ARGS "animalfuck\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "animal-fuck\.org"
-SecRule HTTP_Referer|ARGS "animal-porn\.ws"
-SecRule HTTP_Referer|ARGS "animalsex-movies-archive\.com"
-SecRule HTTP_Referer|ARGS "animalsex-pics-gallery\.com"
-SecRule HTTP_Referer|ARGS "anime-adult\.us"
-SecRule HTTP_Referer|ARGS "anime-hentai-porn\.com"
-SecRule HTTP_Referer|ARGS "anime-manga\.us"
-SecRule HTTP_Referer|ARGS "anime-porn\.name"
-SecRule HTTP_Referer|ARGS "anime-porn-sex-xxx\.com"
-SecRule HTTP_Referer|ARGS "anime-sex-1\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "anime-sex-cartoon-porn\.com"
-SecRule HTTP_Referer|ARGS "annunci-coppie\.net"
-SecRule HTTP_Referer|ARGS "annunci-erotici\.net"
-SecRule HTTP_Referer|ARGS "annunci-erotici\.org"
-SecRule HTTP_Referer|ARGS "annunci-personali\.org"
-SecRule HTTP_Referer|ARGS "annunci-sesso\.org"
-SecRule HTTP_Referer|ARGS "annunci-sesso\.us"
-SecRule HTTP_Referer|ARGS "annuncisesso\.us"
-SecRule HTTP_Referer|ARGS "anomic\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "anonsi\.com"
-SecRule HTTP_Referer|ARGS "anonymous-blogger\.com"
-SecRule HTTP_Referer|ARGS "ansar-u-deen\.org"
-SecRule HTTP_Referer|ARGS "anticlick\.com\.ru"
-SecRule HTTP_Referer|ARGS "anti-exploit\.com"
-SecRule HTTP_Referer|ARGS "anuntisinmobiliaria\.com"
-SecRule HTTP_Referer|ARGS "anxietydisorders\.biz"
-SecRule HTTP_Referer|ARGS "anylight4u\.com"
-SecRule HTTP_Referer|ARGS "anything4health\.com"
-SecRule HTTP_Referer|ARGS "anzwers\.org"
-SecRule HTTP_Referer|ARGS "aol-com\.us"
-SecRule HTTP_Referer|ARGS "ap8\.com"
-SecRule HTTP_Referer|ARGS "apecceosummit2003\.com"
-SecRule HTTP_Referer|ARGS "a-pics\.net"
-SecRule HTTP_Referer|ARGS "apollopatch\.com"
-SecRule HTTP_Referer|ARGS "apornhost\.com"
-SecRule HTTP_Referer|ARGS "apotheke-heute\.com"
-SecRule HTTP_Referer|ARGS "applyonline\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "apply-to-green-card\.org"
-SecRule HTTP_Referer|ARGS "appollo\.org"
-SecRule HTTP_Referer|ARGS "approval-loan\.com"
-SecRule HTTP_Referer|ARGS "a-purfectdream-expression\.com"
-SecRule HTTP_Referer|ARGS "aquari\.ru"
-SecRule HTTP_Referer|ARGS "aquatyca\.net"
-SecRule HTTP_Referer|ARGS "arabicmusic.nl"
-SecRule HTTP_Referer|ARGS "arcsecurity\.co\.uk"
-SecRule HTTP_Referer|ARGS "area-code-npa-nxx\.com"
-SecRule HTTP_Referer|ARGS "argendrom\.com"
-SecRule HTTP_Referer|ARGS "armor2net\.com"
-SecRule HTTP_Referer|ARGS "aromacc\.com"
-SecRule HTTP_Referer|ARGS "artark\.com"
-SecRule HTTP_Referer|ARGS "artlilei\.com"
-SecRule HTTP_Referer|ARGS "artsculpture\.org"
-SecRule HTTP_Referer|ARGS "aseman\.weblogs\.us"
-SecRule HTTP_Referer|ARGS "asian-4you\.net"
-SecRule HTTP_Referer|ARGS "asianbum\.com"
-SecRule HTTP_Referer|ARGS "asian-girls\.name"
-SecRule HTTP_Referer|ARGS "asian-girls-porn-sex\.com"
-SecRule HTTP_Referer|ARGS "asian-nude\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "asian-sex-woman\.com"
-SecRule HTTP_Referer|ARGS "asian-trans\.net"
-SecRule HTTP_Referer|ARGS "asiantrans\.net"
-SecRule HTTP_Referer|ARGS "assparade\.com"
-SecRule HTTP_Referer|ARGS "ass-picture\.us"
-SecRule HTTP_Referer|ARGS "assserver\.com"
-SecRule HTTP_Referer|ARGS "ass-traffic\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "a-stories\.com"
-SecRule HTTP_Referer|ARGS "at-capstone\.com"
-SecRule HTTP_Referer|ARGS "atelebanon\.com"
-SecRule HTTP_Referer|ARGS "ath\.cx"
-SecRule HTTP_Referer|ARGS "athirst-for-tranquillity\.net"
-SecRule HTTP_Referer|ARGS "atkins-diet-center\.com"
-SecRule HTTP_Referer|ARGS "atkinsexpert\.com"
-SecRule HTTP_Referer|ARGS "atkpremium\.net"
-SecRule HTTP_Referer|ARGS "atkpremium\.org"
-SecRule HTTP_Referer|ARGS "atlanta2000\.org"
-SecRule HTTP_Referer|ARGS "atlas-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "aubonpanier\.com"
-SecRule HTTP_Referer|ARGS "auctionmoneymakers\.com"
-SecRule HTTP_Referer|ARGS "auktions-uebersicht\.de"
-SecRule HTTP_Referer|ARGS "auslutschen\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "australia-online-travel\.com"
-SecRule HTTP_Referer|ARGS "austria-travels\.info"
-SecRule HTTP_Referer|ARGS "autodetailproducts\.com"
-SecRule HTTP_Referer|ARGS "autodirektversicherung\.com"
-SecRule HTTP_Referer|ARGS "autofinanzierung-autokredit\.de"
-SecRule HTTP_Referer|ARGS "autofinanzierung-zum-festzins\.de"
-SecRule HTTP_Referer|ARGS "autohandelsmarktplatz\.de"
-SecRule HTTP_Referer|ARGS "auto-insurance-links\.net"
-SecRule HTTP_Referer|ARGS "autokredit-autofinanzierung\.de"
-SecRule HTTP_Referer|ARGS "autokredit-tipp\.de"
-SecRule HTTP_Referer|ARGS "auto-loans-usa\.biz"
-SecRule HTTP_Referer|ARGS "automotive\.com"
-SecRule HTTP_Referer|ARGS "autumn-jade\.com"
-SecRule HTTP_Referer|ARGS "avon-one\.com"
-SecRule HTTP_Referer|ARGS "azgirlcam\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "azian\.org"
-SecRule HTTP_Referer|ARGS "azubiweb\.com"
-SecRule HTTP_Referer|ARGS "ba2000\.com"
-SecRule HTTP_Referer|ARGS "babes-d\.com"
-SecRule HTTP_Referer|ARGS "babes-plus\.com"
-SecRule HTTP_Referer|ARGS "babymarktplatz-aktiv\.de"
-SecRule HTTP_Referer|ARGS "baby-perfekt\.de"
-SecRule HTTP_Referer|ARGS "\.bac[0-9]\.com"
-SecRule HTTP_Referer|ARGS "\.bac8\.com"
-SecRule HTTP_Referer|ARGS "background-check\.info"
-SecRule HTTP_Referer|ARGS "backroom-facials\.150m\.com"
-SecRule HTTP_Referer|ARGS "back-room-facials\.angelcities\.com"
-SecRule HTTP_Referer|ARGS "backseatbangers"
-SecRule HTTP_Referer|ARGS "bad-movies\.net"
-SecRule HTTP_Referer|ARGS "bad-passion\.com"
-SecRule HTTP_Referer|ARGS "bahraichfun\.com"
-SecRule HTTP_Referer|ARGS "bali-dewadewi-tours\.com"
-SecRule HTTP_Referer|ARGS "balidiscovery\.org"
-SecRule HTTP_Referer|ARGS "bali-hotels\.co\.uk"
-SecRule HTTP_Referer|ARGS "balivillas\.net"
-SecRule HTTP_Referer|ARGS "balltaas\.com"
-SecRule HTTP_Referer|ARGS "baltikum-travel\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "bamfri\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "banialoba3w\.150m\.com"
-SecRule HTTP_Referer|ARGS "bankcards.nl"
-SecRule HTTP_Referer|ARGS "bannedhome\.com"
-SecRule HTTP_Referer|ARGS "banned-pics\.com"
-SecRule HTTP_Referer|ARGS "barcodes\.cn"
-SecRule HTTP_Referer|ARGS "barely-legald\.com"
-SecRule HTTP_Referer|ARGS "barelylegalgirlsex\.com"
-SecRule HTTP_Referer|ARGS "barely-legal-teenb\.com"
-SecRule HTTP_Referer|ARGS "bare\.org"
-SecRule HTTP_Referer|ARGS "bargainfindsonebay\.com"
-SecRule HTTP_Referer|ARGS "bargeld-tipp\.de"
-SecRule HTTP_Referer|ARGS "base-poker\.com"
-SecRule HTTP_Referer|ARGS "basi-musicali\.com"
-SecRule HTTP_Referer|ARGS "basketball--betting\.net"
-SecRule HTTP_Referer|ARGS "baskets-online\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "bast3\.ru"
-SecRule HTTP_Referer|ARGS "batukaru\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "bayofnoreturn\.com"
-SecRule HTTP_Referer|ARGS "bbwclips\.com"
-SecRule HTTP_Referer|ARGS "\bby\.ru\b"
-SecRule HTTP_Referer|ARGS "bccinet\.org"
-SecRule HTTP_Referer|ARGS "\.bda\.ru"
-SecRule HTTP_Referer|ARGS "\.bde\.gg"
-SecRule HTTP_Referer|ARGS "\.bde\.nr"
-SecRule HTTP_Referer|ARGS "\.bde\.tc"
-SecRule HTTP_Referer|ARGS "\.bde\.tp"
-SecRule HTTP_Referer|ARGS "bdsm-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "beastiality-animal-sex-stories\.com"
-SecRule HTTP_Referer|ARGS "beastiality-stories\.net"
-SecRule HTTP_Referer|ARGS "beastsex-movies\.com"
-SecRule HTTP_Referer|ARGS "beauty-farm\.net"
-SecRule HTTP_Referer|ARGS "bedding-etc\.com"
-SecRule HTTP_Referer|ARGS "belinking\.com"
-SecRule HTTP_Referer|ARGS "belle-donne\.biz"
-SecRule HTTP_Referer|ARGS "belleragazze\.biz"
-SecRule HTTP_Referer|ARGS "belle-ragazze\.net"
-SecRule HTTP_Referer|ARGS "belle-ragazze\.org"
-SecRule HTTP_Referer|ARGS "belleragazze\.org"
-SecRule HTTP_Referer|ARGS "bellissime-donne\.com"
-SecRule HTTP_Referer|ARGS "bellissimedonne\.com"
-SecRule HTTP_Referer|ARGS "bellissime-donne\.net"
-SecRule HTTP_Referer|ARGS "bellissimedonne\.org"
-SecRule HTTP_Referer|ARGS "beltonen-logos-spel\.com"
-SecRule HTTP_Referer|ARGS "benessere\.us"
-SecRule HTTP_Referer|ARGS "berwickfoundation\.org"
-SecRule HTTP_Referer|ARGS "bestasianteens\.com"
-SecRule HTTP_Referer|ARGS "best-buy-cialis\.com"
-SecRule HTTP_Referer|ARGS "best-cell-phone-batteries\.info"
-SecRule HTTP_Referer|ARGS "best-cialis-source\.com"
-SecRule HTTP_Referer|ARGS "(best|play)-craps"
-SecRule HTTP_Referer|ARGS "best-deals-blackjack\.info"
-SecRule HTTP_Referer|ARGS "best-deals-casino\.info"
-SecRule HTTP_Referer|ARGS "best-deals-cheap-airline-tickets\.info"
-SecRule HTTP_Referer|ARGS "best-deals-diet\.info"
-SecRule HTTP_Referer|ARGS "best-deals-flowers\.info"
-SecRule HTTP_Referer|ARGS "best-deals-hotels\.info"
-SecRule HTTP_Referer|ARGS "best-deals-online-gambling\.info"
-SecRule HTTP_Referer|ARGS "best-deals-online-poker\.info"
-SecRule HTTP_Referer|ARGS "best-deals-poker\.info"
-SecRule HTTP_Referer|ARGS "best-deals-roulette\.info"
-SecRule HTTP_Referer|ARGS "best-deals-weight-loss\.info"
-SecRule HTTP_Referer|ARGS "bestdims\.com"
-SecRule HTTP_Referer|ARGS "bestdvdclubs\.com"
-SecRule HTTP_Referer|ARGS "best-e-site\.com"
-SecRule HTTP_Referer|ARGS "best-gambling\.biz"
-SecRule HTTP_Referer|ARGS "bestgamblinghouseonline\.com"
-SecRule HTTP_Referer|ARGS "besthandever\.com"
-SecRule HTTP_Referer|ARGS "best-high-speed-internet\.com"
-SecRule HTTP_Referer|ARGS "bestialitylinks\.org"
-SecRule HTTP_Referer|ARGS "bestiality-pics\.org"
-SecRule HTTP_Referer|ARGS "best-internet-bingo\.com"
-SecRule HTTP_Referer|ARGS "bestits\.net"
-SecRule HTTP_Referer|ARGS "bestlowmortgagerates"
-SecRule HTTP_Referer|ARGS "bestonline-medication\.com"
-SecRule HTTP_Referer|ARGS "bestonline-medication\.net"
-SecRule HTTP_Referer|ARGS "bestonline-shopping\.com"
-SecRule HTTP_Referer|ARGS "best-pharmacy\.us"
-SecRule HTTP_Referer|ARGS "bestpornhost\.com"
-SecRule HTTP_Referer|ARGS "best-result-fast\.com"
-SecRule HTTP_Referer|ARGS "bet-on-horseracing\.com"
-SecRule HTTP_Referer|ARGS "beverlyhillspimpandhos\.com"
-SecRule HTTP_Referer|ARGS "beverlyhillspimpsandhos\.com"
-SecRule HTTP_Referer|ARGS "\bgo\.ro\b"
-SecRule HTTP_Referer|ARGS "bierikiuetsch\.com"
-SecRule HTTP_Referer|ARGS "biexperience\.org"
-SecRule HTTP_Referer|ARGS "big-black-butts\.net"
-SecRule HTTP_Referer|ARGS "bigbras-club\.com"
-SecRule HTTP_Referer|ARGS "big-breast-success\.com"
-SecRule HTTP_Referer|ARGS "bigdig\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "big-fat-girls\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "big-hooters\.net"
-SecRule HTTP_Referer|ARGS "bigmag\.com\.ua"
-SecRule HTTP_Referer|ARGS "bigmoms\.com"
-SecRule HTTP_Referer|ARGS "bigmouthfuls\.com"
-SecRule HTTP_Referer|ARGS "big-natural-boobs\.us"
-SecRule HTTP_Referer|ARGS "big-naturals-4u\.com"
-SecRule HTTP_Referer|ARGS "big-rant\.com"
-SecRule HTTP_Referer|ARGS "\.bigsitecity\.com"
-SecRule HTTP_Referer|ARGS "bigtitchaz\.com"
-SecRule HTTP_Referer|ARGS "bigtitsroundasses\.com"
-SecRule HTTP_Referer|ARGS "bigyonet\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "bigyonet\.com"
-SecRule HTTP_Referer|ARGS "bildmitteilung\.us"
-SecRule HTTP_Referer|ARGS "billigfluege-billige-fluege\.de"
-SecRule HTTP_Referer|ARGS "bingo-net\.com"
-SecRule HTTP_Referer|ARGS "bio-snoop\.com"
-SecRule HTTP_Referer|ARGS "birds\.com.ru"
-SecRule HTTP_Referer|ARGS "birth-control-links\.com"
-SecRule HTTP_Referer|ARGS "biteenz\.com"
-SecRule HTTP_Referer|ARGS "bizhat\.com"
-SecRule HTTP_Referer|ARGS "bj-cas\.cn"
-SecRule HTTP_Referer|ARGS "bjerwai\.com"
-SecRule HTTP_Referer|ARGS "bj-fyhj\.com"
-SecRule HTTP_Referer|ARGS "bjgift\.com"
-SecRule HTTP_Referer|ARGS "bj-hchy\.com"
-SecRule HTTP_Referer|ARGS "bjkhp\.com"
-SecRule HTTP_Referer|ARGS "bjxhjy\.com"
-SecRule HTTP_Referer|ARGS "bla5\.com"
-SecRule HTTP_Referer|ARGS "black-4u.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "black-4u.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "black-amateur-cock\.net"
-SecRule HTTP_Referer|ARGS "blackbusty\.com"
-SecRule HTTP_Referer|ARGS "black-dick-white-slut\.com"
-SecRule HTTP_Referer|ARGS "black-girls\.blowsearch\.ws"
-SecRule HTTP_Referer|ARGS "blackjack-123\.com"
-SecRule HTTP_Referer|ARGS "blackjack-21\.ws"
-SecRule HTTP_Referer|ARGS "black-jack-4u\.net"
-SecRule HTTP_Referer|ARGS "blackjack-4u\.net"
-SecRule HTTP_Referer|ARGS "blackjack-777\.net"
-SecRule HTTP_Referer|ARGS "blackjack777\.net"
-SecRule HTTP_Referer|ARGS "blackjack-8\.com"
-SecRule HTTP_Referer|ARGS "blackjack-dot\.com"
-SecRule HTTP_Referer|ARGS "blackjack\.fm"
-SecRule HTTP_Referer|ARGS "blackjack-game"
-SecRule HTTP_Referer|ARGS "blackjack-homepage\.com"
-SecRule HTTP_Referer|ARGS "blackjack-p\.com"
-SecRule HTTP_Referer|ARGS "blackjack-play-blackjack\.com"
-SecRule HTTP_Referer|ARGS "blackjacksite\.net"
-SecRule HTTP_Referer|ARGS "black-jack-trx\.com"
-SecRule HTTP_Referer|ARGS "blackjack-winner\.net"
-SecRule HTTP_Referer|ARGS "blackmanhiggs\.com"
-SecRule HTTP_Referer|ARGS "black-poker.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "blahblah\.tk"
-SecRule HTTP_Referer|ARGS "blevensdamman\.com"
-SecRule HTTP_Referer|ARGS "blk-web\.de"
-SecRule HTTP_Referer|ARGS "bllogspot\.com"
-SecRule HTTP_Referer|ARGS "bloglabs\.biz"
-SecRule HTTP_Referer|ARGS "blogman\.biz"
-SecRule HTTP_Referer|ARGS "blogmen\.net"
-SecRule HTTP_Referer|ARGS "blogspam\.org"
-SecRule HTTP_Referer|ARGS "blog-tips\.com"
-SecRule HTTP_Referer|ARGS "blonde-pussy\.us"
-SecRule HTTP_Referer|ARGS "blondes2fuck\.com"
-SecRule HTTP_Referer|ARGS "blonde-video\.us"
-SecRule HTTP_Referer|ARGS "blonde-xxx\.us"
-SecRule HTTP_Referer|ARGS "blownapart\.com"
-SecRule HTTP_Referer|ARGS "blumengruss-onlineshop\.de"
-SecRule HTTP_Referer|ARGS "blumenshop-versand\.de"
-SecRule HTTP_Referer|ARGS "bnetsol\.com"
-SecRule HTTP_Referer|ARGS "body-jewelry\.reestr\.net"
-SecRule HTTP_Referer|ARGS "bodyjock\.com"
-SecRule HTTP_Referer|ARGS "body-piercing\.softinterop\.com"
-SecRule HTTP_Referer|ARGS "boldbdsm.nl"
-SecRule HTTP_Referer|ARGS "bondage-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "bon-referencement\.com"
-SecRule HTTP_Referer|ARGS "boobmorning\.com"
-SecRule HTTP_Referer|ARGS "boobspost\.com"
-SecRule HTTP_Referer|ARGS "booktextone\.com"
-SecRule HTTP_Referer|ARGS "boom\.ru"
-SecRule HTTP_Referer|ARGS "\.realestateseller\.net"
-SecRule HTTP_Referer|ARGS "bootyquake\.com"
-SecRule HTTP_Referer|ARGS "borindonaragara\.com"
-SecRule HTTP_Referer|ARGS "boysgonebad\.net"
-SecRule HTTP_Referer|ARGS "boys-sex\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "brazilbang\.biz"
-SecRule HTTP_Referer|ARGS "brd-frauen.de"
-SecRule HTTP_Referer|ARGS "breast-augmentation\.top-big-tits\.com"
-SecRule HTTP_Referer|ARGS "breastfeeding\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "briana-banks-dot\.com"
-SecRule HTTP_Referer|ARGS "british-hardcore\.net"
-SecRule HTTP_Referer|ARGS "bszz\.com"
-SecRule HTTP_Referer|ARGS "btnetsol\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "budobytes\.com"
-SecRule HTTP_Referer|ARGS "bueroversand-xxl\.de"
-SecRule HTTP_Referer|ARGS "bugaboo-stroller\.com"
-SecRule HTTP_Referer|ARGS "build-penis\.com"
-SecRule HTTP_Referer|ARGS "bukakke\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "bulkcrawler\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "bulkemailsoft\.com"
-SecRule HTTP_Referer|ARGS "burningcar\.net"
-SecRule HTTP_Referer|ARGS "burundonamagara\.com"
-SecRule HTTP_Referer|ARGS "businessgrants\.biz"
-SecRule HTTP_Referer|ARGS "business-grants\.org"
-SecRule HTTP_Referer|ARGS "business-web-site\.net"
-SecRule HTTP_Referer|ARGS "bustyangelique\.com"
-SecRule HTTP_Referer|ARGS "bustydustystash\.com"
-SecRule HTTP_Referer|ARGS "bustykerrymarie\.com"
-SecRule HTTP_Referer|ARGS "busty-models\.us"
-SecRule HTTP_Referer|ARGS "butalbital\.org"
-SecRule HTTP_Referer|ARGS "buy-2005"
-SecRule HTTP_Referer|ARGS "buy-2005\.com"
-SecRule HTTP_Referer|ARGS "buy-2005-top\.com"
-SecRule HTTP_Referer|ARGS "buy-adult-sex-toys\.com"
-SecRule HTTP_Referer|ARGS "buy-adult-toys\.biz"
-SecRule HTTP_Referer|ARGS "buy-car-insurance-4-us\.com"
-SecRule HTTP_Referer|ARGS "buy-ceramics\.com"
-SecRule HTTP_Referer|ARGS "buycheapcialis"
-SecRule HTTP_Referer|ARGS "buy-cheapest-lexapro-side-effects-noprescription\.biz"
-SecRule HTTP_Referer|ARGS "buycheappills\.net"
-SecRule HTTP_Referer|ARGS "buy-cialis\.ws"
-SecRule HTTP_Referer|ARGS "buy-computer-memory\.net"
-SecRule HTTP_Referer|ARGS "buy-computer\.us"
-SecRule HTTP_Referer|ARGS "buy-diclofenac-online"
-SecRule HTTP_Referer|ARGS "buy-discount-airline-tickets\.com"
-SecRule HTTP_Referer|ARGS "buy-drugs-online\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "buyhgh"
-SecRule HTTP_Referer|ARGS "buy-laptop\.biz"
-SecRule HTTP_Referer|ARGS "buylipitor"
-SecRule HTTP_Referer|ARGS "buyprilosec"
-SecRule HTTP_Referer|ARGS "buy-rx-usa\.com"
-SecRule HTTP_Referer|ARGS "buy-sex-toys\.net"
-SecRule HTTP_Referer|ARGS "buystuffpayless\.com"
-SecRule HTTP_Referer|ARGS "buyzocor"
-SecRule HTTP_Referer|ARGS "b-witchedcentral\.co\.uk"
-SecRule HTTP_Referer|ARGS "byronbayinternet\.com"
-SecRule HTTP_Referer|ARGS "ca-america\.com"
-SecRule HTTP_Referer|ARGS "calendari-donne\.com"
-SecRule HTTP_Referer|ARGS "calendaridonne\.com"
-SecRule HTTP_Referer|ARGS "calendari-donne\.net"
-SecRule HTTP_Referer|ARGS "calendaridonne\.net"
-SecRule HTTP_Referer|ARGS "callingcardchoice\.com"
-SecRule HTTP_Referer|ARGS "cambridgetherapynotebook\.co\.uk"
-SecRule HTTP_Referer|ARGS "camemberts\.org"
-SecRule HTTP_Referer|ARGS "camfun24\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "canadianlabels\.net"
-SecRule HTTP_Referer|ARGS "cantwell2000\.com"
-SecRule HTTP_Referer|ARGS "canzoni\.cc"
-SecRule HTTP_Referer|ARGS "canzoni-italiane\.com"
-SecRule HTTP_Referer|ARGS "canzoni-italiane\.net"
-SecRule HTTP_Referer|ARGS "canzoni-italiane\.org"
-SecRule HTTP_Referer|ARGS "canzoni-karaoke\.com"
-SecRule HTTP_Referer|ARGS "canzoni-mp3\.com"
-SecRule HTTP_Referer|ARGS "canzoni-mp3\.us"
-SecRule HTTP_Referer|ARGS "canzoni-musica\.com"
-SecRule HTTP_Referer|ARGS "canzonisanremo\.com"
-SecRule HTTP_Referer|ARGS "canzonistraniere\.com"
-SecRule HTTP_Referer|ARGS "capital-credit-cards\.com"
-SecRule HTTP_Referer|ARGS "capitalraiser\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "capquella\.com"
-SecRule HTTP_Referer|ARGS "captain-stabbin-4u\.com"
-SecRule HTTP_Referer|ARGS "captain-stabbin\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "card-games-tfx\.com"
-SecRule HTTP_Referer|ARGS "cardsloansmortgages\.com"
-SecRule HTTP_Referer|ARGS "car-financing-low-rates\.biz"
-SecRule HTTP_Referer|ARGS "car-fuck\.net"
-SecRule HTTP_Referer|ARGS "caribbean-poker-web\.com"
-SecRule HTTP_Referer|ARGS "carnalhost\.com"
-SecRule HTTP_Referer|ARGS "carnumbers\.ru"
-SecRule HTTP_Referer|ARGS "carpia\.net"
-SecRule HTTP_Referer|ARGS "carpiar\.net"
-SecRule HTTP_Referer|ARGS "car-rental-links\.com"
-SecRule HTTP_Referer|ARGS "car-rentals-2go\.com"
-SecRule HTTP_Referer|ARGS "car-rental-search\.com"
-SecRule HTTP_Referer|ARGS "carriere.ca"
-SecRule HTTP_Referer|ARGS "carrot.no"
-SecRule HTTP_Referer|ARGS "cars-links\.com"
-SecRule HTTP_Referer|ARGS "cartoni-animati\.com"
-SecRule HTTP_Referer|ARGS "cartonierotici\.com"
-SecRule HTTP_Referer|ARGS "cartonigiapponesi\.com"
-SecRule HTTP_Referer|ARGS "cartoni-hentai\.com"
-SecRule HTTP_Referer|ARGS "cartoni-hentai\.net"
-SecRule HTTP_Referer|ARGS "cartonihentai\.net"
-SecRule HTTP_Referer|ARGS "cartoni-hentai\.org"
-SecRule HTTP_Referer|ARGS "cartoni-porno\.com"
-SecRule HTTP_Referer|ARGS "cartopia\.com"
-SecRule HTTP_Referer|ARGS "\.cas44\.com"
-SecRule HTTP_Referer|ARGS "cas7\.net"
-SecRule HTTP_Referer|ARGS "cashadvanceclub\.com"
-SecRule HTTP_Referer|ARGS "cash-advance-quick\.com"
-SecRule HTTP_Referer|ARGS "cash-net\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "cash-net\.biz"
-SecRule HTTP_Referer|ARGS "casino\.150m\.com"
-SecRule HTTP_Referer|ARGS "casino747\.net"
-SecRule HTTP_Referer|ARGS "casino-attraction\.com"
-SecRule HTTP_Referer|ARGS "casino-bet-casino\.com"
-SecRule HTTP_Referer|ARGS "casino-cash\.net"
-SecRule HTTP_Referer|ARGS "casinochique\.com"
-SecRule HTTP_Referer|ARGS ".*-casino\.com"
-SecRule HTTP_Referer|ARGS "ca-s-ino\.com"
-SecRule HTTP_Referer|ARGS "casino\.com"
-SecRule HTTP_Referer|ARGS "casino-en-ligne\.fr\.vu"
-SecRule HTTP_Referer|ARGS "casinoequipmentsalesandrental\.com"
-SecRule HTTP_Referer|ARGS "casino-games-4-us\.com"
-SecRule HTTP_Referer|ARGS "casino-games-i\.com"
-SecRule HTTP_Referer|ARGS "casino-game-trx\.com"
-SecRule HTTP_Referer|ARGS "casino-gaming-trx\.com"
-SecRule HTTP_Referer|ARGS "casino-in-linea\.it\.st"
-SecRule HTTP_Referer|ARGS "casino-jp\.com"
-SecRule HTTP_Referer|ARGS "casinolasvegas-online\.com"
-SecRule HTTP_Referer|ARGS "casino\.menegum\.co\.uk"
-SecRule HTTP_Referer|ARGS "casino-online-i\.com"
-SecRule HTTP_Referer|ARGS "casino-online-on-line\.com"
-SecRule HTTP_Referer|ARGS "casino-onnet-bonus\.com"
-SecRule HTTP_Referer|ARGS "casino-on-net\.com"
-SecRule HTTP_Referer|ARGS "casinoplaces\.net"
-SecRule HTTP_Referer|ARGS "casinos-8\.com"
-SecRule HTTP_Referer|ARGS "casinos-jp\.com"
-SecRule HTTP_Referer|ARGS "casino-slot\.ws"
-SecRule HTTP_Referer|ARGS "casinos-plus\.com"
-SecRule HTTP_Referer|ARGS "casinotrixx\.com"
-SecRule HTTP_Referer|ARGS "(casino)+[\w\-_.]*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "casino-wins\.net"
-SecRule HTTP_Referer|ARGS "castingagentur2004\.de"
-SecRule HTTP_Referer|ARGS "catchathief\.org"
-SecRule HTTP_Referer|ARGS "cbitech\.com"
-SecRule HTTP_Referer|ARGS "ccbill\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "ccie130\.com"
-SecRule HTTP_Referer|ARGS "ccie-ccnie\.com"
-SecRule HTTP_Referer|ARGS "ccna130\.com"
-SecRule HTTP_Referer|ARGS "ccna-ccna\.com"
-SecRule HTTP_Referer|ARGS "ccnp130\.com"
-SecRule HTTP_Referer|ARGS "ccnp-ccnp\.com"
-SecRule HTTP_Referer|ARGS "cdshop-guenstig\.de"
-SecRule HTTP_Referer|ARGS "cds-xxl\.de"
-SecRule HTTP_Referer|ARGS "celebrexonline\.us"
-SecRule HTTP_Referer|ARGS "celebritylust\.blog-city\.com"
-SecRule HTTP_Referer|ARGS "celebritypics\.ws"
-SecRule HTTP_Referer|ARGS "celebskin\.com"
-SecRule HTTP_Referer|ARGS "celebtastic\.com"
-SecRule HTTP_Referer|ARGS "cell-phone-accessories-dot\.com"
-SecRule HTTP_Referer|ARGS "ceramics-store\.com"
-SecRule HTTP_Referer|ARGS "certificationking\.net"
-SecRule HTTP_Referer|ARGS "certified-new-autos\.com"
-SecRule HTTP_Referer|ARGS "certified-new-cars\.com"
-SecRule HTTP_Referer|ARGS "certified-new-suvs\.com"
-SecRule HTTP_Referer|ARGS "certified-used-cars\.com"
-SecRule HTTP_Referer|ARGS "certified-used-suvs\.com"
-SecRule HTTP_Referer|ARGS "cesew\.org"
-SecRule HTTP_Referer|ARGS "charisma\.dyndns\.dk"
-SecRule HTTP_Referer|ARGS "chat-l\.de"
-SecRule HTTP_Referer|ARGS "chatten\.bilder-j\.de"
-SecRule HTTP_Referer|ARGS "chauffeurtours\.co\.uk"
-SecRule HTTP_Referer|ARGS "cheapacyclovir\.com"
-SecRule HTTP_Referer|ARGS "cheap-adult-sex-toys\.com"
-SecRule HTTP_Referer|ARGS "cheap-airfare-airline-ticket\.com"
-SecRule HTTP_Referer|ARGS "cheap-celebrex-prescriptions\.com"
-SecRule HTTP_Referer|ARGS "cheap-christmas-gifts\.co\.uk"
-SecRule HTTP_Referer|ARGS "cheap-cigarettes\.com"
-SecRule HTTP_Referer|ARGS "cheapcodeine\.biz"
-SecRule HTTP_Referer|ARGS "cheap-computers\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "cheapdrugpharmacy\.com"
-SecRule HTTP_Referer|ARGS "cheaper-digital-cameras\.uk\.com"
-SecRule HTTP_Referer|ARGS "cheaper-loans\.eu\.com"
-SecRule HTTP_Referer|ARGS "cheapest-pills-online\.com"
-SecRule HTTP_Referer|ARGS "cheapgenericsoma\.info"
-SecRule HTTP_Referer|ARGS "cheap-laptop-notebook\.netdims\.com"
-SecRule HTTP_Referer|ARGS "cheap-online-pharmacy\.org"
-SecRule HTTP_Referer|ARGS "cheap-pills-online\.com"
-SecRule HTTP_Referer|ARGS "cheapsomaonline\.biz"
-SecRule HTTP_Referer|ARGS "cheaptabs\.envy\.nu"
-SecRule HTTP_Referer|ARGS "cheap-web-hosting-companies\.com"
-SecRule HTTP_Referer|ARGS "checkmeds\.com"
-SecRule HTTP_Referer|ARGS "\.checkproxy\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "cherrybrady\.com"
-SecRule HTTP_Referer|ARGS "chickz\.com"
-SecRule HTTP_Referer|ARGS "chillout\.bpa\.nu"
-SecRule HTTP_Referer|ARGS "chinaaircatering\.com"
-SecRule HTTP_Referer|ARGS "chinagoldcoininc\.com"
-SecRule HTTP_Referer|ARGS "chineseapesattack"
-SecRule HTTP_Referer|ARGS "chloesworld\.com"
-SecRule HTTP_Referer|ARGS "choose-online-university\.com"
-SecRule HTTP_Referer|ARGS "chrislaker\.co\.uk"
-SecRule HTTP_Referer|ARGS "christmas-casino\.spb\.ru"
-SecRule HTTP_Referer|ARGS "cialisapcalis\.com"
-SecRule HTTP_Referer|ARGS "cialis-buy\.com"
-SecRule HTTP_Referer|ARGS "cialis-dot\.com"
-SecRule HTTP_Referer|ARGS "cialis-express\.com"
-SecRule HTTP_Referer|ARGS "cialis\.homeip\.net"
-SecRule HTTP_Referer|ARGS "cialisnetwork\.com"
-SecRule HTTP_Referer|ARGS "\.bravehost\.com"
-SecRule HTTP_Referer|ARGS "cialis-weekend-pills\.com"
-SecRule HTTP_Referer|ARGS "ciscochina\.com"
-SecRule HTTP_Referer|ARGS "clamber\.de"
-SecRule HTTP_Referer|ARGS "clanbov\.com"
-SecRule HTTP_Referer|ARGS "classifiche-italiane\.org"
-SecRule HTTP_Referer|ARGS "classifiche-musicali\.com"
-SecRule HTTP_Referer|ARGS "classifichemusicali\.com"
-SecRule HTTP_Referer|ARGS "classifiche-musicali\.net"
-SecRule HTTP_Referer|ARGS "classifiche-musicali\.org"
-SecRule HTTP_Referer|ARGS "claudiachristian\.co\.uk"
-SecRule HTTP_Referer|ARGS "claypokerchips-claypokerchips\.com"
-SecRule HTTP_Referer|ARGS "cleanadulthost\.com"
-SecRule HTTP_Referer|ARGS "cleannbright\.co\.uk"
-SecRule HTTP_Referer|ARGS "click-or-not\.de"
-SecRule HTTP_Referer|ARGS "click-poker\.com"
-SecRule HTTP_Referer|ARGS "clickscoring\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "clophillac\.org\.uk"
-SecRule HTTP_Referer|ARGS "closed-network\.com"
-SecRule HTTP_Referer|ARGS "club69\.net"
-SecRule HTTP_Referer|ARGS "clubatlantiscasino\.com"
-SecRule HTTP_Referer|ARGS "club-nouvelle-mini\.com"
-SecRule HTTP_Referer|ARGS "club-online-poker"
-SecRule HTTP_Referer|ARGS "clubstic\.com"
-SecRule HTTP_Referer|ARGS "cmeontv\.de"
-SecRule HTTP_Referer|ARGS "cnbjflower\.com"
-SecRule HTTP_Referer|ARGS "cngangqiu\.com"
-SecRule HTTP_Referer|ARGS "cntoplead\.com"
-SecRule HTTP_Referer|ARGS "coed-girls\.com"
-SecRule HTTP_Referer|ARGS "coffee-delivered\.com"
-SecRule HTTP_Referer|ARGS "cokemusic\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "colkk\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "college-girl-pic\.com"
-SecRule HTTP_Referer|ARGS "college-links\.net"
-SecRule HTTP_Referer|ARGS "college-scholarships-grants\.biz"
-SecRule HTTP_Referer|ARGS "colunn\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "combaltec\.com"
-SecRule HTTP_Referer|ARGS "comeback\.com"
-SecRule HTTP_Referer|ARGS "cometojapan\.com"
-SecRule HTTP_Referer|ARGS "cometomalaysia\.com"
-SecRule HTTP_Referer|ARGS "cometosingapore\.com"
-SecRule HTTP_Referer|ARGS "cometothailand\.com"
-SecRule HTTP_Referer|ARGS "commtec.ch"
-SecRule HTTP_Referer|ARGS "comnaked-old-women\.com"
-SecRule HTTP_Referer|ARGS "compare-counseling"
-SecRule HTTP_Referer|ARGS "compare-mortgage-rates"
-SecRule HTTP_Referer|ARGS "completelycars\.com"
-SecRule HTTP_Referer|ARGS "completelyherbal\.com"
-SecRule HTTP_Referer|ARGS "comptershops-online\.de"
-SecRule HTTP_Referer|ARGS "computer-onlinebestellung\.de"
-SecRule HTTP_Referer|ARGS "computer-und-erotische-spiele-download\.com"
-SecRule HTTP_Referer|ARGS "computerversand-xxl\.de"
-SecRule HTTP_Referer|ARGS "condodream\.com"
-SecRule HTTP_Referer|ARGS "condosee\.com"
-SecRule HTTP_Referer|ARGS "conjuratia\.com"
-SecRule HTTP_Referer|ARGS "consolidate-debt-usa\.net"
-SecRule HTTP_Referer|ARGS "consolidation-elimination\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "consolidation-loans\.com"
-SecRule HTTP_Referer|ARGS "container-partner\.de"
-SecRule HTTP_Referer|ARGS "cool-extreme\.com"
-SecRule HTTP_Referer|ARGS "cool-mix\.com"
-SecRule HTTP_Referer|ARGS "coolp\.biz"
-SecRule HTTP_Referer|ARGS "coolp\.net"
-SecRule HTTP_Referer|ARGS "cool-poker\.com"
-SecRule HTTP_Referer|ARGS "coolp\.org"
-SecRule HTTP_Referer|ARGS "coresleep\.com"
-SecRule HTTP_Referer|ARGS "cosmeticsurgery\.us"
-SecRule HTTP_Referer|ARGS "cosmeticsurgery\.us\.com"
-SecRule HTTP_Referer|ARGS "cost-of-penis-enlargement-surgery"
-SecRule HTTP_Referer|ARGS "couponmountain\.com"
-SecRule HTTP_Referer|ARGS "cover-your-feet\.com"
-SecRule HTTP_Referer|ARGS "cowrie\.com.ru"
-SecRule HTTP_Referer|ARGS "crazyfrog\.wtf\.la"
-SecRule HTTP_Referer|ARGS "creamfilledholes\.biz"
-SecRule HTTP_Referer|ARGS "creamlog.org"
-SecRule HTTP_Referer|ARGS "creditcardpost\.com"
-SecRule HTTP_Referer|ARGS "credit-cards-credit-cards-credit-cards\.net"
-SecRule HTTP_Referer|ARGS "credit-dreams\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "credit-factor\.com"
-SecRule HTTP_Referer|ARGS "credit-links\.net"
-SecRule HTTP_Referer|ARGS "credit-loans-2005\.com"
-SecRule HTTP_Referer|ARGS "credit-repair\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "creditrepairsoft\.com"
-SecRule HTTP_Referer|ARGS "credit-report-links\.net"
-SecRule HTTP_Referer|ARGS "creditsharpie\.com"
-SecRule HTTP_Referer|ARGS "crepesuzette\."
-SecRule HTTP_Referer|ARGS "crepesuzette\.com"
-SecRule HTTP_Referer|ARGS "crescentarian\.net"
-SecRule HTTP_Referer|ARGS "crpublish\.com"
-SecRule HTTP_Referer|ARGS "crusingforsex.co.uk"
-SecRule HTTP_Referer|ARGS "c-start\.net"
-SecRule HTTP_Referer|ARGS "cum-facials\.us"
-SecRule HTTP_Referer|ARGS "cumfiesta-4u\.com"
-SecRule HTTP_Referer|ARGS "cumfietavideos\.com"
-SecRule HTTP_Referer|ARGS "cumlogin\.com"
-SecRule HTTP_Referer|ARGS "cumshot42\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "cureage\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "customerhandshaker\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "customer-reviews\.org"
-SecRule HTTP_Referer|ARGS "cutpricepills\.com"
-SecRule HTTP_Referer|ARGS "cyberfreehost\.com"
-SecRule HTTP_Referer|ARGS "cycatki\.com"
-SecRule HTTP_Referer|ARGS "cyclo-cross\.co\.uk"
-SecRule HTTP_Referer|ARGS "cykanax\.com"
-SecRule HTTP_Referer|ARGS "dad-daughter-incest\.com"
-SecRule HTTP_Referer|ARGS "daiiuvwx\.com"
-SecRule HTTP_Referer|ARGS "dailyliving\.info"
-SecRule HTTP_Referer|ARGS "dailyorbit\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "dallmayr\.de"
-SecRule HTTP_Referer|ARGS "damianer\.top-100\.pl"
-SecRule HTTP_Referer|ARGS "danni\.com"
-SecRule HTTP_Referer|ARGS "darest\.de"
-SecRule HTTP_Referer|ARGS "darkangelclan\.com"
-SecRule HTTP_Referer|ARGS "darkprofits.co.uk"
-SecRule HTTP_Referer|ARGS "darzgx\.com"
-SecRule HTTP_Referer|ARGS "datashaping\.com"
-SecRule HTTP_Referer|ARGS "datestop\.net"
-SecRule HTTP_Referer|ARGS "dating999"
-SecRule HTTP_Referer|ARGS "dating999\.com"
-SecRule HTTP_Referer|ARGS "dating-choice\.com"
-SecRule HTTP_Referer|ARGS "dating-harmony\.com"
-SecRule HTTP_Referer|ARGS "dating-online-dating\.org"
-SecRule HTTP_Referer|ARGS "dating-porn-sluts\.com"
-SecRule HTTP_Referer|ARGS "dating-service-dating\.com"
-SecRule HTTP_Referer|ARGS "dating-services-dating-service\.com"
-SecRule HTTP_Referer|ARGS "davidtaylor\.topcities\.com"
-SecRule HTTP_Referer|ARGS "day4sex\.com"
-SecRule HTTP_Referer|ARGS "deals-4you\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "debtconsolidationfirm\.net"
-SecRule HTTP_Referer|ARGS "debt-consolidation-i"
-SecRule HTTP_Referer|ARGS "debt-consolidation-i\.biz"
-SecRule HTTP_Referer|ARGS "debt-consolidation-kick-a\.com"
-SecRule HTTP_Referer|ARGS "debtconsolidationloans"
-SecRule HTTP_Referer|ARGS "debt-consolidation-low-rates\.biz"
-SecRule HTTP_Referer|ARGS "debt-consolidation-now-online\.com"
-SecRule HTTP_Referer|ARGS "debtconsolidationusa\.org"
-SecRule HTTP_Referer|ARGS "debt-disappear\.com"
-SecRule HTTP_Referer|ARGS "debt-help-bill-consolidation-elimination\.com"
-SecRule HTTP_Referer|ARGS "debtmanagementcompanyonline\.com"
-SecRule HTTP_Referer|ARGS "debt-solution-tips\.com"
-SecRule HTTP_Referer|ARGS "dedichepersonali\.com"
-SecRule HTTP_Referer|ARGS "deep-ice\.com"
-SecRule HTTP_Referer|ARGS "defunctportal\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "de\.hm"
-SecRule HTTP_Referer|ARGS "deikmann\.de"
-SecRule HTTP_Referer|ARGS "dentalinsurancehealth\.com"
-SecRule HTTP_Referer|ARGS "dental-insurance-plan\.freeservers\.com"
-SecRule HTTP_Referer|ARGS "dental-plan-source"
-SecRule HTTP_Referer|ARGS "department-storez\.com"
-SecRule HTTP_Referer|ARGS "desex.nl"
-SecRule HTTP_Referer|ARGS "design4u\.ws"
-SecRule HTTP_Referer|ARGS "desiraesworld\.com"
-SecRule HTTP_Referer|ARGS "de\.sr"
-SecRule HTTP_Referer|ARGS "deutschlandweite-immobilienangebote\.de"
-SecRule HTTP_Referer|ARGS "devilofnights\.net"
-SecRule HTTP_Referer|ARGS "devilofnights\.org"
-SecRule HTTP_Referer|ARGS "devonanal\.com"
-SecRule HTTP_Referer|ARGS "devon-daniels\.com"
-SecRule HTTP_Referer|ARGS "dia-host\.com"
-SecRule HTTP_Referer|ARGS "dianepoppos\.com"
-SecRule HTTP_Referer|ARGS "diarypeople\.com"
-SecRule HTTP_Referer|ARGS "dick-deputy\.com"
-SecRule HTTP_Referer|ARGS "diecastdot\.com"
-SecRule HTTP_Referer|ARGS "dieta\.cc"
-SecRule HTTP_Referer|ARGS "dieta-dimagrante\.net"
-SecRule HTTP_Referer|ARGS "dieta-mediterranea\.net"
-SecRule HTTP_Referer|ARGS "dieta-zona\.com"
-SecRule HTTP_Referer|ARGS "diet-doctor\.net"
-SecRule HTTP_Referer|ARGS "diete\.bz"
-SecRule HTTP_Referer|ARGS "diete-dimagranti\.com"
-SecRule HTTP_Referer|ARGS "diethost\.net"
-SecRule HTTP_Referer|ARGS "dieting-review\.com"
-SecRule HTTP_Referer|ARGS "diet.org.ru"
-SecRule HTTP_Referer|ARGS "dietpage\.net"
-SecRule HTTP_Referer|ARGS "dietpatchformula\.com"
-SecRule HTTP_Referer|ARGS "diet-pill"
-SecRule HTTP_Referer|ARGS "diet-pills-now"
-SecRule HTTP_Referer|ARGS "dietrest\.com"
-SecRule HTTP_Referer|ARGS "diets-health\.com"
-SecRule HTTP_Referer|ARGS "diets-plan\.net"
-SecRule HTTP_Referer|ARGS "dietway\.net"
-SecRule HTTP_Referer|ARGS "digitale-teile\.de"
-SecRule HTTP_Referer|ARGS "digital-projector\.net"
-SecRule HTTP_Referer|ARGS "digitaltwist\.co\.uk"
-SecRule HTTP_Referer|ARGS "directcarrental\.com"
-SecRule HTTP_Referer|ARGS "direct-contact\.com"
-SecRule HTTP_Referer|ARGS "directcti\.com"
-SecRule HTTP_Referer|ARGS "direct-deals-for-you\.info"
-SecRule HTTP_Referer|ARGS "directrape\.com"
-SecRule HTTP_Referer|ARGS "directringtones\.com"
-SecRule HTTP_Referer|ARGS "direct-tv-for-free\.com"
-SecRule HTTP_Referer|ARGS "direct-tv-online\.com"
-SecRule HTTP_Referer|ARGS "dirty-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "discount-airfares-guide\.com"
-SecRule HTTP_Referer|ARGS "discount-cheap-dental-insurance\.com"
-SecRule HTTP_Referer|ARGS "discount-life-insurance\.us"
-SecRule HTTP_Referer|ARGS "discountprinterrefill\.com"
-SecRule HTTP_Referer|ARGS "discount-store\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "discover-credit-card"
-SecRule HTTP_Referer|ARGS "discoveryofusa\.com"
-SecRule HTTP_Referer|ARGS "dish-network\.org"
-SecRule HTTP_Referer|ARGS "dish-network-w\.com"
-SecRule HTTP_Referer|ARGS "disigncn\.com"
-SecRule HTTP_Referer|ARGS "disney-hentai\.org"
-SecRule HTTP_Referer|ARGS "divorce-links\.com"
-SecRule HTTP_Referer|ARGS "djpritchard\.com"
-SecRule HTTP_Referer|ARGS "dlctc\.com"
-SecRule HTTP_Referer|ARGS "dnpose\.com"
-SecRule HTTP_Referer|ARGS "dns110\.com"
-SecRule HTTP_Referer|ARGS "dns2008\.cn"
-SecRule HTTP_Referer|ARGS "dogfartmovieclips\.com"
-SecRule HTTP_Referer|ARGS "dogolz\.de"
-SecRule HTTP_Referer|ARGS "domkino\.com\.ua"
-SecRule HTTP_Referer|ARGS "donne-belle\.net"
-SecRule HTTP_Referer|ARGS "donnebelle\.net"
-SecRule HTTP_Referer|ARGS "donne\.bz"
-SecRule HTTP_Referer|ARGS "donne-famose\.biz"
-SecRule HTTP_Referer|ARGS "donnefamose\.biz"
-SecRule HTTP_Referer|ARGS "donnegrasse\.org"
-SecRule HTTP_Referer|ARGS "donnemature\.biz"
-SecRule HTTP_Referer|ARGS "donnemuscolose\.com"
-SecRule HTTP_Referer|ARGS "donne-muscolose\.net"
-SecRule HTTP_Referer|ARGS "donne-muscolose\.org"
-SecRule HTTP_Referer|ARGS "donnenere\.com"
-SecRule HTTP_Referer|ARGS "donne-nere\.net"
-SecRule HTTP_Referer|ARGS "donnenere\.net"
-SecRule HTTP_Referer|ARGS "donne-nere\.org"
-SecRule HTTP_Referer|ARGS "donne-nude\.biz"
-SecRule HTTP_Referer|ARGS "donnenude\.biz"
-SecRule HTTP_Referer|ARGS "donne-porche\.com"
-SecRule HTTP_Referer|ARGS "donneporche\.org"
-SecRule HTTP_Referer|ARGS "donnesexy\.org"
-SecRule HTTP_Referer|ARGS "donne-vogliose\.com"
-SecRule HTTP_Referer|ARGS "donnevogliose\.net"
-SecRule HTTP_Referer|ARGS "donnevogliose\.org"
-SecRule HTTP_Referer|ARGS "donshardcoreporn\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "doobu\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "doobu\.com"
-SecRule HTTP_Referer|ARGS "doo\.pl"
-SecRule HTTP_Referer|ARGS "doorway-page-software"
-SecRule HTTP_Referer|ARGS "dostweb\.com"
-SecRule HTTP_Referer|ARGS "dotcomup\.com"
-SecRule HTTP_Referer|ARGS "doubleyoudoubleyou\.com"
-SecRule HTTP_Referer|ARGS "download-slotmachines\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "downloadzipcode\.com"
-SecRule HTTP_Referer|ARGS "dr\.ag"
-SecRule HTTP_Referer|ARGS "dragonball-porno\.com"
-SecRule HTTP_Referer|ARGS "dragonballporno\.net"
-SecRule HTTP_Referer|ARGS "dragonball-x\.biz"
-SecRule HTTP_Referer|ARGS "dragonballx\.cc"
-SecRule HTTP_Referer|ARGS "dragonball-xxx\.biz"
-SecRule HTTP_Referer|ARGS "dragonballxxx\.biz"
-SecRule HTTP_Referer|ARGS "draufgeschissen\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "dressagehorseinternational\.co\.uk"
-SecRule HTTP_Referer|ARGS "drive-backup\.com"
-SecRule HTTP_Referer|ARGS "drochka\.com"
-SecRule HTTP_Referer|ARGS "drtushy\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "drug-enzyte"
-SecRule HTTP_Referer|ARGS "drugsexperts\.com"
-SecRule HTTP_Referer|ARGS "drugstore-online\.us"
-SecRule HTTP_Referer|ARGS "drugstore\.st"
-SecRule HTTP_Referer|ARGS "drunk-girls-flashing\.com"
-SecRule HTTP_Referer|ARGS "drunk-girls-party\.us"
-SecRule HTTP_Referer|ARGS "\.drunk-mom-sex\.com"
-SecRule HTTP_Referer|ARGS "dtiserv2\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "dunecliffesaunton\.co\.uk"
-SecRule HTTP_Referer|ARGS "dvd2\.us"
-SecRule HTTP_Referer|ARGS "dvd-copier\.info"
-SecRule HTTP_Referer|ARGS "dvd-downloads.nl"
-SecRule HTTP_Referer|ARGS "dvddownloads.nl"
-SecRule HTTP_Referer|ARGS "dvd-home-theatre\.com"
-SecRule HTTP_Referer|ARGS "dvd-top-shop\.info"
-SecRule HTTP_Referer|ARGS "dvdwizardpro\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "dwoq\.com"
-SecRule HTTP_Referer|ARGS "e40\.nl"
-SecRule HTTP_Referer|ARGS "easy-application-credit-cards\.com"
-SecRule HTTP_Referer|ARGS "easygo\.hn\.org"
-SecRule HTTP_Referer|ARGS "easy-loan\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "easyrecorder\.com"
-SecRule HTTP_Referer|ARGS "easyseek\.us"
-SecRule HTTP_Referer|ARGS "ebanking\.info"
-SecRule HTTP_Referer|ARGS "ebaybusiness\.net"
-SecRule HTTP_Referer|ARGS "e-best-poker\.com"
-SecRule HTTP_Referer|ARGS "ebloggy\.com"
-SecRule HTTP_Referer|ARGS "ebonyarchives\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "ebony-girls\.angelcities\.com"
-SecRule HTTP_Referer|ARGS "ebony-xxx\.us"
-SecRule HTTP_Referer|ARGS "ebookers\.co\.uk"
-SecRule HTTP_Referer|ARGS "e-bookszone\.com"
-SecRule HTTP_Referer|ARGS "e-casino-bonus\.com"
-SecRule HTTP_Referer|ARGS "ecblast\.com"
-SecRule HTTP_Referer|ARGS "eccentrix\.com/members/casinotips"
-SecRule HTTP_Referer|ARGS "echofourdesign\.com"
-SecRule HTTP_Referer|ARGS "e-cialis\.net"
-SecRule HTTP_Referer|ARGS "eclexion\.net"
-SecRule HTTP_Referer|ARGS "ecologix\.co\.uk"
-SecRule HTTP_Referer|ARGS "e-credit-card-debt\.com"
-SecRule HTTP_Referer|ARGS "eddiereva\.com"
-SecRule HTTP_Referer|ARGS "e-debt-consolidation-loans\.com"
-SecRule HTTP_Referer|ARGS "e-dental-insurance-plans"
-SecRule HTTP_Referer|ARGS "e-dental-plans\.com"
-SecRule HTTP_Referer|ARGS "edietplans\.net"
-SecRule HTTP_Referer|ARGS "e-discus\.com"
-SecRule HTTP_Referer|ARGS "edmontgomeryministries\.org"
-SecRule HTTP_Referer|ARGS "edpowerspasswords\.com"
-SecRule HTTP_Referer|ARGS "edrugstore\.md"
-SecRule HTTP_Referer|ARGS "education-line\.com"
-SecRule HTTP_Referer|ARGS "edwardbaskett\.com"
-SecRule HTTP_Referer|ARGS "effexor\.cc"
-SecRule HTTP_Referer|ARGS "effexor-web\.com"
-SecRule HTTP_Referer|ARGS "e-fioricet\.com"
-SecRule HTTP_Referer|ARGS "e-free-credit-reports\.com"
-SecRule HTTP_Referer|ARGS "eggesfordhotel\.co\.uk"
-SecRule HTTP_Referer|ARGS "egygift\.com"
-SecRule HTTP_Referer|ARGS "e-hoodia-gordonii\.com"
-SecRule HTTP_Referer|ARGS "einfach-wunschgewicht\.com"
-SecRule HTTP_Referer|ARGS "elcenter-s\.ru"
-SecRule HTTP_Referer|ARGS "eldorado\.com\.ua"
-SecRule HTTP_Referer|ARGS "electricscooterland\.com"
-SecRule HTTP_Referer|ARGS "electromark-uk\.co\.uk"
-SecRule HTTP_Referer|ARGS "electronics-info\.com"
-SecRule HTTP_Referer|ARGS "elegant-candles\.com"
-SecRule HTTP_Referer|ARGS "elektronikshop-xxl\.de"
-SecRule HTTP_Referer|ARGS "e-lemonlaw\.com"
-SecRule HTTP_Referer|ARGS "elfundelf\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "elite-change\.com"
-SecRule HTTP_Referer|ARGS "elitecities\.com"
-SecRule HTTP_Referer|ARGS "emailsafety\.net"
-SecRule HTTP_Referer|ARGS "emedia-omni\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "emedici\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "emmasarah\.com"
-SecRule HTTP_Referer|ARGS "emmss\.com"
-SecRule HTTP_Referer|ARGS "enacre\.net"
-SecRule HTTP_Referer|ARGS "e-news\.host\.sk"
-SecRule HTTP_Referer|ARGS "enhancementenlargement\.net"
-SecRule HTTP_Referer|ARGS "enhancement-male\.com"
-SecRule HTTP_Referer|ARGS "enhancementmale\.net"
-SecRule HTTP_Referer|ARGS "enhancement-natural\.com"
-SecRule HTTP_Referer|ARGS "enhancementnatural\.com"
-SecRule HTTP_Referer|ARGS "enhancementnatural\.us"
-SecRule HTTP_Referer|ARGS "enhancementpenis\.biz"
-SecRule HTTP_Referer|ARGS "enhancementpenis\.com"
-SecRule HTTP_Referer|ARGS "enjoy-blackjack\.com"
-SecRule HTTP_Referer|ARGS "\.enlargementenhancement\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "enlargementenhancement\.com"
-SecRule HTTP_Referer|ARGS "enlargementenhancement\.us"
-SecRule HTTP_Referer|ARGS "enlargement-for-penis\.com"
-SecRule HTTP_Referer|ARGS "enlargement-male\.biz"
-SecRule HTTP_Referer|ARGS "enlargementmale\.net"
-SecRule HTTP_Referer|ARGS "enlargementmale\.org"
-SecRule HTTP_Referer|ARGS "enlargementnatural\.biz"
-SecRule HTTP_Referer|ARGS "enlarg.*enhanc.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "envoyer-des-fleurs\.com"
-SecRule HTTP_Referer|ARGS "enzyte-commercial"
-SecRule HTTP_Referer|ARGS "e-online-bingo\.com"
-SecRule HTTP_Referer|ARGS "eonsystems\.com"
-SecRule HTTP_Referer|ARGS "e-order-propecia\.com"
-SecRule HTTP_Referer|ARGS "epaycash\.com"
-SecRule HTTP_Referer|ARGS "e-personalinjurylawyers"
-SecRule HTTP_Referer|ARGS "e-personalinjurylawyers\.com"
-SecRule HTTP_Referer|ARGS "e--pics\.com"
-SecRule HTTP_Referer|ARGS "e-pills-buy\.com"
-SecRule HTTP_Referer|ARGS "e-play-bingo\.com"
-SecRule HTTP_Referer|ARGS "e-poker-888\.com"
-SecRule HTTP_Referer|ARGS "e-poker-games\.info"
-SecRule HTTP_Referer|ARGS "erbium12\.com"
-SecRule HTTP_Referer|ARGS "erosway\.com"
-SecRule HTTP_Referer|ARGS "erotic4free\.net"
-SecRule HTTP_Referer|ARGS "erotic-free\.com"
-SecRule HTTP_Referer|ARGS "erotic-lesbian-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "erotic-video\.us"
-SecRule HTTP_Referer|ARGS "erotische-geschichten-portal\.com"
-SecRule HTTP_Referer|ARGS "erotischkontakt\.com"
-SecRule HTTP_Referer|ARGS "escort-agency-paris\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "escort-links\.net"
-SecRule HTTP_Referer|ARGS "escort-service-paris\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "escorts-links\.com"
-SecRule HTTP_Referer|ARGS "escort-woman\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "esesso-gratis\.com"
-SecRule HTTP_Referer|ARGS "esmartdesign\.com"
-SecRule HTTP_Referer|ARGS "e-southbeachdiet\.com"
-SecRule HTTP_Referer|ARGS "esport3\.com"
-SecRule HTTP_Referer|ARGS "ethixsouthwest\.com"
-SecRule HTTP_Referer|ARGS "e-top-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "e-tutor\.com"
-SecRule HTTP_Referer|ARGS "eurotexans\.com"
-SecRule HTTP_Referer|ARGS "eurowins\.net"
-SecRule HTTP_Referer|ARGS "evananderson\.topcities\.com"
-SecRule HTTP_Referer|ARGS "evanstonpl\.org"
-SecRule HTTP_Referer|ARGS "event-kalendarium\.de"
-SecRule HTTP_Referer|ARGS "evenway\.net"
-SecRule HTTP_Referer|ARGS "everyvoice\.net"
-SecRule HTTP_Referer|ARGS "e-virtual-casino\.com"
-SecRule HTTP_Referer|ARGS "evromaster\.ru"
-SecRule HTTP_Referer|ARGS "ewilla\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "exclaim4creditcardprocessingmerchantaccount\.com"
-SecRule HTTP_Referer|ARGS "exdrawings\.com"
-SecRule HTTP_Referer|ARGS "exitq\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "exoticdvds\.co\.uk"
-SecRule HTTP_Referer|ARGS "exoticmoms\.com"
-SecRule HTTP_Referer|ARGS "expert-gambling\.com"
-SecRule HTTP_Referer|ARGS "expoze\.com"
-SecRule HTTP_Referer|ARGS "extrasms\.de"
-SecRule HTTP_Referer|ARGS "extreme-rape\.org"
-SecRule HTTP_Referer|ARGS "extreme-sex\.org"
-SecRule HTTP_Referer|ARGS "f2g\.net"
-SecRule HTTP_Referer|ARGS "f2s\.be"
-SecRule HTTP_Referer|ARGS "fabida\.net"
-SecRule HTTP_Referer|ARGS "fabulos\.de"
-SecRule HTTP_Referer|ARGS "fabuloussextoys\.com"
-SecRule HTTP_Referer|ARGS "facial-skin-care-center\.com"
-SecRule HTTP_Referer|ARGS "fakoli\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "familydiet\.org"
-SecRule HTTP_Referer|ARGS "family-incest-stories\.com"
-SecRule HTTP_Referer|ARGS "family-incest\.us"
-SecRule HTTP_Referer|ARGS "famousass\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "famousppl\.me\.uk"
-SecRule HTTP_Referer|ARGS "fantasyfootballsportsbook\.com"
-SecRule HTTP_Referer|ARGS "\.FAQserv\.com"
-SecRule HTTP_Referer|ARGS "farm-beastiality\.com"
-SecRule HTTP_Referer|ARGS "farmsx\.com"
-SecRule HTTP_Referer|ARGS "fast-cash-quick-money-easy-loan\.com"
-SecRule HTTP_Referer|ARGS "fast-fioricet\.com"
-SecRule HTTP_Referer|ARGS "fast-mortgage-4-u\.com"
-SecRule HTTP_Referer|ARGS "fast-news-servers\.com"
-SecRule HTTP_Referer|ARGS "fat-cash\.com"
-SecRule HTTP_Referer|ARGS "fateback\.com"
-SecRule HTTP_Referer|ARGS "fat-lesbians\.net"
-SecRule HTTP_Referer|ARGS "fat-pussy-sex\.net"
-SecRule HTTP_Referer|ARGS "fatty-liver\.cn"
-SecRule HTTP_Referer|ARGS "fatwarfare\.com"
-SecRule HTTP_Referer|ARGS "favilon\.net"
-SecRule HTTP_Referer|ARGS "fbc-media\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "fda\.com\.cn"
-SecRule HTTP_Referer|ARGS "fearcrow\.com"
-SecRule HTTP_Referer|ARGS "federalgovernmentgrants\.net"
-SecRule HTTP_Referer|ARGS "feetslave.nl"
-SecRule HTTP_Referer|ARGS "feidenfurniture\.com"
-SecRule HTTP_Referer|ARGS "femaledrive\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "female-drive-dysfunction\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "female-dysfunction\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "female-enhancement\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "femalelibido"
-SecRule HTTP_Referer|ARGS "female-libido"
-SecRule HTTP_Referer|ARGS "female-orgasms\.org"
-SecRule HTTP_Referer|ARGS "femaleviagra\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "femto\.static\.net"
-SecRule HTTP_Referer|ARGS "ficken.d4f\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "fidelityfunding\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "fidelityfunding\.net"
-SecRule HTTP_Referer|ARGS "fielit\.de"
-SecRule HTTP_Referer|ARGS "figa\.nu"
-SecRule HTTP_Referer|ARGS "film456\.com"
-SecRule HTTP_Referer|ARGS "film-porno\.us"
-SecRule HTTP_Referer|ARGS "filthserver\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "filthserver\.com"
-SecRule HTTP_Referer|ARGS "final-fantasy-hentai\.org"
-SecRule HTTP_Referer|ARGS "finance-world\.net"
-SecRule HTTP_Referer|ARGS "finanzen-marktplatz\.de"
-SecRule HTTP_Referer|ARGS "findbestpills"
-SecRule HTTP_Referer|ARGS "findbestpills\.com"
-SecRule HTTP_Referer|ARGS "findbestshop\.com"
-SecRule HTTP_Referer|ARGS "findbookmakers\.com"
-SecRule HTTP_Referer|ARGS "find-cheap-dental-plans\.com"
-SecRule HTTP_Referer|ARGS "finddatingsites\.com"
-SecRule HTTP_Referer|ARGS "findish\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "find-it-buy-it\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "find-lesbian-porn\.com"
-SecRule HTTP_Referer|ARGS "find-physician\.com"
-SecRule HTTP_Referer|ARGS "findsexxx\.us"
-SecRule HTTP_Referer|ARGS "find-u-that-mortgage\.com"
-SecRule HTTP_Referer|ARGS "findyouruni\.com"
-SecRule HTTP_Referer|ARGS "finger-bobs\.com"
-SecRule HTTP_Referer|ARGS "fioricet4u"
-SecRule HTTP_Referer|ARGS "fioricet\.batcave\.net"
-SecRule HTTP_Referer|ARGS "fioricet\.bravehost\.com"
-SecRule HTTP_Referer|ARGS "fioricet-dot\.com"
-SecRule HTTP_Referer|ARGS "fioricet-online-here\.com"
-SecRule HTTP_Referer|ARGS "fioricet\.st"
-SecRule HTTP_Referer|ARGS "fioricet-web\.com"
-SecRule HTTP_Referer|ARGS "firstchoicebanksandpremiercredit\.com"
-SecRule HTTP_Referer|ARGS "first-poker\.com"
-SecRule HTTP_Referer|ARGS "firsttimeaddition\.com"
-SecRule HTTP_Referer|ARGS "first-time-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "firsttimeteadrinker\.com"
-SecRule HTTP_Referer|ARGS "fishing\.net.ru"
-SecRule HTTP_Referer|ARGS "fishoilmiracle\.com"
-SecRule HTTP_Referer|ARGS "fitness-links\.net"
-SecRule HTTP_Referer|ARGS "fitnessx\.net"
-SecRule HTTP_Referer|ARGS "flafeber\.com"
-SecRule HTTP_Referer|ARGS "flatbedshipping\.com"
-SecRule HTTP_Referer|ARGS "flatwonkers\.com"
-SecRule HTTP_Referer|ARGS "flecka\.org"
-SecRule HTTP_Referer|ARGS "fleshlight\.org"
-SecRule HTTP_Referer|ARGS "fleshlight\.ro"
-SecRule HTTP_Referer|ARGS "flexeril-web\.com"
-SecRule HTTP_Referer|ARGS "flirt08\.de"
-SecRule HTTP_Referer|ARGS "flowertobj\.com"
-SecRule HTTP_Referer|ARGS "fly-sky\.com"
-SecRule HTTP_Referer|ARGS "football--betting\.net"
-SecRule HTTP_Referer|ARGS "football-betting-nfl\.com"
-SecRule HTTP_Referer|ARGS "forceful\.de"
-SecRule HTTP_Referer|ARGS "foreskin-restoration\.net"
-SecRule HTTP_Referer|ARGS "forex\.inc\.ru"
-SecRule HTTP_Referer|ARGS "forexintroducer\.com"
-SecRule HTTP_Referer|ARGS "forex-online-now\.com"
-SecRule HTTP_Referer|ARGS "forlovedones\.com"
-SecRule HTTP_Referer|ARGS "formula42\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "fortisenterprises\.co\.uk"
-SecRule HTTP_Referer|ARGS "foto-gay\.us"
-SecRule HTTP_Referer|ARGS "foto-porno\.us"
-SecRule HTTP_Referer|ARGS "foto-porno\.ws"
-SecRule HTTP_Referer|ARGS "frangelicasplace\.org"
-SecRule HTTP_Referer|ARGS "frankpictures\.com"
-SecRule HTTP_Referer|ARGS "freak-view\.com"
-SecRule HTTP_Referer|ARGS "freakycheats\.com"
-SecRule HTTP_Referer|ARGS "free-adult-chat-room\.com"
-SecRule HTTP_Referer|ARGS "free-adult-check\.com"
-SecRule HTTP_Referer|ARGS "freeadult\.de"
-SecRule HTTP_Referer|ARGS "freeanalsex.nl"
-SecRule HTTP_Referer|ARGS "\.freebb\.com"
-SecRule HTTP_Referer|ARGS "free-blackjack-game\.us"
-SecRule HTTP_Referer|ARGS "free-britney-spears-nude\.biz"
-SecRule HTTP_Referer|ARGS "free-casino-games"
-SecRule HTTP_Referer|ARGS "free-casino-games-000"
-SecRule HTTP_Referer|ARGS "freecreampie\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "free-debt-consolidation-online\.us"
-SecRule HTTP_Referer|ARGS "freedvdplayer\.cjb\.net"
-SecRule HTTP_Referer|ARGS "freeeads\.co\.uk"
-SecRule HTTP_Referer|ARGS "free-fast\.net"
-SecRule HTTP_Referer|ARGS "free-games-links\.com"
-SecRule HTTP_Referer|ARGS "free-gay-video-clip\.com"
-SecRule HTTP_Referer|ARGS "freegovmoney\.net"
-SecRule HTTP_Referer|ARGS "freegovmoney\.us"
-SecRule HTTP_Referer|ARGS "free-hilton-paris-sex-video\.com"
-SecRule HTTP_Referer|ARGS "free-horoscopes\.biz"
-SecRule HTTP_Referer|ARGS "freehostingpeople\.com"
-SecRule HTTP_Referer|ARGS "freehustlersex\.com"
-SecRule HTTP_Referer|ARGS "free-incest-stories-site\.com"
-SecRule HTTP_Referer|ARGS "freeminimacs\.com"
-SecRule HTTP_Referer|ARGS "free-net-sex\.com"
-SecRule HTTP_Referer|ARGS "freenetshopper\.com"
-SecRule HTTP_Referer|ARGS "freenudecelebrity\.net"
-SecRule HTTP_Referer|ARGS "freenudegallery\.org"
-SecRule HTTP_Referer|ARGS "free--online--poker"
-SecRule HTTP_Referer|ARGS "free-online-poker"
-SecRule HTTP_Referer|ARGS "free--online-poker\.com"
-SecRule HTTP_Referer|ARGS "free--online-poker\.us"
-SecRule HTTP_Referer|ARGS "free-paris-nikki-hilton\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "freepicsdaily\.com"
-SecRule HTTP_Referer|ARGS "free-poker-download-i\.com"
-SecRule HTTP_Referer|ARGS "free-poker-great-value\.com"
-SecRule HTTP_Referer|ARGS "free-poker-rooms\.us"
-SecRule HTTP_Referer|ARGS "freepornday\.com"
-SecRule HTTP_Referer|ARGS "free-preview.nl"
-SecRule HTTP_Referer|ARGS "free-satellite-tv-directv-nocable\.com"
-SecRule HTTP_Referer|ARGS "free-satellite-tv-now\.com"
-SecRule HTTP_Referer|ARGS "free-sex\.com"
-SecRule HTTP_Referer|ARGS "freeteenpicsandmovies\.com"
-SecRule HTTP_Referer|ARGS "free-teens-galleries\.com"
-SecRule HTTP_Referer|ARGS "free-texas-holdem"
-SecRule HTTP_Referer|ARGS "free-texashold-em\.us"
-SecRule HTTP_Referer|ARGS "free-texasholdem\.us"
-SecRule HTTP_Referer|ARGS "free-traffic-generation\.com"
-SecRule HTTP_Referer|ARGS "freeweb-hosting\.com"
-SecRule HTTP_Referer|ARGS "freewebpage\.org"
-SecRule HTTP_Referer|ARGS "freewebs\.com"
-SecRule HTTP_Referer|ARGS "freewhileshopping\.com"
-SecRule HTTP_Referer|ARGS "freexxxstuff\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "freshgirls\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "freshsexhosting\.com"
-SecRule HTTP_Referer|ARGS "friko\.pl"
-SecRule HTTP_Referer|ARGS "fsearch\.dtdns\.net"
-SecRule HTTP_Referer|ARGS "fuck-animals\.com"
-SecRule HTTP_Referer|ARGS "fuckfick\.net"
-SecRule HTTP_Referer|ARGS "full-access\.net"
-SecRule HTTP_Referer|ARGS "fumetti-porno\.org"
-SecRule HTTP_Referer|ARGS "fumettiporno\.org"
-SecRule HTTP_Referer|ARGS "fungays\.com"
-SecRule HTTP_Referer|ARGS "furrios\.de"
-SecRule HTTP_Referer|ARGS "furry-kinks-looking\.com"
-SecRule HTTP_Referer|ARGS "furry-kinks-looking\.net"
-SecRule HTTP_Referer|ARGS "future-2000\.net"
-SecRule HTTP_Referer|ARGS "fw-lan\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "f-z-a\.com"
-SecRule HTTP_Referer|ARGS "g4h5\.com"
-SecRule HTTP_Referer|ARGS "gadless\.com"
-SecRule HTTP_Referer|ARGS "gaggingwhores\.net"
-SecRule HTTP_Referer|ARGS "gaggingwhores\.org"
-SecRule HTTP_Referer|ARGS "gagnerargent\.com"
-SecRule HTTP_Referer|ARGS "gainmoresize\.com"
-SecRule HTTP_Referer|ARGS "galleries4free\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "gallerylisting\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "galofu\.com"
-SecRule HTTP_Referer|ARGS "gals4all\.com"
-SecRule HTTP_Referer|ARGS "galsonbed\.com"
-SecRule HTTP_Referer|ARGS "gambleguru\.net"
-SecRule HTTP_Referer|ARGS "gamble-on-football-online\.com"
-SecRule HTTP_Referer|ARGS "gambling-a\.us"
-SecRule HTTP_Referer|ARGS "gambling-card\.ws"
-SecRule HTTP_Referer|ARGS "gambling-casinos-trx\.com"
-SecRule HTTP_Referer|ARGS "gamblingguidance\.co\.uk"
-SecRule HTTP_Referer|ARGS "gambling-homepage\.com"
-SecRule HTTP_Referer|ARGS "gamblingonline.nl"
-SecRule HTTP_Referer|ARGS "gambling\Sgames.cc"
-SecRule HTTP_Referer|ARGS "gamefinder\.de"
-SecRule HTTP_Referer|ARGS "gamersclub.nl"
-SecRule HTTP_Referer|ARGS "games-advanced\.de"
-SecRule HTTP_Referer|ARGS "gamessites\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "ganbarufanworks.org"
-SecRule HTTP_Referer|ARGS "gangbangbusgallery\.com"
-SecRule HTTP_Referer|ARGS "gang-rape\.org"
-SecRule HTTP_Referer|ARGS "gargzdai\.net"
-SecRule HTTP_Referer|ARGS "garment-china\.com"
-SecRule HTTP_Referer|ARGS "gartenshopper\.de"
-SecRule HTTP_Referer|ARGS "garthfans\.co\.uk"
-SecRule HTTP_Referer|ARGS "gau42\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "gay1ncest\.com"
-SecRule HTTP_Referer|ARGS "gay-asian-porn\.com"
-SecRule HTTP_Referer|ARGS "gay-b\.com"
-SecRule HTTP_Referer|ARGS "gay-boy.nl"
-SecRule HTTP_Referer|ARGS "gay-boy\.us"
-SecRule HTTP_Referer|ARGS "gayfamilyincest\.net"
-SecRule HTTP_Referer|ARGS "gayfunplaces\.com"
-SecRule HTTP_Referer|ARGS "gay-male-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "gay-nude\.us"
-SecRule HTTP_Referer|ARGS "gaypixpost.co.uk"
-SecRule HTTP_Referer|ARGS "gay-sex-videos\.com"
-SecRule HTTP_Referer|ARGS "gays-porno-men-twinks-boys-sex\.biz"
-SecRule HTTP_Referer|ARGS "gays-sex-gay-sex-gays\.us"
-SecRule HTTP_Referer|ARGS "gayteen"
-SecRule HTTP_Referer|ARGS "gay-twinks-sex\.com"
-SecRule HTTP_Referer|ARGS "gayx\.us"
-SecRule HTTP_Referer|ARGS "student.*loans.*4free"
-SecRule HTTP_Referer|ARGS "always-credit\.com"
-SecRule HTTP_Referer|ARGS "great-money\.com"
-SecRule HTTP_Referer|ARGS "auto-loan-calculator"
-SecRule HTTP_Referer|ARGS "\.credit-dreams\.com"
-SecRule HTTP_Referer|ARGS "cash-money\.html"
-SecRule HTTP_Referer|ARGS "\.gb\.com"
-SecRule HTTP_Referer|ARGS "gdgc\.org"
-SecRule HTTP_Referer|ARGS "\.guarantee-money\.com"
-SecRule HTTP_Referer|ARGS "\.thebrainstormer\.com"
-SecRule HTTP_Referer|ARGS "\.op-clan\.com"
-SecRule HTTP_Referer|ARGS "\.yelucie\.com"
-SecRule HTTP_Referer|ARGS "\.excellent-health\.com"
-SecRule HTTP_Referer|ARGS "\.computerxchange\.com"
-SecRule HTTP_Referer|ARGS "\.lilaleemcrightrealty\.com"
-SecRule HTTP_Referer|ARGS "\.zindagi\.us"
-SecRule HTTP_Referer|ARGS "\.unitedinchristchurch\.org"
-SecRule HTTP_Referer|ARGS "\.sheratonnorthcharleston\.com"
-SecRule HTTP_Referer|ARGS "\.buy-pharmacy-pills\.com"
-SecRule HTTP_Referer|ARGS "\.conjuratia\.com/"
-SecRule HTTP_Referer|ARGS "\.health-livening\.com"
-SecRule HTTP_Referer|ARGS "onlycelebs\.typepad\.com"
-SecRule HTTP_Referer|ARGS "now-cash\.com"
-SecRule HTTP_Referer|ARGS "\.strega\.us"
-SecRule HTTP_Referer|ARGS "\.freakycheats\.com"
-SecRule HTTP_Referer|ARGS "\.uaeecommerce\.com"
-SecRule HTTP_Referer|ARGS "\.feedmelinks\.com"
-SecRule HTTP_Referer|ARGS "\.meta-find\.us"
-SecRule HTTP_Referer|ARGS "\.american-casino\.ws"
-SecRule HTTP_Referer|ARGS "\.bingo-casino\.net"
-SecRule HTTP_Referer|ARGS "\.bingo-game-trx\.com"
-SecRule HTTP_Referer|ARGS "\.bingo-net\.com"
-SecRule HTTP_Referer|ARGS "\.6q\.org"
-SecRule HTTP_Referer|ARGS "geenslip.nl"
-SecRule HTTP_Referer|ARGS "geile-wijven\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "gelago\.de"
-SecRule HTTP_Referer|ARGS "gem2\.de"
-SecRule HTTP_Referer|ARGS "gemtienda\.co\.uk"
-SecRule HTTP_Referer|ARGS "generic-propecia\.net"
-SecRule HTTP_Referer|ARGS "generic-viagra.biz"
-SecRule HTTP_Referer|ARGS "genimat\.220v\.org"
-SecRule HTTP_Referer|ARGS "genimat\.cjb\.net"
-SecRule HTTP_Referer|ARGS "geocities\.com/alexgolddphumanrbriar"
-SecRule HTTP_Referer|ARGS "geocities\.com/avbmaxtirodpaulmatt"
-SecRule HTTP_Referer|ARGS "geocities\.com/brandtdleffmatthias7"
-SecRule HTTP_Referer|ARGS "geocities\.com/cclibrannar_rover"
-SecRule HTTP_Referer|ARGS "geocities\.com/constpolonskaalniko7"
-SecRule HTTP_Referer|ARGS "geocities\.com/forestavmiagdust"
-SecRule HTTP_Referer|ARGS "geocities\.com/free_satellite_tv_dish_system"
-SecRule HTTP_Referer|ARGS "geocities\.com/gehentaiqrst"
-SecRule HTTP_Referer|ARGS "geocities\.com/gematureqrst"
-SecRule HTTP_Referer|ARGS "geocities\.com/gerapeqrst"
-SecRule HTTP_Referer|ARGS "geocities\.com/ofconvbdemikqfolium"
-SecRule HTTP_Referer|ARGS "geocities\.com/pashkabandtvcom"
-SecRule HTTP_Referer|ARGS "geocities\.com/pautovalexasha_kagal"
-SecRule HTTP_Referer|ARGS "geocities\.com/reutovoalexeypetrovseverin5"
-SecRule HTTP_Referer|ARGS "geocities\.com/timryancompassmedius"
-SecRule HTTP_Referer|ARGS "germanyvacations\.net"
-SecRule HTTP_Referer|ARGS "gesundheitsshop-kosmetik\.de"
-SecRule HTTP_Referer|ARGS "gesundheit-total\.com"
-SecRule HTTP_Referer|ARGS "getaprescription\.net"
-SecRule HTTP_Referer|ARGS "get-cell-phone-accessories\.com"
-SecRule HTTP_Referer|ARGS "getdomainsandhosting\.com"
-SecRule HTTP_Referer|ARGS "get-free-catalogs\.com"
-SecRule HTTP_Referer|ARGS "get-freetrial\.us"
-SecRule HTTP_Referer|ARGS "get-hardcore-sex\.com"
-SecRule HTTP_Referer|ARGS "gethelp24x7\.net"
-SecRule HTTP_Referer|ARGS "get-insurance-quotes\.com"
-SecRule HTTP_Referer|ARGS "getmoregiveless\.com"
-SecRule HTTP_Referer|ARGS "getrxscripts\.biz"
-SecRule HTTP_Referer|ARGS "get-satellite-tv-dish\.com"
-SecRule HTTP_Referer|ARGS "getstarted24x7\.net"
-SecRule HTTP_Referer|ARGS "get-your-dish-tv\.info"
-SecRule HTTP_Referer|ARGS "getyourlyrics\.com"
-SecRule HTTP_Referer|ARGS "get-zoo\.com"
-SecRule HTTP_Referer|ARGS "gfind\.de"
-SecRule HTTP_Referer|ARGS "gfy\.com"
-SecRule HTTP_Referer|ARGS "gofuckyourself\.com"
-SecRule HTTP_Referer|ARGS "ghettoinc\.com"
-SecRule HTTP_Referer|ARGS "giantipps\.de"
-SecRule HTTP_Referer|ARGS "gifs-clipart-smiley\.de"
-SecRule HTTP_Referer|ARGS "giochi-hentai\.com"
-SecRule HTTP_Referer|ARGS "giochi-online\.us"
-SecRule HTTP_Referer|ARGS "giochix\.com"
-SecRule HTTP_Referer|ARGS "girls-get-crazy\.org"
-SecRule HTTP_Referer|ARGS "girlshost\.net"
-SecRule HTTP_Referer|ARGS "girltime.co.uk"
-SecRule HTTP_Referer|ARGS "giveramp\.com"
-SecRule HTTP_Referer|ARGS "give-u-the-perfect-mortgage\.com"
-SecRule HTTP_Referer|ARGS "glendajackson\.co\.uk"
-SecRule HTTP_Referer|ARGS "global-verreisen\.de"
-SecRule HTTP_Referer|ARGS "globalwebbrain\.com"
-SecRule HTTP_Referer|ARGS "gloryhole-girls\.angelcities\.com"
-SecRule HTTP_Referer|ARGS "glory-vision\.com"
-SecRule HTTP_Referer|ARGS "glucophagepharmacy\.com"
-SecRule HTTP_Referer|ARGS "goapplyonline\.com"
-SecRule HTTP_Referer|ARGS "godere\.org"
-SecRule HTTP_Referer|ARGS "godwebdesign\.com"
-SecRule HTTP_Referer|ARGS "gofolks\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "gogito\.com"
-SecRule HTTP_Referer|ARGS "gogof-ck\.com"
-SecRule HTTP_Referer|ARGS "gojerk\.com"
-SecRule HTTP_Referer|ARGS "gokkastemulator\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "goldpills\.net"
-SecRule HTTP_Referer|ARGS "golf-equipment\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "gomvents\.com"
-SecRule HTTP_Referer|ARGS "gongi\.pl"
-SecRule HTTP_Referer|ARGS "goodlife2000-geheimtipp\.com"
-SecRule HTTP_Referer|ARGS "goodsexy\.com"
-SecRule HTTP_Referer|ARGS "goodtv\.cn"
-SecRule HTTP_Referer|ARGS "google163\.net"
-SecRule HTTP_Referer|ARGS "google8\.net"
-SecRule HTTP_Referer|ARGS "gorilka\.atspace\.com"
-SecRule HTTP_Referer|ARGS "gotooa\.com"
-SecRule HTTP_Referer|ARGS "gotsw\.net"
-SecRule HTTP_Referer|ARGS "gourmondo\.de"
-SecRule HTTP_Referer|ARGS "govermentgrants\.net"
-SecRule HTTP_Referer|ARGS "governmentalgrants\.com"
-SecRule HTTP_Referer|ARGS "government-federal-grants\.com"
-SecRule HTTP_Referer|ARGS "governmentfederalgrants\.com"
-SecRule HTTP_Referer|ARGS "government--grant\.com"
-SecRule HTTP_Referer|ARGS "government-grants\.org"
-SecRule HTTP_Referer|ARGS "governmentgrantsresources\.com"
-SecRule HTTP_Referer|ARGS "governmentgrants\.tv"
-SecRule HTTP_Referer|ARGS "government-grants\.ws"
-SecRule HTTP_Referer|ARGS "governmentgrants\.ws"
-SecRule HTTP_Referer|ARGS "granadasexi\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "grannypictgp\.com"
-SecRule HTTP_Referer|ARGS "grannysexthumbs\.com"
-SecRule HTTP_Referer|ARGS "grants\.biz"
-SecRule HTTP_Referer|ARGS "grantseekerpro"
-SecRule HTTP_Referer|ARGS "gratisanaal.nl"
-SecRule HTTP_Referer|ARGS "gratispartnersuche\.com"
-SecRule HTTP_Referer|ARGS "gratissexdate.nl"
-SecRule HTTP_Referer|ARGS "great-cialis\.com"
-SecRule HTTP_Referer|ARGS "great-dish-tv-deals\.info"
-SecRule HTTP_Referer|ARGS "greatnow\.com"
-SecRule HTTP_Referer|ARGS "greecehotels-discount\.com"
-SecRule HTTP_Referer|ARGS "green-tx\.com"
-SecRule HTTP_Referer|ARGS "greenwood\.ddns\.ms"
-SecRule HTTP_Referer|ARGS "group-eurosex\.com"
-SecRule HTTP_Referer|ARGS "growshopalien\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "growtech\.cn"
-SecRule HTTP_Referer|ARGS "growth-hormone\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "guardami\.org"
-SecRule HTTP_Referer|ARGS "guenstige-krankenversicherung\.com"
-SecRule HTTP_Referer|ARGS "guenstige-onlineshops\.de"
-SecRule HTTP_Referer|ARGS "guenstige-sportartikel\.de"
-SecRule HTTP_Referer|ARGS "guenstige-versicherungstarife\.de"
-SecRule HTTP_Referer|ARGS "gunit\.gotdns\.com"
-SecRule HTTP_Referer|ARGS "guttermag\.com"
-SecRule HTTP_Referer|ARGS "hair-loss-cure\.net"
-SecRule HTTP_Referer|ARGS "hair-loss-cure-x\.com"
-SecRule HTTP_Referer|ARGS "hairy-pussy-sex\.net"
-SecRule HTTP_Referer|ARGS "hallo-tierfreund\.de"
-SecRule HTTP_Referer|ARGS "handjoblessons\.org"
-SecRule HTTP_Referer|ARGS "hand-job\.us"
-SecRule HTTP_Referer|ARGS "handmade2000\.co\.uk"
-SecRule HTTP_Referer|ARGS "handsm\.servehttp\.com"
-SecRule HTTP_Referer|ARGS "handwerksartikel-xxl\.de"
-SecRule HTTP_Referer|ARGS "handy-klingeltoene\.eu\.tp"
-SecRule HTTP_Referer|ARGS "handy-sms.biz"
-SecRule HTTP_Referer|ARGS "handysprueche\.de"
-SecRule HTTP_Referer|ARGS "handytone\.us"
-SecRule HTTP_Referer|ARGS "hangchen\.cn"
-SecRule HTTP_Referer|ARGS "hangchen\.com"
-SecRule HTTP_Referer|ARGS "happyagency\.com"
-SecRule HTTP_Referer|ARGS "happy-shopping-online\.com"
-SecRule HTTP_Referer|ARGS "hard-boys\.com"
-SecRule HTTP_Referer|ARGS "hardcorecash\.net"
-SecRule HTTP_Referer|ARGS "hardcore-jpg\.com"
-SecRule HTTP_Referer|ARGS "hardcore-junky\.us"
-SecRule HTTP_Referer|ARGS "hardcore-pictures\.us"
-SecRule HTTP_Referer|ARGS "hardcore-porn-links\.com"
-SecRule HTTP_Referer|ARGS "hardcore-pussy\.us"
-SecRule HTTP_Referer|ARGS "hardcore-sex\.bz"
-SecRule HTTP_Referer|ARGS "hardcore-video\.us"
-SecRule HTTP_Referer|ARGS "hard-sex-teen\.com"
-SecRule HTTP_Referer|ARGS "hasslerenterprises\.net"
-SecRule HTTP_Referer|ARGS "hasslerenterprises\.org"
-SecRule HTTP_Referer|ARGS "hautesavoieimmobilier\.com"
-SecRule HTTP_Referer|ARGS "hchcinc\.com"
-SecRule HTTP_Referer|ARGS "hdic\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "hdic\.net"
-SecRule HTTP_Referer|ARGS "hdic\.org"
-SecRule HTTP_Referer|ARGS "headachetreatment\.net"
-SecRule HTTP_Referer|ARGS "healhome\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "healthdangers\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "healthmore\.net"
-SecRule HTTP_Referer|ARGS "health-pills\.net"
-SecRule HTTP_Referer|ARGS "health-pills-online\.com"
-SecRule HTTP_Referer|ARGS "healthrules\.org"
-SecRule HTTP_Referer|ARGS "heartbeatofhealing\.org"
-SecRule HTTP_Referer|ARGS "helpful-forum\.com"
-SecRule HTTP_Referer|ARGS "helpful-pills-blog\.com"
-SecRule HTTP_Referer|ARGS "henrythehunk\.com"
-SecRule HTTP_Referer|ARGS "hentai-anime\.us"
-SecRule HTTP_Referer|ARGS "hentaigratis\.net"
-SecRule HTTP_Referer|ARGS "hentai-gratis\.us"
-SecRule HTTP_Referer|ARGS "hentai-hard\.com"
-SecRule HTTP_Referer|ARGS "hentaimanga\.us"
-SecRule HTTP_Referer|ARGS "hentaiplayground\.com"
-SecRule HTTP_Referer|ARGS "hentai-porno\.us"
-SecRule HTTP_Referer|ARGS "hentaix\.net"
-SecRule HTTP_Referer|ARGS "hentai-xxx\.us"
-SecRule HTTP_Referer|ARGS "hentaixxx\.us"
-SecRule HTTP_Referer|ARGS "hentay\.us"
-SecRule HTTP_Referer|ARGS "herbal-source\.net"
-SecRule HTTP_Referer|ARGS "hermosa\.us"
-SecRule HTTP_Referer|ARGS "herpies\.net"
-SecRule HTTP_Referer|ARGS "heydo\.com"
-SecRule HTTP_Referer|ARGS "hghadvisor\.com"
-SecRule HTTP_Referer|ARGS "hghplanet\.com"
-SecRule HTTP_Referer|ARGS "hgxweb\.de"
-SecRule HTTP_Referer|ARGS "\.hidden-place\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "hi-finder\.com"
-SecRule HTTP_Referer|ARGS "highheelsmodels4fun\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "highprofitclub\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "highprofitclub\.com"
-SecRule HTTP_Referer|ARGS "high-risk-merchant-account\.org"
-SecRule HTTP_Referer|ARGS "hillsweb\.com"
-SecRule HTTP_Referer|ARGS "hilton-nicky-paris\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "hilton-video"
-SecRule HTTP_Referer|ARGS "hion\.cn"
-SecRule HTTP_Referer|ARGS "historyintospace\.com"
-SecRule HTTP_Referer|ARGS "hit-logo-klingelton\.com"
-SecRule HTTP_Referer|ARGS "hit-logo-ringetone\.com"
-SecRule HTTP_Referer|ARGS "hit-logo-ringtone\.com"
-SecRule HTTP_Referer|ARGS "hit-logo-suoneria\.com"
-SecRule HTTP_Referer|ARGS "hit-melodias\.com"
-SecRule HTTP_Referer|ARGS "hits-logos-games\.com"
-SecRule HTTP_Referer|ARGS "hitslogosgames\.com"
-SecRule HTTP_Referer|ARGS "hits-logos-klingeltone\.com"
-SecRule HTTP_Referer|ARGS "hit-sonnerie\.net"
-SecRule HTTP_Referer|ARGS "hit-sonneries\.com"
-SecRule HTTP_Referer|ARGS "hlopci\.w5\.pl"
-SecRule HTTP_Referer|ARGS "hobbs-farm\.com"
-SecRule HTTP_Referer|ARGS "hold-em-big\.com"
-SecRule HTTP_Referer|ARGS "holdem-texaspoker\.com"
-SecRule HTTP_Referer|ARGS "holding\.errorworld\.org"
-SecRule HTTP_Referer|ARGS "hold-pok\.com"
-SecRule HTTP_Referer|ARGS "homesbysellers\.(net|org|com|info|biz)"
-SecRule HTTP_Referer|ARGS "home-design\.ws"
-SecRule HTTP_Referer|ARGS "home-equity-loans-mortgage-refinancing\.com"
-SecRule HTTP_Referer|ARGS "homelivecams\.com"
-SecRule HTTP_Referer|ARGS "home-loans-inc\.com"
-SecRule HTTP_Referer|ARGS "homenetworkingsolutions\.co\.uk"
-SecRule HTTP_Referer|ARGS "home\.pages\.at"
-SecRule HTTP_Referer|ARGS "home\.ro\b"
-SecRule HTTP_Referer|ARGS "home-style\.ws"
-SecRule HTTP_Referer|ARGS "hometeaminspection\.net"
-SecRule HTTP_Referer|ARGS "hometeaminspection\.org"
-SecRule HTTP_Referer|ARGS "home-videos\.net"
-SecRule HTTP_Referer|ARGS "hoodia\.belleity\.com"
-SecRule HTTP_Referer|ARGS "hoodia--gardonii\.com"
-SecRule HTTP_Referer|ARGS "horizonultra\.com"
-SecRule HTTP_Referer|ARGS "horny-honey\.com"
-SecRule HTTP_Referer|ARGS "hornymoms\.net"
-SecRule HTTP_Referer|ARGS "hornypages\.com"
-SecRule HTTP_Referer|ARGS "horny-world\.com"
-SecRule HTTP_Referer|ARGS "horoskop-auswertung\.de"
-SecRule HTTP_Referer|ARGS "horse-racebetting\.com"
-SecRule HTTP_Referer|ARGS "horse-racing--betting\.net"
-SecRule HTTP_Referer|ARGS "horse-sex\.ws"
-SecRule HTTP_Referer|ARGS "hostingplus\.com"
-SecRule HTTP_Referer|ARGS "hostultra\.com"
-SecRule HTTP_Referer|ARGS "hot-cialis\.com"
-SecRule HTTP_Referer|ARGS "hotelbookingserver\.com"
-SecRule HTTP_Referer|ARGS "hotel-bordeaux\.cjb\.net"
-SecRule HTTP_Referer|ARGS "hotelhieress\.com"
-SecRule HTTP_Referer|ARGS "hotelsaficionado\.com"
-SecRule HTTP_Referer|ARGS "hotelsplustours\.com"
-SecRule HTTP_Referer|ARGS "hot-escort-services\.com"
-SecRule HTTP_Referer|ARGS "hotfunsingles\.com"
-SecRule HTTP_Referer|ARGS "hotlivegirls.co.uk"
-SecRule HTTP_Referer|ARGS "hotmatchup.co.uk"
-SecRule HTTP_Referer|ARGS "hot-mates\.info"
-SecRule HTTP_Referer|ARGS "hot-naked-guys\.net"
-SecRule HTTP_Referer|ARGS "hotsexys\.com"
-SecRule HTTP_Referer|ARGS "hotsing\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "hotusa\.org"
-SecRule HTTP_Referer|ARGS "houseofsevengables\.com"
-SecRule HTTP_Referer|ARGS "how-quit-smoking\.com"
-SecRule HTTP_Referer|ARGS "how-to-play-poker-quick\.com"
-SecRule HTTP_Referer|ARGS "how-to-stretch-your-penis"
-SecRule HTTP_Referer|ARGS "hq-pictures\.org"
-SecRule HTTP_Referer|ARGS "hs168\.com"
-SecRule HTTP_Referer|ARGS "hswin\.com"
-SecRule HTTP_Referer|ARGS "htmldiff\.com"
-SecRule HTTP_Referer|ARGS "huazhangmba\.com"
-SecRule HTTP_Referer|ARGS "humangrowthhormone\.org"
-SecRule HTTP_Referer|ARGS "hunksandbabes\.com"
-SecRule HTTP_Referer|ARGS "hurricane-ivan.blogspot\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "husler.co.uk"
-SecRule HTTP_Referer|ARGS "hustlerbarelylegalteen\.com"
-SecRule HTTP_Referer|ARGS "hustler\.bz"
-SecRule HTTP_Referer|ARGS "hustlerw\.com"
-SecRule HTTP_Referer|ARGS "hxlll\.net"
-SecRule HTTP_Referer|ARGS "hyper-sex\.com"
-SecRule HTTP_Referer|ARGS "hypnobabies\.co\.uk"
-SecRule HTTP_Referer|ARGS "i-black-jack\.com"
-SecRule HTTP_Referer|ARGS "i-butalbital-fioricet\.com"
-SecRule HTTP_Referer|ARGS "i-buy-mortgage\.com"
-SecRule HTTP_Referer|ARGS "i--cialis\.net"
-SecRule HTTP_Referer|ARGS "idebtconsolidation\.org"
-SecRule HTTP_Referer|ARGS "identity-theft\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "i-directv\.net"
-SecRule HTTP_Referer|ARGS "i-dish-network\.org"
-SecRule HTTP_Referer|ARGS "idp4u\.com"
-SecRule HTTP_Referer|ARGS "i-flexeril\.com"
-SecRule HTTP_Referer|ARGS "ifreepages\.com"
-SecRule HTTP_Referer|ARGS "i-free-poker\.com"
-SecRule HTTP_Referer|ARGS "i-horny\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "i-horny\.com"
-SecRule HTTP_Referer|ARGS "i-ink-cartridges\.com"
-SecRule HTTP_Referer|ARGS "ikbendom.nl"
-SecRule HTTP_Referer|ARGS "ikbenkoel.nl"
-SecRule HTTP_Referer|ARGS "illegalhome\.com"
-SecRule HTTP_Referer|ARGS "illegalspace\.com"
-SecRule HTTP_Referer|ARGS "iloveclicks\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "ilya\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "imagenes-tops\.com\.mx"
-SecRule HTTP_Referer|ARGS "imess\.net"
-SecRule HTTP_Referer|ARGS "imitrex-web\.com"
-SecRule HTTP_Referer|ARGS "immagini-hentai\.org"
-SecRule HTTP_Referer|ARGS "immigrationattorney.ca"
-SecRule HTTP_Referer|ARGS "immobilienangebote-auswahl\.de"
-SecRule HTTP_Referer|ARGS "immobilien-auswaehlen\.de"
-SecRule HTTP_Referer|ARGS "immobilienmakler-angebote\.de"
-SecRule HTTP_Referer|ARGS "immobilienmakler-l\.de"
-SecRule HTTP_Referer|ARGS "immobilienmarkt-grundstuecke\.de"
-SecRule HTTP_Referer|ARGS "immobilierdessavoie\.com"
-SecRule HTTP_Referer|ARGS "im-naked\.com"
-SecRule HTTP_Referer|ARGS "imobissimo\.com"
-SecRule HTTP_Referer|ARGS "i-mortgage-online\.com"
-SecRule HTTP_Referer|ARGS "impotence-rx\.biz"
-SecRule HTTP_Referer|ARGS "incest-movies-download\.com"
-SecRule HTTP_Referer|ARGS "incest-photo\.com"
-SecRule HTTP_Referer|ARGS "incest-photos-archive\.com"
-SecRule HTTP_Referer|ARGS "incest-pics-gallery\.com"
-SecRule HTTP_Referer|ARGS "incest-pics--incest\.com"
-SecRule HTTP_Referer|ARGS "incest-reality\.com"
-SecRule HTTP_Referer|ARGS "incest-relations\.com"
-SecRule HTTP_Referer|ARGS "incest-stories\.biz"
-SecRule HTTP_Referer|ARGS "incest-stories-library\.com"
-SecRule HTTP_Referer|ARGS "inceststories\.ws"
-SecRule HTTP_Referer|ARGS "incest-taboo\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "incest-taboo\.net"
-SecRule HTTP_Referer|ARGS "incest-videos-collection\.com"
-SecRule HTTP_Referer|ARGS "inclinetahoehomes\.com"
-SecRule HTTP_Referer|ARGS "inc-magazine\.com"
-SecRule HTTP_Referer|ARGS "incredishop\.com"
-SecRule HTTP_Referer|ARGS "incsx\.com"
-SecRule HTTP_Referer|ARGS "indian-sex-porno-movies-stories\.com"
-SecRule HTTP_Referer|ARGS "indiasilk\.biz"
-SecRule HTTP_Referer|ARGS "indiasilktradition\.com"
-SecRule HTTP_Referer|ARGS "industrialresource\.biz"
-SecRule HTTP_Referer|ARGS "industrial-testing-equipment\.com"
-SecRule HTTP_Referer|ARGS "inescudna\.com"
-SecRule HTTP_Referer|ARGS "inexpensiverx\.net"
-SecRule HTTP_Referer|ARGS "infocenter-crm\.com"
-SecRule HTTP_Referer|ARGS "inforceable\.com"
-SecRule HTTP_Referer|ARGS "inforceables\.com"
-SecRule HTTP_Referer|ARGS "ingyensms\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "ingyensms\.net"
-SecRule HTTP_Referer|ARGS "ingyensms\.org"
-SecRule HTTP_Referer|ARGS "inkjet-toner-cartridge.info"
-SecRule HTTP_Referer|ARGS "innfg\.de"
-SecRule HTTP_Referer|ARGS "insatiablepussy\.com"
-SecRule HTTP_Referer|ARGS "inside\.afraid\.org"
-SecRule HTTP_Referer|ARGS "insidethevip.co.uk"
-SecRule HTTP_Referer|ARGS "instant-quick-money-cash-advance-personal-loans-until-pay-day\.com"
-SecRule HTTP_Referer|ARGS "instantsatellite\.com"
-SecRule HTTP_Referer|ARGS "instant-webshop\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "insurancecompanies4you\.com"
-SecRule HTTP_Referer|ARGS "insurancehere\.net"
-SecRule HTTP_Referer|ARGS "insuranceinfo.biz"
-SecRule HTTP_Referer|ARGS "insurance-quotes-fast\.com"
-SecRule HTTP_Referer|ARGS "insurancequoteweb\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "interest-?only-?mortgage"
-SecRule HTTP_Referer|ARGS "interiorproshop\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "international-candle-shop\.com"
-SecRule HTTP_Referer|ARGS "international-cheese-shop\.com"
-SecRule HTTP_Referer|ARGS "internet-job-nebenjob.de"
-SecRule HTTP_Referer|ARGS "internet-meds\.biz"
-SecRule HTTP_Referer|ARGS "internet-merchant-account-pro\.com"
-SecRule HTTP_Referer|ARGS "internet-poker-online-4-u\.com"
-SecRule HTTP_Referer|ARGS "internette-anbieter\.de"
-SecRule HTTP_Referer|ARGS "interracial-sex\.ws"
-SecRule HTTP_Referer|ARGS "inter-ross\.ru"
-SecRule HTTP_Referer|ARGS "int-fed-aromatherapy\.co\.uk"
-SecRule HTTP_Referer|ARGS "inthevip-4u\.com"
-SecRule HTTP_Referer|ARGS "in-the-vip\.org"
-SecRule HTTP_Referer|ARGS "inthevip-sex\.com"
-SecRule HTTP_Referer|ARGS "intimplace\.com"
-SecRule HTTP_Referer|ARGS "intymnie\.com"
-SecRule HTTP_Referer|ARGS "inviare-mms\.net"
-SecRule HTTP_Referer|ARGS "invio-mms\.us"
-SecRule HTTP_Referer|ARGS "ionic-bonds\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "i-online-bingo\.com"
-SecRule HTTP_Referer|ARGS "i-online-poker\.com"
-SecRule HTTP_Referer|ARGS "ipaddressworld\.com"
-SecRule HTTP_Referer|ARGS "ipharmacy\.com"
-SecRule HTTP_Referer|ARGS "i-play-bingo\.com"
-SecRule HTTP_Referer|ARGS "i-play-blackjack\.com"
-SecRule HTTP_Referer|ARGS "i-play-casino\.com"
-SecRule HTTP_Referer|ARGS "i-play-poker\.com"
-SecRule HTTP_Referer|ARGS "i-play-poker-online\.biz"
-SecRule HTTP_Referer|ARGS "i-play-poker-online\.com"
-SecRule HTTP_Referer|ARGS "i-play-poker-online\.us"
-SecRule HTTP_Referer|ARGS "ipmotor\.com"
-SecRule HTTP_Referer|ARGS "ipsnihongo\.org"
-SecRule HTTP_Referer|ARGS "ipupdater\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "ipupdater\.com"
-SecRule HTTP_Referer|ARGS "irianjaya\.co\.uk"
-SecRule HTTP_Referer|ARGS "irs-us\.net"
-SecRule HTTP_Referer|ARGS "i-ru\.net"
-SecRule HTTP_Referer|ARGS "isacommie\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "isacommie\.com"
-SecRule HTTP_Referer|ARGS "iservice\.eu\.com"
-SecRule HTTP_Referer|ARGS "i-skelaxin\.com"
-SecRule HTTP_Referer|ARGS "i-soma\.net"
-SecRule HTTP_Referer|ARGS "isparkl\.com"
-SecRule HTTP_Referer|ARGS "israelsex.nl"
-SecRule HTTP_Referer|ARGS "istarthere\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "italiancharmsbracelets.info"
-SecRule HTTP_Referer|ARGS "itgo\.com"
-SecRule HTTP_Referer|ARGS "\.itsaol\.(com|net|org|info|biz)"
-SecRule HTTP_Referer|ARGS "iul-online\.de"
-SecRule HTTP_Referer|ARGS "i-university-guide\.com"
-SecRule HTTP_Referer|ARGS "iwas2\.(com|net)"
-SecRule HTTP_Referer|ARGS "iwebbroker\.com"
-SecRule HTTP_Referer|ARGS "i-wellbutrin\.com"
-SecRule HTTP_Referer|ARGS "i-will-find-the-best-mortgage-lead\.com"
-SecRule HTTP_Referer|ARGS "i-win-bingo\.com"
-SecRule HTTP_Referer|ARGS "ixay\.com"
-SecRule HTTP_Referer|ARGS "jacks-world\.com"
-SecRule HTTP_Referer|ARGS "jack-x\.com"
-SecRule HTTP_Referer|ARGS "jade\.bilder-i\.de"
-SecRule HTTP_Referer|ARGS "jagk\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "japan-partner\.com"
-SecRule HTTP_Referer|ARGS "jardimed\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "jegem\.com"
-SecRule HTTP_Referer|ARGS "jenniferconnor\.com"
-SecRule HTTP_Referer|ARGS "jenthony\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "jewelry4navel\.com"
-SecRule HTTP_Referer|ARGS "jfcadvocacy\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "jfcadvocacy\.net"
-SecRule HTTP_Referer|ARGS "jf-w\.com"
-SecRule HTTP_Referer|ARGS "jinlong\.co\.uk"
-SecRule HTTP_Referer|ARGS "jmsimonr\.com"
-SecRule HTTP_Referer|ARGS "job-interview-questions-tips\.com"
-SecRule HTTP_Referer|ARGS "jobsearchlegal\.com"
-SecRule HTTP_Referer|ARGS "johnhowesatty\.com"
-SecRule HTTP_Referer|ARGS "johnhuron\.com"
-SecRule HTTP_Referer|ARGS "jokeria\.de"
-SecRule HTTP_Referer|ARGS "jordanand\.topcities\.com"
-SecRule HTTP_Referer|ARGS "josephlied\.com"
-SecRule HTTP_Referer|ARGS "judahskateboards\.com"
-SecRule HTTP_Referer|ARGS "juega-al-casino\.com"
-SecRule HTTP_Referer|ARGS "juice-clit-licking\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "juliamiles\.co\.uk"
-SecRule HTTP_Referer|ARGS "jungfrauen-sex\.com"
-SecRule HTTP_Referer|ARGS "junyuan\.com\.cn"
-SecRule HTTP_Referer|ARGS "jupiterstar\.com"
-SecRule HTTP_Referer|ARGS "justasex\.com"
-SecRule HTTP_Referer|ARGS "just-deals.info"
-SecRule HTTP_Referer|ARGS "justsexstories\.com"
-SecRule HTTP_Referer|ARGS "jytouch\.com"
-SecRule HTTP_Referer|ARGS "kampelicka\.com"
-SecRule HTTP_Referer|ARGS "kantorg\.h10\.ru"
-SecRule HTTP_Referer|ARGS "kapitaalmarktrente\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "kapsociety\.org"
-SecRule HTTP_Referer|ARGS "kardtoons\.co\.uk"
-SecRule HTTP_Referer|ARGS "karibubaskets\.com"
-SecRule HTTP_Referer|ARGS "karmicdebtconsolidation\.com"
-SecRule HTTP_Referer|ARGS "kat.za\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "kcufrecnac\.com"
-SecRule HTTP_Referer|ARGS "keikoasura\.com"
-SecRule HTTP_Referer|ARGS "keithandrew\.co\.uk"
-SecRule HTTP_Referer|ARGS "kerosinjunkie\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "kewler\.net"
-SecRule HTTP_Referer|ARGS "kewl-links\.com"
-SecRule HTTP_Referer|ARGS "keywordmaster.de"
-SecRule HTTP_Referer|ARGS "killasvideo\.com"
-SecRule HTTP_Referer|ARGS "kinggimp\.org"
-SecRule HTTP_Referer|ARGS "kinkyhosting\.com"
-SecRule HTTP_Referer|ARGS "kinkykinky.nl"
-SecRule HTTP_Referer|ARGS "kinky-teen-videos\.com"
-SecRule HTTP_Referer|ARGS "kiranthakrar\.co\.uk"
-SecRule HTTP_Referer|ARGS "kleinkinder-shop\.de"
-SecRule HTTP_Referer|ARGS "klik-search\.com"
-SecRule HTTP_Referer|ARGS "e-poker-2005\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.sigmapiscu\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.pisangrebus\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "poker-hands"
-SecRule HTTP_Referer|ARGS "klingeltoene-handylogos\.de\.be"
-SecRule HTTP_Referer|ARGS "klingeltone-logo\.com"
-SecRule HTTP_Referer|ARGS "klitoris\.ca"
-SecRule HTTP_Referer|ARGS "kloony\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "kmsenergy\.com"
-SecRule HTTP_Referer|ARGS "kohost\.us"
-SecRule HTTP_Referer|ARGS "koihoo\.com"
-SecRule HTTP_Referer|ARGS "kontaktanzeigen-bild\.de\.ms"
-SecRule HTTP_Referer|ARGS "kontaktlinsen-partner\.de"
-SecRule HTTP_Referer|ARGS "kontaktpartnersuche\.com"
-SecRule HTTP_Referer|ARGS "kontlikken\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "kostenlose-sexkontakte\.org"
-SecRule HTTP_Referer|ARGS "krantas\.org"
-SecRule HTTP_Referer|ARGS "kraskidliavas\.ru"
-SecRule HTTP_Referer|ARGS "kredite-kredit\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "kredite-online\.de\.ms"
-SecRule HTTP_Referer|ARGS "kredite-portal\.de"
-SecRule HTTP_Referer|ARGS "kredite-sofortzusage\.de"
-SecRule HTTP_Referer|ARGS "kreditkarten-sofort\.de\.ms"
-SecRule HTTP_Referer|ARGS "kredit-ratenkredit-sofortkredit\.de"
-SecRule HTTP_Referer|ARGS "kupibuket\.ru"
-SecRule HTTP_Referer|ARGS "kwik\.static\.net"
-SecRule HTTP_Referer|ARGS "kyfarmhouse\.org"
-SecRule HTTP_Referer|ARGS "kylos\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "kylosnet\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "lablog\.biz"
-#SecRule HTTP_Referer|ARGS "labo.ac"
-SecRule HTTP_Referer|ARGS "lacetongue\.com"
-SecRule HTTP_Referer|ARGS "lach-ab\.de"
-SecRule HTTP_Referer|ARGS "lakesideartonline\.com"
-SecRule HTTP_Referer|ARGS "lambethcouncil\.com"
-SecRule HTTP_Referer|ARGS "lambuschlamppen\.com"
-SecRule HTTP_Referer|ARGS "landscape-painting\.as\.ro"
-SecRule HTTP_Referer|ARGS "langsrestaurant\.com"
-SecRule HTTP_Referer|ARGS "lanreport\.com"
-SecRule HTTP_Referer|ARGS "laptopy\.biz\.pl"
-SecRule HTTP_Referer|ARGS "lastminute-blitz\.de"
-SecRule HTTP_Referer|ARGS "las-vegas-real-estate-1\.com"
-SecRule HTTP_Referer|ARGS "lasvegas-real-estate\.net"
-SecRule HTTP_Referer|ARGS "lasvegasrealtor\.com"
-SecRule HTTP_Referer|ARGS "lasvegastourfinder\.com"
-SecRule HTTP_Referer|ARGS "latina-hot-girls\.com"
-SecRule HTTP_Referer|ARGS "latina-sex\.ws"
-SecRule HTTP_Referer|ARGS "lavalifedating\.com"
-SecRule HTTP_Referer|ARGS "leadbanx\.com"
-SecRule HTTP_Referer|ARGS "learnhowtoplay\.com"
-SecRule HTTP_Referer|ARGS "learningphpfast\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "learnthebiz\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "lebonpost\.com"
-SecRule HTTP_Referer|ARGS "lechery-family\.com"
-SecRule HTTP_Referer|ARGS "ledo-design\.com"
-SecRule HTTP_Referer|ARGS "legalblonde\.com"
-SecRule HTTP_Referer|ARGS "legfreak\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "lemonrider"
-SecRule HTTP_Referer|ARGS "lepommeau\.com"
-SecRule HTTP_Referer|ARGS "lesbian-girl\.us"
-SecRule HTTP_Referer|ARGS "lesbian-sex-porn-pics-stories\.com"
-SecRule HTTP_Referer|ARGS "lesbichex\.com"
-SecRule HTTP_Referer|ARGS "lesbo-rama\.com"
-SecRule HTTP_Referer|ARGS "leseratten-wunderland\.de"
-SecRule HTTP_Referer|ARGS "letemgo\.de"
-SecRule HTTP_Referer|ARGS "leveltendesign\.com"
-SecRule HTTP_Referer|ARGS "lexapro-web\.com"
-SecRule HTTP_Referer|ARGS "lexfinance\.com"
-SecRule HTTP_Referer|ARGS "lgt-clan\.ru"
-SecRule HTTP_Referer|ARGS "libr-animal\.com"
-SecRule HTTP_Referer|ARGS "libraries.org.ru"
-SecRule HTTP_Referer|ARGS "life-insurance-advisor\.com"
-SecRule HTTP_Referer|ARGS "lifeinsurancefinders\.com"
-SecRule HTTP_Referer|ARGS "\.liftyourself\.(com|net|org|info|biz)"
-SecRule HTTP_Referer|ARGS "likemynudebody.co.uk"
-SecRule HTTP_Referer|ARGS "likesmature\.com"
-SecRule HTTP_Referer|ARGS "likewaterlikewind\.com"
-SecRule HTTP_Referer|ARGS "lingeriegirls.nl"
-SecRule HTTP_Referer|ARGS "lingerie-land\.com"
-SecRule HTTP_Referer|ARGS "link-dir\.com"
-SecRule HTTP_Referer|ARGS "linkerdome\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "linkliste-geschenke\.de"
-SecRule HTTP_Referer|ARGS "linseysworld\.com"
-SecRule HTTP_Referer|ARGS "linuxwaves\.net"
-SecRule HTTP_Referer|ARGS "lipitordiscount\.biz"
-SecRule HTTP_Referer|ARGS "lipitordiscount\.com"
-SecRule HTTP_Referer|ARGS "lisaber\.com"
-SecRule HTTP_Referer|ARGS "list1st\.com"
-SecRule HTTP_Referer|ARGS "listbanx\.com"
-SecRule HTTP_Referer|ARGS "live-casino\.com"
-SecRule HTTP_Referer|ARGS "livenet\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "livetexasholdem\.com"
-SecRule HTTP_Referer|ARGS "livetreff\.tv"
-SecRule HTTP_Referer|ARGS "livevents\.de"
-SecRule HTTP_Referer|ARGS "lizardofoz\.com"
-SecRule HTTP_Referer|ARGS "\.dyndsl\.com"
-SecRule HTTP_Referer|ARGS "lizziemills\.com"
-SecRule HTTP_Referer|ARGS "loaninfotoday\.com"
-SecRule HTTP_Referer|ARGS "loan-king\.com"
-SecRule HTTP_Referer|ARGS "loans-4all\.com"
-SecRule HTTP_Referer|ARGS "loans\.de\.vu"
-SecRule HTTP_Referer|ARGS "loans-no-fax\.com"
-SecRule HTTP_Referer|ARGS "loan-superstore\.com"
-SecRule HTTP_Referer|ARGS "locationcorse\.free\.fr"
-SecRule HTTP_Referer|ARGS "lockportlinks\.com"
-SecRule HTTP_Referer|ARGS "logo-beltonen\.com"
-SecRule HTTP_Referer|ARGS "logod-helinad-mangud\.com"
-SecRule HTTP_Referer|ARGS "logoer-mobil\.com"
-SecRule HTTP_Referer|ARGS "logo-free\.com"
-SecRule HTTP_Referer|ARGS "logo-klingeltone\.com"
-SecRule HTTP_Referer|ARGS "logo-max\.com"
-SecRule HTTP_Referer|ARGS "logo-melodias\.com"
-SecRule HTTP_Referer|ARGS "logo-mobiel\.com"
-SecRule HTTP_Referer|ARGS "logo-mobile-repondeur\.com"
-SecRule HTTP_Referer|ARGS "logo-moviles\.com"
-SecRule HTTP_Referer|ARGS "logo-phones\.com"
-SecRule HTTP_Referer|ARGS "logo-repondeur-mobile\.com"
-SecRule HTTP_Referer|ARGS "logos-downloads\.com"
-SecRule HTTP_Referer|ARGS "logos-free\.com"
-SecRule HTTP_Referer|ARGS "logosik\.pl"
-SecRule HTTP_Referer|ARGS "logos-logos\.be"
-SecRule HTTP_Referer|ARGS "logos-melodijas-speles\.com"
-SecRule HTTP_Referer|ARGS "logos-mobile-repondeurs\.com"
-SecRule HTTP_Referer|ARGS "logo-sonneries-sonnerie\.com"
-SecRule HTTP_Referer|ARGS "logos-phones\.com"
-SecRule HTTP_Referer|ARGS "logo-spiele\.com"
-SecRule HTTP_Referer|ARGS "logos-repondeurs-mobile\.com"
-SecRule HTTP_Referer|ARGS "logos-sonneries-jeux\.com"
-SecRule HTTP_Referer|ARGS "logos-sonneries-jeuxmobiles\.com"
-SecRule HTTP_Referer|ARGS "logos-sonneries-sonnerie\.com"
-SecRule HTTP_Referer|ARGS "logos-tone\.com"
-SecRule HTTP_Referer|ARGS "logo-tones\.com"
-SecRule HTTP_Referer|ARGS "logotyper-mobil\.com"
-SecRule HTTP_Referer|ARGS "lolika\.net"
-SecRule HTTP_Referer|ARGS "longslabofjoy\.com"
-SecRule HTTP_Referer|ARGS "lookforukhotels\.com"
-SecRule HTTP_Referer|ARGS "looking4you.nl"
-SecRule HTTP_Referer|ARGS "lookingforyou.nl"
-SecRule HTTP_Referer|ARGS "loraxe\.com"
-SecRule HTTP_Referer|ARGS "lowclass\.de"
-SecRule HTTP_Referer|ARGS "lowcost\.us\.com"
-SecRule HTTP_Referer|ARGS "lowest-rates-mortgages\.com"
-SecRule HTTP_Referer|ARGS "lowinterestratecreditcards\.net"
-SecRule HTTP_Referer|ARGS "low-low-rates\.com"
-SecRule HTTP_Referer|ARGS "lucalozzi\.com"
-SecRule HTTP_Referer|ARGS "luffassociates\.co\.uk"
-SecRule HTTP_Referer|ARGS "lutschraus\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "luxus-gourmetartikel\.de"
-SecRule HTTP_Referer|ARGS "lvcpa\.net"
-SecRule HTTP_Referer|ARGS "lvcpa\.org"
-SecRule HTTP_Referer|ARGS "lvrealty\.net"
-SecRule HTTP_Referer|ARGS "lynskey-admiration\.org\.uk"
-SecRule HTTP_Referer|ARGS "bt-gambling\.ws"
-SecRule HTTP_Referer|ARGS "lyriclovers\.com"
-SecRule HTTP_Referer|ARGS "macinstruct\.net"
-SecRule HTTP_Referer|ARGS "\.maclenet\.com"
-SecRule HTTP_Referer|ARGS "mail333\.com"
-SecRule HTTP_Referer|ARGS "mainentrypoint\.com"
-SecRule HTTP_Referer|ARGS "mainjob\.ru"
-SecRule HTTP_Referer|ARGS "majorapplewhite\.info"
-SecRule HTTP_Referer|ARGS "make-money\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "makemoney\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "maki-e-pens\.com"
-SecRule HTTP_Referer|ARGS "male-enhancement"
-SecRule HTTP_Referer|ARGS "\.male-enlargement\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "male-enlargement\.com"
-SecRule HTTP_Referer|ARGS "malenatural\.com"
-SecRule HTTP_Referer|ARGS "malesizegenetics\.com"
-SecRule HTTP_Referer|ARGS "mallorycoatings\.co\.uk"
-SecRule HTTP_Referer|ARGS "maloylawn\.com"
-SecRule HTTP_Referer|ARGS "mandysdiary\.biz"
-SecRule HTTP_Referer|ARGS "mandysdiary\.ws"
-SecRule HTTP_Referer|ARGS "manga-free\.net"
-SecRule HTTP_Referer|ARGS "manga-free\.org"
-SecRule HTTP_Referer|ARGS "manga-porn\.us"
-SecRule HTTP_Referer|ARGS "manga-x\.biz"
-SecRule HTTP_Referer|ARGS "manga-xxx\.org"
-SecRule HTTP_Referer|ARGS "mannensex.nl"
-SecRule HTTP_Referer|ARGS "manufacturers-blog\.com"
-SecRule HTTP_Referer|ARGS "maps.org.ru"
-SecRule HTTP_Referer|ARGS "march--madness\.biz"
-SecRule HTTP_Referer|ARGS "march--madness\.info"
-SecRule HTTP_Referer|ARGS "march--madness\.org"
-SecRule HTTP_Referer|ARGS "marcomdeal\.com"
-SecRule HTTP_Referer|ARGS "marshallsupersoft\.com"
-SecRule HTTP_Referer|ARGS "marshallyachts\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "marshallyachts\.org"
-SecRule HTTP_Referer|ARGS "marteq-on\.com"
-SecRule HTTP_Referer|ARGS "masonry-services\.com"
-SecRule HTTP_Referer|ARGS "mastheadwankers\.com"
-SecRule HTTP_Referer|ARGS "match-me-up\.com"
-SecRule HTTP_Referer|ARGS "matureacts\.com"
-SecRule HTTP_Referer|ARGS "mature-big-tits\.net"
-SecRule HTTP_Referer|ARGS "maturefolk\.com"
-SecRule HTTP_Referer|ARGS "mature-hardy.info"
-SecRule HTTP_Referer|ARGS "mature-old-mature\.com"
-SecRule HTTP_Referer|ARGS "\.mature-passion\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "mature-reality\.com"
-SecRule HTTP_Referer|ARGS "mature-sex-moms-porn\.com"
-SecRule HTTP_Referer|ARGS "maturetours\.com"
-SecRule HTTP_Referer|ARGS "maxigenweb\.com"
-SecRule HTTP_Referer|ARGS "maximumcash\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "mbgeezers\.com"
-SecRule HTTP_Referer|ARGS "mcdortaklar\.com"
-SecRule HTTP_Referer|ARGS "mcfimortgage\.com"
-SecRule HTTP_Referer|ARGS "mediaaustralia\.com\.au"
-SecRule HTTP_Referer|ARGS "mediacentral\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "mediavisor\.com"
-SecRule HTTP_Referer|ARGS "medical4order\.com"
-SecRule HTTP_Referer|ARGS "medications-4all\.com"
-SecRule HTTP_Referer|ARGS "medicinecheaper\.com"
-SecRule HTTP_Referer|ARGS "medicine-supply\.com"
-SecRule HTTP_Referer|ARGS "medicinetrail\.org"
-SecRule HTTP_Referer|ARGS "meds-pill\.com"
-SecRule HTTP_Referer|ARGS "medweightloss"
-SecRule HTTP_Referer|ARGS "medyep\.com"
-SecRule HTTP_Referer|ARGS "\.mefound\.(com|net|org)"
-SecRule HTTP_Referer|ARGS "megafrontier\.com"
-SecRule HTTP_Referer|ARGS "megapornstation\.com"
-SecRule HTTP_Referer|ARGS "mega-spass\.com"
-SecRule HTTP_Referer|ARGS "melincs\.org"
-SecRule HTTP_Referer|ARGS "melodias-logos-juegos\.com"
-SecRule HTTP_Referer|ARGS "members\.fortunecity\.com/kennetharmstrong"
-SecRule HTTP_Referer|ARGS "menexis\.com"
-SecRule HTTP_Referer|ARGS "mengfuxiang\.com"
-SecRule HTTP_Referer|ARGS "menguma\.com"
-SecRule HTTP_Referer|ARGS "menguma\.co\.uk"
-SecRule HTTP_Referer|ARGS "men-porn\.us"
-SecRule HTTP_Referer|ARGS "menservers\.com"
-SecRule HTTP_Referer|ARGS "men-sex\.us"
-SecRule HTTP_Referer|ARGS "mens-health-pills\.com"
-SecRule HTTP_Referer|ARGS "menzyme\.com"
-SecRule HTTP_Referer|ARGS "merchantaccount\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "merditer\.com"
-SecRule HTTP_Referer|ARGS "merseine\.nu"
-SecRule HTTP_Referer|ARGS "mesothelioma-asbestos-help\.com"
-SecRule HTTP_Referer|ARGS "mesothelioma-health\.com"
-SecRule HTTP_Referer|ARGS "mesothelioma\.net"
-SecRule HTTP_Referer|ARGS "metroshopperguide\.com"
-SecRule HTTP_Referer|ARGS "mettle\.com\.cn"
-SecRule HTTP_Referer|ARGS "miccel\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "micelebre\.com"
-SecRule HTTP_Referer|ARGS "michigan-attorney\.lbgo\.com"
-SecRule HTTP_Referer|ARGS "micrasci\.com"
-SecRule HTTP_Referer|ARGS "microsoft-com\.us"
-SecRule HTTP_Referer|ARGS "middlecay\.net"
-SecRule HTTP_Referer|ARGS "middlecay\.org"
-SecRule HTTP_Referer|ARGS "midget-porn-sex\.com"
-SecRule HTTP_Referer|ARGS "mietangebote-domain\.de"
-SecRule HTTP_Referer|ARGS "migraine-relief\.com"
-SecRule HTTP_Referer|ARGS "mikebunton\.com"
-SecRule HTTP_Referer|ARGS "milehighdiva\.blogdrive\.com"
-SecRule HTTP_Referer|ARGS "milesscaffolding\.co\.uk"
-SecRule HTTP_Referer|ARGS "milf-hardcore\.net"
-SecRule HTTP_Referer|ARGS "milflessons\.(com|net|org)"
-SecRule HTTP_Referer|ARGS "milfporn\.org"
-SecRule HTTP_Referer|ARGS "milf-rider\.us"
-SecRule HTTP_Referer|ARGS "milf-xxx-action\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "mingholee\.com"
-SecRule HTTP_Referer|ARGS "miracle-diet\.com"
-SecRule HTTP_Referer|ARGS "misterwolf\.net"
-SecRule HTTP_Referer|ARGS "mixtaperadio\.com"
-SecRule HTTP_Referer|ARGS "mmorpg-headlines\.com"
-SecRule HTTP_Referer|ARGS "mmsanimati\.com"
-SecRule HTTP_Referer|ARGS "mneuron\.com"
-SecRule HTTP_Referer|ARGS "mobilefamilydental\.com"
-SecRule HTTP_Referer|ARGS "-mobile-phones\.org"
-SecRule HTTP_Referer|ARGS "mobilequicksale\.com"
-SecRule HTTP_Referer|ARGS "mobile-repondeur-logo\.com"
-SecRule HTTP_Referer|ARGS "mobile-repondeurs-logos\.com"
-SecRule HTTP_Referer|ARGS "mobilesandringtones\.com"
-SecRule HTTP_Referer|ARGS "mode-domain\.de"
-SecRule HTTP_Referer|ARGS "mode-einkaufsbummel\.de"
-SecRule HTTP_Referer|ARGS "moltobene\.ru"
-SecRule HTTP_Referer|ARGS "mominaction.info"
-SecRule HTTP_Referer|ARGS "monavaletoys\.com"
-SecRule HTTP_Referer|ARGS "mondialcoral\.com"
-SecRule HTTP_Referer|ARGS "moneybg\.com"
-SecRule HTTP_Referer|ARGS "money-cash-loans\.com"
-SecRule HTTP_Referer|ARGS "moneylinebet\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "money-room\.com"
-SecRule HTTP_Referer|ARGS "montaguefineart\.com"
-SecRule HTTP_Referer|ARGS "mookyong\.com"
-SecRule HTTP_Referer|ARGS "moris-dada\.com"
-SecRule HTTP_Referer|ARGS "mor-lite\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "mor-lite\.net"
-SecRule HTTP_Referer|ARGS "mor-lite\.org"
-SecRule HTTP_Referer|ARGS "mortage-4all\.com"
-SecRule HTTP_Referer|ARGS "mortgage-info-center\.com"
-SecRule HTTP_Referer|ARGS "mortgagemarketinginc\.com"
-SecRule HTTP_Referer|ARGS "mortgagequestaz\.com"
-SecRule HTTP_Referer|ARGS "mortgage-(rate|loan)-calculator"
-SecRule HTTP_Referer|ARGS "mortgagerates4all\.com"
-SecRule HTTP_Referer|ARGS "mortgage-rates-guide\.net"
-SecRule HTTP_Referer|ARGS "mortgagerefinancesite\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "mortgages-links\.net"
-SecRule HTTP_Referer|ARGS "mortloan\.com"
-SecRule HTTP_Referer|ARGS "mostika\.us"
-SecRule HTTP_Referer|ARGS "mother-son-incest-sex\.net"
-SecRule HTTP_Referer|ARGS "motonet\.pl"
-SecRule HTTP_Referer|ARGS "moviehits.nl"
-SecRule HTTP_Referer|ARGS "movies6\.com"
-SecRule HTTP_Referer|ARGS "mp3download\.bz"
-SecRule HTTP_Referer|ARGS "mp3int\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "mp3x\.biz"
-SecRule HTTP_Referer|ARGS "mpeg2pci\.com"
-SecRule HTTP_Referer|ARGS "mp-forum\.com"
-SecRule HTTP_Referer|ARGS "mrgoicoechea\.com"
-SecRule HTTP_Referer|ARGS "mrn\.vip\.sina\.com"
-SecRule HTTP_Referer|ARGS "mrpiercing\.com"
-SecRule HTTP_Referer|ARGS "multipurpose-plants\.net"
-SecRule HTTP_Referer|ARGS "multiservers\.com"
-SecRule HTTP_Referer|ARGS "musica-da-scaricare\.net"
-SecRule HTTP_Referer|ARGS "musica-gratis\.biz"
-SecRule HTTP_Referer|ARGS "musica-gratis\.org"
-SecRule HTTP_Referer|ARGS "musica-karaoke\.net"
-SecRule HTTP_Referer|ARGS "musica-mp3\.biz"
-SecRule HTTP_Referer|ARGS "musicamp3\.us"
-SecRule HTTP_Referer|ARGS "musicarchive.nl"
-SecRule HTTP_Referer|ARGS "musicbox1\.com"
-SecRule HTTP_Referer|ARGS "musicbox\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "musiccheap\.us"
-SecRule HTTP_Referer|ARGS "music-downloads-links\.com"
-SecRule HTTP_Referer|ARGS "musicenergy\.com"
-SecRule HTTP_Referer|ARGS "muxa\.ru"
-SecRule HTTP_Referer|ARGS "muziekhits.nl"
-SecRule HTTP_Referer|ARGS "mxbearings\.com"
-SecRule HTTP_Referer|ARGS "my-age\.net"
-SecRule HTTP_Referer|ARGS "myasiahotels\.com"
-SecRule HTTP_Referer|ARGS "mybestcasinos\.net"
-SecRule HTTP_Referer|ARGS "mybestclick\.com"
-SecRule HTTP_Referer|ARGS "mycasinohome\.com"
-SecRule HTTP_Referer|ARGS "mycheapcigstore\.com"
-SecRule HTTP_Referer|ARGS "mycialispharmacy\.com"
-SecRule HTTP_Referer|ARGS "my-dating-agency\.com"
-SecRule HTTP_Referer|ARGS "mydatingagency\.com"
-SecRule HTTP_Referer|ARGS "mydietdoctor\.com"
-SecRule HTTP_Referer|ARGS "my-discount-cigarettes\.com"
-SecRule HTTP_Referer|ARGS "myeuropehotels\.com"
-SecRule HTTP_Referer|ARGS "myfavlinks\.de"
-SecRule HTTP_Referer|ARGS "my-fetishes\.com"
-SecRule HTTP_Referer|ARGS "myfick.be"
-SecRule HTTP_Referer|ARGS "mygays.nl"
-SecRule HTTP_Referer|ARGS "mygenericrx\.com"
-SecRule HTTP_Referer|ARGS "mygidi\.com"
-SecRule HTTP_Referer|ARGS "myhomephonenumber\.com"
-SecRule HTTP_Referer|ARGS "myrice\.com"
-SecRule HTTP_Referer|ARGS "myrtlejones\.com"
-SecRule HTTP_Referer|ARGS "my-sex-toys-store\.com"
-SecRule HTTP_Referer|ARGS "myslimpatch\.com"
-SecRule HTTP_Referer|ARGS "mysofia\.net"
-SecRule HTTP_Referer|ARGS "mystify2001\.com"
-SecRule HTTP_Referer|ARGS "naakte-meisjes\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "naar\.be"
-SecRule HTTP_Referer|ARGS "nabm(il|li)or.com"
-SecRule HTTP_Referer|ARGS "nabpak\.org"
-SecRule HTTP_Referer|ARGS "nakedboysfirsttime\.com"
-SecRule HTTP_Referer|ARGS "naked-gay\.us"
-SecRule HTTP_Referer|ARGS "naked-pussy\.us"
-SecRule HTTP_Referer|ARGS "naked-womens-wrestling-league-dvds\.com"
-SecRule HTTP_Referer|ARGS "naked-womens-wrestling-league-videos\.com"
-SecRule HTTP_Referer|ARGS "nancyflowerswilson\.com"
-SecRule HTTP_Referer|ARGS "narod\.ru"
-SecRule HTTP_Referer|ARGS "nasty-pages\.com"
-SecRule HTTP_Referer|ARGS "natel-mobiles\.com"
-SecRule HTTP_Referer|ARGS "natterratter\.com"
-SecRule HTTP_Referer|ARGS "natural-barleygreen\.com"
-SecRule HTTP_Referer|ARGS "natural-breasts-enhancement\.net"
-SecRule HTTP_Referer|ARGS "naturalenhancement\.biz"
-SecRule HTTP_Referer|ARGS "natural-enlarg.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "naturalenlarg.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "naturalenlargement\.biz"
-SecRule HTTP_Referer|ARGS "natural-enlargement\.net"
-SecRule HTTP_Referer|ARGS "naturalknockers\.net"
-SecRule HTTP_Referer|ARGS "naturalpenis\.org"
-SecRule HTTP_Referer|ARGS "nehrucollege\.org"
-SecRule HTTP_Referer|ARGS "\.neighbour-wife-nude\.(com|net|org|info|biz)"
-SecRule HTTP_Referer|ARGS "neiladams\.org\.uk"
-SecRule HTTP_Referer|ARGS "nestbeschmutzer\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "netdating.nl"
-SecRule HTTP_Referer|ARGS "netdims\.com"
-SecRule HTTP_Referer|ARGS "netizen\.org"
-SecRule HTTP_Referer|ARGS "netleih\.de"
-SecRule HTTP_Referer|ARGS "netlogo\.us"
-SecRule HTTP_Referer|ARGS "net-mature\.com"
-SecRule HTTP_Referer|ARGS "netsx\.org"
-SecRule HTTP_Referer|ARGS "net-von-dir\.de"
-SecRule HTTP_Referer|ARGS "neurogenics\.co\.uk"
-SecRule HTTP_Referer|ARGS "new-cialis\.com"
-SecRule HTTP_Referer|ARGS "neweighweb\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "neweighweb\.net"
-SecRule HTTP_Referer|ARGS "neweighweb\.org"
-SecRule HTTP_Referer|ARGS "newfurnishing\.com"
-SecRule HTTP_Referer|ARGS "newgallery\.co\.uk"
-SecRule HTTP_Referer|ARGS "newmail\.ru"
-SecRule HTTP_Referer|ARGS "newprinceton\.com"
-SecRule HTTP_Referer|ARGS "newsnewsmedia\.com"
-SecRule HTTP_Referer|ARGS "newtruths\.com"
-SecRule HTTP_Referer|ARGS "newxwave\.com"
-SecRule HTTP_Referer|ARGS "nfl-football-tickets\.biz"
-SecRule HTTP_Referer|ARGS "nicecreampie\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "nicepages\.biz"
-SecRule HTTP_Referer|ARGS "nicepages\.net"
-SecRule HTTP_Referer|ARGS "nicepages\.org"
-SecRule HTTP_Referer|ARGS "nice-pussy\.us"
-SecRule HTTP_Referer|ARGS "niceshemales\.net"
-SecRule HTTP_Referer|ARGS "nichehit\.com"
-SecRule HTTP_Referer|ARGS "nicolepeters\.com"
-SecRule HTTP_Referer|ARGS "nieruchomosci\.biz\.pl"
-SecRule HTTP_Referer|ARGS "nifty-erotic-story-archive\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "niibacca\.afraid\.org"
-SecRule HTTP_Referer|ARGS "nikkiwilliams\.info"
-SecRule HTTP_Referer|ARGS "njhma\.com"
-SecRule HTTP_Referer|ARGS "njunite\.net"
-SecRule HTTP_Referer|ARGS "no1pics\.com"
-SecRule HTTP_Referer|ARGS "no-cavities\.com"
-SecRule HTTP_Referer|ARGS "nohassle-loans\.com"
-SecRule HTTP_Referer|ARGS "no-ip\.org"
-SecRule HTTP_Referer|ARGS "nokia8310.revkom.ru"
-SecRule HTTP_Referer|ARGS "noniexpert\.com"
-SecRule HTTP_Referer|ARGS "noni-jungbrunnen\.com"
-SecRule HTTP_Referer|ARGS "noni-top-chance\.com"
-SecRule HTTP_Referer|ARGS "noni-vitalgetraenk\.com"
-SecRule HTTP_Referer|ARGS "nonstop-casino\.com"
-SecRule HTTP_Referer|ARGS "nonstopsex\.org"
-SecRule HTTP_Referer|ARGS "noslip-picks\.com"
-SecRule HTTP_Referer|ARGS "no-title\.de"
-SecRule HTTP_Referer|ARGS "notlong\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "notsure\.de"
-SecRule HTTP_Referer|ARGS "novacspacetravel\.com"
-SecRule HTTP_Referer|ARGS "now-hiringsluts\.com"
-SecRule HTTP_Referer|ARGS "nr-challenges\.org"
-SecRule HTTP_Referer|ARGS "nude-black\.us"
-SecRule HTTP_Referer|ARGS "nude.blogspot\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "nudecelebblogs\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "nude-celebrity-dvd\.com"
-SecRule HTTP_Referer|ARGS "nude-movies\.us"
-SecRule HTTP_Referer|ARGS "nude-teens\.name"
-SecRule HTTP_Referer|ARGS "nude-video\.us"
-SecRule HTTP_Referer|ARGS "nudevol\.us"
-SecRule HTTP_Referer|ARGS "nullnix\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "nutritionalsupplementstoday\.com"
-SecRule HTTP_Referer|ARGS "nutritional-supplements\.ws"
-SecRule HTTP_Referer|ARGS "nutzu\.com"
-SecRule HTTP_Referer|ARGS "nwwl-dvds\.com"
-SecRule HTTP_Referer|ARGS "nwwl-videos\.com"
-SecRule HTTP_Referer|ARGS "nxcailing\.com"
-SecRule HTTP_Referer|ARGS "nylonex\.com"
-SecRule HTTP_Referer|ARGS "nz\.com\.ua"
-SecRule HTTP_Referer|ARGS "officexl\.de"
-SecRule HTTP_Referer|ARGS "officezl\.com"
-SecRule HTTP_Referer|ARGS "officialdarajoy\.com/wwwboard"
-SecRule HTTP_Referer|ARGS "officialdentalplan\.com"
-SecRule HTTP_Referer|ARGS "officialsatellitetv\.com"
-SecRule HTTP_Referer|ARGS "offseasonelves\.com"
-SecRule HTTP_Referer|ARGS "ohamerica\.org"
-SecRule HTTP_Referer|ARGS "okuk\.org"
-SecRule HTTP_Referer|ARGS "olderr\.4t\.com"
-SecRule HTTP_Referer|ARGS "oldgrannyfucking\.com"
-SecRule HTTP_Referer|ARGS "old-sexy-sluts\.com"
-SecRule HTTP_Referer|ARGS "oliviagadamer\.com"
-SecRule HTTP_Referer|ARGS "oma6.biz"
-SecRule HTTP_Referer|ARGS "omega-fatty-acid\.com"
-SecRule HTTP_Referer|ARGS "o-mygod\.com"
-SecRule HTTP_Referer|ARGS "ondertiteling.info"
-SecRule HTTP_Referer|ARGS "one-blackjack\.com"
-SecRule HTTP_Referer|ARGS "one-cialis\.com"
-SecRule HTTP_Referer|ARGS "one-debt-consolidation\.com"
-SecRule HTTP_Referer|ARGS "oneoz\.com"
-SecRule HTTP_Referer|ARGS "onepiecex\.net"
-SecRule HTTP_Referer|ARGS "one-poker-online\.com"
-SecRule HTTP_Referer|ARGS "one-propecia\.com"
-SecRule HTTP_Referer|ARGS "oneseo\.com"
-SecRule HTTP_Referer|ARGS "one-soma\.com"
-SecRule HTTP_Referer|ARGS "onexone\.org"
-SecRule HTTP_Referer|ARGS "online-auction-tricks\.com"
-SecRule HTTP_Referer|ARGS "online-background-check\.biz"
-SecRule HTTP_Referer|ARGS "online-black-jack-download\.com"
-SecRule HTTP_Referer|ARGS "online--blackjack\.info"
-SecRule HTTP_Referer|ARGS "online-blackjack-online\.com"
-SecRule HTTP_Referer|ARGS "online-buy-plavix\.com"
-SecRule HTTP_Referer|ARGS "on-line-casino-deutsch\.com"
-SecRule HTTP_Referer|ARGS "on-line-casinos-online\.com"
-SecRule HTTP_Referer|ARGS "on-line-casinos-online\.net"
-SecRule HTTP_Referer|ARGS "online-credit-report-online\.com"
-SecRule HTTP_Referer|ARGS "online-dating-com\.com"
-SecRule HTTP_Referer|ARGS "online-dating-singles-service\.com"
-SecRule HTTP_Referer|ARGS "online-deals99\.com"
-SecRule HTTP_Referer|ARGS "onlinedegreehq\.com"
-SecRule HTTP_Referer|ARGS "on-line-degree\.org"
-SecRule HTTP_Referer|ARGS "online-dot\.com"
-SecRule HTTP_Referer|ARGS "online-escort-service\.com"
-SecRule HTTP_Referer|ARGS "online-flexeril\.com"
-SecRule HTTP_Referer|ARGS "online-gambling-123\.biz"
-SecRule HTTP_Referer|ARGS "online-gambling-123\.us"
-SecRule HTTP_Referer|ARGS "online-gambling-online\.org"
-SecRule HTTP_Referer|ARGS "online-games24x7\.com"
-SecRule HTTP_Referer|ARGS "online-games24x7\.net"
-SecRule HTTP_Referer|ARGS "online-games-links\.net"
-SecRule HTTP_Referer|ARGS "onlinegamingassociation\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "onlinegamingassociation\.com"
-SecRule HTTP_Referer|ARGS "online-generics-store"
-SecRule HTTP_Referer|ARGS "onlinehgh\.com"
-SecRule HTTP_Referer|ARGS "online-job-source\.com"
-SecRule HTTP_Referer|ARGS "on-line-kasino-de\.com"
-SecRule HTTP_Referer|ARGS "online-medications24x7\.com"
-SecRule HTTP_Referer|ARGS "online-morphine\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "onlinepharmacy2004\.net"
-SecRule HTTP_Referer|ARGS "online-pharmacy-24x7\.net"
-SecRule HTTP_Referer|ARGS "online-pharmacy-online-pharmacies\.com"
-SecRule HTTP_Referer|ARGS "online-pharmacy-order\.com"
-SecRule HTTP_Referer|ARGS "online--pharmacy\.us"
-SecRule HTTP_Referer|ARGS "online-photo-print\.com"
-SecRule HTTP_Referer|ARGS "online-----poker"
-SecRule HTTP_Referer|ARGS "online-poker-200"
-SecRule HTTP_Referer|ARGS "online-poker-333\.com"
-SecRule HTTP_Referer|ARGS "online-poker-555\.com"
-SecRule HTTP_Referer|ARGS "online-poker-888"
-SecRule HTTP_Referer|ARGS "online-poker-a\.com"
-SecRule HTTP_Referer|ARGS "online-poker-big\.com"
-SecRule HTTP_Referer|ARGS "online-poker-bonus\.us"
-SecRule HTTP_Referer|ARGS "onlinepoker-dot\.com"
-SecRule HTTP_Referer|ARGS "online-poker-free\.com"
-SecRule HTTP_Referer|ARGS "online-poker-guide\.info"
-SecRule HTTP_Referer|ARGS "onlinepoker-i\.com"
-SecRule HTTP_Referer|ARGS "online-poker-kick-butt\.com"
-SecRule HTTP_Referer|ARGS "online-poker-net\.com"
-SecRule HTTP_Referer|ARGS "online-poker-online-poker"
-SecRule HTTP_Referer|ARGS "online-poker-special\.com"
-SecRule HTTP_Referer|ARGS "online-poker--tips\.com"
-SecRule HTTP_Referer|ARGS "online-poker-top-rated\.com"
-SecRule HTTP_Referer|ARGS "online-prescription-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "online-prescriptions-internet-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "online-prescription\.st"
-SecRule HTTP_Referer|ARGS "online-propecia-buyer\.com"
-SecRule HTTP_Referer|ARGS "onlineshop\.us\.com"
-SecRule HTTP_Referer|ARGS "onlineslotsarcade\.com"
-SecRule HTTP_Referer|ARGS "onlinesmoker\.com"
-SecRule HTTP_Referer|ARGS "online-sports--betting"
-SecRule HTTP_Referer|ARGS "online--sports-betting\.com"
-SecRule HTTP_Referer|ARGS "online-sports-betting-source"
-SecRule HTTP_Referer|ARGS "on-pok\.com"
-SecRule HTTP_Referer|ARGS "opensorcerer\.org"
-SecRule HTTP_Referer|ARGS "operazione-trionfo\.net"
-SecRule HTTP_Referer|ARGS "optimumpenis\.com"
-SecRule HTTP_Referer|ARGS "oral-sex-cum\.com"
-SecRule HTTP_Referer|ARGS "order-claritin\.net"
-SecRule HTTP_Referer|ARGS "order-effexor\.net"
-SecRule HTTP_Referer|ARGS "ordernaturals\.com"
-SecRule HTTP_Referer|ARGS "orlandodominguez\.com"
-SecRule HTTP_Referer|ARGS "orospu\.us"
-SecRule HTTP_Referer|ARGS "otito\.com"
-SecRule HTTP_Referer|ARGS "ottawavalleyag\.org"
-SecRule HTTP_Referer|ARGS "ourhealthylife\.net"
-SecRule HTTP_Referer|ARGS "ourownweddingsong\.com"
-SecRule HTTP_Referer|ARGS "our-planet\.org"
-SecRule HTTP_Referer|ARGS "ourtownhelps\.org"
-SecRule HTTP_Referer|ARGS "outertech\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "outoff\.de"
-SecRule HTTP_Referer|ARGS "overseaspharmacy\.com"
-SecRule HTTP_Referer|ARGS "ovulation-kit\.com"
-SecRule HTTP_Referer|ARGS "owen-music\.com"
-SecRule HTTP_Referer|ARGS "owns1\.com"
-SecRule HTTP_Referer|ARGS "ownsthis\.com"
-SecRule HTTP_Referer|ARGS "ozup\.com"
-SecRule HTTP_Referer|ARGS "\.p[0-9]\.org\.uk"
-SecRule HTTP_Referer|ARGS "pacific-poker-top-place\.com"
-SecRule HTTP_Referer|ARGS "pages4people\.com"
-SecRule HTTP_Referer|ARGS "pagetwo\.org"
-SecRule HTTP_Referer|ARGS "paginadeautor\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pai-gow-keno\.com"
-SecRule HTTP_Referer|ARGS "painkillersonline\.biz"
-SecRule HTTP_Referer|ARGS "paisleydevelopmentassociation\.org"
-SecRule HTTP_Referer|ARGS "pamperedchef-online\.com"
-SecRule HTTP_Referer|ARGS "pantysex.nl"
-SecRule HTTP_Referer|ARGS "paololinks\.porkyhost\.com"
-SecRule HTTP_Referer|ARGS "paperscn\.com"
-SecRule HTTP_Referer|ARGS "paramountseedfarms\.net"
-SecRule HTTP_Referer|ARGS "paramountseedfarms\.org"
-SecRule HTTP_Referer|ARGS "paris-and-nicky-hilton-pictures\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "paris-escort\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "parishilton\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "paris-hilton-video-blog\.com"
-SecRule HTTP_Referer|ARGS "paris-hilton-videos\.biz"
-SecRule HTTP_Referer|ARGS "paris-movie-hilton\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "paris-naked-hilton\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "paris-nicky-hilton\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "paris-nikki-hilton\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "parkviewsoccer\.net"
-SecRule HTTP_Referer|ARGS "parkviewsoccer\.org"
-SecRule HTTP_Referer|ARGS "partnerfuersleben\.com"
-SecRule HTTP_Referer|ARGS "partnersmanager\.com"
-SecRule HTTP_Referer|ARGS "partnersuche-partnervermittlung\.com"
-SecRule HTTP_Referer|ARGS "partybingo\.com"
-SecRule HTTP_Referer|ARGS "party-poker"
-SecRule HTTP_Referer|ARGS "partypoker\.com"
-SecRule HTTP_Referer|ARGS "party-poker-e\.com"
-SecRule HTTP_Referer|ARGS "partypoker-i"
-SecRule HTTP_Referer|ARGS "partypoker-i\.us"
-SecRule HTTP_Referer|ARGS "party-poker-leading-site\.com"
-SecRule HTTP_Referer|ARGS "party-poker-ltd\.com"
-SecRule HTTP_Referer|ARGS "partypokeronline\.org"
-SecRule HTTP_Referer|ARGS "party-poker-player\.com"
-SecRule HTTP_Referer|ARGS "party-poker-x"
-SecRule HTTP_Referer|ARGS "passende-klamotten\.de"
-SecRule HTTP_Referer|ARGS "passwordspussynudity\.com"
-SecRule HTTP_Referer|ARGS "pastramisandwich\.us"
-SecRule HTTP_Referer|ARGS "pasuquinio\.com"
-SecRule HTTP_Referer|ARGS "paycheck-loan\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pay-clic\.com"
-SecRule HTTP_Referer|ARGS "payday-cash-loans"
-SecRule HTTP_Referer|ARGS "paydayl0an\.com"
-SecRule HTTP_Referer|ARGS "payday-loan"
-SecRule HTTP_Referer|ARGS "payday-loan-payday\.com"
-SecRule HTTP_Referer|ARGS "paylesspaydayloans\.com"
-SecRule HTTP_Referer|ARGS "payment-processing\.com"
-SecRule HTTP_Referer|ARGS "payshots\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "paysites\.info"
-SecRule HTTP_Referer|ARGS "pc-choices\.com"
-SecRule HTTP_Referer|ARGS "pcdweb\.com"
-SecRule HTTP_Referer|ARGS "pedronetwork\.com"
-SecRule HTTP_Referer|ARGS "peepingmoe.co.uk"
-SecRule HTTP_Referer|ARGS "peepissing\.com"
-SecRule HTTP_Referer|ARGS "pelikk\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "penelopeschenk\.com"
-SecRule HTTP_Referer|ARGS "peni*(enlarg|enhanc|natural|pill|surgery|traction|male)"
-SecRule HTTP_Referer|ARGS "peni*(enlarg|enhanc|natural|pill|surgery|traction|male).*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "penile-girth-enhancements"
-SecRule HTTP_Referer|ARGS "penilestretch\.com"
-SecRule HTTP_Referer|ARGS "penis-enlargment\.net"
-SecRule HTTP_Referer|ARGS "penisimprovement\.com"
-SecRule HTTP_Referer|ARGS "penis-male\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "penis-male\.com"
-SecRule HTTP_Referer|ARGS "penisresearch\.com"
-SecRule HTTP_Referer|ARGS "perdix.hu"
-SecRule HTTP_Referer|ARGS "perfect-dedicated-server\.com"
-SecRule HTTP_Referer|ARGS "perfect-mortgage-lead-4-u\.com"
-SecRule HTTP_Referer|ARGS "perfume-cologne-discount.info"
-SecRule HTTP_Referer|ARGS "perkyoneplace\.com"
-SecRule HTTP_Referer|ARGS "personalads\.us\.com"
-SecRule HTTP_Referer|ARGS "personales\.com"
-SecRule HTTP_Referer|ARGS "personal-finance-tips\.com"
-SecRule HTTP_Referer|ARGS "personal-injuries-law\.com"
-SecRule HTTP_Referer|ARGS "personal-injury-lawyer\.us\.com"
-SecRule HTTP_Referer|ARGS "personalserotic\.com"
-SecRule HTTP_Referer|ARGS "personals-online-personals\.com"
-SecRule HTTP_Referer|ARGS "perverted-dreams\.com"
-SecRule HTTP_Referer|ARGS "peteband\.com"
-SecRule HTTP_Referer|ARGS "petlesbians\.com"
-SecRule HTTP_Referer|ARGS "petplusindia\.com"
-SecRule HTTP_Referer|ARGS "petroglyphx\.com"
-SecRule HTTP_Referer|ARGS "phantadu\.de"
-SecRule HTTP_Referer|ARGS "pharmaceicall\.com"
-SecRule HTTP_Referer|ARGS "pharmacy2003\.com"
-SecRule HTTP_Referer|ARGS "pharmacy-links\.net"
-SecRule HTTP_Referer|ARGS "pharmacyprices\.net"
-SecRule HTTP_Referer|ARGS "pharmacyv\.com"
-SecRule HTTP_Referer|ARGS "pharmm\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "philippestarckwatches\.co\.uk"
-SecRule HTTP_Referer|ARGS "phone-cards-globe\.pushline\.com"
-SecRule HTTP_Referer|ARGS "phono\.co\.il"
-SecRule HTTP_Referer|ARGS "photobloggy\.buzznet\.com"
-SecRule HTTP_Referer|ARGS "php5\.sk"
-SecRule HTTP_Referer|ARGS "phrensy\.org"
-SecRule HTTP_Referer|ARGS "pickabbw.co.uk"
-SecRule HTTP_Referer|ARGS "picnic-basket\.more\.at"
-SecRule HTTP_Referer|ARGS "pics-db\.com"
-SecRule HTTP_Referer|ARGS "picsfreesex\.com"
-SecRule HTTP_Referer|ARGS "pics--movies\.com"
-SecRule HTTP_Referer|ARGS "pics-porn\.org"
-SecRule HTTP_Referer|ARGS "pics-stories\.com"
-SecRule HTTP_Referer|ARGS "picsteens\.com"
-SecRule HTTP_Referer|ARGS "pics-videos\.net"
-SecRule HTTP_Referer|ARGS "pictures6\.com"
-SecRule HTTP_Referer|ARGS "pictures-and-videos\.com"
-SecRule HTTP_Referer|ARGS "pictures-archive\.com"
-SecRule HTTP_Referer|ARGS "pictures-movies\.net"
-SecRule HTTP_Referer|ARGS "pictures-movies\.org"
-SecRule HTTP_Referer|ARGS "piercing-auswaehlen\.de"
-SecRule HTTP_Referer|ARGS "piercing-magic\.com"
-SecRule HTTP_Referer|ARGS "piercingx\.com"
-SecRule HTTP_Referer|ARGS "piggi\.descom\.es"
-SecRule HTTP_Referer|ARGS "pillblue\.com"
-SecRule HTTP_Referer|ARGS "pill-buy\.com"
-SecRule HTTP_Referer|ARGS "pillchart\.com"
-SecRule HTTP_Referer|ARGS "pillexchange\.net"
-SecRule HTTP_Referer|ARGS "pillfever\.com"
-SecRule HTTP_Referer|ARGS "pillgrowth\.com"
-SecRule HTTP_Referer|ARGS "pillhub\.com"
-SecRule HTTP_Referer|ARGS "pillhunt\.com"
-SecRule HTTP_Referer|ARGS "pillinc\.com"
-SecRule HTTP_Referer|ARGS "pillmarket\.net"
-SecRule HTTP_Referer|ARGS "pills4order\.com"
-SecRule HTTP_Referer|ARGS "pillsbestbuy\.com"
-SecRule HTTP_Referer|ARGS "pillsdomain\.com"
-SecRule HTTP_Referer|ARGS "pills-for-penis\.com"
-SecRule HTTP_Referer|ARGS "pills-?(home|penis)\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pillsking\.com"
-SecRule HTTP_Referer|ARGS "pillslim\.com"
-SecRule HTTP_Referer|ARGS "pills.*order\.com"
-SecRule HTTP_Referer|ARGS "pills-penis\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pillspenis\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pillspenis\.net"
-SecRule HTTP_Referer|ARGS "pillspenis\.org"
-SecRule HTTP_Referer|ARGS "pillsupplier\.com"
-SecRule HTTP_Referer|ARGS "pilltip\.com"
-SecRule HTTP_Referer|ARGS "pimpcasino\.com"
-SecRule HTTP_Referer|ARGS "pimphos\.com"
-SecRule HTTP_Referer|ARGS "pimpspace\.com"
-SecRule HTTP_Referer|ARGS "pimrim\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pinkzoo\.com"
-SecRule HTTP_Referer|ARGS "pi-o\.com"
-SecRule HTTP_Referer|ARGS "piranho\.com"
-SecRule HTTP_Referer|ARGS "pisangrebus\.com"
-SecRule HTTP_Referer|ARGS "pj-city\.com"
-SecRule HTTP_Referer|ARGS "planetluck\.com"
-SecRule HTTP_Referer|ARGS "plasticmachinery\.net\.cn"
-SecRule HTTP_Referer|ARGS "play-7-card-stud-poker\.com"
-SecRule HTTP_Referer|ARGS "play-7-card-stud-poker\.us"
-SecRule HTTP_Referer|ARGS "playandwin777\.com"
-SecRule HTTP_Referer|ARGS "playandwinit777\.net"
-SecRule HTTP_Referer|ARGS "play-cash-bingo-online\.com"
-SecRule HTTP_Referer|ARGS "player-tech\.com"
-SecRule HTTP_Referer|ARGS "play\.eu\.com"
-SecRule HTTP_Referer|ARGS "playgay\.biz"
-SecRule HTTP_Referer|ARGS "playmc\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "playmydvd\.com"
-SecRule HTTP_Referer|ARGS "playnowpoker\.com"
-SecRule HTTP_Referer|ARGS "play-online-poker-z\.com"
-SecRule HTTP_Referer|ARGS "play-partypoker\.us"
-SecRule HTTP_Referer|ARGS "play-poker-i\.com"
-SecRule HTTP_Referer|ARGS "play-poker-onlie-kick-ass\.com"
-SecRule HTTP_Referer|ARGS "play-poker-online-z\.com"
-SecRule HTTP_Referer|ARGS "playweb\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "plongs\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "plygms\.de"
-SecRule HTTP_Referer|ARGS "\.pochtamt\.ru"
-SecRule HTTP_Referer|ARGS "pocketsound\.org"
-SecRule HTTP_Referer|ARGS "\.pok[0-9]\.com"
-SecRule HTTP_Referer|ARGS "\.pok2\.com"
-SecRule HTTP_Referer|ARGS "pok7\.com"
-SecRule HTTP_Referer|ARGS "pokemon-hentai\.com"
-SecRule HTTP_Referer|ARGS "pokemonhentai\.net"
-SecRule HTTP_Referer|ARGS "pokemon-hentai\.org"
-SecRule HTTP_Referer|ARGS "pokemonx\.biz"
-SecRule HTTP_Referer|ARGS "poker777game"
-SecRule HTTP_Referer|ARGS "poker79\.com"
-SecRule HTTP_Referer|ARGS "poker-888-e\.com"
-SecRule HTTP_Referer|ARGS "poker-8\.com"
-SecRule HTTP_Referer|ARGS ".*poker\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "poker.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "poker-e-win\.com"
-SecRule HTTP_Referer|ARGS "poker-e-wins\.com"
-SecRule HTTP_Referer|ARGS "poker-games-bonus\.com"
-SecRule HTTP_Referer|ARGS "poker-games\.cjb\.net"
-SecRule HTTP_Referer|ARGS "poker-games-top-ranked\.com"
-SecRule HTTP_Referer|ARGS "poker-hands-secrets\.com"
-SecRule HTTP_Referer|ARGS "poker-homepage\.com"
-SecRule HTTP_Referer|ARGS "poker-magic\.org"
-SecRule HTTP_Referer|ARGS "poker-me-up\.com"
-SecRule HTTP_Referer|ARGS "poker-(new|rooms|stadium)"
-SecRule HTTP_Referer|ARGS "poker-online-anytime\.com"
-SecRule HTTP_Referer|ARGS "poker-on-web\.com"
-SecRule HTTP_Referer|ARGS "(poker)+[\w\-_.]*unique\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "pokerorg\.net"
-SecRule HTTP_Referer|ARGS "pokerpage\.biz"
-SecRule HTTP_Referer|ARGS "pokerpartnership\.com"
-SecRule HTTP_Referer|ARGS "pokerqu\.com"
-SecRule HTTP_Referer|ARGS "poker-rooms-777"
-SecRule HTTP_Referer|ARGS "poker-rooms-777\.com"
-SecRule HTTP_Referer|ARGS "poker-rules-easy-4u\.com"
-SecRule HTTP_Referer|ARGS "poker-tables-best-deals\.com"
-SecRule HTTP_Referer|ARGS "poker-w\.com"
-SecRule HTTP_Referer|ARGS "pokerweb\.be"
-SecRule HTTP_Referer|ARGS "poker-wsop-2005\.com"
-SecRule HTTP_Referer|ARGS "polifoniczne\.org"
-SecRule HTTP_Referer|ARGS "polyphone\.us"
-SecRule HTTP_Referer|ARGS "pompini\.nu"
-SecRule HTTP_Referer|ARGS "ponagansetpost\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "popusky\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "popwow\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "popwow\.com"
-SecRule HTTP_Referer|ARGS "porevo\.lookin\.at"
-SecRule HTTP_Referer|ARGS "porn-4u\.net"
-SecRule HTTP_Referer|ARGS "porn-dvds-dot\.com"
-SecRule HTTP_Referer|ARGS "pornevalution\.com"
-SecRule HTTP_Referer|ARGS "porngrub\.com"
-SecRule HTTP_Referer|ARGS "porn-house\.us"
-SecRule HTTP_Referer|ARGS "pornlane\.com"
-SecRule HTTP_Referer|ARGS "pornobilder.nl"
-SecRule HTTP_Referer|ARGS "pornogratis\.bz"
-SecRule HTTP_Referer|ARGS "porno-hackerz\.com"
-SecRule HTTP_Referer|ARGS "pornosexbest\.com"
-SecRule HTTP_Referer|ARGS "pornostars\.cc"
-SecRule HTTP_Referer|ARGS "porno-v\.com"
-SecRule HTTP_Referer|ARGS "pornovideos-versand\.com"
-SecRule HTTP_Referer|ARGS "porn-sites-list\.com"
-SecRule HTTP_Referer|ARGS "pornstar4all\.com"
-SecRule HTTP_Referer|ARGS "porn-star-dvds\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "porn-stars\.org"
-SecRule HTTP_Referer|ARGS "porn-stud-search\.org"
-SecRule HTTP_Referer|ARGS "pornwizzard\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pornwww\.com"
-SecRule HTTP_Referer|ARGS "poster-shop\.us"
-SecRule HTTP_Referer|ARGS "postersshop\.us"
-SecRule HTTP_Referer|ARGS "power-rico\.de"
-SecRule HTTP_Referer|ARGS "p-partners\.com"
-SecRule HTTP_Referer|ARGS "pregnant-sex-free\.us"
-SecRule HTTP_Referer|ARGS "p-reise\.de"
-SecRule HTTP_Referer|ARGS "preisvergleichsseite\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "prepaylegalinsurance\.com"
-SecRule HTTP_Referer|ARGS "prescription-drugs\.st"
-SecRule HTTP_Referer|ARGS "prescriptions\.md"
-SecRule HTTP_Referer|ARGS "preteen-models\.biz"
-SecRule HTTP_Referer|ARGS "preteen-sex\.info"
-SecRule HTTP_Referer|ARGS "preteen-young\.net"
-SecRule HTTP_Referer|ARGS "prettypiste\.com"
-SecRule HTTP_Referer|ARGS "princeofprussia\.org"
-SecRule HTTP_Referer|ARGS "printerinkseller\.com"
-SecRule HTTP_Referer|ARGS "prism-lupus\.org"
-SecRule HTTP_Referer|ARGS "privacy-online\.biz"
-SecRule HTTP_Referer|ARGS "privatediet\.com"
-SecRule HTTP_Referer|ARGS "private-krankenversicherung-uebersicht\.com"
-SecRule HTTP_Referer|ARGS "private-network\.net"
-SecRule HTTP_Referer|ARGS "private-web-cams\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "prive-hoeren\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "privevrouwen\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pro-collegefootballbetting\.com"
-SecRule HTTP_Referer|ARGS "product-paradise\.com"
-SecRule HTTP_Referer|ARGS "profitbooks\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "programs-for-you\.com"
-SecRule HTTP_Referer|ARGS "projector-me\.com"
-SecRule HTTP_Referer|ARGS "promindandbody\.com"
-SecRule HTTP_Referer|ARGS "promoblitza\.com"
-SecRule HTTP_Referer|ARGS "prom-prepared\.com"
-SecRule HTTP_Referer|ARGS "propecia\.bravehost\.com"
-SecRule HTTP_Referer|ARGS "propecia-depot\.com"
-SecRule HTTP_Referer|ARGS "propecia-for-hair-loss\.com"
-SecRule HTTP_Referer|ARGS "propecia-for-hair-loss\.net"
-SecRule HTTP_Referer|ARGS "propecia-info\.net"
-SecRule HTTP_Referer|ARGS "propeciaonline\.biz"
-SecRule HTTP_Referer|ARGS "propeciapower\.com"
-SecRule HTTP_Referer|ARGS "propecia-store\.com"
-SecRule HTTP_Referer|ARGS "proproducts-usa\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pro-rolex-replica-watches"
-SecRule HTTP_Referer|ARGS "pro-rolex-replica-watches\.com"
-SecRule HTTP_Referer|ARGS "prosearchs\.com"
-SecRule HTTP_Referer|ARGS "prosolution-enlargement.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pryporn\.com"
-SecRule HTTP_Referer|ARGS "ps-eco\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pseudobreccia60\.tripod\.com\.ve"
-SecRule HTTP_Referer|ARGS "psites\.biz"
-SecRule HTTP_Referer|ARGS "psites\.net"
-SecRule HTTP_Referer|ARGS "psites\.org"
-SecRule HTTP_Referer|ARGS "psites\.us"
-SecRule HTTP_Referer|ARGS "psnarones.org"
-SecRule HTTP_Referer|ARGS "psxtreme\.com"
-SecRule HTTP_Referer|ARGS "psychexams\.net"
-SecRule HTTP_Referer|ARGS "psychexams\.org"
-SecRule HTTP_Referer|ARGS "ptcgzone\.com"
-SecRule HTTP_Referer|ARGS "punksongslyrics\.com"
-SecRule HTTP_Referer|ARGS "puppyduk\.com"
-SecRule HTTP_Referer|ARGS "pureteenz\.com"
-SecRule HTTP_Referer|ARGS "pushline\.com"
-SecRule HTTP_Referer|ARGS "pussy-cum\.us"
-SecRule HTTP_Referer|ARGS "pussy-d\.com"
-SecRule HTTP_Referer|ARGS "pussy-movies\.us"
-SecRule HTTP_Referer|ARGS "qinsi\.com"
-SecRule HTTP_Referer|ARGS "qqba\.com"
-SecRule HTTP_Referer|ARGS "quangoweb\.com"
-SecRule HTTP_Referer|ARGS "quickdomainnameregistration\.com"
-SecRule HTTP_Referer|ARGS "quick-drugs\.biz"
-SecRule HTTP_Referer|ARGS "quick-drugs\.com"
-SecRule HTTP_Referer|ARGS "quickie-quotes\.com"
-SecRule HTTP_Referer|ARGS "r00m\.com"
-SecRule HTTP_Referer|ARGS "r-300\.com"
-SecRule HTTP_Referer|ARGS "r-3100\.com"
-SecRule HTTP_Referer|ARGS "r-400\.com"
-SecRule HTTP_Referer|ARGS "r-4100\.com"
-SecRule HTTP_Referer|ARGS "racconti-gay\.org"
-SecRule HTTP_Referer|ARGS "radarmadness.info"
-SecRule HTTP_Referer|ARGS "radsport-artikel\.de"
-SecRule HTTP_Referer|ARGS "raf-ranking\.com"
-SecRule HTTP_Referer|ARGS "ragazze\.bz"
-SecRule HTTP_Referer|ARGS "rampantrabbitvibrator\.co\.uk"
-SecRule HTTP_Referer|ARGS "randomfeeding\.com"
-SecRule HTTP_Referer|ARGS "randppro-cuts\.com"
-SecRule HTTP_Referer|ARGS "randyblue\.info"
-SecRule HTTP_Referer|ARGS "randysrealtyreview\.com"
-SecRule HTTP_Referer|ARGS "rape-art\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "rape-fantasy-pics\.com"
-SecRule HTTP_Referer|ARGS "rape--stories"
-SecRule HTTP_Referer|ARGS "rape-stories\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "rape-stories\.biz"
-SecRule HTTP_Referer|ARGS "rapestoriespics"
-SecRule HTTP_Referer|ARGS "rapid-merchant-account\.com"
-SecRule HTTP_Referer|ARGS "rapid\.myserver\.org"
-SecRule HTTP_Referer|ARGS "ratenkredit-center\.de"
-SecRule HTTP_Referer|ARGS "ratenkredit-shop\.de"
-SecRule HTTP_Referer|ARGS "raw-pussy\.us"
-SecRule HTTP_Referer|ARGS "rbfanz\.com"
-SecRule HTTP_Referer|ARGS "reachcasino\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "readyforsex.nl"
-SecRule HTTP_Referer|ARGS "realestateslaws\.com"
-SecRule HTTP_Referer|ARGS "realisticforeignpolicy\.org"
-SecRule HTTP_Referer|ARGS "reality-porn\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "reality-xxx\.biz"
-SecRule HTTP_Referer|ARGS "reallyconfused\.com"
-SecRule HTTP_Referer|ARGS "reallyhot\.org"
-SecRule HTTP_Referer|ARGS "realmilfgangbang\.biz"
-SecRule HTTP_Referer|ARGS "real-online-poker"
-SecRule HTTP_Referer|ARGS "real-sex\.us"
-SecRule HTTP_Referer|ARGS "realtickling\.com"
-SecRule HTTP_Referer|ARGS "rebjorn\.co\.uk"
-SecRule HTTP_Referer|ARGS "redcentre\.org"
-SecRule HTTP_Referer|ARGS "redi\.tk"
-SecRule HTTP_Referer|ARGS "referrer-script\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "refinance-home-mortgage"
-SecRule HTTP_Referer|ARGS "refinance-mortgage-home-equity-loan\.com"
-SecRule HTTP_Referer|ARGS "reggaeboyzfanz\.com"
-SecRule HTTP_Referer|ARGS "registerxonline\.com"
-SecRule HTTP_Referer|ARGS "registrarprice\.com"
-SecRule HTTP_Referer|ARGS "reglament-np\.ru"
-SecRule HTTP_Referer|ARGS "reisen-domain\.de"
-SecRule HTTP_Referer|ARGS "relievepain\.org"
-SecRule HTTP_Referer|ARGS "rental-2004\.com"
-SecRule HTTP_Referer|ARGS "rentalcarsplus\.com"
-SecRule HTTP_Referer|ARGS "rent-games-movies\.com"
-SecRule HTTP_Referer|ARGS "repaircreditonline\.net"
-SecRule HTTP_Referer|ARGS "repair-restore-bad-credit-report-identity-theft\.com"
-SecRule HTTP_Referer|ARGS "(repair|restore|bad)+[\w\-_.]*credit"
-SecRule HTTP_Referer|ARGS "repondeurs-logos-mobile\.com"
-SecRule HTTP_Referer|ARGS "republika\.pl"
-SecRule HTTP_Referer|ARGS "reservedining\.net"
-SecRule HTTP_Referer|ARGS "reservedining\.org"
-SecRule HTTP_Referer|ARGS "restaurant-l\.de"
-SecRule HTTP_Referer|ARGS "rethyassociates\.net"
-SecRule HTTP_Referer|ARGS "rethyassociates\.org"
-SecRule HTTP_Referer|ARGS "reviewonlinedating\.com"
-SecRule HTTP_Referer|ARGS "rhinoslinks\.com"
-SecRule HTTP_Referer|ARGS "rhinosthumbs\.com"
-SecRule HTTP_Referer|ARGS "rhonebodybuilding\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "ricettegolose\.com"
-SecRule HTTP_Referer|ARGS "richshemales\.com"
-SecRule HTTP_Referer|ARGS "richtigflirten\.com"
-SecRule HTTP_Referer|ARGS "rifp\.org"
-SecRule HTTP_Referer|ARGS "rightdebt\.com"
-SecRule HTTP_Referer|ARGS "rimpim\.com"
-SecRule HTTP_Referer|ARGS "ringsignaler-ikon-spel\.com"
-SecRule HTTP_Referer|ARGS "ringtone-logo-game\.com"
-SecRule HTTP_Referer|ARGS "ringtoner-logoer-spill\.com"
-SecRule HTTP_Referer|ARGS "ringtonespy\.com"
-SecRule HTTP_Referer|ARGS "ritalin-pharmacy\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "rittenhouse\.ca"
-SecRule HTTP_Referer|ARGS "rmg\.com\.cn"
-SecRule HTTP_Referer|ARGS "ro7kalbe\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "robinson-entertainment\.com"
-SecRule HTTP_Referer|ARGS "robosapiensource"
-SecRule HTTP_Referer|ARGS "robosapiensource\.com"
-SecRule HTTP_Referer|ARGS "roboticmilking\.com"
-SecRule HTTP_Referer|ARGS "rohkalby\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "romane-buecher\.de"
-SecRule HTTP_Referer|ARGS "romanticmaui\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "romeo-ent\.com"
-SecRule HTTP_Referer|ARGS "ronnieazza\.com"
-SecRule HTTP_Referer|ARGS "rooody\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "rossmann\.de"
-SecRule HTTP_Referer|ARGS "roulette---online\.com"
-SecRule HTTP_Referer|ARGS "roulette-w\.com"
-SecRule HTTP_Referer|ARGS "rowdd\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "roxtet\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "royaladult\.com"
-SecRule HTTP_Referer|ARGS "royalfreehost\.com/teen/amymiller"
-SecRule HTTP_Referer|ARGS "royalmailhotel\.com"
-SecRule HTTP_Referer|ARGS "ru21\.to"
-SecRule HTTP_Referer|ARGS "ruitai88\.com"
-SecRule HTTP_Referer|ARGS "rulo\.biz"
-SecRule HTTP_Referer|ARGS "runawayclicks\.com"
-SecRule HTTP_Referer|ARGS "rx-central\.net"
-SecRule HTTP_Referer|ARGS "rx-lexapro\.biz"
-SecRule HTTP_Referer|ARGS "rxpainrelief\.net"
-SecRule HTTP_Referer|ARGS "rxpills\.biz"
-SecRule HTTP_Referer|ARGS "rx-pills-r\.us"
-SecRule HTTP_Referer|ARGS "rx-store\.com"
-SecRule HTTP_Referer|ARGS "rxweightloss\.org"
-SecRule HTTP_Referer|ARGS "rydoncycles\.co\.uk"
-SecRule HTTP_Referer|ARGS "safecreditonline\.com"
-SecRule HTTP_Referer|ARGS "sailor-moon-hentai\.org"
-SecRule HTTP_Referer|ARGS "sailor-moon-hentai\.us"
-SecRule HTTP_Referer|ARGS "salcia\.co\.uk"
-SecRule HTTP_Referer|ARGS "salute-bellezza\.net"
-SecRule HTTP_Referer|ARGS "salute-bellezza\.org"
-SecRule HTTP_Referer|ARGS "salute-benessere\.org"
-SecRule HTTP_Referer|ARGS "salute-e-benessere\.net"
-SecRule HTTP_Referer|ARGS "salute-igiene\.com"
-SecRule HTTP_Referer|ARGS "salute-malattie\.com"
-SecRule HTTP_Referer|ARGS "salute-malattie\.net"
-SecRule HTTP_Referer|ARGS "samaraonline\.com"
-SecRule HTTP_Referer|ARGS "samiuls\.com"
-SecRule HTTP_Referer|ARGS "samuraidojo\.com"
-SecRule HTTP_Referer|ARGS "sandhillaudio\.com"
-SecRule HTTP_Referer|ARGS "sandrabre\.de"
-SecRule HTTP_Referer|ARGS "sapphicerotica\.biz"
-SecRule HTTP_Referer|ARGS "sapphic.nl"
-SecRule HTTP_Referer|ARGS "sarennasworld\.com"
-SecRule HTTP_Referer|ARGS "sasseminars\.com"
-SecRule HTTP_Referer|ARGS "sat-direct\.net"
-SecRule HTTP_Referer|ARGS "satellite\.bravehost\.com"
-SecRule HTTP_Referer|ARGS "satellite-direct-for-you\.com"
-SecRule HTTP_Referer|ARGS "satellite-network-tv\.com"
-SecRule HTTP_Referer|ARGS "satellitetvboutique\.com"
-SecRule HTTP_Referer|ARGS "satellite-tv\.cjb\.net"
-SecRule HTTP_Referer|ARGS "satellitetv-reviewed\.tripod\.com"
-SecRule HTTP_Referer|ARGS "\.savedme\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "saveondentalplans\.com"
-SecRule HTTP_Referer|ARGS "saveonpills\.net"
-SecRule HTTP_Referer|ARGS "sbdforum\.com"
-SecRule HTTP_Referer|ARGS "sbt-scooter\.com"
-SecRule HTTP_Referer|ARGS "sc10\.net"
-SecRule HTTP_Referer|ARGS "scarica-mp3\.biz"
-SecRule HTTP_Referer|ARGS "scarica-mp3\.com"
-SecRule HTTP_Referer|ARGS "scaricamp3\.us"
-SecRule HTTP_Referer|ARGS "scarica-musica\.com"
-SecRule HTTP_Referer|ARGS "scarica-musica-mp3\.org"
-SecRule HTTP_Referer|ARGS "scarica-musica\.org"
-SecRule HTTP_Referer|ARGS "scaricare-canzoni\.com"
-SecRule HTTP_Referer|ARGS "scaricare-canzoni\.net"
-SecRule HTTP_Referer|ARGS "scaricare-canzoni\.org"
-SecRule HTTP_Referer|ARGS "scaricare-mp3\.org"
-SecRule HTTP_Referer|ARGS "scatporn\.info"
-SecRule HTTP_Referer|ARGS "scent-shopper\.com"
-SecRule HTTP_Referer|ARGS "schanee\.de"
-SecRule HTTP_Referer|ARGS "schmuck-domain\.de"
-SecRule HTTP_Referer|ARGS "scottneiss\.net"
-SecRule HTTP_Referer|ARGS "se24h\.com"
-SecRule HTTP_Referer|ARGS "search-1\.info"
-SecRule HTTP_Referer|ARGS "search4hardcore\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "search722\.com"
-SecRule HTTP_Referer|ARGS "search-engine-optimization-4-us\.com"
-SecRule HTTP_Referer|ARGS "searchinsurance\.net"
-SecRule HTTP_Referer|ARGS "search-milf\.com"
-SecRule HTTP_Referer|ARGS "searchmybong\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "searchreel\.com"
-SecRule HTTP_Referer|ARGS "searchtypo\.com"
-SecRule HTTP_Referer|ARGS "seckur\.com"
-SecRule HTTP_Referer|ARGS "secureroot\.org"
-SecRule HTTP_Referer|ARGS "security-result\.com"
-SecRule HTTP_Referer|ARGS "sedonaretreat\.org"
-SecRule HTTP_Referer|ARGS "seekartist\.com"
-SecRule HTTP_Referer|ARGS "seeker-milf\.com"
-SecRule HTTP_Referer|ARGS "seitensprung-gratis\.com"
-SecRule HTTP_Referer|ARGS "selectedsex\.com"
-SecRule HTTP_Referer|ARGS "selena-u\.ru"
-SecRule HTTP_Referer|ARGS "self-penis-enlargement"
-SecRule HTTP_Referer|ARGS "\.seloza\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "selten-angeklickt\.de"
-SecRule HTTP_Referer|ARGS "semax[0-9][0-9]\.info"
-SecRule HTTP_Referer|ARGS "semax14\.info"
-SecRule HTTP_Referer|ARGS "semax15\.info"
-SecRule HTTP_Referer|ARGS "semax16\.info"
-SecRule HTTP_Referer|ARGS "sempo-tahoe\.com"
-SecRule HTTP_Referer|ARGS "senior\.mine\.nu"
-SecRule HTTP_Referer|ARGS "seoy\.com"
-SecRule HTTP_Referer|ARGS "servepics\.com"
-SecRule HTTP_Referer|ARGS "servicesdating\.net"
-SecRule HTTP_Referer|ARGS "sessoanalex\.com"
-SecRule HTTP_Referer|ARGS "sesso-gratis\.cc"
-SecRule HTTP_Referer|ARGS "sesso-online\.net"
-SecRule HTTP_Referer|ARGS "sessox\.biz"
-SecRule HTTP_Referer|ARGS "se-traf\.com"
-SecRule HTTP_Referer|ARGS "seven-card-stud\.biz"
-SecRule HTTP_Referer|ARGS "seven-card-stud\.us"
-SecRule HTTP_Referer|ARGS "sewilla\.de"
-SecRule HTTP_Referer|ARGS "sex4dollar\.com"
-SecRule HTTP_Referer|ARGS "sex4singles\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sex-4you\.org"
-SecRule HTTP_Referer|ARGS "sexadultdating\.com"
-SecRule HTTP_Referer|ARGS "sexafspraken\.nl"
-SecRule HTTP_Referer|ARGS "sex-bondagenet\.org"
-SecRule HTTP_Referer|ARGS "sexbrides\.com"
-SecRule HTTP_Referer|ARGS "sexchat\.ccx"
-SecRule HTTP_Referer|ARGS "sexcia\.com"
-SecRule HTTP_Referer|ARGS "sexcompany\."
-SecRule HTTP_Referer|ARGS "sexe\.vc"
-SecRule HTTP_Referer|ARGS "sex-friend\.info"
-SecRule HTTP_Referer|ARGS "sex-gays\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sexglory\.com"
-SecRule HTTP_Referer|ARGS "sexiestserver\.com"
-SecRule HTTP_Referer|ARGS "sexingitup\.com"
-SecRule HTTP_Referer|ARGS "sex-livecam-erotik\.net"
-SecRule HTTP_Referer|ARGS "sex-lover\.org"
-SecRule HTTP_Referer|ARGS "sex-manga\.us"
-SecRule HTTP_Referer|ARGS "sex-mates\.info"
-SecRule HTTP_Referer|ARGS "sexmuch\.com"
-SecRule HTTP_Referer|ARGS "sexnet24\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sexnu\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sexo9\.com"
-SecRule HTTP_Referer|ARGS "sex-photos\.org"
-SecRule HTTP_Referer|ARGS "sex-pic-sex\.com"
-SecRule HTTP_Referer|ARGS "sexplaatjespagina\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sexplanets\.com"
-SecRule HTTP_Referer|ARGS "sex-porn\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sex-pussy\.us"
-SecRule HTTP_Referer|ARGS "sexrelatie\.com"
-SecRule HTTP_Referer|ARGS "sexschlucht\.de"
-SecRule HTTP_Referer|ARGS "sexshop-sexeshop\.com"
-SecRule HTTP_Referer|ARGS "sexshop\.tk"
-SecRule HTTP_Referer|ARGS "sexsq\.com"
-SecRule HTTP_Referer|ARGS "sexstartpages\.com"
-SecRule HTTP_Referer|ARGS "sex-toys-next-day\.com"
-SecRule HTTP_Referer|ARGS "sextoysportal\.com"
-SecRule HTTP_Referer|ARGS "sextoyssexvideos\.com"
-SecRule HTTP_Referer|ARGS "sextreem\.com"
-SecRule HTTP_Referer|ARGS "sexual-shemales\.com"
-SecRule HTTP_Referer|ARGS "sexual-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "sexushost\.com"
-SecRule HTTP_Referer|ARGS "sexvoyager\.com"
-SecRule HTTP_Referer|ARGS "sexwebclub\.com"
-SecRule HTTP_Referer|ARGS "sexwebsites\.com"
-SecRule HTTP_Referer|ARGS "sexy-ass\.us"
-SecRule HTTP_Referer|ARGS "sexy-babes\.us"
-SecRule HTTP_Referer|ARGS "sexy-celebrity-photos\.com"
-SecRule HTTP_Referer|ARGS "sexy-girls\.org"
-SecRule HTTP_Referer|ARGS "sexy-lesbian\.us"
-SecRule HTTP_Referer|ARGS "sexynudea\.com"
-SecRule HTTP_Referer|ARGS "sexy-pussy\.us"
-SecRule HTTP_Referer|ARGS "sexyteen\.ws"
-SecRule HTTP_Referer|ARGS "sfondi-desktop-gratis\.com"
-SecRule HTTP_Referer|ARGS "sfondi--gratis\.com"
-SecRule HTTP_Referer|ARGS "s-fuck\.com"
-SecRule HTTP_Referer|ARGS "sgaico\.ch"
-SecRule HTTP_Referer|ARGS "shadowbaneguides\.net"
-SecRule HTTP_Referer|ARGS "shannon-e\.co\.uk"
-SecRule HTTP_Referer|ARGS "shareint-store\.com"
-SecRule HTTP_Referer|ARGS "sharks\.com\.ru"
-SecRule HTTP_Referer|ARGS "shatteredreality\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "shemale-cum-tgp\.com"
-SecRule HTTP_Referer|ARGS "shemale-girls\.com"
-SecRule HTTP_Referer|ARGS "shemalesex\.biz"
-SecRule HTTP_Referer|ARGS "shemalesland\.com"
-SecRule HTTP_Referer|ARGS "shemalezhost\.com"
-SecRule HTTP_Referer|ARGS "shemalki\.com"
-SecRule HTTP_Referer|ARGS "shfx-bj\.com"
-SecRule HTTP_Referer|ARGS "shhilight\.com"
-SecRule HTTP_Referer|ARGS "shirts-hawaiian-shirt\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "shirts-t-shirts\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "shirts-t-shirts\.com"
-SecRule HTTP_Referer|ARGS "shoesdiscount\.info"
-SecRule HTTP_Referer|ARGS "shomayim\.org"
-SecRule HTTP_Referer|ARGS "shop24x7\.net"
-SecRule HTTP_Referer|ARGS "shop-4\.it"
-SecRule HTTP_Referer|ARGS "shop-ecosafe\.com"
-SecRule HTTP_Referer|ARGS "shop-opyt\.com"
-SecRule HTTP_Referer|ARGS "shoppingideen-xxl\.de"
-SecRule HTTP_Referer|ARGS "shopping-liste\.de"
-SecRule HTTP_Referer|ARGS "shoppyix\.com"
-SecRule HTTP_Referer|ARGS "shop\.tc"
-SecRule HTTP_Referer|ARGS "showsontv\.com"
-SecRule HTTP_Referer|ARGS "sicarrow\.co\.uk"
-SecRule HTTP_Referer|ARGS "siezu\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sigecc\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "silky-smooth-pussy\.com"
-SecRule HTTP_Referer|ARGS "simon-scans\.com"
-SecRule HTTP_Referer|ARGS "simplemeds\.com"
-SecRule HTTP_Referer|ARGS "simple-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "simply-poker\.com"
-SecRule HTTP_Referer|ARGS "simpsonowen\.co\.uk"
-SecRule HTTP_Referer|ARGS "sindyhalliday\.com"
-SecRule HTTP_Referer|ARGS "sinfree\.net"
-SecRule HTTP_Referer|ARGS "-site\.info"
-SecRule HTTP_Referer|ARGS "site-mortgage\.com"
-SecRule HTTP_Referer|ARGS "sitesarchive\.com"
-SecRule HTTP_Referer|ARGS "siti-porno\.us"
-SecRule HTTP_Referer|ARGS "sizegenetics.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sizegenetics\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sizegeneticsenhancement\.com"
-SecRule HTTP_Referer|ARGS "sizegeneticspenis\.com"
-SecRule HTTP_Referer|ARGS "skidman\.com"
-SecRule HTTP_Referer|ARGS "skipme\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "ski-resorts-guide\.com"
-SecRule HTTP_Referer|ARGS "slatersdvds\.co\.uk"
-SecRule HTTP_Referer|ARGS "slavensex\.nl"
-SecRule HTTP_Referer|ARGS "slng\.de"
-SecRule HTTP_Referer|ARGS "slotmachinesguide\.net"
-SecRule HTTP_Referer|ARGS "slot-machines-slots\.com"
-SecRule HTTP_Referer|ARGS "slots-8\.com"
-SecRule HTTP_Referer|ARGS "slotsjockey\.com"
-SecRule HTTP_Referer|ARGS "slots-w\.com"
-SecRule HTTP_Referer|ARGS "slowdownrelax\.com"
-SecRule HTTP_Referer|ARGS "slutcities\.com"
-SecRule HTTP_Referer|ARGS "slut-wife-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "small-business-grants\.biz"
-SecRule HTTP_Referer|ARGS "smallbusinessgrants\.biz"
-SecRule HTTP_Referer|ARGS "s-marche\.com"
-SecRule HTTP_Referer|ARGS "smart-debt-consolidation-and-credit-services\.com"
-SecRule HTTP_Referer|ARGS "smartdot\.com"
-SecRule HTTP_Referer|ARGS "smartonlineshop\.com"
-SecRule HTTP_Referer|ARGS "smerfy\.pl"
-SecRule HTTP_Referer|ARGS "smpagina\.nl"
-SecRule HTTP_Referer|ARGS "sms\.pl"
-SecRule HTTP_Referer|ARGS "sms-sms-sms\.org"
-SecRule HTTP_Referer|ARGS "sms-sprueche-4fun\.de"
-SecRule HTTP_Referer|ARGS "sms-sprueche\.com"
-SecRule HTTP_Referer|ARGS "smutwebsites\.com"
-SecRule HTTP_Referer|ARGS "sneakysleuth\.com"
-SecRule HTTP_Referer|ARGS "snellesex\.com"
-SecRule HTTP_Referer|ARGS "socoplan\.org"
-SecRule HTTP_Referer|ARGS "sofortkredit-tipps\.de"
-SecRule HTTP_Referer|ARGS "sofort-mitgewinnen\.de"
-SecRule HTTP_Referer|ARGS "soft\.center\.prv\.pl"
-SecRule HTTP_Referer|ARGS "soft-industry\.com"
-SecRule HTTP_Referer|ARGS "softwaredevelopmentindia\.com"
-SecRule HTTP_Referer|ARGS "software-einkaufsmarkt\.de"
-SecRule HTTP_Referer|ARGS "software-linkliste\.de"
-SecRule HTTP_Referer|ARGS "software-review-center\.org"
-SecRule HTTP_Referer|ARGS "software\.thedir\.net"
-SecRule HTTP_Referer|ARGS "soittoaanet-logot-peli\.com"
-SecRule HTTP_Referer|ARGS "\.solar-porn"
-SecRule HTTP_Referer|ARGS "sol-web\.de"
-SecRule HTTP_Referer|ARGS "somacheap"
-SecRule HTTP_Referer|ARGS "soma-cheap-soma\.com"
-SecRule HTTP_Referer|ARGS "soma-solution\.com"
-SecRule HTTP_Referer|ARGS "somaspot\.com"
-SecRule HTTP_Referer|ARGS "soma\.st"
-SecRule HTTP_Referer|ARGS "soma-web\.com"
-SecRule HTTP_Referer|ARGS "sommerreisen-2004\.de"
-SecRule HTTP_Referer|ARGS "sonderpreis\.de\.com"
-SecRule HTTP_Referer|ARGS "sonnerie-compositeur\.com"
-SecRule HTTP_Referer|ARGS "sonnerie-hifi-sms\.com"
-SecRule HTTP_Referer|ARGS "sonnerie-logo-jeu\.com"
-SecRule HTTP_Referer|ARGS "sonnerie-logos\.be"
-SecRule HTTP_Referer|ARGS "sonnerie-logo-sonneries\.com"
-SecRule HTTP_Referer|ARGS "sonnerie-logos-sonneries\.com"
-SecRule HTTP_Referer|ARGS "sonnerie-max\.com"
-SecRule HTTP_Referer|ARGS "sonnerie\.net"
-SecRule HTTP_Referer|ARGS "sonnerie-portable\.be"
-SecRule HTTP_Referer|ARGS "sonnerie-portable-composer\.com"
-SecRule HTTP_Referer|ARGS "sonneries\.fr"
-SecRule HTTP_Referer|ARGS "sonneries-gsm-sms\.com"
-SecRule HTTP_Referer|ARGS "sonnerie-sonneries-logo\.com"
-SecRule HTTP_Referer|ARGS "sonnerie-sonneries-logos\.com"
-SecRule HTTP_Referer|ARGS "sonnerie-sonneries\.net"
-SecRule HTTP_Referer|ARGS "sonneries-sonnerie-logo\.com"
-SecRule HTTP_Referer|ARGS "sonneries-sonnerie-logos\.com"
-SecRule HTTP_Referer|ARGS "sophiesplace\.net"
-SecRule HTTP_Referer|ARGS "sorglos-kredit\.de"
-SecRule HTTP_Referer|ARGS "soulfulstencils\.com"
-SecRule HTTP_Referer|ARGS "southbeachdietrecipe\.biz"
-SecRule HTTP_Referer|ARGS "southbeachdiet\.us\.com"
-SecRule HTTP_Referer|ARGS "spacige-domains\.de"
-SecRule HTTP_Referer|ARGS "spannende-spiele\.de"
-SecRule HTTP_Referer|ARGS "spassmaker\.de"
-SecRule HTTP_Referer|ARGS "specialfreaker\.com"
-SecRule HTTP_Referer|ARGS "speedsurf\.to"
-SecRule HTTP_Referer|ARGS "speedy-insurance-quotes\.com"
-SecRule HTTP_Referer|ARGS "spermincreasingpills\.com"
-SecRule HTTP_Referer|ARGS "spermswapping\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "spiele-kostenlose\.com"
-SecRule HTTP_Referer|ARGS "spiele-planet\.com"
-SecRule HTTP_Referer|ARGS "splong\.net"
-SecRule HTTP_Referer|ARGS "spoodles\.com"
-SecRule HTTP_Referer|ARGS "sportartikel-auswahl\.de"
-SecRule HTTP_Referer|ARGS "sportecdigital\.com"
-SecRule HTTP_Referer|ARGS "sportingcolors\.org"
-SecRule HTTP_Referer|ARGS "sportlich-chic\.de"
-SecRule HTTP_Referer|ARGS "sports-betting-"
-SecRule HTTP_Referer|ARGS "sports-betting-a\.com"
-SecRule HTTP_Referer|ARGS "sports---betting\.com"
-SecRule HTTP_Referer|ARGS "sportsbettingexpert\.com"
-SecRule HTTP_Referer|ARGS "sports-inter-action\.com"
-SecRule HTTP_Referer|ARGS "sportsorg\.biz"
-SecRule HTTP_Referer|ARGS "sportsparent\.com"
-SecRule HTTP_Referer|ARGS "sporty.org\.ru"
-SecRule HTTP_Referer|ARGS "spp-net\.de"
-SecRule HTTP_Referer|ARGS "spy-patrol\.com"
-SecRule HTTP_Referer|ARGS "spyshots\.bpa\.nu"
-SecRule HTTP_Referer|ARGS "spyware-links\.com"
-SecRule HTTP_Referer|ARGS "s-sites\.net"
-SecRule HTTP_Referer|ARGS "staffordshires\.net"
-SecRule HTTP_Referer|ARGS "standard-casino\.com"
-SecRule HTTP_Referer|ARGS "staplethis\.de"
-SecRule HTTP_Referer|ARGS "starpills\.com"
-SecRule HTTP_Referer|ARGS "startseek\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.static\.net"
-SecRule HTTP_Referer|ARGS "static\.net"
-SecRule HTTP_Referer|ARGS "statusforsale\.de"
-SecRule HTTP_Referer|ARGS "steelstockholder\.co\.uk"
-SecRule HTTP_Referer|ARGS "stellenangebote-checken\.de"
-SecRule HTTP_Referer|ARGS "stellenangebote-l\.de"
-SecRule HTTP_Referer|ARGS "stephjones\.com"
-SecRule HTTP_Referer|ARGS "stevespoliceequipment\.com"
-SecRule HTTP_Referer|ARGS "stfc-isc\.org"
-SecRule HTTP_Referer|ARGS "sting\.cc"
-SecRule HTTP_Referer|ARGS "stmaryonline\.org"
-SecRule HTTP_Referer|ARGS "stock-power\.com"
-SecRule HTTP_Referer|ARGS "stolb\.net"
-SecRule HTTP_Referer|ARGS "stop-depression\.com"
-SecRule HTTP_Referer|ARGS "stopp-hier\.de"
-SecRule HTTP_Referer|ARGS "stop-snoring\.crpublish\.com"
-SecRule HTTP_Referer|ARGS "stopthatfilthyhabit\.com"
-SecRule HTTP_Referer|ARGS "stories-adult\.net"
-SecRule HTTP_Referer|ARGS "stories--archive\.com"
-SecRule HTTP_Referer|ARGS "stories-inc\.com"
-SecRule HTTP_Referer|ARGS "stories-on-cd\.net"
-SecRule HTTP_Referer|ARGS "stories-on-cd\.org"
-SecRule HTTP_Referer|ARGS "storiespics"
-SecRule HTTP_Referer|ARGS "storiespics\.game-host\.org"
-SecRule HTTP_Referer|ARGS "storiespics\.game-server\.cc"
-SecRule HTTP_Referer|ARGS "storiespics\.gotdns\.com"
-SecRule HTTP_Referer|ARGS "storiespics\.gotdns\.org"
-SecRule HTTP_Referer|ARGS "storiespics\.ham-radio-op\.net"
-SecRule HTTP_Referer|ARGS "storiespics\.homedns\.org"
-SecRule HTTP_Referer|ARGS "storiespics\.homeftp\.net"
-SecRule HTTP_Referer|ARGS "storiespics\.homeftp\.org"
-SecRule HTTP_Referer|ARGS "storiespics\.homeip\.net"
-SecRule HTTP_Referer|ARGS "storiespics\.homelinux\.com"
-SecRule HTTP_Referer|ARGS "storiespics\.homelinux\.net"
-SecRule HTTP_Referer|ARGS "storiespics\.homelinux\.org"
-SecRule HTTP_Referer|ARGS "storiespics\.homeunix\.com"
-SecRule HTTP_Referer|ARGS "storiespics\.homeunix\.net"
-SecRule HTTP_Referer|ARGS "storiespics\.homeunix\.org"
-SecRule HTTP_Referer|ARGS "stormhit\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "striemline\.de"
-SecRule HTTP_Referer|ARGS "stripclubexposed\.info"
-SecRule HTTP_Referer|ARGS "striptrends\.com"
-SecRule HTTP_Referer|ARGS "strivectinsd\.com"
-SecRule HTTP_Referer|ARGS "studio-b-darmstadt.de"
-SecRule HTTP_Referer|ARGS "studiomoney\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "stunningsextoys\.com"
-SecRule HTTP_Referer|ARGS "styrax-benzoin\.com"
-SecRule HTTP_Referer|ARGS "subtitel.nl"
-SecRule HTTP_Referer|ARGS "success-biz-replica\.com"
-SecRule HTTP_Referer|ARGS "sufficientlife\.com"
-SecRule HTTP_Referer|ARGS "sugarnights\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "suma-eintragen\.de"
-SecRule HTTP_Referer|ARGS "sumaeintrag-xxl\.de"
-SecRule HTTP_Referer|ARGS "sunbandits\.com"
-SecRule HTTP_Referer|ARGS "sundayafternoonsmack\.com"
-SecRule HTTP_Referer|ARGS "sung-mo\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sunnyby\.com"
-SecRule HTTP_Referer|ARGS "suonerie-center\.com"
-SecRule HTTP_Referer|ARGS "suonerie-download\.com"
-SecRule HTTP_Referer|ARGS "suonerie-loghi-gratis\.com"
-SecRule HTTP_Referer|ARGS "suonerieloghix\.com"
-SecRule HTTP_Referer|ARGS "suoneriex\.net"
-SecRule HTTP_Referer|ARGS "suoyan\.com"
-SecRule HTTP_Referer|ARGS "super-bowl-bet\.biz"
-SecRule HTTP_Referer|ARGS "superbowl--betting\.com"
-SecRule HTTP_Referer|ARGS "super-celebs\.com"
-SecRule HTTP_Referer|ARGS "super-cialis\.com"
-SecRule HTTP_Referer|ARGS "superdolphins\.org"
-SecRule HTTP_Referer|ARGS "superpornlist\.com"
-SecRule HTTP_Referer|ARGS "surfe-und-staune\.de"
-SecRule HTTP_Referer|ARGS "surgery.go\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "susiewildin\.com"
-SecRule HTTP_Referer|ARGS "sutra-sex\.com"
-SecRule HTTP_Referer|ARGS "suttonjames\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "suttonjames\.net"
-SecRule HTTP_Referer|ARGS "suttonjames\.org"
-SecRule HTTP_Referer|ARGS "svitonline\.com"
-SecRule HTTP_Referer|ARGS "swedenet\.com"
-SecRule HTTP_Referer|ARGS "swedenetwork\.com"
-SecRule HTTP_Referer|ARGS "sweetbuyz\.com"
-SecRule HTTP_Referer|ARGS "sweet-horny\.com"
-SecRule HTTP_Referer|ARGS "sweethotgirls\.com"
-SecRule HTTP_Referer|ARGS "sweetteenbodies\.com"
-SecRule HTTP_Referer|ARGS "swingersadult\.net"
-SecRule HTTP_Referer|ARGS "swinger-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "swingersunidos\.com"
-SecRule HTTP_Referer|ARGS "sydney-harbour\.info"
-SecRule HTTP_Referer|ARGS "sylphiel\.org"
-SecRule HTTP_Referer|ARGS "sylviapanda\.com"
-SecRule HTTP_Referer|ARGS "syntryx\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sysaud\.com"
-SecRule HTTP_Referer|ARGS "syscom-"
-SecRule HTTP_Referer|ARGS "syscon-"
-SecRule HTTP_Referer|ARGS "t35\.com"
-SecRule HTTP_Referer|ARGS "t3n\.org"
-SecRule HTTP_Referer|ARGS "tabsinc\.com"
-SecRule HTTP_Referer|ARGS "take-credit-cards\.com"
-SecRule HTTP_Referer|ARGS "taliesinfellows\.org"
-SecRule HTTP_Referer|ARGS "talktobabes\.com"
-SecRule HTTP_Referer|ARGS "tanganyikan-cichlids\.co\.uk"
-SecRule HTTP_Referer|ARGS "tapbuster\.co\.uk"
-SecRule HTTP_Referer|ARGS "taremociecall\.com"
-SecRule HTTP_Referer|ARGS "targetindustries\.net"
-SecRule HTTP_Referer|ARGS "targetingpain\.net"
-SecRule HTTP_Referer|ARGS "tattoo-entwuerfe\.de"
-SecRule HTTP_Referer|ARGS "tatuaggi\.cc"
-SecRule HTTP_Referer|ARGS "tatuaggi-gratis\.com"
-SecRule HTTP_Referer|ARGS "tatuaggi-piercing\.org"
-SecRule HTTP_Referer|ARGS "tatuaggi-tribali\.com"
-SecRule HTTP_Referer|ARGS "tatuaggitribali\.com"
-SecRule HTTP_Referer|ARGS "tatuaggi\.us"
-SecRule HTTP_Referer|ARGS "tclighting\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "tclighting\.net"
-SecRule HTTP_Referer|ARGS "tclighting\.org"
-SecRule HTTP_Referer|ARGS "tdk-n\.com"
-SecRule HTTP_Referer|ARGS "teambeck\.org"
-SecRule HTTP_Referer|ARGS "teamregules\.com"
-SecRule HTTP_Referer|ARGS "tecrep-inc\.net"
-SecRule HTTP_Referer|ARGS "tecrep-inc\.org"
-SecRule HTTP_Referer|ARGS "teddbot\.com"
-SecRule HTTP_Referer|ARGS "teddnetwork\.com"
-SecRule HTTP_Referer|ARGS "teenagerzone\.com"
-SecRule HTTP_Referer|ARGS "teen-babes\.us"
-SecRule HTTP_Referer|ARGS "teen-boys-fuck-paysite\.com"
-SecRule HTTP_Referer|ARGS "teenbrazil\.info"
-SecRule HTTP_Referer|ARGS "teenbrazil\.ws"
-SecRule HTTP_Referer|ARGS "teen-d\.com"
-SecRule HTTP_Referer|ARGS "teen-hentai\.us"
-SecRule HTTP_Referer|ARGS "teen-movie\.us"
-SecRule HTTP_Referer|ARGS "teen-porn-movie\.net"
-SecRule HTTP_Referer|ARGS "teensexcollection\.com"
-SecRule HTTP_Referer|ARGS "teen-sex-porn-models\.com"
-SecRule HTTP_Referer|ARGS "teensluts\.org"
-SecRule HTTP_Referer|ARGS "teens\.wox\.org"
-SecRule HTTP_Referer|ARGS "teentopanga\.name"
-SecRule HTTP_Referer|ARGS "teen-video\.us"
-SecRule HTTP_Referer|ARGS "teenxxxpix\.net"
-SecRule HTTP_Referer|ARGS "teen-xxx\.us"
-SecRule HTTP_Referer|ARGS "telechargement-logiciel\.com"
-SecRule HTTP_Referer|ARGS "terminator-sales\.com"
-SecRule HTTP_Referer|ARGS "terra\.es/personal2/dee7boquo"
-SecRule HTTP_Referer|ARGS "terra\.es/personal2/markus69"
-SecRule HTTP_Referer|ARGS "testi-canzoni\.com"
-SecRule HTTP_Referer|ARGS "testi-canzoni\.net"
-SecRule HTTP_Referer|ARGS "testi\.cc"
-SecRule HTTP_Referer|ARGS "testi-musicali\.com"
-SecRule HTTP_Referer|ARGS "testi-musicali\.net"
-SecRule HTTP_Referer|ARGS "tests-shop\.com"
-SecRule HTTP_Referer|ARGS "tette\.bz"
-SecRule HTTP_Referer|ARGS "tettone\.cc"
-SecRule HTTP_Referer|ARGS "texasholdem"
-SecRule HTTP_Referer|ARGS "texas-holdem"
-SecRule HTTP_Referer|ARGS "texas--holdem"
-SecRule HTTP_Referer|ARGS "texas--hold-em"
-SecRule HTTP_Referer|ARGS "texas--hold--em"
-SecRule HTTP_Referer|ARGS "texas-hold-em"
-SecRule HTTP_Referer|ARGS "texas-poker"
-SecRule HTTP_Referer|ARGS "texasproptax\.com"
-SecRule HTTP_Referer|ARGS "tgplist\.us"
-SecRule HTTP_Referer|ARGS "thatwhichis\.com"
-SecRule HTTP_Referer|ARGS "the1930shome\.co\.uk"
-SecRule HTTP_Referer|ARGS "thebans\.com"
-SecRule HTTP_Referer|ARGS "thebestofnet\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "theblackfoxes\.com"
-SecRule HTTP_Referer|ARGS "the-boysfirsttime\.com"
-SecRule HTTP_Referer|ARGS "the-boys-first-time\.net"
-SecRule HTTP_Referer|ARGS "theceleb\.com"
-SecRule HTTP_Referer|ARGS "thecraftersgallery\.com"
-SecRule HTTP_Referer|ARGS "the-date\.com"
-SecRule HTTP_Referer|ARGS "theendofthesummit\.com"
-SecRule HTTP_Referer|ARGS "the-first-time-auditions"
-SecRule HTTP_Referer|ARGS "thefreecellphone\.com"
-SecRule HTTP_Referer|ARGS "thehadhams\.net"
-SecRule HTTP_Referer|ARGS "the-hun-site\.com"
-SecRule HTTP_Referer|ARGS "the-hun-yellow-page-tgp\.com"
-SecRule HTTP_Referer|ARGS "themadpiper\.net"
-SecRule HTTP_Referer|ARGS "the-pill-bottle\.com"
-SecRule HTTP_Referer|ARGS "thepornhost\.com"
-SecRule HTTP_Referer|ARGS "the-proxy\.com"
-SecRule HTTP_Referer|ARGS "thepurplepitch\.com"
-SecRule HTTP_Referer|ARGS "therosygarden\.com"
-SecRule HTTP_Referer|ARGS "thesoftwaregarage\.co\.uk"
-SecRule HTTP_Referer|ARGS "thespecialweb\.com"
-SecRule HTTP_Referer|ARGS "thewebbrains\.com"
-SecRule HTTP_Referer|ARGS "thorcarlson\.com"
-SecRule HTTP_Referer|ARGS "thosethosethose"
-SecRule HTTP_Referer|ARGS "thumbscape\.com"
-SecRule HTTP_Referer|ARGS "ticket-marktplatz\.de"
-SecRule HTTP_Referer|ARGS "tickets4events\.de"
-SecRule HTTP_Referer|ARGS "tiere-futter\.de"
-SecRule HTTP_Referer|ARGS "tiesearch\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "tiffany-towers\.com"
-SecRule HTTP_Referer|ARGS "tiffinsdeli\.com"
-SecRule HTTP_Referer|ARGS "tigerspice\.com"
-SecRule HTTP_Referer|ARGS "tikattack\.com"
-SecRule HTTP_Referer|ARGS "timescooter\.com"
-SecRule HTTP_Referer|ARGS "tina4re\.com"
-SecRule HTTP_Referer|ARGS "tinytops\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "tips-1a\.de"
-SecRule HTTP_Referer|ARGS "tits-center\.com"
-SecRule HTTP_Referer|ARGS "tits-cumshots\.net"
-SecRule HTTP_Referer|ARGS "tm258\.com"
-SecRule HTTP_Referer|ARGS "tmsathai\.org"
-SecRule HTTP_Referer|ARGS "tofik\.pl"
-SecRule HTTP_Referer|ARGS "tokyojoes\.info"
-SecRule HTTP_Referer|ARGS "tonius\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "tonos-celulares\.com\.mx"
-SecRule HTTP_Referer|ARGS "tonos-nokia\.com\.mx"
-SecRule HTTP_Referer|ARGS "tooporno\.net"
-SecRule HTTP_Referer|ARGS "\.top07\.com"
-SecRule HTTP_Referer|ARGS "topaktuelle-tattos\.de"
-SecRule HTTP_Referer|ARGS "top-blackjack-game"
-SecRule HTTP_Referer|ARGS "top-blackjack\.net"
-SecRule HTTP_Referer|ARGS "top-casinos-net\.com"
-SecRule HTTP_Referer|ARGS "top-cialis\.com"
-SecRule HTTP_Referer|ARGS "topcialis\.com"
-SecRule HTTP_Referer|ARGS "top-deals-online-pharmacy"
-SecRule HTTP_Referer|ARGS "top-deals-pills"
-SecRule HTTP_Referer|ARGS "top-deals-pills\.info"
-SecRule HTTP_Referer|ARGS "top-deals-viagra"
-SecRule HTTP_Referer|ARGS "top-dedicated-servers\.com"
-SecRule HTTP_Referer|ARGS "top-des-rencontres\.com"
-SecRule HTTP_Referer|ARGS "top-fioricet\.com"
-SecRule HTTP_Referer|ARGS "top.gb\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "top-internet-blackjack\.com"
-SecRule HTTP_Referer|ARGS "topmeds\.net"
-SecRule HTTP_Referer|ARGS "top-milf\.com"
-SecRule HTTP_Referer|ARGS "top-of-best\.de"
-SecRule HTTP_Referer|ARGS "top-online-poker-bonuses"
-SecRule HTTP_Referer|ARGS "top-online-slots\.com"
-SecRule HTTP_Referer|ARGS "top-pharmacy\.net"
-SecRule HTTP_Referer|ARGS "top-poker-21\.com"
-SecRule HTTP_Referer|ARGS "top-sex-base\.com"
-SecRule HTTP_Referer|ARGS "top-skelaxin\.com"
-SecRule HTTP_Referer|ARGS "top-soma\.com"
-SecRule HTTP_Referer|ARGS "top-the-best\.de"
-SecRule HTTP_Referer|ARGS "top-video-poker\.info"
-SecRule HTTP_Referer|ARGS "top-wins-2005\.com"
-SecRule HTTP_Referer|ARGS "toques-logos-jogos\.com"
-SecRule HTTP_Referer|ARGS "toshain\.com"
-SecRule HTTP_Referer|ARGS "totallyfreecreditreport\.org"
-SecRule HTTP_Referer|ARGS "total-verspielt\.de"
-SecRule HTTP_Referer|ARGS "touchwoodmagazine\.org\.uk"
-SecRule HTTP_Referer|ARGS "tournamentpoker\.biz"
-SecRule HTTP_Referer|ARGS "towneluxury\.com"
-SecRule HTTP_Referer|ARGS "traffixer\.com"
-SecRule HTTP_Referer|ARGS "training-one\.co\.uk"
-SecRule HTTP_Referer|ARGS "trannies\.angelcities\.com"
-SecRule HTTP_Referer|ARGS "tranny\.150m\.com"
-SecRule HTTP_Referer|ARGS "tranny-pic-free\.com"
-SecRule HTTP_Referer|ARGS "trannys\.blowsearch\.ws"
-SecRule HTTP_Referer|ARGS "tranny-sex-clips\.com"
-SecRule HTTP_Referer|ARGS "trannysexmovie\.com"
-SecRule HTTP_Referer|ARGS "transbestporn\.com"
-SecRule HTTP_Referer|ARGS "transestore\.com"
-SecRule HTTP_Referer|ARGS "transpire\.de"
-SecRule HTTP_Referer|ARGS "traum-pcs\.de"
-SecRule HTTP_Referer|ARGS "traveltogermany.info"
-SecRule HTTP_Referer|ARGS "treocat\.com"
-SecRule HTTP_Referer|ARGS "triadindustries\.co\.uk"
-SecRule HTTP_Referer|ARGS "tribal-penis-stretch"
-SecRule HTTP_Referer|ARGS "triodating.nl"
-SecRule HTTP_Referer|ARGS "trixieteen\.org"
-SecRule HTTP_Referer|ARGS "troggen\.de"
-SecRule HTTP_Referer|ARGS "troie\.bz"
-SecRule HTTP_Referer|ARGS "trolliges\.de"
-SecRule HTTP_Referer|ARGS "trucchi-giochi\.us"
-SecRule HTTP_Referer|ARGS "trueuninstall\.com"
-SecRule HTTP_Referer|ARGS "trumpetmission\.org"
-SecRule HTTP_Referer|ARGS "tt33tt\.com"
-SecRule HTTP_Referer|ARGS "tt7\.org"
-SecRule HTTP_Referer|ARGS "tubegator\.com"
-SecRule HTTP_Referer|ARGS "tugjobs\.(com|net|biz|org|info)"
-SecRule HTTP_Referer|ARGS "tuff-enuff\.fnpsites\.com"
-SecRule HTTP_Referer|ARGS "turist\.com\.pl"
-SecRule HTTP_Referer|ARGS "tvforum\.org"
-SecRule HTTP_Referer|ARGS "twinky\.org"
-SecRule HTTP_Referer|ARGS "tygef\.org"
-SecRule HTTP_Referer|ARGS "typo[0-9]\.com"
-SecRule HTTP_Referer|ARGS "uaeecommerce\.com"
-SecRule HTTP_Referer|ARGS "ufosearch\.net"
-SecRule HTTP_Referer|ARGS "ukrainewife\.net"
-SecRule HTTP_Referer|ARGS "uk-virtual-office-solutions\.com"
-SecRule HTTP_Referer|ARGS "ultracet-web\.com"
-SecRule HTTP_Referer|ARGS "ultrampharmacy\.com"
-SecRule HTTP_Referer|ARGS "ultra-shop\.info"
-SecRule HTTP_Referer|ARGS "unbeatablecellphones\.com"
-SecRule HTTP_Referer|ARGS "unbeatablemobiles\.co\.uk"
-SecRule HTTP_Referer|ARGS "unbeatablerx\.com"
-SecRule HTTP_Referer|ARGS "unccd\.ch"
-SecRule HTTP_Referer|ARGS "underage-pussy\.net"
-SecRule HTTP_Referer|ARGS "undonet\.com"
-SecRule HTTP_Referer|ARGS "unfinished-desires\.com"
-SecRule HTTP_Referer|ARGS "uni-card\.ru"
-SecRule HTTP_Referer|ARGS "unionvillefire\.com"
-SecRule HTTP_Referer|ARGS "unitedarchive\.com"
-SecRule HTTP_Referer|ARGS "united-cash\.com"
-SecRule HTTP_Referer|ARGS "unrisd\.com"
-SecRule HTTP_Referer|ARGS "unscramble\.de"
-SecRule HTTP_Referer|ARGS "unterm-rock\.us"
-SecRule HTTP_Referer|ARGS "upsandowns\.com"
-SecRule HTTP_Referer|ARGS "upsms\.de"
-SecRule HTTP_Referer|ARGS "upthekazoo\.com"
-SecRule HTTP_Referer|ARGS "urlaubssonne-tanken\.de"
-SecRule HTTP_Referer|ARGS "usa-birthday-flowers\.com"
-SecRule HTTP_Referer|ARGS "usa-car-insurance\.com"
-SecRule HTTP_Referer|ARGS "usa-car-loans\.com"
-SecRule HTTP_Referer|ARGS "usa-cash-advance\.com"
-SecRule HTTP_Referer|ARGS "usa-election.blogspot\.com"
-SecRule HTTP_Referer|ARGS "usa-escorts-123\.com"
-SecRule HTTP_Referer|ARGS "usbitches\.com"
-SecRule HTTP_Referer|ARGS "us-cash\.com"
-SecRule HTTP_Referer|ARGS "uscashloan\.com"
-SecRule HTTP_Referer|ARGS "usedcarsforsale"
-SecRule HTTP_Referer|ARGS "us-meds\.com"
-SecRule HTTP_Referer|ARGS "u-w-m\.ru"
-SecRule HTTP_Referer|ARGS "uzha\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "v27\.net"
-SecRule HTTP_Referer|ARGS "v29\.net"
-SecRule HTTP_Referer|ARGS "v3\.be"
-SecRule HTTP_Referer|ARGS "vacation-rentals-guide\.com"
-SecRule HTTP_Referer|ARGS "vakantiesex\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "valeofglamorganconservatives\.org"
-SecRule HTTP_Referer|ARGS "vandr\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "vcialis\.com"
-SecRule HTTP_Referer|ARGS "venera-agency\.com"
-SecRule HTTP_Referer|ARGS "veranstaltungs-tickets\.de"
-SecRule HTTP_Referer|ARGS "vergleich-versicherungsangebote\.de"
-SecRule HTTP_Referer|ARGS "versicherungsangebote-vergleichen\.de"
-SecRule HTTP_Referer|ARGS "versicherungsvergleiche-xxl\.de"
-SecRule HTTP_Referer|ARGS "versicherungsvergleich-pkv\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "versteigerungs-festival\.de"
-SecRule HTTP_Referer|ARGS "verybrowse\.com"
-SecRule HTTP_Referer|ARGS "verycd\.com"
-SecRule HTTP_Referer|ARGS "verycheapdentalinsurance\.com"
-SecRule HTTP_Referer|ARGS "viaggix\.com"
-SecRule HTTP_Referer|ARGS "viagrafemale"
-SecRule HTTP_Referer|ARGS "viapaxton\.com"
-SecRule HTTP_Referer|ARGS "videohentai\.org"
-SecRule HTTP_Referer|ARGS "video-n\.com"
-SecRule HTTP_Referer|ARGS "video-poker"
-SecRule HTTP_Referer|ARGS "video-poker-dot\.com"
-SecRule HTTP_Referer|ARGS "video-poker-world\.net"
-SecRule HTTP_Referer|ARGS "video-porno\.nu"
-SecRule HTTP_Referer|ARGS "videoportfolios\.com"
-SecRule HTTP_Referer|ARGS "vieille-dame-ici\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "vierminuseins\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "vietnamdatingservices\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "vilentium\.de"
-SecRule HTTP_Referer|ARGS "villagesx\.com"
-SecRule HTTP_Referer|ARGS "vimax\.lx\.ro"
-SecRule HTTP_Referer|ARGS "vimax\.topcities\.com"
-SecRule HTTP_Referer|ARGS "vinhas\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "vip-condom\.com"
-SecRule HTTP_Referer|ARGS "vip-online-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "virtuellereiseburo\.com"
-SecRule HTTP_Referer|ARGS "vitamins-for-each\.com"
-SecRule HTTP_Referer|ARGS "vivalatinmag\.com"
-SecRule HTTP_Referer|ARGS "vivlart\.com"
-SecRule HTTP_Referer|ARGS "vixensisland\.com"
-SecRule HTTP_Referer|ARGS "vk1.biz"
-SecRule HTTP_Referer|ARGS "vladgorlum\.gotdns\.com"
-SecRule HTTP_Referer|ARGS "vladstepanov\.brunst\.dk"
-SecRule HTTP_Referer|ARGS "vnladiesdatingservices\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "vod-solutions\.com"
-SecRule HTTP_Referer|ARGS "voiphone\.cn"
-SecRule HTTP_Referer|ARGS "vomitandbusted\.com"
-SecRule HTTP_Referer|ARGS "vonormytexas\.us"
-SecRule HTTP_Referer|ARGS "vpmt\.com"
-SecRule HTTP_Referer|ARGS "vpshs\.com"
-SecRule HTTP_Referer|ARGS "\.casino-go\.com"
-SecRule HTTP_Referer|ARGS "vrajitor\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "vtsae\.org"
-SecRule HTTP_Referer|ARGS "\.finestrealty\.net"
-SecRule HTTP_Referer|ARGS "w5\.pl"
-SecRule HTTP_Referer|ARGS "wake\.rlights\.com"
-SecRule HTTP_Referer|ARGS "waldner-msa\.co\.uk"
-SecRule HTTP_Referer|ARGS "wancheng\.cn"
-SecRule HTTP_Referer|ARGS "warblog\.net"
-SecRule HTTP_Referer|ARGS "washere\.de"
-SecRule HTTP_Referer|ARGS "wastedpartygirls\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "watches-sales\.com"
-SecRule HTTP_Referer|ARGS "waterbeds-dot\.com"
-SecRule HTTP_Referer|ARGS "wayshell\.co\.uk"
-SecRule HTTP_Referer|ARGS "wazzup\.dnip\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "wblogs\.com"
-SecRule HTTP_Referer|ARGS "wcgaaa\.org"
-SecRule HTTP_Referer|ARGS "weareconfused\.org\.uk"
-SecRule HTTP_Referer|ARGS "wearethechampions\.com"
-SecRule HTTP_Referer|ARGS "web-aks\.com"
-SecRule HTTP_Referer|ARGS "webanfragen\.de"
-SecRule HTTP_Referer|ARGS "webblogs\.biz"
-SecRule HTTP_Referer|ARGS "web-cam-101\.com"
-SecRule HTTP_Referer|ARGS "webcam-erotiche\.com"
-SecRule HTTP_Referer|ARGS "web-cam-porn\.net"
-SecRule HTTP_Referer|ARGS "webcenter\.pl"
-SecRule HTTP_Referer|ARGS "web-cialis\.com"
-SecRule HTTP_Referer|ARGS "webcindario\.com"
-SecRule HTTP_Referer|ARGS "webcopywizard\.net"
-SecRule HTTP_Referer|ARGS "webhgh\.com"
-SecRule HTTP_Referer|ARGS "webimagineer\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "w-ebony\.com"
-SecRule HTTP_Referer|ARGS "webpark\.pl"
-SecRule HTTP_Referer|ARGS "webrank\.cn"
-SecRule HTTP_Referer|ARGS "web-revenue\.com"
-SecRule HTTP_Referer|ARGS "websitedesigningpromotion\.com"
-SecRule HTTP_Referer|ARGS "webwarper\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "weddings-info\.com"
-SecRule HTTP_Referer|ARGS "weddings-links\.com"
-SecRule HTTP_Referer|ARGS "weekend-cialis"
-SecRule HTTP_Referer|ARGS "weighlessrx\.com"
-SecRule HTTP_Referer|ARGS "weight-loss-central\.org"
-SecRule HTTP_Referer|ARGS "weight-loss-links\.net"
-SecRule HTTP_Referer|ARGS "weightlossplace\.net"
-SecRule HTTP_Referer|ARGS "weitere-stellenangebote\.de"
-SecRule HTTP_Referer|ARGS "we-live-together-4u\.com"
-SecRule HTTP_Referer|ARGS "wellness-getraenk\.de"
-SecRule HTTP_Referer|ARGS "wet-4all\.com"
-SecRule HTTP_Referer|ARGS "wethorny\.com"
-SecRule HTTP_Referer|ARGS "wet-pantie\.net"
-SecRule HTTP_Referer|ARGS "wet-pussy\.us"
-SecRule HTTP_Referer|ARGS "whackingpud\.com"
-SecRule HTTP_Referer|ARGS "whales\.com.ru"
-SecRule HTTP_Referer|ARGS "whincer\.net"
-SecRule HTTP_Referer|ARGS "whitehouse\.com"
-SecRule HTTP_Referer|ARGS "white-shadow-nasty-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "whizzkidsuk\.co\.uk"
-SecRule HTTP_Referer|ARGS "wholesalepocketbike\.com"
-SecRule HTTP_Referer|ARGS "wild-porno-girls\.com"
-SecRule HTTP_Referer|ARGS "willcommen\.de"
-SecRule HTTP_Referer|ARGS "wincmd\.ru"
-SecRule HTTP_Referer|ARGS "wincrestal\.com"
-SecRule HTTP_Referer|ARGS "windcomesdown\.com"
-SecRule HTTP_Referer|ARGS "wingtchun\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "win-in-poker\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "win-in-poker\.com"
-SecRule HTTP_Referer|ARGS "wirenorth\.com"
-SecRule HTTP_Referer|ARGS "wiset-online\.com"
-SecRule HTTP_Referer|ARGS "wisskie\.cx"
-SecRule HTTP_Referer|ARGS "witch-watch\.com"
-SecRule HTTP_Referer|ARGS "witz-net\.de"
-SecRule HTTP_Referer|ARGS "wizardsoul\.com"
-SecRule HTTP_Referer|ARGS "wonderfultits\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "woodyracing\.co\.uk"
-SecRule HTTP_Referer|ARGS "workfromhome-homebasedbusiness\.com"
-SecRule HTTP_Referer|ARGS "world-candle\.com"
-SecRule HTTP_Referer|ARGS "world-cheese\.com"
-SecRule HTTP_Referer|ARGS "worldmusic\.com"
-SecRule HTTP_Referer|ARGS "world-series-of-poker-1996\.com"
-SecRule HTTP_Referer|ARGS "worldsexi\.com"
-SecRule HTTP_Referer|ARGS "worldwidecasinosearch\.com"
-SecRule HTTP_Referer|ARGS "worldwide-deals\.net"
-SecRule HTTP_Referer|ARGS "worldwide-games\.net"
-SecRule HTTP_Referer|ARGS "worldwide-holdem\.com"
-SecRule HTTP_Referer|ARGS "worldwide-online-pharmacy\.net"
-SecRule HTTP_Referer|ARGS "worldwide-sources\.com"
-SecRule HTTP_Referer|ARGS "wotcher\.de"
-SecRule HTTP_Referer|ARGS "www\.pcpages\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "www-sesso"
-SecRule HTTP_Referer|ARGS "www\.sizegeneticspenis\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "www-webspace\.de"
-SecRule HTTP_Referer|ARGS "x24hr\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "xadultpersonals\.com"
-SecRule HTTP_Referer|ARGS "xaper\.com"
-SecRule HTTP_Referer|ARGS "x-baccarat\.com"
-SecRule HTTP_Referer|ARGS "x-baccarat\.us"
-SecRule HTTP_Referer|ARGS "x-beat\.com"
-SecRule HTTP_Referer|ARGS "x-bingo\.com"
-SecRule HTTP_Referer|ARGS "x-craps\.com"
-SecRule HTTP_Referer|ARGS "x-craps\.us"
-SecRule HTTP_Referer|ARGS "xdolar\.com"
-SecRule HTTP_Referer|ARGS "x-fioricet\.com"
-SecRule HTTP_Referer|ARGS "x-free-casino-games\.com"
-SecRule HTTP_Referer|ARGS "xfreehosting\.com"
-SecRule HTTP_Referer|ARGS "xgsmhlhc\.com"
-SecRule HTTP_Referer|ARGS "xgsm\.org"
-SecRule HTTP_Referer|ARGS "xingzhiye\.com"
-SecRule HTTP_Referer|ARGS "x-internet-casino\.com"
-SecRule HTTP_Referer|ARGS "xin-web\.de"
-SecRule HTTP_Referer|ARGS "x-jack\.us"
-SecRule HTTP_Referer|ARGS "xlboobs\.net"
-SecRule HTTP_Referer|ARGS "xmilf\.us"
-SecRule HTTP_Referer|ARGS "xmix\.net"
-SecRule HTTP_Referer|ARGS "xnxxx\.com"
-SecRule HTTP_Referer|ARGS "xondemand\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "xopy\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "x-pictures\.net"
-SecRule HTTP_Referer|ARGS "x-pictures\.org"
-SecRule HTTP_Referer|ARGS "xpictx\.com"
-SecRule HTTP_Referer|ARGS "xprescription\.com"
-SecRule HTTP_Referer|ARGS "xprv\.com"
-SecRule HTTP_Referer|ARGS "xratedcities\.com"
-SecRule HTTP_Referer|ARGS "xrated-midgets\.com"
-SecRule HTTP_Referer|ARGS "x-ring-tones\.com"
-SecRule HTTP_Referer|ARGS "x-ringtones\.com"
-SecRule HTTP_Referer|ARGS "x-roulette\.com"
-SecRule HTTP_Referer|ARGS "x-roulette\.us"
-SecRule HTTP_Referer|ARGS "x-roullete\.com"
-SecRule HTTP_Referer|ARGS "xsesso\.biz"
-SecRule HTTP_Referer|ARGS "x-slots\.com"
-SecRule HTTP_Referer|ARGS "x-slots\.us"
-SecRule HTTP_Referer|ARGS "x-stories\.org"
-SecRule HTTP_Referer|ARGS "xuev\.net"
-SecRule HTTP_Referer|ARGS "x-video-poker\.com"
-SecRule HTTP_Referer|ARGS "x-video-poker\.us"
-SecRule HTTP_Referer|ARGS "xxshopadult\.com"
-SecRule HTTP_Referer|ARGS "xxx-alt-sex-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "xxxchan\.com"
-SecRule HTTP_Referer|ARGS "xxx-database\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "xxx-database\.com"
-SecRule HTTP_Referer|ARGS "xxx-dvd\.biz"
-SecRule HTTP_Referer|ARGS "xxx-erotic-sex-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "xxx-first-time-sex-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "xxx-free-erotic-sex-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "xxx-gay-sex-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "xxx-girls-sex\.com"
-SecRule HTTP_Referer|ARGS "xxxlivewebcams\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "xxx-password-web\.com"
-SecRule HTTP_Referer|ARGS "xxx-pussy\.us"
-SecRule HTTP_Referer|ARGS "xxxseeker\.com"
-SecRule HTTP_Referer|ARGS "xxx-sex-movies\.org"
-SecRule HTTP_Referer|ARGS "xxx-sex-story-post\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "xxx-spanking-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "xxx-stories\.net"
-SecRule HTTP_Referer|ARGS "xxx-story\.blogspot\.com"
-SecRule HTTP_Referer|ARGS "xxxwashington\.com"
-SecRule HTTP_Referer|ARGS "xz9\.com"
-SecRule HTTP_Referer|ARGS "yaninediaz\.com"
-SecRule HTTP_Referer|ARGS "ybuano\.org"
-SecRule HTTP_Referer|ARGS "yellowmonkey2\.com"
-SecRule HTTP_Referer|ARGS "yellowmonkey55\.com"
-SecRule HTTP_Referer|ARGS "yellowmonkey\.com"
-SecRule HTTP_Referer|ARGS "yelucie\.com"
-SecRule HTTP_Referer|ARGS "yf8\.com"
-SecRule HTTP_Referer|ARGS "yisosky\.vip\.sina\.com"
-SecRule HTTP_Referer|ARGS "ymf\.name"
-SecRule HTTP_Referer|ARGS "yoga-mats\.freeservers\.com"
-SecRule HTTP_Referer|ARGS "yoll\.net"
-SecRule HTTP_Referer|ARGS "you-date\.com"
-SecRule HTTP_Referer|ARGS "young-ass\.us"
-SecRule HTTP_Referer|ARGS "yourcialis\.info"
-SecRule HTTP_Referer|ARGS "yourdentalinsuranceonline\.com"
-SecRule HTTP_Referer|ARGS "yourowncolours\.co\.uk"
-SecRule HTTP_Referer|ARGS "yourserver\.com"
-SecRule HTTP_Referer|ARGS "your-tattoo\.de"
-SecRule HTTP_Referer|ARGS "ypoker\.net"
-SecRule HTTP_Referer|ARGS "yubatech\.com"
-SecRule HTTP_Referer|ARGS "yukka\.inc\.ru"
-SecRule HTTP_Referer|ARGS "zalaszentgrot\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "zalaszentgrot\.com"
-SecRule HTTP_Referer|ARGS "zaotao\.com"
-SecRule HTTP_Referer|ARGS "zapto\.org"
-SecRule HTTP_Referer|ARGS "zazlibrary\.com"
-SecRule HTTP_Referer|ARGS "zenno\.info"
-SecRule HTTP_Referer|ARGS "zfgfz\.net"
-SecRule HTTP_Referer|ARGS "zipcodedownload\.com"
-SecRule HTTP_Referer|ARGS "zipcodesmap\.com"
-SecRule HTTP_Referer|ARGS "zithromax-online\.net"
-SecRule HTTP_Referer|ARGS "zj\.com"
-SecRule HTTP_Referer|ARGS "zone-b51\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "zone-b51\.com"
-SecRule HTTP_Referer|ARGS "zooeurope\.com"
-SecRule HTTP_Referer|ARGS "zoofil\.com"
-SecRule HTTP_Referer|ARGS "zoofilia-fotos\.com"
-SecRule HTTP_Referer|ARGS "zoomaniz\.flnet\.org"
-SecRule HTTP_Referer|ARGS "zoo-sex\.biz"
-SecRule HTTP_Referer|ARGS "zoo-sex\.info"
-SecRule HTTP_Referer|ARGS "zoosex-motion-videos\.com"
-SecRule HTTP_Referer|ARGS "zoo-sex-pics\.com"
-SecRule HTTP_Referer|ARGS "zoosex-pictures\.com"
-SecRule HTTP_Referer|ARGS "zoosx\.net"
-SecRule HTTP_Referer|ARGS "zoo-zone\.com"
-SecRule HTTP_Referer|ARGS "zpics\.net"
-SecRule HTTP_Referer|ARGS "zt148\.com"
-SecRule HTTP_Referer|ARGS "zum-bestpreis\.de"
-SecRule HTTP_Referer|ARGS "zweree\.com"
-SecRule HTTP_Referer|ARGS "zwiebelbacke\.com"
-SecRule HTTP_Referer|ARGS "zxyzxy\.com"
-SecRule HTTP_Referer|ARGS "thetrafficproject\.com"
-SecRule HTTP_Referer|ARGS "www\.linkboxed\.com"
-SecRule HTTP_Referer|ARGS "online-casino-tfx\.com"
-SecRule HTTP_Referer|ARGS "taylorbow\.com"
-SecRule HTTP_Referer "/t[0-9]/pps=wm/$"
-SecRule HTTP_Referer|ARGS "search-ok.com"
-SecRule HTTP_Referer|ARGS "\.acfair\.org"
-SecRule HTTP_Referer|ARGS "take-poker\.com"
-SecRule HTTP_Referer|ARGS "\.bignews\.com"
-SecRule HTTP_Referer|ARGS "\.wieler-forum\.nl"
-SecRule HTTP_Referer|ARGS "\.monstersofcock\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.ablejobs\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.unanimedicine\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.twinstatesnetwork\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.mentorsverige\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.gacicuba\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[\w\-_.]*(real)+[\w\-_.]*(estate+)[\w\-_.]*(sale)+\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "antiquejunkyard\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "antiquemarketplace*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "antique.*place*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(poker|(hold)+[\w\-_.]*em)+[\w\-_.]*(bonus|refill|party)"
-SecRule HTTP_Referer|ARGS "nemasoft\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "pillspenis\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "bitlocker\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(party|bonus|refill|(hold)+[\w\-_.]*em)+[\w\-_.]poker"
-SecRule HTTP_Referer|ARGS "01housing\.com"
-SecRule HTTP_Referer|ARGS "01housing\.net"
-SecRule HTTP_Referer|ARGS "02refi\.net"
-SecRule HTTP_Referer|ARGS "03housing\.com"
-SecRule HTTP_Referer|ARGS "0p3nbsd\.com"
-SecRule HTTP_Referer|ARGS "12081240chicks\.info"
-SecRule HTTP_Referer|ARGS "12321412chicks\.info"
-SecRule HTTP_Referer|ARGS "12321chicks\.info"
-SecRule HTTP_Referer|ARGS "123adv\.info"
-SecRule HTTP_Referer|ARGS "1241chicks\.info"
-SecRule HTTP_Referer|ARGS "1244281hotties\.info"
-SecRule HTTP_Referer|ARGS "12484821hottones\.info"
-SecRule HTTP_Referer|ARGS "13-yaochu\.com"
-SecRule HTTP_Referer|ARGS "132412414hotchicks\.info"
-SecRule HTTP_Referer|ARGS "1primeonlineawarduklott0\.com"
-SecRule HTTP_Referer|ARGS "1stedaytrader\.com"
-SecRule HTTP_Referer|ARGS "2000greetingsnews\.com"
-SecRule HTTP_Referer|ARGS "247andmore\.com"
-SecRule HTTP_Referer|ARGS "247extraz\.info"
-SecRule HTTP_Referer|ARGS "3-ankou\.com"
-SecRule HTTP_Referer|ARGS "3-bai-man\.com"
-SecRule HTTP_Referer|ARGS "3-cha\.com"
-SecRule HTTP_Referer|ARGS "3-doupon\.com"
-SecRule HTTP_Referer|ARGS "3bs0fnsfas\.com"
-SecRule HTTP_Referer|ARGS "3jnbsabwkd\.com"
-SecRule HTTP_Referer|ARGS "4-ankou\.com"
-SecRule HTTP_Referer|ARGS "50-cent\.biz"
-SecRule HTTP_Referer|ARGS "62mort\.net"
-SecRule HTTP_Referer|ARGS "73hsg\.info"
-SecRule HTTP_Referer|ARGS "77holisticretreat\.com"
-SecRule HTTP_Referer|ARGS "7start\.com"
-SecRule HTTP_Referer|ARGS "a11-1\.com"
-SecRule HTTP_Referer|ARGS "a11-4\.com"
-SecRule HTTP_Referer|ARGS "a4-1\.com"
-SecRule HTTP_Referer|ARGS "a92ms\.info"
-SecRule HTTP_Referer|ARGS "aaadfdf\.info"
-SecRule HTTP_Referer|ARGS "aadlfjdl\.info"
-SecRule HTTP_Referer|ARGS "aanddproperties\.com"
-SecRule HTTP_Referer|ARGS "aanetsolutions\.com"
-SecRule HTTP_Referer|ARGS "aaronfostergallery\.com"
-SecRule HTTP_Referer|ARGS "abbeynationaladmin\.com"
-SecRule HTTP_Referer|ARGS "abbeynetservices\.com"
-SecRule HTTP_Referer|ARGS "abcdhouse\.com"
-SecRule HTTP_Referer|ARGS "aboritel\.com"
-SecRule HTTP_Referer|ARGS "about-online-dating\.net"
-SecRule HTTP_Referer|ARGS "aboutali\.info"
-SecRule HTTP_Referer|ARGS "abouthandwashing\.com"
-SecRule HTTP_Referer|ARGS "aboutthedirection\.com"
-SecRule HTTP_Referer|ARGS "abscind\.info"
-SecRule HTTP_Referer|ARGS "absoluteandfabulous\.com"
-SecRule HTTP_Referer|ARGS "abundantmail\.net"
-SecRule HTTP_Referer|ARGS "abvbs\.com"
-SecRule HTTP_Referer|ARGS "abxwt\.com"
-SecRule HTTP_Referer|ARGS "acashcownow\.com"
-SecRule HTTP_Referer|ARGS "acception\.info"
-SecRule HTTP_Referer|ARGS "acclaimedia\.biz"
-SecRule HTTP_Referer|ARGS "accordingtocorbin\.com"
-SecRule HTTP_Referer|ARGS "accsplus\.com"
-SecRule HTTP_Referer|ARGS "acehardwarexport\.com"
-SecRule HTTP_Referer|ARGS "acewest\.info"
-SecRule HTTP_Referer|ARGS "achievefinancialsolutions\.com"
-SecRule HTTP_Referer|ARGS "achievevibranthealth\.com"
-SecRule HTTP_Referer|ARGS "achop\.com"
-SecRule HTTP_Referer|ARGS "achtakolivseg\.biz"
-SecRule HTTP_Referer|ARGS "ackridge\.com"
-SecRule HTTP_Referer|ARGS "acopiollc\.com"
-SecRule HTTP_Referer|ARGS "acsnm\.com"
-SecRule HTTP_Referer|ARGS "action-enterprises\.net"
-SecRule HTTP_Referer|ARGS "actionnasty\.com"
-SecRule HTTP_Referer|ARGS "adcomakerkk\.com"
-SecRule HTTP_Referer|ARGS "addirectline\.com"
-SecRule HTTP_Referer|ARGS "adedea\.com"
-SecRule HTTP_Referer|ARGS "adherences\.net"
-SecRule HTTP_Referer|ARGS "adidasgolftest\.com"
-SecRule HTTP_Referer|ARGS "adipredweb\.com"
-SecRule HTTP_Referer|ARGS "adrianahowse\.com"
-SecRule HTTP_Referer|ARGS "adrugstoreandmore\.us"
-SecRule HTTP_Referer|ARGS "adtricity\.com"
-SecRule HTTP_Referer|ARGS "aduicn\.com"
-SecRule HTTP_Referer|ARGS "adult-news-info\.biz"
-SecRule HTTP_Referer|ARGS "adult-news-info\.info"
-SecRule HTTP_Referer|ARGS "adultmobileclub\.net"
-SecRule HTTP_Referer|ARGS "adultpro\.biz"
-SecRule HTTP_Referer|ARGS "advancedastro\.com"
-SecRule HTTP_Referer|ARGS "advanceddrugstores\.us"
-SecRule HTTP_Referer|ARGS "advantagedrugstore\.us"
-SecRule HTTP_Referer|ARGS "advantageprimarycare\.com"
-SecRule HTTP_Referer|ARGS "advertisingsignsthatwork\.com"
-SecRule HTTP_Referer|ARGS "aeropark\.info"
-SecRule HTTP_Referer|ARGS "aetilogis\.com"
-SecRule HTTP_Referer|ARGS "affinitydrugstore\.us"
-SecRule HTTP_Referer|ARGS "affinitydrugstores\.us"
-SecRule HTTP_Referer|ARGS "affinityinvest\.com"
-SecRule HTTP_Referer|ARGS "affordable-drugstore\.us"
-SecRule HTTP_Referer|ARGS "afridbank\.com"
-SecRule HTTP_Referer|ARGS "afsclub\.com"
-SecRule HTTP_Referer|ARGS "afstunn\.com"
-SecRule HTTP_Referer|ARGS "agentnine\.info"
-SecRule HTTP_Referer|ARGS "agitatedly\.net"
-SecRule HTTP_Referer|ARGS "agn-03h\.com"
-SecRule HTTP_Referer|ARGS "airmember\.info"
-SecRule HTTP_Referer|ARGS "aj2n\.info"
-SecRule HTTP_Referer|ARGS "akeliihoomalu\.org"
-SecRule HTTP_Referer|ARGS "alaac\.com"
-SecRule HTTP_Referer|ARGS "alamassahafa\.com"
-SecRule HTTP_Referer|ARGS "albinawholesale\.com"
-SecRule HTTP_Referer|ARGS "albuenoair\.net"
-SecRule HTTP_Referer|ARGS "alehsantradingco\.com"
-SecRule HTTP_Referer|ARGS "alewasogly\.com"
-SecRule HTTP_Referer|ARGS "alexeifam\.com"
-SecRule HTTP_Referer|ARGS "alienahyes\.com"
-SecRule HTTP_Referer|ARGS "alksjdhkjadf\.com"
-SecRule HTTP_Referer|ARGS "alloemsale\.com"
-SecRule HTTP_Referer|ARGS "alloemsale\.net"
-SecRule HTTP_Referer|ARGS "allplayershere\.com"
-SecRule HTTP_Referer|ARGS "allyouasked2\.com"
-SecRule HTTP_Referer|ARGS "almaghrabiaw\.com"
-SecRule HTTP_Referer|ARGS "alpinegirl\.info"
-SecRule HTTP_Referer|ARGS "alsgo\.com"
-SecRule HTTP_Referer|ARGS "alt-l0ve\.com"
-SecRule HTTP_Referer|ARGS "alternatieva\.com"
-SecRule HTTP_Referer|ARGS "alternative-l0ve\.com"
-SecRule HTTP_Referer|ARGS "altintsol\.com"
-SecRule HTTP_Referer|ARGS "alutop\.de"
-SecRule HTTP_Referer|ARGS "amazingwebdeals\.biz"
-SecRule HTTP_Referer|ARGS "ambcommercial\.com"
-SecRule HTTP_Referer|ARGS "ambrobankplc\.com"
-SecRule HTTP_Referer|ARGS "ameland-online\.com"
-SecRule HTTP_Referer|ARGS "americanimagedomain\.com"
-SecRule HTTP_Referer|ARGS "amerid\.info"
-SecRule HTTP_Referer|ARGS "amerik\.info"
-SecRule HTTP_Referer|ARGS "ameril\.info"
-SecRule HTTP_Referer|ARGS "amerip\.info"
-SecRule HTTP_Referer|ARGS "aminisen\.com"
-SecRule HTTP_Referer|ARGS "aminobenzoic\.info"
-SecRule HTTP_Referer|ARGS "amturiam\.com"
-SecRule HTTP_Referer|ARGS "an-fm03\.com"
-SecRule HTTP_Referer|ARGS "analoholic\.com"
-SecRule HTTP_Referer|ARGS "anarecruciato\.com"
-SecRule HTTP_Referer|ARGS "ancakacon\.com"
-SecRule HTTP_Referer|ARGS "anchorbounce\.com"
-SecRule HTTP_Referer|ARGS "anchorreplyto\.com"
-SecRule HTTP_Referer|ARGS "andyplatinum\.com"
-SecRule HTTP_Referer|ARGS "angajatori\.net"
-SecRule HTTP_Referer|ARGS "angelsthegroup\.com"
-SecRule HTTP_Referer|ARGS "anionic\.info"
-SecRule HTTP_Referer|ARGS "annabaty\.info"
-SecRule HTTP_Referer|ARGS "ansiidia\.com"
-SecRule HTTP_Referer|ARGS "answersdirect\.net"
-SecRule HTTP_Referer|ARGS "antanawy\.com"
-SecRule HTTP_Referer|ARGS "antillenschool\.com"
-SecRule HTTP_Referer|ARGS "antique-mirror\.com"
-SecRule HTTP_Referer|ARGS "antonshill\.com"
-SecRule HTTP_Referer|ARGS "any-trans\.com"
-SecRule HTTP_Referer|ARGS "anycallloan\.net"
-SecRule HTTP_Referer|ARGS "anyshop\.org"
-SecRule HTTP_Referer|ARGS "ap-fly\.com"
-SecRule HTTP_Referer|ARGS "apaceweb\.com"
-SecRule HTTP_Referer|ARGS "aplinemak\.com"
-SecRule HTTP_Referer|ARGS "apolloniakl\.com"
-SecRule HTTP_Referer|ARGS "appeases\.net"
-SecRule HTTP_Referer|ARGS "applcash\.net"
-SecRule HTTP_Referer|ARGS "applemailer\.com"
-SecRule HTTP_Referer|ARGS "applystatus\.info"
-SecRule HTTP_Referer|ARGS "applytosave\.net"
-SecRule HTTP_Referer|ARGS "aprilnews\.info"
-SecRule HTTP_Referer|ARGS "aran-technologies\.com"
-SecRule HTTP_Referer|ARGS "archivewrap\.com"
-SecRule HTTP_Referer|ARGS "arcvt\.info"
-SecRule HTTP_Referer|ARGS "arew1\.com"
-SecRule HTTP_Referer|ARGS "arew2\.com"
-SecRule HTTP_Referer|ARGS "areyousmoker\.com"
-SecRule HTTP_Referer|ARGS "argusdv\.com"
-SecRule HTTP_Referer|ARGS "arigatouo\.net"
-SecRule HTTP_Referer|ARGS "artberber\.com"
-SecRule HTTP_Referer|ARGS "articulators\.com"
-SecRule HTTP_Referer|ARGS "asdhasdh\.info"
-SecRule HTTP_Referer|ARGS "asdjss\.info"
-SecRule HTTP_Referer|ARGS "asdokawo\.com"
-SecRule HTTP_Referer|ARGS "aseanxxx\.com"
-SecRule HTTP_Referer|ARGS "ashaliterary\.com"
-SecRule HTTP_Referer|ARGS "asinojet\.com"
-SecRule HTTP_Referer|ARGS "asioidoi\.info"
-SecRule HTTP_Referer|ARGS "aslannis\.com"
-SecRule HTTP_Referer|ARGS "associate-finance\.com"
-SecRule HTTP_Referer|ARGS "atfon\.info"
-SecRule HTTP_Referer|ARGS "atimepiece\.net"
-SecRule HTTP_Referer|ARGS "atlanticexportandimportcompany\.net"
-SecRule HTTP_Referer|ARGS "atomicoffers\.com"
-SecRule HTTP_Referer|ARGS "atressys\.com"
-SecRule HTTP_Referer|ARGS "atrinargete\.com"
-SecRule HTTP_Referer|ARGS "attorneybrianwilliams\.com"
-SecRule HTTP_Referer|ARGS "atyana\.info"
-SecRule HTTP_Referer|ARGS "auditorr\.net"
-SecRule HTTP_Referer|ARGS "austindirectimpact\.com"
-SecRule HTTP_Referer|ARGS "autoforsx\.com"
-SecRule HTTP_Referer|ARGS "automaticlandingcorp\.com"
-SecRule HTTP_Referer|ARGS "autorik\.com"
-SecRule HTTP_Referer|ARGS "avablecants\.com"
-SecRule HTTP_Referer|ARGS "avatexwoolgroups\.biz"
-SecRule HTTP_Referer|ARGS "avaunts\.net"
-SecRule HTTP_Referer|ARGS "averaged\.info"
-SecRule HTTP_Referer|ARGS "avhappy\.net"
-SecRule HTTP_Referer|ARGS "avicomnet\.net"
-SecRule HTTP_Referer|ARGS "avidlender\.com"
-SecRule HTTP_Referer|ARGS "avillestins\.com"
-SecRule HTTP_Referer|ARGS "avinetcom\.net"
-SecRule HTTP_Referer|ARGS "avole\.info"
-SecRule HTTP_Referer|ARGS "avonelpaso\.com"
-SecRule HTTP_Referer|ARGS "avysnamiinderte\.biz"
-SecRule HTTP_Referer|ARGS "awg5\.net"
-SecRule HTTP_Referer|ARGS "awhile\.info"
-SecRule HTTP_Referer|ARGS "axece\.info"
-SecRule HTTP_Referer|ARGS "aztlantrainingcenter\.com"
-SecRule HTTP_Referer|ARGS "b-i-l\.com"
-SecRule HTTP_Referer|ARGS "b2bfeatures\.com"
-SecRule HTTP_Referer|ARGS "b3fcv2\.com"
-SecRule HTTP_Referer|ARGS "babescan\.info"
-SecRule HTTP_Referer|ARGS "back2schoolgiftcard\.com"
-SecRule HTTP_Referer|ARGS "badrun\.info"
-SecRule HTTP_Referer|ARGS "bai-man\.com"
-SecRule HTTP_Referer|ARGS "baldermistletoenail\.com"
-SecRule HTTP_Referer|ARGS "ballershockcaller\.com"
-SecRule HTTP_Referer|ARGS "ballknowsall\.net"
-SecRule HTTP_Referer|ARGS "ballmilitary\.com"
-SecRule HTTP_Referer|ARGS "bamaft\.net"
-SecRule HTTP_Referer|ARGS "banging1214chicks\.info"
-SecRule HTTP_Referer|ARGS "bankerbreath\.com"
-SecRule HTTP_Referer|ARGS "bankofthewestcorp\.com"
-SecRule HTTP_Referer|ARGS "baplayer2\.com"
-SecRule HTTP_Referer|ARGS "barbaraken\.info"
-SecRule HTTP_Referer|ARGS "barclaysbankzone\.net"
-SecRule HTTP_Referer|ARGS "barclaysbankzoneworld\.net"
-SecRule HTTP_Referer|ARGS "barearth\.com"
-SecRule HTTP_Referer|ARGS "barreforhirst\.com"
-SecRule HTTP_Referer|ARGS "barristeradamswalters\.com"
-SecRule HTTP_Referer|ARGS "barristerjamesibe\.com"
-SecRule HTTP_Referer|ARGS "barrytigers\.com"
-SecRule HTTP_Referer|ARGS "barsaroundtown\.info"
-SecRule HTTP_Referer|ARGS "basdaf\.com"
-SecRule HTTP_Referer|ARGS "base-poker\.com"
-SecRule HTTP_Referer|ARGS "basesof\.com"
-SecRule HTTP_Referer|ARGS "bataksrc\.com"
-SecRule HTTP_Referer|ARGS "batch-tracker\.com"
-SecRule HTTP_Referer|ARGS "batejebubu\.net"
-SecRule HTTP_Referer|ARGS "bcccmpl\.com"
-SecRule HTTP_Referer|ARGS "bdls-company\.com"
-SecRule HTTP_Referer|ARGS "beatleblitz8\.com"
-SecRule HTTP_Referer|ARGS "becali\.biz"
-SecRule HTTP_Referer|ARGS "becauseco\.com"
-SecRule HTTP_Referer|ARGS "bedkx\.com"
-SecRule HTTP_Referer|ARGS "bednight\.info"
-SecRule HTTP_Referer|ARGS "bedroom-fun\.net"
-SecRule HTTP_Referer|ARGS "bedroom-times\.net"
-SecRule HTTP_Referer|ARGS "bedroomsecret\.net"
-SecRule HTTP_Referer|ARGS "beenzonline\.com"
-SecRule HTTP_Referer|ARGS "behaviormetrix\.com"
-SecRule HTTP_Referer|ARGS "belleone\.info"
-SecRule HTTP_Referer|ARGS "bemeboqu\.com"
-SecRule HTTP_Referer|ARGS "benlight\.com"
-SecRule HTTP_Referer|ARGS "bensonbluesenterprises\.com"
-SecRule HTTP_Referer|ARGS "bentleyrealty\.net"
-SecRule HTTP_Referer|ARGS "ber3csa\.com"
-SecRule HTTP_Referer|ARGS "bereu\.info"
-SecRule HTTP_Referer|ARGS "besosepoqagi\.info"
-SecRule HTTP_Referer|ARGS "best-car-insurance-offer\.com"
-SecRule HTTP_Referer|ARGS "best-hosting-offer\.com"
-SecRule HTTP_Referer|ARGS "bestadena\.net"
-SecRule HTTP_Referer|ARGS "bestannual\.com"
-SecRule HTTP_Referer|ARGS "bestbuyingshoppers\.com"
-SecRule HTTP_Referer|ARGS "bestmailcenter\.net"
-SecRule HTTP_Referer|ARGS "bestmarketwatch\.com"
-SecRule HTTP_Referer|ARGS "bestpricewatch\.net"
-SecRule HTTP_Referer|ARGS "bestrates-4-you\.net"
-SecRule HTTP_Referer|ARGS "besttimeisnow\.com"
-SecRule HTTP_Referer|ARGS "bestwatchbuy\.net"
-SecRule HTTP_Referer|ARGS "bestwatchdealers\.net"
-SecRule HTTP_Referer|ARGS "bestwecanofferyou\.com"
-SecRule HTTP_Referer|ARGS "bethroy\.info"
-SecRule HTTP_Referer|ARGS "betifulpate\.com"
-SecRule HTTP_Referer|ARGS "betr\.info"
-SecRule HTTP_Referer|ARGS "bettercheaper\.info"
-SecRule HTTP_Referer|ARGS "betteroffers\.info"
-SecRule HTTP_Referer|ARGS "betuqepo\.com"
-SecRule HTTP_Referer|ARGS "bewarepotholes\.net"
-SecRule HTTP_Referer|ARGS "bfjdo\.com"
-SecRule HTTP_Referer|ARGS "bhaaglehighrealtor\.com"
-SecRule HTTP_Referer|ARGS "bibtree\.info"
-SecRule HTTP_Referer|ARGS "bigboynegroup\.info"
-SecRule HTTP_Referer|ARGS "bigflux\.net"
-SecRule HTTP_Referer|ARGS "bigpinktoys\.com"
-SecRule HTTP_Referer|ARGS "bigresourcescorp\.info"
-SecRule HTTP_Referer|ARGS "bigtoyraffle\.com"
-SecRule HTTP_Referer|ARGS "bil-promo-announce\.net"
-SecRule HTTP_Referer|ARGS "binghamcounty\.org"
-SecRule HTTP_Referer|ARGS "bioplasm\.net"
-SecRule HTTP_Referer|ARGS "bis2626\.com"
-SecRule HTTP_Referer|ARGS "bitmash\.info"
-SecRule HTTP_Referer|ARGS "bizwhiteteeth\.com"
-SecRule HTTP_Referer|ARGS "blackhelicoptervideo\.com"
-SecRule HTTP_Referer|ARGS "blankink\.com"
-SecRule HTTP_Referer|ARGS "blankmafia\.com"
-SecRule HTTP_Referer|ARGS "blankroom\.com"
-SecRule HTTP_Referer|ARGS "blanksugar\.com"
-SecRule HTTP_Referer|ARGS "blayway\.com"
-SecRule HTTP_Referer|ARGS "bleachyourteethwhite\.com"
-SecRule HTTP_Referer|ARGS "blendeddifyingyang\.com"
-SecRule HTTP_Referer|ARGS "blest-poker\.com"
-SecRule HTTP_Referer|ARGS "blisses\.net"
-SecRule HTTP_Referer|ARGS "bloats\.net"
-SecRule HTTP_Referer|ARGS "blog-whore\.info"
-SecRule HTTP_Referer|ARGS "bloodily\.net"
-SecRule HTTP_Referer|ARGS "bloxster\.net"
-SecRule HTTP_Referer|ARGS "bluehopscotch\.net"
-SecRule HTTP_Referer|ARGS "bluewadeline\.com"
-SecRule HTTP_Referer|ARGS "blummanroadcorp\.com"
-SecRule HTTP_Referer|ARGS "blurbb\.net"
-SecRule HTTP_Referer|ARGS "blutjung\.de"
-SecRule HTTP_Referer|ARGS "bmort\.net"
-SecRule HTTP_Referer|ARGS "bmwnicecar\.com"
-SecRule HTTP_Referer|ARGS "bnewoei\.com"
-SecRule HTTP_Referer|ARGS "bojeu\.info"
-SecRule HTTP_Referer|ARGS "bookacab\.net"
-SecRule HTTP_Referer|ARGS "bookwhiteteeth\.com"
-SecRule HTTP_Referer|ARGS "borderbulkfoods-company-au\.net"
-SecRule HTTP_Referer|ARGS "borderbulkfoodscompanyltd\.com"
-SecRule HTTP_Referer|ARGS "boredofdirctors\.com"
-SecRule HTTP_Referer|ARGS "born2-invest\.com"
-SecRule HTTP_Referer|ARGS "bounding\.net"
-SecRule HTTP_Referer|ARGS "bowemalovory\.com"
-SecRule HTTP_Referer|ARGS "boysenberrymailer\.com"
-SecRule HTTP_Referer|ARGS "bradastew\.com"
-SecRule HTTP_Referer|ARGS "brainery\.org"
-SecRule HTTP_Referer|ARGS "brainsforever\.info"
-SecRule HTTP_Referer|ARGS "branddamage\.org"
-SecRule HTTP_Referer|ARGS "brandvalu\.com"
-SecRule HTTP_Referer|ARGS "brassed\.net"
-SecRule HTTP_Referer|ARGS "brbberney\.com"
-SecRule HTTP_Referer|ARGS "breetreebree\.com"
-SecRule HTTP_Referer|ARGS "brefasatake\.com"
-SecRule HTTP_Referer|ARGS "bride-anna\.net"
-SecRule HTTP_Referer|ARGS "bride-julia\.com"
-SecRule HTTP_Referer|ARGS "bride-julia\.net"
-SecRule HTTP_Referer|ARGS "bride-maria\.com"
-SecRule HTTP_Referer|ARGS "bride-olga\.net"
-SecRule HTTP_Referer|ARGS "bridgeunion\.info"
-SecRule HTTP_Referer|ARGS "brit-online-lot-uk\.net"
-SecRule HTTP_Referer|ARGS "british-lottrey\.net"
-SecRule HTTP_Referer|ARGS "british-online-lot-uk\.com"
-SecRule HTTP_Referer|ARGS "britishconsulateoffice\.com"
-SecRule HTTP_Referer|ARGS "britishnotice\.com"
-SecRule HTTP_Referer|ARGS "broadeners\.net"
-SecRule HTTP_Referer|ARGS "broadwayviewenterprises\.com"
-SecRule HTTP_Referer|ARGS "broozledmnej\.com"
-SecRule HTTP_Referer|ARGS "brotherse\.com"
-SecRule HTTP_Referer|ARGS "browsebnus\.com"
-SecRule HTTP_Referer|ARGS "browsebonus\.com"
-SecRule HTTP_Referer|ARGS "brwsebonus\.com"
-SecRule HTTP_Referer|ARGS "bryantsevws\.net"
-SecRule HTTP_Referer|ARGS "bstonnte\.com"
-SecRule HTTP_Referer|ARGS "btcitogo\.com"
-SecRule HTTP_Referer|ARGS "btl-onlinedraw\.com"
-SecRule HTTP_Referer|ARGS "btlfoundation\.com"
-SecRule HTTP_Referer|ARGS "btlottery2005intl\.biz"
-SecRule HTTP_Referer|ARGS "bucketed\.net"
-SecRule HTTP_Referer|ARGS "budetvsyasvoit\.biz"
-SecRule HTTP_Referer|ARGS "bullringer\.com"
-SecRule HTTP_Referer|ARGS "bullyontheblock\.net"
-SecRule HTTP_Referer|ARGS "buy-playernow\.com"
-SecRule HTTP_Referer|ARGS "buyhealthseek\.com"
-SecRule HTTP_Referer|ARGS "buymaxxlength\.info"
-SecRule HTTP_Referer|ARGS "buymultiorgasm\.info"
-SecRule HTTP_Referer|ARGS "buzzadoass\.com"
-SecRule HTTP_Referer|ARGS "bvet\.info"
-SecRule HTTP_Referer|ARGS "bwst\.us"
-SecRule HTTP_Referer|ARGS "bwv361\.com"
-SecRule HTTP_Referer|ARGS "byego\.com"
-SecRule HTTP_Referer|ARGS "byfunapago\.com"
-SecRule HTTP_Referer|ARGS "bymadydepy\.info"
-SecRule HTTP_Referer|ARGS "bypynowu\.info"
-SecRule HTTP_Referer|ARGS "c1ass4you2day\.com"
-SecRule HTTP_Referer|ARGS "cajatrustsecurity\.org"
-SecRule HTTP_Referer|ARGS "calecotusm\.com"
-SecRule HTTP_Referer|ARGS "camagueyrealestate\.com"
-SecRule HTTP_Referer|ARGS "camellianews\.com"
-SecRule HTTP_Referer|ARGS "campinile\.info"
-SecRule HTTP_Referer|ARGS "campoave\.com"
-SecRule HTTP_Referer|ARGS "camptiger\.info"
-SecRule HTTP_Referer|ARGS "canarycigar\.info"
-SecRule HTTP_Referer|ARGS "candydavis\.info"
-SecRule HTTP_Referer|ARGS "canportal\.info"
-SecRule HTTP_Referer|ARGS "canvasmasterpieces\.net"
-SecRule HTTP_Referer|ARGS "capacitashar\.com"
-SecRule HTTP_Referer|ARGS "caplifeinsurance\.com"
-SecRule HTTP_Referer|ARGS "carehero\.info"
-SecRule HTTP_Referer|ARGS "caricepice\.com"
-SecRule HTTP_Referer|ARGS "carrycot\.net"
-SecRule HTTP_Referer|ARGS "carvali\.info"
-SecRule HTTP_Referer|ARGS "cash-advance-offer\.com"
-SecRule HTTP_Referer|ARGS "cashif\.info"
-SecRule HTTP_Referer|ARGS "cassigear\.com"
-SecRule HTTP_Referer|ARGS "castlepinesn\.com"
-SecRule HTTP_Referer|ARGS "caticcar\.com"
-SecRule HTTP_Referer|ARGS "cavugejyty\.com"
-SecRule HTTP_Referer|ARGS "ccarefi\.net"
-SecRule HTTP_Referer|ARGS "ccgonline\.biz"
-SecRule HTTP_Referer|ARGS "cegabyqo\.com"
-SecRule HTTP_Referer|ARGS "centralbankgovernor-nigr\.com"
-SecRule HTTP_Referer|ARGS "centralbankplcworld\.net"
-SecRule HTTP_Referer|ARGS "cesunoqumo\.org"
-SecRule HTTP_Referer|ARGS "cetai\.info"
-SecRule HTTP_Referer|ARGS "ceth\.info"
-SecRule HTTP_Referer|ARGS "cevefemozety\.com"
-SecRule HTTP_Referer|ARGS "cfbsworld\.net"
-SecRule HTTP_Referer|ARGS "cgi3-ebay-billing-accounts-updating\.com"
-SecRule HTTP_Referer|ARGS "chadlane\.net"
-SecRule HTTP_Referer|ARGS "chaepro\.info"
-SecRule HTTP_Referer|ARGS "challiend\.com"
-SecRule HTTP_Referer|ARGS "chan-ja\.com"
-SecRule HTTP_Referer|ARGS "chan-ta\.com"
-SecRule HTTP_Referer|ARGS "chaojinvsheng\.com"
-SecRule HTTP_Referer|ARGS "chap8\.com"
-SecRule HTTP_Referer|ARGS "charles-bizey\.com"
-SecRule HTTP_Referer|ARGS "charlestownsales\.com"
-SecRule HTTP_Referer|ARGS "charliegrove\.info"
-SecRule HTTP_Referer|ARGS "chasecargocompanyltd\.com"
-SecRule HTTP_Referer|ARGS "cheaperbetter\.info"
-SecRule HTTP_Referer|ARGS "cheaphealthsite\.com"
-SecRule HTTP_Referer|ARGS "cheappricing\.com"
-SecRule HTTP_Referer|ARGS "cheapwatchez\.net"
-SecRule HTTP_Referer|ARGS "checkingmarkets\.com"
-SecRule HTTP_Referer|ARGS "checkrefinance\.com"
-SecRule HTTP_Referer|ARGS "cheesier\.net"
-SecRule HTTP_Referer|ARGS "chemistry-of-love\.biz"
-SecRule HTTP_Referer|ARGS "chemistry-of-love\.net"
-SecRule HTTP_Referer|ARGS "chestiest\.net"
-SecRule HTTP_Referer|ARGS "chieftan\.net"
-SecRule HTTP_Referer|ARGS "chinchicks\.info"
-SecRule HTTP_Referer|ARGS "chinese-viagra\.com"
-SecRule HTTP_Referer|ARGS "chipblank\.com"
-SecRule HTTP_Referer|ARGS "chmielj\.org"
-SecRule HTTP_Referer|ARGS "choosesupportenterprises\.com"
-SecRule HTTP_Referer|ARGS "chrysippus\.com"
-SecRule HTTP_Referer|ARGS "chrysurus\.net"
-SecRule HTTP_Referer|ARGS "chshayef\.com"
-SecRule HTTP_Referer|ARGS "chstmmtg\.com"
-SecRule HTTP_Referer|ARGS "ci-block\.com"
-SecRule HTTP_Referer|ARGS "cialka\.com"
-SecRule HTTP_Referer|ARGS "cihewymo\.com"
-SecRule HTTP_Referer|ARGS "ciliform\.com"
-SecRule HTTP_Referer|ARGS "citibankplc-uk\.net"
-SecRule HTTP_Referer|ARGS "citrusmailmarketing\.com"
-SecRule HTTP_Referer|ARGS "citytrustbankworld\.com"
-SecRule HTTP_Referer|ARGS "ckfinger\.com"
-SecRule HTTP_Referer|ARGS "cklonket\.com"
-SecRule HTTP_Referer|ARGS "cl988\.cn"
-SecRule HTTP_Referer|ARGS "cl988\.com"
-SecRule HTTP_Referer|ARGS "cl988\.net"
-SecRule HTTP_Referer|ARGS "cl988\.org"
-SecRule HTTP_Referer|ARGS "claim-winningnotification-promogames\.com"
-SecRule HTTP_Referer|ARGS "clambering\.com"
-SecRule HTTP_Referer|ARGS "cleaningbabes\.info"
-SecRule HTTP_Referer|ARGS "cleftrighthandleading\.com"
-SecRule HTTP_Referer|ARGS "cleralerar\.com"
-SecRule HTTP_Referer|ARGS "cleverbuyz0\.com"
-SecRule HTTP_Referer|ARGS "clickandtag\.com"
-SecRule HTTP_Referer|ARGS "clickforalldeals\.com"
-SecRule HTTP_Referer|ARGS "client-1bsmsend\.com"
-SecRule HTTP_Referer|ARGS "client-2bsmsend\.com"
-SecRule HTTP_Referer|ARGS "client-3bsmsend\.com"
-SecRule HTTP_Referer|ARGS "clientswinnersnotification\.com"
-SecRule HTTP_Referer|ARGS "clke\.com"
-SecRule HTTP_Referer|ARGS "closetbabes\.info"
-SecRule HTTP_Referer|ARGS "cloudberrymailer\.com"
-SecRule HTTP_Referer|ARGS "clubcamila\.info"
-SecRule HTTP_Referer|ARGS "clubsimona\.info"
-SecRule HTTP_Referer|ARGS "cludorsaf\.com"
-SecRule HTTP_Referer|ARGS "cmagicbox\.com"
-SecRule HTTP_Referer|ARGS "cnaciec\.net"
-SecRule HTTP_Referer|ARGS "cnbwatches\.com"
-SecRule HTTP_Referer|ARGS "cncbx\.info"
-SecRule HTTP_Referer|ARGS "cndreamer\.com"
-SecRule HTTP_Referer|ARGS "co3usc\.com"
-SecRule HTTP_Referer|ARGS "cobaltblueenterprises\.com"
-SecRule HTTP_Referer|ARGS "coccis\.net"
-SecRule HTTP_Referer|ARGS "coforabith\.com"
-SecRule HTTP_Referer|ARGS "cofywuhimiki\.com"
-SecRule HTTP_Referer|ARGS "cogeon\.info"
-SecRule HTTP_Referer|ARGS "cognizotent\.com"
-SecRule HTTP_Referer|ARGS "cogoth\.info"
-SecRule HTTP_Referer|ARGS "cogozyzatiky\.info"
-SecRule HTTP_Referer|ARGS "coherently\.net"
-SecRule HTTP_Referer|ARGS "coinfishing\.com"
-SecRule HTTP_Referer|ARGS "cole-adams\.com"
-SecRule HTTP_Referer|ARGS "com-ws-ilislpall-dll\.com"
-SecRule HTTP_Referer|ARGS "com-ws-llisipalli-dll\.com"
-SecRule HTTP_Referer|ARGS "comcasti\.com"
-SecRule HTTP_Referer|ARGS "comchalliend\.com"
-SecRule HTTP_Referer|ARGS "come-date-me\.com"
-SecRule HTTP_Referer|ARGS "comegetsome\.biz"
-SecRule HTTP_Referer|ARGS "comeoverthere\.com"
-SecRule HTTP_Referer|ARGS "commercialplaza\.net"
-SecRule HTTP_Referer|ARGS "commhidphns\.com"
-SecRule HTTP_Referer|ARGS "commission-nig\.com"
-SecRule HTTP_Referer|ARGS "compensates\.us"
-SecRule HTTP_Referer|ARGS "confirmpaypals\.com"
-SecRule HTTP_Referer|ARGS "congrategnant\.com"
-SecRule HTTP_Referer|ARGS "conithmoni\.com"
-SecRule HTTP_Referer|ARGS "connectwrap\.com"
-SecRule HTTP_Referer|ARGS "conroled\.com"
-SecRule HTTP_Referer|ARGS "consumings\.net"
-SecRule HTTP_Referer|ARGS "contactsite\.net"
-SecRule HTTP_Referer|ARGS "contemple\.info"
-SecRule HTTP_Referer|ARGS "contractor2k\.com"
-SecRule HTTP_Referer|ARGS "contracttrade\.com"
-SecRule HTTP_Referer|ARGS "controlledgraphics\.com"
-SecRule HTTP_Referer|ARGS "contuses\.com"
-SecRule HTTP_Referer|ARGS "conuterimp\.com"
-SecRule HTTP_Referer|ARGS "coolklogs\.com"
-SecRule HTTP_Referer|ARGS "coolstuffemails\.com"
-SecRule HTTP_Referer|ARGS "coolteenzzz\.info"
-SecRule HTTP_Referer|ARGS "coolthinkings\.com"
-SecRule HTTP_Referer|ARGS "coolwebthings\.net"
-SecRule HTTP_Referer|ARGS "cooperstowndeals\.com"
-SecRule HTTP_Referer|ARGS "cooslx\.com"
-SecRule HTTP_Referer|ARGS "copoxaluloji\.com"
-SecRule HTTP_Referer|ARGS "corepleasure\.com"
-SecRule HTTP_Referer|ARGS "corillito\.com"
-SecRule HTTP_Referer|ARGS "cornier\.net"
-SecRule HTTP_Referer|ARGS "counenefrastruc\.com"
-SecRule HTTP_Referer|ARGS "countink\.com"
-SecRule HTTP_Referer|ARGS "countryma\.com"
-SecRule HTTP_Referer|ARGS "couponstump\.com"
-SecRule HTTP_Referer|ARGS "craer\.info"
-SecRule HTTP_Referer|ARGS "craigthepostie\.com"
-SecRule HTTP_Referer|ARGS "cranberrymailer\.com"
-SecRule HTTP_Referer|ARGS "cratestingleamerican\.com"
-SecRule HTTP_Referer|ARGS "crazeeshopperz\.info"
-SecRule HTTP_Referer|ARGS "crazy-mall\.net"
-SecRule HTTP_Referer|ARGS "crazybargainz\.com"
-SecRule HTTP_Referer|ARGS "crazydollarz\.com"
-SecRule HTTP_Referer|ARGS "crazyreduceddeals\.com"
-SecRule HTTP_Referer|ARGS "creativeplayerinc\.net"
-SecRule HTTP_Referer|ARGS "creativeplayerinc\.org"
-SecRule HTTP_Referer|ARGS "crehistoref\.com"
-SecRule HTTP_Referer|ARGS "creoleskentons\.com"
-SecRule HTTP_Referer|ARGS "crewstudents\.com"
-SecRule HTTP_Referer|ARGS "crocheted\.net"
-SecRule HTTP_Referer|ARGS "crowsnestviews\.com"
-SecRule HTTP_Referer|ARGS "cruis3\.com"
-SecRule HTTP_Referer|ARGS "cruis3\.net"
-SecRule HTTP_Referer|ARGS "culinaryheadquarters\.com"
-SecRule HTTP_Referer|ARGS "culinaryqacentral\.com"
-SecRule HTTP_Referer|ARGS "curantmailer\.com"
-SecRule HTTP_Referer|ARGS "curbishoreprod\.com"
-SecRule HTTP_Referer|ARGS "curding\.net"
-SecRule HTTP_Referer|ARGS "customdcomputers\.com"
-SecRule HTTP_Referer|ARGS "customerdigest\.com"
-SecRule HTTP_Referer|ARGS "custrew2\.com"
-SecRule HTTP_Referer|ARGS "cutebabepics\.com"
-SecRule HTTP_Referer|ARGS "cvb23ra\.com"
-SecRule HTTP_Referer|ARGS "cvetolaoranser\.biz"
-SecRule HTTP_Referer|ARGS "cxvb21\.com"
-SecRule HTTP_Referer|ARGS "cyber-sweetie\.net"
-SecRule HTTP_Referer|ARGS "cyhasibuzy\.com"
-SecRule HTTP_Referer|ARGS "cyjucetu\.com"
-SecRule HTTP_Referer|ARGS "cyzykeqotepe\.com"
-SecRule HTTP_Referer|ARGS "dalastpayment\.com"
-SecRule HTTP_Referer|ARGS "dandrentra\.com"
-SecRule HTTP_Referer|ARGS "danehyqyputo\.com"
-SecRule HTTP_Referer|ARGS "danskferie\.net"
-SecRule HTTP_Referer|ARGS "date-nice-girls\.com"
-SecRule HTTP_Referer|ARGS "datejyxerifi\.com"
-SecRule HTTP_Referer|ARGS "datingdarlings\.com"
-SecRule HTTP_Referer|ARGS "datingfouryou\.com"
-SecRule HTTP_Referer|ARGS "david22\.com"
-SecRule HTTP_Referer|ARGS "dayanaa\.info"
-SecRule HTTP_Referer|ARGS "dayour\.info"
-SecRule HTTP_Referer|ARGS "dayzz\.info"
-SecRule HTTP_Referer|ARGS "dazzlingnewsmile\.com"
-SecRule HTTP_Referer|ARGS "dcbatchelorparty\.com"
-SecRule HTTP_Referer|ARGS "dclenterprises\.com"
-SecRule HTTP_Referer|ARGS "ddingxiangg\.com"
-SecRule HTTP_Referer|ARGS "de-crescendo\.com"
-SecRule HTTP_Referer|ARGS "dealofalifetime\.info"
-SecRule HTTP_Referer|ARGS "dealsdealsdeals\.info"
-SecRule HTTP_Referer|ARGS "dealsdrop\.com"
-SecRule HTTP_Referer|ARGS "dealzdealzdealz\.info"
-SecRule HTTP_Referer|ARGS "dealzforyou\.info"
-SecRule HTTP_Referer|ARGS "deanok\.com"
-SecRule HTTP_Referer|ARGS "debragast\.info"
-SecRule HTTP_Referer|ARGS "decendine\.com"
-SecRule HTTP_Referer|ARGS "decession\.net"
-SecRule HTTP_Referer|ARGS "decgloves\.com"
-SecRule HTTP_Referer|ARGS "dedafofadoxu\.com"
-SecRule HTTP_Referer|ARGS "deels-source\.com"
-SecRule HTTP_Referer|ARGS "deepwebsonar\.com"
-SecRule HTTP_Referer|ARGS "defeater\.net"
-SecRule HTTP_Referer|ARGS "deflapsescorp\.com"
-SecRule HTTP_Referer|ARGS "delamenaystersfo\.biz"
-SecRule HTTP_Referer|ARGS "delfelder\.org"
-SecRule HTTP_Referer|ARGS "delightedw\.org"
-SecRule HTTP_Referer|ARGS "delineloom\.com"
-SecRule HTTP_Referer|ARGS "deliveronew\.com"
-SecRule HTTP_Referer|ARGS "delphiniggled\.com"
-SecRule HTTP_Referer|ARGS "dentromil\.com"
-SecRule HTTP_Referer|ARGS "design-holiday\.com"
-SecRule HTTP_Referer|ARGS "designed-holiday\.com"
-SecRule HTTP_Referer|ARGS "designmirror\.com"
-SecRule HTTP_Referer|ARGS "designs-in-motion\.com"
-SecRule HTTP_Referer|ARGS "detilebilit\.com"
-SecRule HTTP_Referer|ARGS "deutcshe-bank\.com"
-SecRule HTTP_Referer|ARGS "deutsche-ebank\.com"
-SecRule HTTP_Referer|ARGS "df2bh3\.com"
-SecRule HTTP_Referer|ARGS "dffgloves\.com"
-SecRule HTTP_Referer|ARGS "dfga2\.com"
-SecRule HTTP_Referer|ARGS "dfgh3c\.com"
-SecRule HTTP_Referer|ARGS "dgshedmanhf\.com"
-SecRule HTTP_Referer|ARGS "dialamazon\.info"
-SecRule HTTP_Referer|ARGS "diggingdawg\.com"
-SecRule HTTP_Referer|ARGS "digitalbluechipbay\.com"
-SecRule HTTP_Referer|ARGS "digitalbluechipview\.com"
-SecRule HTTP_Referer|ARGS "digitalwadeline\.com"
-SecRule HTTP_Referer|ARGS "diloxi\.com"
-SecRule HTTP_Referer|ARGS "dimeadozen3\.com"
-SecRule HTTP_Referer|ARGS "directadvertisingsolutions\.com"
-SecRule HTTP_Referer|ARGS "directbuysolutions\.com"
-SecRule HTTP_Referer|ARGS "dirtyactions\.com"
-SecRule HTTP_Referer|ARGS "disarolitic\.com"
-SecRule HTTP_Referer|ARGS "discountedmerchindise\.com"
-SecRule HTTP_Referer|ARGS "discountticketsnet\.com"
-SecRule HTTP_Referer|ARGS "disetalbot\.com"
-SecRule HTTP_Referer|ARGS "disowning\.net"
-SecRule HTTP_Referer|ARGS "ditlandis\.com"
-SecRule HTTP_Referer|ARGS "diversiontechnology\.com"
-SecRule HTTP_Referer|ARGS "dksbaikianfl\.com"
-SecRule HTTP_Referer|ARGS "dlsoftnow\.com"
-SecRule HTTP_Referer|ARGS "dlsoftnow\.net"
-SecRule HTTP_Referer|ARGS "dmshaiti\.com"
-SecRule HTTP_Referer|ARGS "dns-redir\.com"
-SecRule HTTP_Referer|ARGS "doctorrxonline\.com"
-SecRule HTTP_Referer|ARGS "dogdayfight\.com"
-SecRule HTTP_Referer|ARGS "dolnb\.com"
-SecRule HTTP_Referer|ARGS "domesticmailincentive\.net"
-SecRule HTTP_Referer|ARGS "domesticmailing\.net"
-SecRule HTTP_Referer|ARGS "domesticmaillisting\.net"
-SecRule HTTP_Referer|ARGS "domesticmailmall\.net"
-SecRule HTTP_Referer|ARGS "dominowef\.com"
-SecRule HTTP_Referer|ARGS "domys\.info"
-SecRule HTTP_Referer|ARGS "dongbucable\.net"
-SecRule HTTP_Referer|ARGS "donitikuci\.com"
-SecRule HTTP_Referer|ARGS "donotbeafraidofwater\.net"
-SecRule HTTP_Referer|ARGS "donskojh\.net"
-SecRule HTTP_Referer|ARGS "dorfelite\.info"
-SecRule HTTP_Referer|ARGS "doughinadvance\.com"
-SecRule HTTP_Referer|ARGS "douglaszone\.net"
-SecRule HTTP_Referer|ARGS "downoint\.com"
-SecRule HTTP_Referer|ARGS "drachenbali\.com"
-SecRule HTTP_Referer|ARGS "dramurns\.com"
-SecRule HTTP_Referer|ARGS "dreamersofthegood\.com"
-SecRule HTTP_Referer|ARGS "dreamthegood\.com"
-SecRule HTTP_Referer|ARGS "drgnboat\.com"
-SecRule HTTP_Referer|ARGS "dropn4u\.com"
-SecRule HTTP_Referer|ARGS "drsophialoren\.com"
-SecRule HTTP_Referer|ARGS "drumbethron\.com"
-SecRule HTTP_Referer|ARGS "drunkenpixiepie\.com"
-SecRule HTTP_Referer|ARGS "ducatiart\.com"
-SecRule HTTP_Referer|ARGS "duse\.info"
-SecRule HTTP_Referer|ARGS "duskiness\.com"
-SecRule HTTP_Referer|ARGS "duskiness\.net"
-SecRule HTTP_Referer|ARGS "duzewutohe\.info"
-SecRule HTTP_Referer|ARGS "dvdsitcoms\.com"
-SecRule HTTP_Referer|ARGS "dvdstorm\.info"
-SecRule HTTP_Referer|ARGS "dwindlefeaver\.com"
-SecRule HTTP_Referer|ARGS "dxicorp\.com"
-SecRule HTTP_Referer|ARGS "e-frankmaduchambers\.com"
-SecRule HTTP_Referer|ARGS "e-greeks\.net"
-SecRule HTTP_Referer|ARGS "e-media-solutions\.co\.uk"
-SecRule HTTP_Referer|ARGS "e-mrktg-net\.net"
-SecRule HTTP_Referer|ARGS "e-net77\.com"
-SecRule HTTP_Referer|ARGS "e-refinancings\.net"
-SecRule HTTP_Referer|ARGS "e131\.com"
-SecRule HTTP_Referer|ARGS "e140\.com"
-SecRule HTTP_Referer|ARGS "e161\.com"
-SecRule HTTP_Referer|ARGS "eaglesurf\.com"
-SecRule HTTP_Referer|ARGS "eameri\.info"
-SecRule HTTP_Referer|ARGS "earlisorning\.com"
-SecRule HTTP_Referer|ARGS "earnyourshape\.com"
-SecRule HTTP_Referer|ARGS "easewinonline\.com"
-SecRule HTTP_Referer|ARGS "easterncurioshangai\.net"
-SecRule HTTP_Referer|ARGS "eastonequity\.com"
-SecRule HTTP_Referer|ARGS "easy2fuck\.com"
-SecRule HTTP_Referer|ARGS "easylittlejob\.net"
-SecRule HTTP_Referer|ARGS "easypctuition\.com"
-SecRule HTTP_Referer|ARGS "easyquote\.info"
-SecRule HTTP_Referer|ARGS "eatmytoenails\.com"
-SecRule HTTP_Referer|ARGS "eaunglossyim\.com"
-SecRule HTTP_Referer|ARGS "ebike-world\.com"
-SecRule HTTP_Referer|ARGS "ebonyhairstore\.com"
-SecRule HTTP_Referer|ARGS "ebooks-500\.com"
-SecRule HTTP_Referer|ARGS "ebuddylist\.com"
-SecRule HTTP_Referer|ARGS "echistrionnh\.com"
-SecRule HTTP_Referer|ARGS "ed11vancedwanow45right\.com"
-SecRule HTTP_Referer|ARGS "editdisk\.info"
-SecRule HTTP_Referer|ARGS "edv17ancedwanow45right\.com"
-SecRule HTTP_Referer|ARGS "edva15ncedwanow45right\.com"
-SecRule HTTP_Referer|ARGS "edva3ncedwanow45right\.com"
-SecRule HTTP_Referer|ARGS "edvan1ce19dwanow4right\.com"
-SecRule HTTP_Referer|ARGS "edvan1cedwanow4right\.com"
-SecRule HTTP_Referer|ARGS "edvan5cedwanow45right\.com"
-SecRule HTTP_Referer|ARGS "edvan7cedwanow45right\.com"
-SecRule HTTP_Referer|ARGS "edvan9cedwanow45right\.com"
-SecRule HTTP_Referer|ARGS "edvance14dwanow45right\.com"
-SecRule HTTP_Referer|ARGS "edvanced16wanow45right\.com"
-SecRule HTTP_Referer|ARGS "edvancedwa10now45right\.com"
-SecRule HTTP_Referer|ARGS "edvancedwa6now45right\.com"
-SecRule HTTP_Referer|ARGS "edvancedwan13ow45right\.com"
-SecRule HTTP_Referer|ARGS "edvancedwan8ow45right\.com"
-SecRule HTTP_Referer|ARGS "edvancedwanow0018right\.com"
-SecRule HTTP_Referer|ARGS "edvancedwanow1245right\.com"
-SecRule HTTP_Referer|ARGS "edvancedwanow42right\.com"
-SecRule HTTP_Referer|ARGS "edvancedwanow45right\.com"
-SecRule HTTP_Referer|ARGS "edvdonline\.com"
-SecRule HTTP_Referer|ARGS "efficacies\.net"
-SecRule HTTP_Referer|ARGS "eforcitycorp\.com"
-SecRule HTTP_Referer|ARGS "egolfadvergame\.net"
-SecRule HTTP_Referer|ARGS "egrandgroup\.com"
-SecRule HTTP_Referer|ARGS "eimediainc\.com"
-SecRule HTTP_Referer|ARGS "eisabus\.com"
-SecRule HTTP_Referer|ARGS "ekcar\.info"
-SecRule HTTP_Referer|ARGS "elderberrymailer\.com"
-SecRule HTTP_Referer|ARGS "ellendalecityq\.com"
-SecRule HTTP_Referer|ARGS "ellenneel\.info"
-SecRule HTTP_Referer|ARGS "elsehry\.com"
-SecRule HTTP_Referer|ARGS "elstonavecorp\.com"
-SecRule HTTP_Referer|ARGS "emark-jordan\.com"
-SecRule HTTP_Referer|ARGS "emifd\.info"
-SecRule HTTP_Referer|ARGS "emiliofeijoo\.com"
-SecRule HTTP_Referer|ARGS "emisaviban\.com"
-SecRule HTTP_Referer|ARGS "emlakgazetesi\.net"
-SecRule HTTP_Referer|ARGS "emmwoyd\.com"
-SecRule HTTP_Referer|ARGS "emorgage-finder\.com"
-SecRule HTTP_Referer|ARGS "empirespecialty\.com"
-SecRule HTTP_Referer|ARGS "empiricalmediaonline-pages\.com"
-SecRule HTTP_Referer|ARGS "empiricalmediaonline\.com"
-SecRule HTTP_Referer|ARGS "enabledmail\.net"
-SecRule HTTP_Referer|ARGS "enactment\.net"
-SecRule HTTP_Referer|ARGS "enjoyromance\.net"
-SecRule HTTP_Referer|ARGS "enormetom\.com"
-SecRule HTTP_Referer|ARGS "eoffercentral\.com"
-SecRule HTTP_Referer|ARGS "ep\.sh\.cn"
-SecRule HTTP_Referer|ARGS "epe6\.com"
-SecRule HTTP_Referer|ARGS "epokersecrets\.com"
-SecRule HTTP_Referer|ARGS "equityunionbank\.com"
-SecRule HTTP_Referer|ARGS "erasera\.info"
-SecRule HTTP_Referer|ARGS "erdfthysxmtf\.com"
-SecRule HTTP_Referer|ARGS "erefinanceonline\.com"
-SecRule HTTP_Referer|ARGS "ergd23\.com"
-SecRule HTTP_Referer|ARGS "ergem\.info"
-SecRule HTTP_Referer|ARGS "erghdc\.com"
-SecRule HTTP_Referer|ARGS "eros-matching\.com"
-SecRule HTTP_Referer|ARGS "erviesemb\.com"
-SecRule HTTP_Referer|ARGS "erzzo\.info"
-SecRule HTTP_Referer|ARGS "escrowus\.net"
-SecRule HTTP_Referer|ARGS "esecurepostal\.com"
-SecRule HTTP_Referer|ARGS "eshopping4all\.com"
-SecRule HTTP_Referer|ARGS "esolutions-email\.net"
-SecRule HTTP_Referer|ARGS "esolutions-online\.net"
-SecRule HTTP_Referer|ARGS "estentific\.com"
-SecRule HTTP_Referer|ARGS "esurveyclub\.com"
-SecRule HTTP_Referer|ARGS "ethtren\.com"
-SecRule HTTP_Referer|ARGS "etimersbow\.com"
-SecRule HTTP_Referer|ARGS "etruite\.com"
-SecRule HTTP_Referer|ARGS "euowvd\.com"
-SecRule HTTP_Referer|ARGS "eurointonline\.com"
-SecRule HTTP_Referer|ARGS "eurooffshorefinance\.org"
-SecRule HTTP_Referer|ARGS "european2005\.com"
-SecRule HTTP_Referer|ARGS "euv-cgi\.us"
-SecRule HTTP_Referer|ARGS "evaget\.info"
-SecRule HTTP_Referer|ARGS "eventosprofesionales\.com"
-SecRule HTTP_Referer|ARGS "evril\.info"
-SecRule HTTP_Referer|ARGS "evrsupport\.com"
-SecRule HTTP_Referer|ARGS "ewinnerspage\.com"
-SecRule HTTP_Referer|ARGS "excelbabes\.info"
-SecRule HTTP_Referer|ARGS "excellcorp\.com"
-SecRule HTTP_Referer|ARGS "exceptionalmailcenters\.net"
-SecRule HTTP_Referer|ARGS "exceptionalmailincentive\.net"
-SecRule HTTP_Referer|ARGS "exceptionalmailings\.net"
-SecRule HTTP_Referer|ARGS "exceptionalmailreward\.com"
-SecRule HTTP_Referer|ARGS "exceptionalmailreward\.net"
-SecRule HTTP_Referer|ARGS "exceptionalpurchases\.net"
-SecRule HTTP_Referer|ARGS "exclusivemallorcaproperties\.com"
-SecRule HTTP_Referer|ARGS "exetinaby\.com"
-SecRule HTTP_Referer|ARGS "exitedq\.us"
-SecRule HTTP_Referer|ARGS "exmentis\.net"
-SecRule HTTP_Referer|ARGS "exoringip\.com"
-SecRule HTTP_Referer|ARGS "expansionarte\.com"
-SecRule HTTP_Referer|ARGS "expert-loan\.com"
-SecRule HTTP_Referer|ARGS "exploretomorow\.com"
-SecRule HTTP_Referer|ARGS "expressneed\.com"
-SecRule HTTP_Referer|ARGS "expressrow\.com"
-SecRule HTTP_Referer|ARGS "extremesuccessformula\.com"
-SecRule HTTP_Referer|ARGS "exuded\.net"
-SecRule HTTP_Referer|ARGS "ezewatch\.net"
-SecRule HTTP_Referer|ARGS "ezgirlwatches\.net"
-SecRule HTTP_Referer|ARGS "ezl0an\.com"
-SecRule HTTP_Referer|ARGS "fabricandtextile\.com"
-SecRule HTTP_Referer|ARGS "facoramileqegu\.net"
-SecRule HTTP_Referer|ARGS "faeldantas\.com"
-SecRule HTTP_Referer|ARGS "falepeac\.com"
-SecRule HTTP_Referer|ARGS "fallinlovin\.net"
-SecRule HTTP_Referer|ARGS "familyhelpnow\.com"
-SecRule HTTP_Referer|ARGS "fanecimi\.com"
-SecRule HTTP_Referer|ARGS "fapugypuqiqa\.com"
-SecRule HTTP_Referer|ARGS "farristownship\.us"
-SecRule HTTP_Referer|ARGS "fastate\.com"
-SecRule HTTP_Referer|ARGS "fastfood4free\.com"
-SecRule HTTP_Referer|ARGS "fastjag\.info"
-SecRule HTTP_Referer|ARGS "fastmoney-corp\.com"
-SecRule HTTP_Referer|ARGS "fastmoney-corp\.net"
-SecRule HTTP_Referer|ARGS "fastmoney4utoday\.com"
-SecRule HTTP_Referer|ARGS "fastunn\.com"
-SecRule HTTP_Referer|ARGS "fathummathum\.com"
-SecRule HTTP_Referer|ARGS "fatnormal\.info"
-SecRule HTTP_Referer|ARGS "fawntarkel1\.com"
-SecRule HTTP_Referer|ARGS "fbsotomotiv\.com"
-SecRule HTTP_Referer|ARGS "fearendshere\.com"
-SecRule HTTP_Referer|ARGS "featuredgallery\.net"
-SecRule HTTP_Referer|ARGS "fei163\.com"
-SecRule HTTP_Referer|ARGS "felad\.info"
-SecRule HTTP_Referer|ARGS "felttable35\.net"
-SecRule HTTP_Referer|ARGS "femidonald\.com"
-SecRule HTTP_Referer|ARGS "ferrymen\.net"
-SecRule HTTP_Referer|ARGS "fertiler\.info"
-SecRule HTTP_Referer|ARGS "fetty1\.net"
-SecRule HTTP_Referer|ARGS "fevewiwoqo\.com"
-SecRule HTTP_Referer|ARGS "fevityru\.com"
-SecRule HTTP_Referer|ARGS "fhjruu\.com"
-SecRule HTTP_Referer|ARGS "fiatv\.info"
-SecRule HTTP_Referer|ARGS "fiduciarydepartment\.com"
-SecRule HTTP_Referer|ARGS "fieryelephants\.com"
-SecRule HTTP_Referer|ARGS "fightinamish\.org"
-SecRule HTTP_Referer|ARGS "filawowo\.com"
-SecRule HTTP_Referer|ARGS "filefarmer\.com"
-SecRule HTTP_Referer|ARGS "filemaker-solutions\.org"
-SecRule HTTP_Referer|ARGS "filmlaw\.org"
-SecRule HTTP_Referer|ARGS "filmmagic\.net"
-SecRule HTTP_Referer|ARGS "finalpayer\.com"
-SecRule HTTP_Referer|ARGS "finance-corporation\.com"
-SecRule HTTP_Referer|ARGS "finanztipp\.org"
-SecRule HTTP_Referer|ARGS "finatus\.org"
-SecRule HTTP_Referer|ARGS "findalat\.com"
-SecRule HTTP_Referer|ARGS "finderr\.info"
-SecRule HTTP_Referer|ARGS "findheadz\.org"
-SecRule HTTP_Referer|ARGS "findmyl0an\.org"
-SecRule HTTP_Referer|ARGS "fingersong\.com"
-SecRule HTTP_Referer|ARGS "finkort\.com"
-SecRule HTTP_Referer|ARGS "firethethief\.com"
-SecRule HTTP_Referer|ARGS "first-mort\.com"
-SecRule HTTP_Referer|ARGS "first-mort\.net"
-SecRule HTTP_Referer|ARGS "firsteprot\.com"
-SecRule HTTP_Referer|ARGS "firstmeds\.org"
-SecRule HTTP_Referer|ARGS "firststephelp\.com"
-SecRule HTTP_Referer|ARGS "firststephelp\.net"
-SecRule HTTP_Referer|ARGS "firsttimediners\.com"
-SecRule HTTP_Referer|ARGS "fishinginfo\.org"
-SecRule HTTP_Referer|ARGS "fisusurrnb\.com"
-SecRule HTTP_Referer|ARGS "fiwapopiwy\.info"
-SecRule HTTP_Referer|ARGS "fiwyvoqypy\.biz"
-SecRule HTTP_Referer|ARGS "fix3\.info"
-SecRule HTTP_Referer|ARGS "flakbasket\.com"
-SecRule HTTP_Referer|ARGS "flanagan2\.net"
-SecRule HTTP_Referer|ARGS "flashlender\.com"
-SecRule HTTP_Referer|ARGS "flaz\.org"
-SecRule HTTP_Referer|ARGS "flexilireed\.com"
-SecRule HTTP_Referer|ARGS "flightsimulatorhangar\.net"
-SecRule HTTP_Referer|ARGS "floridatownship\.net"
-SecRule HTTP_Referer|ARGS "flossiestcongregational\.com"
-SecRule HTTP_Referer|ARGS "fluxaustralia\.com"
-SecRule HTTP_Referer|ARGS "flyerstradegroup\.com"
-SecRule HTTP_Referer|ARGS "fodk\.info"
-SecRule HTTP_Referer|ARGS "fojixyxu\.com"
-SecRule HTTP_Referer|ARGS "fokatydyzo\.com"
-SecRule HTTP_Referer|ARGS "fonizoxyki\.com"
-SecRule HTTP_Referer|ARGS "foolimberz\.com"
-SecRule HTTP_Referer|ARGS "foothillsneighborhood\.com"
-SecRule HTTP_Referer|ARGS "foralllife\.com"
-SecRule HTTP_Referer|ARGS "fordantiz\.com"
-SecRule HTTP_Referer|ARGS "formula-of-love\.biz"
-SecRule HTTP_Referer|ARGS "forof\.info"
-SecRule HTTP_Referer|ARGS "forthelosers\.com"
-SecRule HTTP_Referer|ARGS "fparker\.net"
-SecRule HTTP_Referer|ARGS "fppdf\.com"
-SecRule HTTP_Referer|ARGS "franczyza\.com"
-SecRule HTTP_Referer|ARGS "franksfitnesstips\.com"
-SecRule HTTP_Referer|ARGS "frankstower\.com"
-SecRule HTTP_Referer|ARGS "free-info1\.net"
-SecRule HTTP_Referer|ARGS "freeandfun\.info"
-SecRule HTTP_Referer|ARGS "freeaqua\.info"
-SecRule HTTP_Referer|ARGS "freedesignersatchel\.com"
-SecRule HTTP_Referer|ARGS "freegiftcardonline\.com"
-SecRule HTTP_Referer|ARGS "freetechltd\.com"
-SecRule HTTP_Referer|ARGS "freetrialhgh\.com"
-SecRule HTTP_Referer|ARGS "frellodes\.com"
-SecRule HTTP_Referer|ARGS "fresh-messages\.com"
-SecRule HTTP_Referer|ARGS "freshcornam\.com"
-SecRule HTTP_Referer|ARGS "fristchairman\.com"
-SecRule HTTP_Referer|ARGS "fristinterview\.com"
-SecRule HTTP_Referer|ARGS "frozennames\.net"
-SecRule HTTP_Referer|ARGS "fstl0ans\.net"
-SecRule HTTP_Referer|ARGS "fugh\.net"
-SecRule HTTP_Referer|ARGS "fullydistributedsystems\.com"
-SecRule HTTP_Referer|ARGS "fun-love\.net"
-SecRule HTTP_Referer|ARGS "fundamentalweb\.com"
-SecRule HTTP_Referer|ARGS "funkyplayer\.net"
-SecRule HTTP_Referer|ARGS "funtimesahead\.net"
-SecRule HTTP_Referer|ARGS "funtoshopnow\.info"
-SecRule HTTP_Referer|ARGS "funtoshopusa\.info"
-SecRule HTTP_Referer|ARGS "fuqarate\.com"
-SecRule HTTP_Referer|ARGS "furuno-print\.com"
-SecRule HTTP_Referer|ARGS "fusywylizidiva\.biz"
-SecRule HTTP_Referer|ARGS "futuwerecent\.com"
-SecRule HTTP_Referer|ARGS "fv3\.info"
-SecRule HTTP_Referer|ARGS "fweh\.com"
-SecRule HTTP_Referer|ARGS "fybabyko\.biz"
-SecRule HTTP_Referer|ARGS "fygonibodi\.com"
-SecRule HTTP_Referer|ARGS "fysal\.info"
-SecRule HTTP_Referer|ARGS "g-bsmlolahost\.com"
-SecRule HTTP_Referer|ARGS "gabian\.org"
-SecRule HTTP_Referer|ARGS "galrtpr\.com"
-SecRule HTTP_Referer|ARGS "galtods\.com"
-SecRule HTTP_Referer|ARGS "gambl3s\.com"
-SecRule HTTP_Referer|ARGS "gambra\.com"
-SecRule HTTP_Referer|ARGS "gapetkinfn\.com"
-SecRule HTTP_Referer|ARGS "gardentrowels\.com"
-SecRule HTTP_Referer|ARGS "garew\.info"
-SecRule HTTP_Referer|ARGS "garnasyd\.com"
-SecRule HTTP_Referer|ARGS "gaveduda\.com"
-SecRule HTTP_Referer|ARGS "gdekarandegae\.biz"
-SecRule HTTP_Referer|ARGS "geenow\.info"
-SecRule HTTP_Referer|ARGS "gefid\.info"
-SecRule HTTP_Referer|ARGS "gemack\.net"
-SecRule HTTP_Referer|ARGS "genagows\.com"
-SecRule HTTP_Referer|ARGS "genieinbottle\.com"
-SecRule HTTP_Referer|ARGS "genocare\.info"
-SecRule HTTP_Referer|ARGS "genosbiz\.com"
-SecRule HTTP_Referer|ARGS "gepi6\.com"
-SecRule HTTP_Referer|ARGS "gequqyqolo\.biz"
-SecRule HTTP_Referer|ARGS "geresylatutuco\.com"
-SecRule HTTP_Referer|ARGS "geriana\.com"
-SecRule HTTP_Referer|ARGS "germinally\.com"
-SecRule HTTP_Referer|ARGS "get-me-now\.com"
-SecRule HTTP_Referer|ARGS "getawaydea1s\.biz"
-SecRule HTTP_Referer|ARGS "getawayhotspots\.com"
-SecRule HTTP_Referer|ARGS "getgreatbuysonmeds\.com"
-SecRule HTTP_Referer|ARGS "getrateslessnow\.com"
-SecRule HTTP_Referer|ARGS "getthebestof\.info"
-SecRule HTTP_Referer|ARGS "geturstuffdone\.com"
-SecRule HTTP_Referer|ARGS "getvisitors4less\.com"
-SecRule HTTP_Referer|ARGS "ghboxboardcm\.com"
-SecRule HTTP_Referer|ARGS "ghiciflex\.com"
-SecRule HTTP_Referer|ARGS "giddies\.com"
-SecRule HTTP_Referer|ARGS "gifadser\.com"
-SecRule HTTP_Referer|ARGS "gifadser\.net"
-SecRule HTTP_Referer|ARGS "gifserad\.com"
-SecRule HTTP_Referer|ARGS "gifserad\.net"
-SecRule HTTP_Referer|ARGS "gigglinggals\.com"
-SecRule HTTP_Referer|ARGS "giglioisolotto\.net"
-SecRule HTTP_Referer|ARGS "gimaservicesnc\.com"
-SecRule HTTP_Referer|ARGS "gingermailer\.com"
-SecRule HTTP_Referer|ARGS "giqwa\.com"
-SecRule HTTP_Referer|ARGS "gir8\.com"
-SecRule HTTP_Referer|ARGS "girlschicks\.info"
-SecRule HTTP_Referer|ARGS "girlsinyourarea\.com"
-SecRule HTTP_Referer|ARGS "gkcnd\.com"
-SecRule HTTP_Referer|ARGS "glad888\.com"
-SecRule HTTP_Referer|ARGS "gladdest\.net"
-SecRule HTTP_Referer|ARGS "glasstape\.info"
-SecRule HTTP_Referer|ARGS "glicex\.com"
-SecRule HTTP_Referer|ARGS "global-calls\.net"
-SecRule HTTP_Referer|ARGS "globalproducts4-sale\.com"
-SecRule HTTP_Referer|ARGS "globlmx\.com"
-SecRule HTTP_Referer|ARGS "glrsad\.com"
-SecRule HTTP_Referer|ARGS "gm-trade\.us"
-SecRule HTTP_Referer|ARGS "go2refi\.net"
-SecRule HTTP_Referer|ARGS "goafy\.info"
-SecRule HTTP_Referer|ARGS "gonym\.info"
-SecRule HTTP_Referer|ARGS "good2click\.com"
-SecRule HTTP_Referer|ARGS "goodfoodstock\.com"
-SecRule HTTP_Referer|ARGS "goodlookinghchicks\.info"
-SecRule HTTP_Referer|ARGS "goodpointstoo\.com"
-SecRule HTTP_Referer|ARGS "goodprodss\.com"
-SecRule HTTP_Referer|ARGS "goodreplicaz\.com"
-SecRule HTTP_Referer|ARGS "gooseberrymailer\.com"
-SecRule HTTP_Referer|ARGS "goplewbure2\.com"
-SecRule HTTP_Referer|ARGS "gornikiewicz\.us"
-SecRule HTTP_Referer|ARGS "govsund\.com"
-SecRule HTTP_Referer|ARGS "gr0ov3s\.net"
-SecRule HTTP_Referer|ARGS "gr33ts\.com"
-SecRule HTTP_Referer|ARGS "gr33ts\.net"
-SecRule HTTP_Referer|ARGS "gr8class4u\.com"
-SecRule HTTP_Referer|ARGS "gr8deal4unow\.com"
-SecRule HTTP_Referer|ARGS "gr8grabs\.net"
-SecRule HTTP_Referer|ARGS "gra1n\.com"
-SecRule HTTP_Referer|ARGS "gra1n\.net"
-SecRule HTTP_Referer|ARGS "gra1ns\.com"
-SecRule HTTP_Referer|ARGS "gra1ns\.net"
-SecRule HTTP_Referer|ARGS "grace765mark\.com"
-SecRule HTTP_Referer|ARGS "grandlandtree\.com"
-SecRule HTTP_Referer|ARGS "grandwadelinelink\.com"
-SecRule HTTP_Referer|ARGS "grang3\.net"
-SecRule HTTP_Referer|ARGS "grap3\.com"
-SecRule HTTP_Referer|ARGS "grapefruitmailer\.com"
-SecRule HTTP_Referer|ARGS "great-newz8\.com"
-SecRule HTTP_Referer|ARGS "greatbluechipview\.com"
-SecRule HTTP_Referer|ARGS "greatpillsline\.info"
-SecRule HTTP_Referer|ARGS "greatron\.info"
-SecRule HTTP_Referer|ARGS "greatstuffnews\.com"
-SecRule HTTP_Referer|ARGS "green-agrotech\.com"
-SecRule HTTP_Referer|ARGS "greenfrankscorp\.com"
-SecRule HTTP_Referer|ARGS "gregwonbut\.info"
-SecRule HTTP_Referer|ARGS "gro0ve\.net"
-SecRule HTTP_Referer|ARGS "gro0ves\.net"
-SecRule HTTP_Referer|ARGS "groov3s\.com"
-SecRule HTTP_Referer|ARGS "groov3s\.net"
-SecRule HTTP_Referer|ARGS "grosanune\.com"
-SecRule HTTP_Referer|ARGS "groupwrap\.com"
-SecRule HTTP_Referer|ARGS "grudgingly\.net"
-SecRule HTTP_Referer|ARGS "grushx\.com"
-SecRule HTTP_Referer|ARGS "gtfs-limited\.com"
-SecRule HTTP_Referer|ARGS "guarneri2\.com"
-SecRule HTTP_Referer|ARGS "guavamailer\.com"
-SecRule HTTP_Referer|ARGS "guayabosbarrio\.biz"
-SecRule HTTP_Referer|ARGS "guburuwedi\.com"
-SecRule HTTP_Referer|ARGS "guhykeli\.com"
-SecRule HTTP_Referer|ARGS "guite\.info"
-SecRule HTTP_Referer|ARGS "gujerati\.info"
-SecRule HTTP_Referer|ARGS "gunrose\.info"
-SecRule HTTP_Referer|ARGS "gutturally\.com"
-SecRule HTTP_Referer|ARGS "guzylehy\.com"
-SecRule HTTP_Referer|ARGS "gymixera\.com"
-SecRule HTTP_Referer|ARGS "gzcore\.com"
-SecRule HTTP_Referer|ARGS "h0lds\.com"
-SecRule HTTP_Referer|ARGS "h0lds\.net"
-SecRule HTTP_Referer|ARGS "hackberrymailer\.com"
-SecRule HTTP_Referer|ARGS "hafefisefami\.info"
-SecRule HTTP_Referer|ARGS "haftorah\.net"
-SecRule HTTP_Referer|ARGS "hagy\.info"
-SecRule HTTP_Referer|ARGS "haksdhkas\.com"
-SecRule HTTP_Referer|ARGS "hallmon\.biz"
-SecRule HTTP_Referer|ARGS "hao8\.net\.cn"
-SecRule HTTP_Referer|ARGS "hardmilkmaid\.biz"
-SecRule HTTP_Referer|ARGS "harryc\.org"
-SecRule HTTP_Referer|ARGS "hatadujunyzaha\.com"
-SecRule HTTP_Referer|ARGS "havelockinvest\.com"
-SecRule HTTP_Referer|ARGS "havetacy\.com"
-SecRule HTTP_Referer|ARGS "hayab\.info"
-SecRule HTTP_Referer|ARGS "hbwieuiwer\.net"
-SecRule HTTP_Referer|ARGS "hcomite\.com"
-SecRule HTTP_Referer|ARGS "health-castle\.com"
-SecRule HTTP_Referer|ARGS "healthcentralmedical\.com"
-SecRule HTTP_Referer|ARGS "healthdepotmeds\.com"
-SecRule HTTP_Referer|ARGS "healthforyourmeds\.com"
-SecRule HTTP_Referer|ARGS "healthisgoodmeds\.com"
-SecRule HTTP_Referer|ARGS "healthmegastoremedical\.com"
-SecRule HTTP_Referer|ARGS "healthseekweb\.com"
-SecRule HTTP_Referer|ARGS "hearthenside\.com"
-SecRule HTTP_Referer|ARGS "heavensdrive\.net"
-SecRule HTTP_Referer|ARGS "hebycabyky\.com"
-SecRule HTTP_Referer|ARGS "hendersonbiz\.net"
-SecRule HTTP_Referer|ARGS "henogeny\.info"
-SecRule HTTP_Referer|ARGS "heralbum\.info"
-SecRule HTTP_Referer|ARGS "herndondeals\.com"
-SecRule HTTP_Referer|ARGS "herneu\.com"
-SecRule HTTP_Referer|ARGS "hf2shj\.info"
-SecRule HTTP_Referer|ARGS "hicleprif\.com"
-SecRule HTTP_Referer|ARGS "hiddenbabes\.info"
-SecRule HTTP_Referer|ARGS "hiendwebdesign\.com"
-SecRule HTTP_Referer|ARGS "highbluechiptool\.com"
-SecRule HTTP_Referer|ARGS "highbluechipwade\.com"
-SecRule HTTP_Referer|ARGS "highildsupal\.com"
-SecRule HTTP_Referer|ARGS "hilejepufocy\.com"
-SecRule HTTP_Referer|ARGS "hj1sss\.info"
-SecRule HTTP_Referer|ARGS "hkimpexpcoy\.com"
-SecRule HTTP_Referer|ARGS "hkrr\.org"
-SecRule HTTP_Referer|ARGS "hloe\.info"
-SecRule HTTP_Referer|ARGS "hogicazyka\.info"
-SecRule HTTP_Referer|ARGS "hogwartsbr\.net"
-SecRule HTTP_Referer|ARGS "holafish\.com"
-SecRule HTTP_Referer|ARGS "holea\.info"
-SecRule HTTP_Referer|ARGS "holiday-bonanza\.com"
-SecRule HTTP_Referer|ARGS "home123biz\.info"
-SecRule HTTP_Referer|ARGS "home456biz\.info"
-SecRule HTTP_Referer|ARGS "home789biz\.info"
-SecRule HTTP_Referer|ARGS "homefuels\.net"
-SecRule HTTP_Referer|ARGS "homes03\.com"
-SecRule HTTP_Referer|ARGS "hondapromotions\.com"
-SecRule HTTP_Referer|ARGS "honeydewmailer\.com"
-SecRule HTTP_Referer|ARGS "hongjingtian\.net"
-SecRule HTTP_Referer|ARGS "hoodedness\.net"
-SecRule HTTP_Referer|ARGS "hookup-with-locals\.com"
-SecRule HTTP_Referer|ARGS "hookupwithlocals\.com"
-SecRule HTTP_Referer|ARGS "hookupwithlocals\.net"
-SecRule HTTP_Referer|ARGS "hooppimp\.com"
-SecRule HTTP_Referer|ARGS "horeledy\.info"
-SecRule HTTP_Referer|ARGS "horne37\.com"
-SecRule HTTP_Referer|ARGS "hornydrugs\.biz"
-SecRule HTTP_Referer|ARGS "hostbilisim\.net"
-SecRule HTTP_Referer|ARGS "hostflow\.info"
-SecRule HTTP_Referer|ARGS "hot-12asdasd1241\.info"
-SecRule HTTP_Referer|ARGS "hot-nights-now\.com"
-SecRule HTTP_Referer|ARGS "hot123123girls\.info"
-SecRule HTTP_Referer|ARGS "hot124124chicks\.info"
-SecRule HTTP_Referer|ARGS "hotasdasd124\.info"
-SecRule HTTP_Referer|ARGS "hotchinchicks\.info"
-SecRule HTTP_Referer|ARGS "hoteleljardincr\.com"
-SecRule HTTP_Referer|ARGS "hotmalii\.com"
-SecRule HTTP_Referer|ARGS "hotonlinechicks\.info"
-SecRule HTTP_Referer|ARGS "hottacosandbuns\.info"
-SecRule HTTP_Referer|ARGS "hotttybabes\.info"
-SecRule HTTP_Referer|ARGS "hottylookers\.info"
-SecRule HTTP_Referer|ARGS "housination\.com"
-SecRule HTTP_Referer|ARGS "hovisunyciraqa\.org"
-SecRule HTTP_Referer|ARGS "hqsdha12412\.info"
-SecRule HTTP_Referer|ARGS "hrmmmm\.com"
-SecRule HTTP_Referer|ARGS "hrmmmm\.net"
-SecRule HTTP_Referer|ARGS "huahuizs\.com"
-SecRule HTTP_Referer|ARGS "huckleberrymailer\.com"
-SecRule HTTP_Referer|ARGS "hukefyrele\.com"
-SecRule HTTP_Referer|ARGS "humbugging\.com"
-SecRule HTTP_Referer|ARGS "hunchoe\.info"
-SecRule HTTP_Referer|ARGS "hungariafd\.com"
-SecRule HTTP_Referer|ARGS "hunyraducine\.com"
-SecRule HTTP_Referer|ARGS "huqimoxyjame\.com"
-SecRule HTTP_Referer|ARGS "huxeqoberomiso\.com"
-SecRule HTTP_Referer|ARGS "hvbbh\.com"
-SecRule HTTP_Referer|ARGS "hymosports\.com"
-SecRule HTTP_Referer|ARGS "hyrotecve\.com"
-SecRule HTTP_Referer|ARGS "hyvoceka\.info"
-SecRule HTTP_Referer|ARGS "hztzf\.com"
-SecRule HTTP_Referer|ARGS "i-globalproductsinc\.info"
-SecRule HTTP_Referer|ARGS "ibbk\.net"
-SecRule HTTP_Referer|ARGS "ibdiscovery\.com"
-SecRule HTTP_Referer|ARGS "ibliz\.info"
-SecRule HTTP_Referer|ARGS "icecreamruntoday\.net"
-SecRule HTTP_Referer|ARGS "idase\.info"
-SecRule HTTP_Referer|ARGS "ideagoldminebiz\.com"
-SecRule HTTP_Referer|ARGS "ifexprogramme\.com"
-SecRule HTTP_Referer|ARGS "ifsd-company\.com"
-SecRule HTTP_Referer|ARGS "igestosib\.com"
-SecRule HTTP_Referer|ARGS "ihomi\.info"
-SecRule HTTP_Referer|ARGS "ijeol\.info"
-SecRule HTTP_Referer|ARGS "ikaika68\.com"
-SecRule HTTP_Referer|ARGS "ilautaol\.info"
-SecRule HTTP_Referer|ARGS "ilibrensumasz\.biz"
-SecRule HTTP_Referer|ARGS "ilsaninfo\.com"
-SecRule HTTP_Referer|ARGS "iltimnam\.info"
-SecRule HTTP_Referer|ARGS "imagesbyaz\.com"
-SecRule HTTP_Referer|ARGS "imgig\.info"
-SecRule HTTP_Referer|ARGS "imissyouluna\.com"
-SecRule HTTP_Referer|ARGS "imsnetworks\.net"
-SecRule HTTP_Referer|ARGS "inanacce\.com"
-SecRule HTTP_Referer|ARGS "inbiwroc\.info"
-SecRule HTTP_Referer|ARGS "incnetd\.com"
-SecRule HTTP_Referer|ARGS "indeweum\.info"
-SecRule HTTP_Referer|ARGS "indicejural\.com"
-SecRule HTTP_Referer|ARGS "industrial7\.com"
-SecRule HTTP_Referer|ARGS "infarucor\.com"
-SecRule HTTP_Referer|ARGS "infojj\.com"
-SecRule HTTP_Referer|ARGS "inforule\.info"
-SecRule HTTP_Referer|ARGS "inkeon\.info"
-SecRule HTTP_Referer|ARGS "inoharei\.info"
-SecRule HTTP_Referer|ARGS "insta-save\.net"
-SecRule HTTP_Referer|ARGS "insureyourpen\.com"
-SecRule HTTP_Referer|ARGS "inswept\.com"
-SecRule HTTP_Referer|ARGS "inswept\.net"
-SecRule HTTP_Referer|ARGS "integraloutlets\.com"
-SecRule HTTP_Referer|ARGS "intelligentstar\.com"
-SecRule HTTP_Referer|ARGS "interelektropromo\.org"
-SecRule HTTP_Referer|ARGS "intermed-corp\.org"
-SecRule HTTP_Referer|ARGS "international-awarddept\.com"
-SecRule HTTP_Referer|ARGS "international-cargo-express\.com"
-SecRule HTTP_Referer|ARGS "internetinterier\.com"
-SecRule HTTP_Referer|ARGS "intherhythm\.com"
-SecRule HTTP_Referer|ARGS "iooos\.us"
-SecRule HTTP_Referer|ARGS "iownhimor\.com"
-SecRule HTTP_Referer|ARGS "ipjymasa\.info"
-SecRule HTTP_Referer|ARGS "ipoon\.info"
-SecRule HTTP_Referer|ARGS "iquwn\.info"
-SecRule HTTP_Referer|ARGS "ireuntyg\.info"
-SecRule HTTP_Referer|ARGS "irutcasd\.info"
-SecRule HTTP_Referer|ARGS "isaturday\.net"
-SecRule HTTP_Referer|ARGS "isawitgr8now\.com"
-SecRule HTTP_Referer|ARGS "isnetdesign\.com"
-SecRule HTTP_Referer|ARGS "isthatkilbasaorwhat\.com"
-SecRule HTTP_Referer|ARGS "italianglass\.net"
-SecRule HTTP_Referer|ARGS "itappeditandletitgo\.com"
-SecRule HTTP_Referer|ARGS "itsfuntoshop\.info"
-SecRule HTTP_Referer|ARGS "itsveryeasy\.net"
-SecRule HTTP_Referer|ARGS "iwinnersweb\.com"
-SecRule HTTP_Referer|ARGS "jach4\.com"
-SecRule HTTP_Referer|ARGS "jackpot-mail1\.com"
-SecRule HTTP_Referer|ARGS "jackpot-mail2\.com"
-SecRule HTTP_Referer|ARGS "jagifaxylyki\.com"
-SecRule HTTP_Referer|ARGS "jakartamail\.net"
-SecRule HTTP_Referer|ARGS "james-coker\.net"
-SecRule HTTP_Referer|ARGS "japanisfareast\.net"
-SecRule HTTP_Referer|ARGS "jassensrareaudiovisualexperience\.net"
-SecRule HTTP_Referer|ARGS "jave9\.com"
-SecRule HTTP_Referer|ARGS "jcnelson\.net"
-SecRule HTTP_Referer|ARGS "jda21asd\.info"
-SecRule HTTP_Referer|ARGS "jedizone\.info"
-SecRule HTTP_Referer|ARGS "jejunal\.net"
-SecRule HTTP_Referer|ARGS "jekapusemugi\.org"
-SecRule HTTP_Referer|ARGS "jenniferplas\.com"
-SecRule HTTP_Referer|ARGS "jepagowo\.info"
-SecRule HTTP_Referer|ARGS "jessewalsh\.com"
-SecRule HTTP_Referer|ARGS "jetkeeper\.com"
-SecRule HTTP_Referer|ARGS "jignamer\.net"
-SecRule HTTP_Referer|ARGS "jigynivu\.net"
-SecRule HTTP_Referer|ARGS "jimjahmj\.com"
-SecRule HTTP_Referer|ARGS "jnelsonhollow\.com"
-SecRule HTTP_Referer|ARGS "jo-taxi\.com"
-SecRule HTTP_Referer|ARGS "job4germans\.com"
-SecRule HTTP_Referer|ARGS "jobglad\.net"
-SecRule HTTP_Referer|ARGS "joehanna\.info"
-SecRule HTTP_Referer|ARGS "joeki\.info"
-SecRule HTTP_Referer|ARGS "johnlambertyh\.net"
-SecRule HTTP_Referer|ARGS "joincafe\.com"
-SecRule HTTP_Referer|ARGS "jojefaxeso\.info"
-SecRule HTTP_Referer|ARGS "jokebueno\.com"
-SecRule HTTP_Referer|ARGS "jollyjerky\.com"
-SecRule HTTP_Referer|ARGS "jometallurgical\.com"
-SecRule HTTP_Referer|ARGS "jorexuqi\.com"
-SecRule HTTP_Referer|ARGS "jotypitogaxe\.com"
-SecRule HTTP_Referer|ARGS "jovicugabe\.org"
-SecRule HTTP_Referer|ARGS "jpowemc\.biz"
-SecRule HTTP_Referer|ARGS "jqpas\.net"
-SecRule HTTP_Referer|ARGS "jschoolfellow\.com"
-SecRule HTTP_Referer|ARGS "jshd8\.com"
-SecRule HTTP_Referer|ARGS "judybupufi\.com"
-SecRule HTTP_Referer|ARGS "juhynoxapypula\.com"
-SecRule HTTP_Referer|ARGS "juicycherry\.info"
-SecRule HTTP_Referer|ARGS "juqijenipugo\.com"
-SecRule HTTP_Referer|ARGS "just-say-wow\.com"
-SecRule HTTP_Referer|ARGS "just15minute\.com"
-SecRule HTTP_Referer|ARGS "justare\.info"
-SecRule HTTP_Referer|ARGS "justbakeme\.com"
-SecRule HTTP_Referer|ARGS "justhotgirls\.net"
-SecRule HTTP_Referer|ARGS "justinform\.biz"
-SecRule HTTP_Referer|ARGS "justsupersize\.com"
-SecRule HTTP_Referer|ARGS "jutatiwe\.com"
-SecRule HTTP_Referer|ARGS "jvlworldofproducts\.com"
-SecRule HTTP_Referer|ARGS "jyjutetymixa\.com"
-SecRule HTTP_Referer|ARGS "jywipazusuge\.com"
-SecRule HTTP_Referer|ARGS "jzhao2005\.com"
-SecRule HTTP_Referer|ARGS "ka83m\.info"
-SecRule HTTP_Referer|ARGS "kahyhewony\.com"
-SecRule HTTP_Referer|ARGS "kakivsenejas\.biz"
-SecRule HTTP_Referer|ARGS "kalipurayath\.net"
-SecRule HTTP_Referer|ARGS "kamegamoridr\.com"
-SecRule HTTP_Referer|ARGS "kameri\.info"
-SecRule HTTP_Referer|ARGS "kapital-platz\.com"
-SecRule HTTP_Referer|ARGS "karamba\.biz"
-SecRule HTTP_Referer|ARGS "kaspita\.net"
-SecRule HTTP_Referer|ARGS "katoriru\.com"
-SecRule HTTP_Referer|ARGS "kavuduva\.com"
-SecRule HTTP_Referer|ARGS "kdistrict7\.org"
-SecRule HTTP_Referer|ARGS "kelixin\.net"
-SecRule HTTP_Referer|ARGS "kenanyucesoy\.net"
-SecRule HTTP_Referer|ARGS "kennpayoffski\.com"
-SecRule HTTP_Referer|ARGS "kenwilliamsfortgroup\.net"
-SecRule HTTP_Referer|ARGS "keqyxofaxatulo\.com"
-SecRule HTTP_Referer|ARGS "keviclec\.com"
-SecRule HTTP_Referer|ARGS "keypadlight\.com"
-SecRule HTTP_Referer|ARGS "kihiryli\.com"
-SecRule HTTP_Referer|ARGS "kilaservaferz\.biz"
-SecRule HTTP_Referer|ARGS "kindenergy\.info"
-SecRule HTTP_Referer|ARGS "kinkytee\.info"
-SecRule HTTP_Referer|ARGS "kinnight\.info"
-SecRule HTTP_Referer|ARGS "kirillavroved\.com"
-SecRule HTTP_Referer|ARGS "kissback\.info"
-SecRule HTTP_Referer|ARGS "kissforeverband\.com"
-SecRule HTTP_Referer|ARGS "kiuhfkiuw\.net"
-SecRule HTTP_Referer|ARGS "klesueur\.com"
-SecRule HTTP_Referer|ARGS "kleyheoh\.info"
-SecRule HTTP_Referer|ARGS "kodila\.com"
-SecRule HTTP_Referer|ARGS "koscielniak\.net"
-SecRule HTTP_Referer|ARGS "krakors\.net"
-SecRule HTTP_Referer|ARGS "kretomusta\.info"
-SecRule HTTP_Referer|ARGS "ksijdfkjshdf\.net"
-SecRule HTTP_Referer|ARGS "ktgjru\.com"
-SecRule HTTP_Referer|ARGS "kucahydy\.com"
-SecRule HTTP_Referer|ARGS "kujlkresrtfrt\.net"
-SecRule HTTP_Referer|ARGS "kunst-in-glas\.com"
-SecRule HTTP_Referer|ARGS "kwudfiuwge\.net"
-SecRule HTTP_Referer|ARGS "kylicumoxo\.com"
-SecRule HTTP_Referer|ARGS "kyliesxxxplace\.com"
-SecRule HTTP_Referer|ARGS "kzmmx\.com"
-SecRule HTTP_Referer|ARGS "l0v3rs\.com"
-SecRule HTTP_Referer|ARGS "l0v3rs\.net"
-SecRule HTTP_Referer|ARGS "l0wbankrates\.com"
-SecRule HTTP_Referer|ARGS "labint\.net"
-SecRule HTTP_Referer|ARGS "lacalle53\.com"
-SecRule HTTP_Referer|ARGS "lacaser\.com"
-SecRule HTTP_Referer|ARGS "lacemenes\.com"
-SecRule HTTP_Referer|ARGS "ladehawogy\.com"
-SecRule HTTP_Referer|ARGS "ladnoidemserve\.biz"
-SecRule HTTP_Referer|ARGS "lagusohelyvu\.com"
-SecRule HTTP_Referer|ARGS "lahleerty\.com"
-SecRule HTTP_Referer|ARGS "lajasmunicipio\.com"
-SecRule HTTP_Referer|ARGS "lajutyru\.info"
-SecRule HTTP_Referer|ARGS "lakdj9\.info"
-SecRule HTTP_Referer|ARGS "laminae\.com"
-SecRule HTTP_Referer|ARGS "lanckeyi\.com"
-SecRule HTTP_Referer|ARGS "lapexpress\.com"
-SecRule HTTP_Referer|ARGS "largelung\.com"
-SecRule HTTP_Referer|ARGS "lasdertafolikz\.biz"
-SecRule HTTP_Referer|ARGS "lasterlyre\.com"
-SecRule HTTP_Referer|ARGS "layala\.info"
-SecRule HTTP_Referer|ARGS "leaxsona\.info"
-SecRule HTTP_Referer|ARGS "leceligeho\.net"
-SecRule HTTP_Referer|ARGS "leekung\.com"
-SecRule HTTP_Referer|ARGS "leetuck\.info"
-SecRule HTTP_Referer|ARGS "legacydevelopment\.net"
-SecRule HTTP_Referer|ARGS "leggamoyneangusherds\.com"
-SecRule HTTP_Referer|ARGS "leggu\.info"
-SecRule HTTP_Referer|ARGS "leisuredj\.biz"
-SecRule HTTP_Referer|ARGS "leisurestars\.com"
-SecRule HTTP_Referer|ARGS "lemonmailer\.com"
-SecRule HTTP_Referer|ARGS "lessratestodayyeah\.com"
-SecRule HTTP_Referer|ARGS "letbroker\.info"
-SecRule HTTP_Referer|ARGS "leyblubuk\.com"
-SecRule HTTP_Referer|ARGS "lheya\.info"
-SecRule HTTP_Referer|ARGS "liburevobuno\.com"
-SecRule HTTP_Referer|ARGS "lifebestproductss\.com"
-SecRule HTTP_Referer|ARGS "lifewayinsurance\.com"
-SecRule HTTP_Referer|ARGS "lifti\.info"
-SecRule HTTP_Referer|ARGS "lightspeed-media\.com"
-SecRule HTTP_Referer|ARGS "lijya\.info"
-SecRule HTTP_Referer|ARGS "likewave\.info"
-SecRule HTTP_Referer|ARGS "likingmyodds\.info"
-SecRule HTTP_Referer|ARGS "lindacrawford\.net"
-SecRule HTTP_Referer|ARGS "linebluechippad\.com"
-SecRule HTTP_Referer|ARGS "liptonteas\.org"
-SecRule HTTP_Referer|ARGS "lisasellsnaples\.net"
-SecRule HTTP_Referer|ARGS "lisinengis\.com"
-SecRule HTTP_Referer|ARGS "litcheemailer\.com"
-SecRule HTTP_Referer|ARGS "littleelsematters\.com"
-SecRule HTTP_Referer|ARGS "littlelepreau\.biz"
-SecRule HTTP_Referer|ARGS "littleprodsss\.com"
-SecRule HTTP_Referer|ARGS "livedear3\.com"
-SecRule HTTP_Referer|ARGS "liveseon\.info"
-SecRule HTTP_Referer|ARGS "livingz-pix\.com"
-SecRule HTTP_Referer|ARGS "liziy\.info"
-SecRule HTTP_Referer|ARGS "lkmort\.net"
-SecRule HTTP_Referer|ARGS "loancola\.com"
-SecRule HTTP_Referer|ARGS "loanira\.com"
-SecRule HTTP_Referer|ARGS "loansx-now\.com"
-SecRule HTTP_Referer|ARGS "loansx-now\.net"
-SecRule HTTP_Referer|ARGS "loanz-your\.com"
-SecRule HTTP_Referer|ARGS "loanzloanz\.com"
-SecRule HTTP_Referer|ARGS "localbookbuy\.net"
-SecRule HTTP_Referer|ARGS "localewatch\.net"
-SecRule HTTP_Referer|ARGS "localwatch\.net"
-SecRule HTTP_Referer|ARGS "lockedlock\.com"
-SecRule HTTP_Referer|ARGS "lockthecar\.com"
-SecRule HTTP_Referer|ARGS "lofuroneqi\.com"
-SecRule HTTP_Referer|ARGS "logabc\.com"
-SecRule HTTP_Referer|ARGS "loginspaypal\.com"
-SecRule HTTP_Referer|ARGS "logojidutubene\.com"
-SecRule HTTP_Referer|ARGS "logtree\.info"
-SecRule HTTP_Referer|ARGS "loiha\.info"
-SecRule HTTP_Referer|ARGS "londontraveless\.com"
-SecRule HTTP_Referer|ARGS "lonelyroadbooks\.com"
-SecRule HTTP_Referer|ARGS "lonemutt\.info"
-SecRule HTTP_Referer|ARGS "longherb\.com"
-SecRule HTTP_Referer|ARGS "longxing-dg\.com"
-SecRule HTTP_Referer|ARGS "lookmyshop\.com"
-SecRule HTTP_Referer|ARGS "lookoutmailing\.net"
-SecRule HTTP_Referer|ARGS "loope7\.com"
-SecRule HTTP_Referer|ARGS "loquatmailer\.com"
-SecRule HTTP_Referer|ARGS "losijymizu\.com"
-SecRule HTTP_Referer|ARGS "lotsavisitorscheaply\.com"
-SecRule HTTP_Referer|ARGS "lotsofpokerrr\.net"
-SecRule HTTP_Referer|ARGS "lotssahorez\.info"
-SecRule HTTP_Referer|ARGS "lotssawhores\.info"
-SecRule HTTP_Referer|ARGS "lotterwinners\.net"
-SecRule HTTP_Referer|ARGS "lottsagirls\.info"
-SecRule HTTP_Referer|ARGS "love-s0urce\.com"
-SecRule HTTP_Referer|ARGS "lovemed\.biz"
-SecRule HTTP_Referer|ARGS "lovepills\.biz"
-SecRule HTTP_Referer|ARGS "loverockdrugs\.info"
-SecRule HTTP_Referer|ARGS "lovetablets\.biz"
-SecRule HTTP_Referer|ARGS "lowest-rates-ever\.com"
-SecRule HTTP_Referer|ARGS "lowfeenet\.com"
-SecRule HTTP_Referer|ARGS "lowlow1refinance\.com"
-SecRule HTTP_Referer|ARGS "lownx-now\.com"
-SecRule HTTP_Referer|ARGS "lownx-now\.net"
-SecRule HTTP_Referer|ARGS "lowpriceplayer\.com"
-SecRule HTTP_Referer|ARGS "lowratesmoremoney\.com"
-SecRule HTTP_Referer|ARGS "lskflksdfasd\.net"
-SecRule HTTP_Referer|ARGS "lubrimil\.com"
-SecRule HTTP_Referer|ARGS "lucasober\.com"
-SecRule HTTP_Referer|ARGS "luckydayln-uklworld\.com"
-SecRule HTTP_Referer|ARGS "luckydayuk\.net"
-SecRule HTTP_Referer|ARGS "luckydayukl-2005\.com"
-SecRule HTTP_Referer|ARGS "luckydayworlds\.com"
-SecRule HTTP_Referer|ARGS "luckydogmagazine\.com"
-SecRule HTTP_Referer|ARGS "luzujuna\.com"
-SecRule HTTP_Referer|ARGS "lyguwepypemife\.com"
-SecRule HTTP_Referer|ARGS "lytynawoje\.com"
-SecRule HTTP_Referer|ARGS "lyvicohenyzyza\.net"
-SecRule HTTP_Referer|ARGS "macedonsseedling\.com"
-SecRule HTTP_Referer|ARGS "macintype\.info"
-SecRule HTTP_Referer|ARGS "macquaria\.com"
-SecRule HTTP_Referer|ARGS "macroscorp\.com"
-SecRule HTTP_Referer|ARGS "madyong\.info"
-SecRule HTTP_Referer|ARGS "mafikywaramofu\.com"
-SecRule HTTP_Referer|ARGS "mafin\.info"
-SecRule HTTP_Referer|ARGS "mafuu\.info"
-SecRule HTTP_Referer|ARGS "magnuscanada\.com"
-SecRule HTTP_Referer|ARGS "magstack\.com"
-SecRule HTTP_Referer|ARGS "mahoganyimages\.net"
-SecRule HTTP_Referer|ARGS "mail-list\.us"
-SecRule HTTP_Referer|ARGS "mail-online-desk\.com"
-SecRule HTTP_Referer|ARGS "mailbrandplus\.com"
-SecRule HTTP_Referer|ARGS "maildistributioncenters\.net"
-SecRule HTTP_Referer|ARGS "mailrewardscenter\.com"
-SecRule HTTP_Referer|ARGS "mailrewardscenter\.net"
-SecRule HTTP_Referer|ARGS "mailshoppings\.com"
-SecRule HTTP_Referer|ARGS "mailsystemrewards\.net"
-SecRule HTTP_Referer|ARGS "mailthatworks\.net"
-SecRule HTTP_Referer|ARGS "mailyuen\.com"
-SecRule HTTP_Referer|ARGS "mainways\.info"
-SecRule HTTP_Referer|ARGS "maitresseflo\.com"
-SecRule HTTP_Referer|ARGS "malloycan\.com"
-SecRule HTTP_Referer|ARGS "mamamoja\.info"
-SecRule HTTP_Referer|ARGS "mangomailer\.com"
-SecRule HTTP_Referer|ARGS "mangy\.info"
-SecRule HTTP_Referer|ARGS "maniostirs\.info"
-SecRule HTTP_Referer|ARGS "manipulable\.info"
-SecRule HTTP_Referer|ARGS "mankarolina\.info"
-SecRule HTTP_Referer|ARGS "manopoli\.com"
-SecRule HTTP_Referer|ARGS "manypills\.biz"
-SecRule HTTP_Referer|ARGS "maqikimasu\.info"
-SecRule HTTP_Referer|ARGS "marethicle\.com"
-SecRule HTTP_Referer|ARGS "marketingande-business\.com"
-SecRule HTTP_Referer|ARGS "markplayer\.org"
-SecRule HTTP_Referer|ARGS "markyam\.info"
-SecRule HTTP_Referer|ARGS "mascleprotrusively\.com"
-SecRule HTTP_Referer|ARGS "masritolisae\.biz"
-SecRule HTTP_Referer|ARGS "massivewinners\.com"
-SecRule HTTP_Referer|ARGS "masterings\.net"
-SecRule HTTP_Referer|ARGS "matatachambers\.com"
-SecRule HTTP_Referer|ARGS "matilubise\.com"
-SecRule HTTP_Referer|ARGS "matiolev\.info"
-SecRule HTTP_Referer|ARGS "mattlay\.info"
-SecRule HTTP_Referer|ARGS "max-payments\.com"
-SecRule HTTP_Referer|ARGS "maxmailer\.net"
-SecRule HTTP_Referer|ARGS "maxtennow\.com"
-SecRule HTTP_Referer|ARGS "maxxenlarger\.info"
-SecRule HTTP_Referer|ARGS "medesend\.com"
-SecRule HTTP_Referer|ARGS "medi-place\.com"
-SecRule HTTP_Referer|ARGS "meebwn\.com"
-SecRule HTTP_Referer|ARGS "meganame\.ru"
-SecRule HTTP_Referer|ARGS "megaoem\.com"
-SecRule HTTP_Referer|ARGS "melanomakmi\.com"
-SecRule HTTP_Referer|ARGS "melnikovnh\.com"
-SecRule HTTP_Referer|ARGS "mestir\.info"
-SecRule HTTP_Referer|ARGS "mesurpis\.com"
-SecRule HTTP_Referer|ARGS "metalist13\.net"
-SecRule HTTP_Referer|ARGS "metallurgicaljohn\.com"
-SecRule HTTP_Referer|ARGS "metjetblet\.com"
-SecRule HTTP_Referer|ARGS "mexadivido\.com"
-SecRule HTTP_Referer|ARGS "michealsmith\.net"
-SecRule HTTP_Referer|ARGS "midofirstrim\.com"
-SecRule HTTP_Referer|ARGS "midwayplayers\.net"
-SecRule HTTP_Referer|ARGS "midwayplayers\.org"
-SecRule HTTP_Referer|ARGS "miecznikowski\.us"
-SecRule HTTP_Referer|ARGS "migirenkofg\.com"
-SecRule HTTP_Referer|ARGS "migisisahgaigan\.net"
-SecRule HTTP_Referer|ARGS "milbarefin\.com"
-SecRule HTTP_Referer|ARGS "milisorast\.com"
-SecRule HTTP_Referer|ARGS "milkbrother\.net"
-SecRule HTTP_Referer|ARGS "millionetesit\.com"
-SecRule HTTP_Referer|ARGS "milliongaming\.com"
-SecRule HTTP_Referer|ARGS "millionvote\.info"
-SecRule HTTP_Referer|ARGS "millrenee\.info"
-SecRule HTTP_Referer|ARGS "miltonericksonsociety\.com"
-SecRule HTTP_Referer|ARGS "mim5\.com"
-SecRule HTTP_Referer|ARGS "mimiyori\.biz"
-SecRule HTTP_Referer|ARGS "mimprovisatori\.com"
-SecRule HTTP_Referer|ARGS "mindhorse\.info"
-SecRule HTTP_Referer|ARGS "minimediamix\.com"
-SecRule HTTP_Referer|ARGS "minstryofhealth\.com"
-SecRule HTTP_Referer|ARGS "minuten-galerie\.com"
-SecRule HTTP_Referer|ARGS "mitchellenterprises\.net"
-SecRule HTTP_Referer|ARGS "mitotic\.net"
-SecRule HTTP_Referer|ARGS "mixpics\.info"
-SecRule HTTP_Referer|ARGS "mkdyv\.com"
-SecRule HTTP_Referer|ARGS "mlleadtracking\.com"
-SecRule HTTP_Referer|ARGS "mlmtopgun2\.com"
-SecRule HTTP_Referer|ARGS "mlodzianowski\.us"
-SecRule HTTP_Referer|ARGS "mobilenetwork-nowmediaplace\.com"
-SecRule HTTP_Referer|ARGS "mobnight\.info"
-SecRule HTTP_Referer|ARGS "modogogoserowy\.com"
-SecRule HTTP_Referer|ARGS "moehi\.info"
-SecRule HTTP_Referer|ARGS "mokusexujy\.biz"
-SecRule HTTP_Referer|ARGS "molokais\.info"
-SecRule HTTP_Referer|ARGS "monodactyl\.com"
-SecRule HTTP_Referer|ARGS "monstermailrewards\.net"
-SecRule HTTP_Referer|ARGS "montrealstopten\.com"
-SecRule HTTP_Referer|ARGS "moonlightin\.info"
-SecRule HTTP_Referer|ARGS "morepharmacy\.com"
-SecRule HTTP_Referer|ARGS "moretvshows\.com"
-SecRule HTTP_Referer|ARGS "morewaysforyou\.com"
-SecRule HTTP_Referer|ARGS "motoafs\.com"
-SecRule HTTP_Referer|ARGS "motofors\.com"
-SecRule HTTP_Referer|ARGS "moutnking\.com"
-SecRule HTTP_Referer|ARGS "mp3-playerss\.com"
-SecRule HTTP_Referer|ARGS "mp3mp4players\.net"
-SecRule HTTP_Referer|ARGS "mp4plllayer\.org"
-SecRule HTTP_Referer|ARGS "mrkibaki\.com"
-SecRule HTTP_Referer|ARGS "mrsamjackson\.com"
-SecRule HTTP_Referer|ARGS "mrskotafamily\.com"
-SecRule HTTP_Referer|ARGS "mrsstapels\.com"
-SecRule HTTP_Referer|ARGS "mryna\.info"
-SecRule HTTP_Referer|ARGS "mttree\.com"
-SecRule HTTP_Referer|ARGS "muhawomisigu\.org"
-SecRule HTTP_Referer|ARGS "mulamaker\.com"
-SecRule HTTP_Referer|ARGS "mulberrymailer\.com"
-SecRule HTTP_Referer|ARGS "muloloxycinamo\.com"
-SecRule HTTP_Referer|ARGS "mulumba\.org"
-SecRule HTTP_Referer|ARGS "mupyrohasiqi\.com"
-SecRule HTTP_Referer|ARGS "murisonsglobalhealth\.com"
-SecRule HTTP_Referer|ARGS "muruxicizuzyre\.com"
-SecRule HTTP_Referer|ARGS "musclemoda\.net"
-SecRule HTTP_Referer|ARGS "mustmix\.info"
-SecRule HTTP_Referer|ARGS "mutably\.net"
-SecRule HTTP_Referer|ARGS "mwnbeverly\.com"
-SecRule HTTP_Referer|ARGS "mwncrisp\.com"
-SecRule HTTP_Referer|ARGS "mwndelk\.com"
-SecRule HTTP_Referer|ARGS "mwndonald\.com"
-SecRule HTTP_Referer|ARGS "mwnfriddle\.com"
-SecRule HTTP_Referer|ARGS "mwnhoneycutt\.com"
-SecRule HTTP_Referer|ARGS "mwnlalor\.com"
-SecRule HTTP_Referer|ARGS "mwnpaxton\.com"
-SecRule HTTP_Referer|ARGS "my-globalproducts\.info"
-SecRule HTTP_Referer|ARGS "my-qoquann\.com"
-SecRule HTTP_Referer|ARGS "mybestwatches\.com"
-SecRule HTTP_Referer|ARGS "mybestwatches\.net"
-SecRule HTTP_Referer|ARGS "mybrde\.info"
-SecRule HTTP_Referer|ARGS "myglobalproducts\.info"
-SecRule HTTP_Referer|ARGS "myglobalproductsinc\.info"
-SecRule HTTP_Referer|ARGS "mygreatproducts4u\.com"
-SecRule HTTP_Referer|ARGS "myherequniwego\.com"
-SecRule HTTP_Referer|ARGS "myofferpromotions\.com"
-SecRule HTTP_Referer|ARGS "mypaypal-secure\.us"
-SecRule HTTP_Referer|ARGS "myproducts4sell\.com"
-SecRule HTTP_Referer|ARGS "mysoftdeals\.com"
-SecRule HTTP_Referer|ARGS "mysolidfuture\.com"
-SecRule HTTP_Referer|ARGS "myvisionsbuilder\.com"
-SecRule HTTP_Referer|ARGS "n23fwsxx\.com"
-SecRule HTTP_Referer|ARGS "n2mort\.net"
-SecRule HTTP_Referer|ARGS "n3fwc\.com"
-SecRule HTTP_Referer|ARGS "nageu\.info"
-SecRule HTTP_Referer|ARGS "namnemmo\.com"
-SecRule HTTP_Referer|ARGS "namwatches\.com"
-SecRule HTTP_Referer|ARGS "naonalemb\.com"
-SecRule HTTP_Referer|ARGS "nashigiropot\.biz"
-SecRule HTTP_Referer|ARGS "nashsamoletace\.biz"
-SecRule HTTP_Referer|ARGS "nastycable\.info"
-SecRule HTTP_Referer|ARGS "natalia-bride\.com"
-SecRule HTTP_Referer|ARGS "natalyescort\.info"
-SecRule HTTP_Referer|ARGS "natenkocompanylimited\.com"
-SecRule HTTP_Referer|ARGS "national-team-winners\.com"
-SecRule HTTP_Referer|ARGS "nationalonlinegaming\.org"
-SecRule HTTP_Referer|ARGS "nationalwinning\.com"
-SecRule HTTP_Referer|ARGS "nationalwinningonline\.com"
-SecRule HTTP_Referer|ARGS "nationwideplc\.com"
-SecRule HTTP_Referer|ARGS "natjohnsonsproduct\.com"
-SecRule HTTP_Referer|ARGS "natolaver\.com"
-SecRule HTTP_Referer|ARGS "navinyou\.com"
-SecRule HTTP_Referer|ARGS "ncsourcing\.com"
-SecRule HTTP_Referer|ARGS "ndnmusic\.net"
-SecRule HTTP_Referer|ARGS "nectarinemailer\.com"
-SecRule HTTP_Referer|ARGS "nectcontic\.com"
-SecRule HTTP_Referer|ARGS "nedaowens\.com"
-SecRule HTTP_Referer|ARGS "need-girls\.com"
-SecRule HTTP_Referer|ARGS "needlotsmoresleep\.net"
-SecRule HTTP_Referer|ARGS "neop-ets\.com"
-SecRule HTTP_Referer|ARGS "netloanform\.com"
-SecRule HTTP_Referer|ARGS "netloanlink\.com"
-SecRule HTTP_Referer|ARGS "nettart\.info"
-SecRule HTTP_Referer|ARGS "nettyre\.info"
-SecRule HTTP_Referer|ARGS "networkingalpharetta\.com"
-SecRule HTTP_Referer|ARGS "networofana\.com"
-SecRule HTTP_Referer|ARGS "neue-seiten\.info"
-SecRule HTTP_Referer|ARGS "neurophile\.info"
-SecRule HTTP_Referer|ARGS "new4you2day\.com"
-SecRule HTTP_Referer|ARGS "newbelle\.info"
-SecRule HTTP_Referer|ARGS "newbodi-workout\.com"
-SecRule HTTP_Referer|ARGS "newcanaanfieldclub\.com"
-SecRule HTTP_Referer|ARGS "newhey\.info"
-SecRule HTTP_Referer|ARGS "newsnasty\.com"
-SecRule HTTP_Referer|ARGS "newspacetosave\.com"
-SecRule HTTP_Referer|ARGS "newsthatcounts\.net"
-SecRule HTTP_Referer|ARGS "newureqa\.com"
-SecRule HTTP_Referer|ARGS "newyorkcityjewishsingles\.net"
-SecRule HTTP_Referer|ARGS "ngoziwilliams\.com"
-SecRule HTTP_Referer|ARGS "nhinsurance\.net"
-SecRule HTTP_Referer|ARGS "nice-diamond\.com"
-SecRule HTTP_Referer|ARGS "nicejjang\.com"
-SecRule HTTP_Referer|ARGS "nicewatchez\.net"
-SecRule HTTP_Referer|ARGS "nicneo\.com"
-SecRule HTTP_Referer|ARGS "nighttagoldschool\.net"
-SecRule HTTP_Referer|ARGS "nigtimot\.com"
-SecRule HTTP_Referer|ARGS "nim2\.com"
-SecRule HTTP_Referer|ARGS "nitatugety\.com"
-SecRule HTTP_Referer|ARGS "nkiedgfkiuw\.net"
-SecRule HTTP_Referer|ARGS "nmchili\.net"
-SecRule HTTP_Referer|ARGS "noapricots\.com"
-SecRule HTTP_Referer|ARGS "nodatige\.com"
-SecRule HTTP_Referer|ARGS "nodoggie\.com"
-SecRule HTTP_Referer|ARGS "noeggplant\.com"
-SecRule HTTP_Referer|ARGS "nofudge\.com"
-SecRule HTTP_Referer|ARGS "noindigo\.com"
-SecRule HTTP_Referer|ARGS "nojojida\.com"
-SecRule HTTP_Referer|ARGS "nolamps\.com"
-SecRule HTTP_Referer|ARGS "nomeatpatties\.com"
-SecRule HTTP_Referer|ARGS "nomic\.info"
-SecRule HTTP_Referer|ARGS "nomoredebsonyoucreditcard\.info"
-SecRule HTTP_Referer|ARGS "nonoqihiwijito\.com"
-SecRule HTTP_Referer|ARGS "northlima\.info"
-SecRule HTTP_Referer|ARGS "notifyresultsuk\.net"
-SecRule HTTP_Referer|ARGS "nounobeg\.com"
-SecRule HTTP_Referer|ARGS "nowesans\.com"
-SecRule HTTP_Referer|ARGS "nowheyhey\.info"
-SecRule HTTP_Referer|ARGS "nowmalderga\.com"
-SecRule HTTP_Referer|ARGS "nownowhey\.info"
-SecRule HTTP_Referer|ARGS "nowyouhey\.info"
-SecRule HTTP_Referer|ARGS "npark821mark\.com"
-SecRule HTTP_Referer|ARGS "ntsomenort\.com"
-SecRule HTTP_Referer|ARGS "nualeret\.com"
-SecRule HTTP_Referer|ARGS "nualetage\.com"
-SecRule HTTP_Referer|ARGS "nudauniciopizza\.com"
-SecRule HTTP_Referer|ARGS "nuhkledrop\.com"
-SecRule HTTP_Referer|ARGS "number1help\.net"
-SecRule HTTP_Referer|ARGS "nurseaishalukman\.org"
-SecRule HTTP_Referer|ARGS "nursudget\.com"
-SecRule HTTP_Referer|ARGS "nusemovofo\.com"
-SecRule HTTP_Referer|ARGS "nuvitify\.net"
-SecRule HTTP_Referer|ARGS "nwcstle\.com"
-SecRule HTTP_Referer|ARGS "nwusacte\.info"
-SecRule HTTP_Referer|ARGS "nycjs\.net"
-SecRule HTTP_Referer|ARGS "nyladypojejire\.biz"
-SecRule HTTP_Referer|ARGS "nymytola\.info"
-SecRule HTTP_Referer|ARGS "o0k\.net"
-SecRule HTTP_Referer|ARGS "o2mo\.com"
-SecRule HTTP_Referer|ARGS "o9sama4\.com"
-SecRule HTTP_Referer|ARGS "oberherr\.com"
-SecRule HTTP_Referer|ARGS "obermairmj\.net"
-SecRule HTTP_Referer|ARGS "obor8\.com"
-SecRule HTTP_Referer|ARGS "obzy\.info"
-SecRule HTTP_Referer|ARGS "oceanwaterfalls\.com"
-SecRule HTTP_Referer|ARGS "odjqm\.com"
-SecRule HTTP_Referer|ARGS "odtcg\.com"
-SecRule HTTP_Referer|ARGS "oemaugust5\.com"
-SecRule HTTP_Referer|ARGS "oemlogo\.com"
-SecRule HTTP_Referer|ARGS "oemparadise\.com"
-SecRule HTTP_Referer|ARGS "oemsensor\.com"
-SecRule HTTP_Referer|ARGS "oemversions\.com"
-SecRule HTTP_Referer|ARGS "oetterstone\.com"
-SecRule HTTP_Referer|ARGS "offerdelivery\.com"
-SecRule HTTP_Referer|ARGS "offerdeliverynetwork\.com"
-SecRule HTTP_Referer|ARGS "offerlit\.com"
-SecRule HTTP_Referer|ARGS "ofredcoman\.com"
-SecRule HTTP_Referer|ARGS "ohena\.info"
-SecRule HTTP_Referer|ARGS "oijfvnj\.com"
-SecRule HTTP_Referer|ARGS "oldschoolgoodmovie\.net"
-SecRule HTTP_Referer|ARGS "olivetreeinc\.com"
-SecRule HTTP_Referer|ARGS "omgshesohot\.com"
-SecRule HTTP_Referer|ARGS "omgsmokinggirls\.net"
-SecRule HTTP_Referer|ARGS "onapattohit\.com"
-SecRule HTTP_Referer|ARGS "ondk\.com"
-SecRule HTTP_Referer|ARGS "onemoreshot\.info"
-SecRule HTTP_Referer|ARGS "onestopspaw\.com"
-SecRule HTTP_Referer|ARGS "onlinekontoauthorisation\.com"
-SecRule HTTP_Referer|ARGS "onlinemailrewards\.com"
-SecRule HTTP_Referer|ARGS "onlinesweepagent\.com"
-SecRule HTTP_Referer|ARGS "onlinewebgames\.net"
-SecRule HTTP_Referer|ARGS "onlyforyounow\.com"
-SecRule HTTP_Referer|ARGS "onsale-recipes\.com"
-SecRule HTTP_Referer|ARGS "onthemove4you\.com"
-SecRule HTTP_Referer|ARGS "ooik\.com"
-SecRule HTTP_Referer|ARGS "oosm\.info"
-SecRule HTTP_Referer|ARGS "openinggate1\.com"
-SecRule HTTP_Referer|ARGS "opentao\.info"
-SecRule HTTP_Referer|ARGS "oplegazin\.com"
-SecRule HTTP_Referer|ARGS "oppster\.biz"
-SecRule HTTP_Referer|ARGS "opsakoltas\.net"
-SecRule HTTP_Referer|ARGS "optimusltd\.info"
-SecRule HTTP_Referer|ARGS "optinemails\.org"
-SecRule HTTP_Referer|ARGS "optinemailtoday\.biz"
-SecRule HTTP_Referer|ARGS "optmazing\.info"
-SecRule HTTP_Referer|ARGS "oralcaregums\.com"
-SecRule HTTP_Referer|ARGS "orangermanthillness\.com"
-SecRule HTTP_Referer|ARGS "orch5\.com"
-SecRule HTTP_Referer|ARGS "oregon-exotic-hardwoods\.com"
-SecRule HTTP_Referer|ARGS "orgasmm\.net"
-SecRule HTTP_Referer|ARGS "orofesonal\.com"
-SecRule HTTP_Referer|ARGS "osagopolis\.ru"
-SecRule HTTP_Referer|ARGS "oshinfasvlesz\.biz"
-SecRule HTTP_Referer|ARGS "osomy\.info"
-SecRule HTTP_Referer|ARGS "ourvisionnet\.com"
-SecRule HTTP_Referer|ARGS "outarguing\.com"
-SecRule HTTP_Referer|ARGS "outcyber\.info"
-SecRule HTTP_Referer|ARGS "outrageousmailcenter\.net"
-SecRule HTTP_Referer|ARGS "ouys\.com"
-SecRule HTTP_Referer|ARGS "overcooke\.com"
-SecRule HTTP_Referer|ARGS "overfills\.com"
-SecRule HTTP_Referer|ARGS "overtotect\.com"
-SecRule HTTP_Referer|ARGS "ovule\.net"
-SecRule HTTP_Referer|ARGS "owienlightworld\.net"
-SecRule HTTP_Referer|ARGS "owninga\.info"
-SecRule HTTP_Referer|ARGS "owochambers\.com"
-SecRule HTTP_Referer|ARGS "p17refi\.net"
-SecRule HTTP_Referer|ARGS "p2mturkey\.com"
-SecRule HTTP_Referer|ARGS "pacificchess\.com"
-SecRule HTTP_Referer|ARGS "packetlope\.com"
-SecRule HTTP_Referer|ARGS "pacojysego\.com"
-SecRule HTTP_Referer|ARGS "pagecanada\.info"
-SecRule HTTP_Referer|ARGS "pagehostmaster\.com"
-SecRule HTTP_Referer|ARGS "pagovid\.com"
-SecRule HTTP_Referer|ARGS "pahug\.info"
-SecRule HTTP_Referer|ARGS "painreliefbygreatmeds\.com"
-SecRule HTTP_Referer|ARGS "pajezigi\.info"
-SecRule HTTP_Referer|ARGS "palmcoastwebdesign\.com"
-SecRule HTTP_Referer|ARGS "pamelasite\.info"
-SecRule HTTP_Referer|ARGS "panasehu\.com"
-SecRule HTTP_Referer|ARGS "panelian\.info"
-SecRule HTTP_Referer|ARGS "panels-interactive\.com"
-SecRule HTTP_Referer|ARGS "paradertis\.com"
-SecRule HTTP_Referer|ARGS "paradiseclick1\.com"
-SecRule HTTP_Referer|ARGS "partyintj\.com"
-SecRule HTTP_Referer|ARGS "passsurf\.com"
-SecRule HTTP_Referer|ARGS "patchier\.com"
-SecRule HTTP_Referer|ARGS "pathelen\.info"
-SecRule HTTP_Referer|ARGS "pattondearman\.com"
-SecRule HTTP_Referer|ARGS "patxi-mar\.com"
-SecRule HTTP_Referer|ARGS "pavlinios\.info"
-SecRule HTTP_Referer|ARGS "paymentnotification-ukgames\.net"
-SecRule HTTP_Referer|ARGS "payoffdawg\.com"
-SecRule HTTP_Referer|ARGS "payoleros\.info"
-SecRule HTTP_Referer|ARGS "paypal-com-cgi-bin-confirmation-pp784841\.com"
-SecRule HTTP_Referer|ARGS "paypal-suport\.com"
-SecRule HTTP_Referer|ARGS "paywe\.com"
-SecRule HTTP_Referer|ARGS "pazovelifi\.com"
-SecRule HTTP_Referer|ARGS "pcssource\.com"
-SecRule HTTP_Referer|ARGS "pcwer\.com"
-SecRule HTTP_Referer|ARGS "pdj1\.com"
-SecRule HTTP_Referer|ARGS "pdx4less\.com"
-SecRule HTTP_Referer|ARGS "peanutpredictions\.com"
-SecRule HTTP_Referer|ARGS "pefacewezaco\.com"
-SecRule HTTP_Referer|ARGS "pekingman\.org"
-SecRule HTTP_Referer|ARGS "pendestra\.com"
-SecRule HTTP_Referer|ARGS "pendotherod\.com"
-SecRule HTTP_Referer|ARGS "pennystwistedweb\.com"
-SecRule HTTP_Referer|ARGS "pepipome\.com"
-SecRule HTTP_Referer|ARGS "perecawefu\.biz"
-SecRule HTTP_Referer|ARGS "peredlojitlger\.biz"
-SecRule HTTP_Referer|ARGS "perfectpricesss\.net"
-SecRule HTTP_Referer|ARGS "perperkks\.com"
-SecRule HTTP_Referer|ARGS "personalsaccess\.com"
-SecRule HTTP_Referer|ARGS "perubio\.info"
-SecRule HTTP_Referer|ARGS "peterwil\.com"
-SecRule HTTP_Referer|ARGS "petiteworks\.com"
-SecRule HTTP_Referer|ARGS "pibixyxoli\.com"
-SecRule HTTP_Referer|ARGS "piblendit\.com"
-SecRule HTTP_Referer|ARGS "pidekijadibuma\.com"
-SecRule HTTP_Referer|ARGS "pieromania\.com"
-SecRule HTTP_Referer|ARGS "pigskinpimp\.com"
-SecRule HTTP_Referer|ARGS "pillsofpassion\.biz"
-SecRule HTTP_Referer|ARGS "pimywunami\.com"
-SecRule HTTP_Referer|ARGS "pincuderis\.com"
-SecRule HTTP_Referer|ARGS "ping-audio\.com"
-SecRule HTTP_Referer|ARGS "pinke99\.com"
-SecRule HTTP_Referer|ARGS "pinkfloydhu\.net"
-SecRule HTTP_Referer|ARGS "pinprickgainly\.com"
-SecRule HTTP_Referer|ARGS "pislacesrfezer\.biz"
-SecRule HTTP_Referer|ARGS "piznadnunaserva\.biz"
-SecRule HTTP_Referer|ARGS "planet-hu\.net"
-SecRule HTTP_Referer|ARGS "planet-mail1\.com"
-SecRule HTTP_Referer|ARGS "planetainternets\.com"
-SecRule HTTP_Referer|ARGS "planetwinningnotification\.org"
-SecRule HTTP_Referer|ARGS "plasmasigns\.net"
-SecRule HTTP_Referer|ARGS "platinoidperfection\.com"
-SecRule HTTP_Referer|ARGS "platinumpix\.net"
-SecRule HTTP_Referer|ARGS "playersss\.com"
-SecRule HTTP_Referer|ARGS "plewteq\.com"
-SecRule HTTP_Referer|ARGS "pliarides\.net"
-SecRule HTTP_Referer|ARGS "plizosevaderto\.biz"
-SecRule HTTP_Referer|ARGS "pllayernow\.com"
-SecRule HTTP_Referer|ARGS "pmingledorff\.org"
-SecRule HTTP_Referer|ARGS "point4kid\.com"
-SecRule HTTP_Referer|ARGS "poker-check\.com"
-SecRule HTTP_Referer|ARGS "poker-unique\.com"
-SecRule HTTP_Referer|ARGS "pokersitesgirls\.info"
-SecRule HTTP_Referer|ARGS "poledasertgase\.biz"
-SecRule HTTP_Referer|ARGS "polisadertgase\.biz"
-SecRule HTTP_Referer|ARGS "polivasedberz\.biz"
-SecRule HTTP_Referer|ARGS "poluchistesmix\.biz"
-SecRule HTTP_Referer|ARGS "popbasic\.com"
-SecRule HTTP_Referer|ARGS "porasoviralertaz\.biz"
-SecRule HTTP_Referer|ARGS "porshess\.com"
-SecRule HTTP_Referer|ARGS "portpanel\.com"
-SecRule HTTP_Referer|ARGS "poslechgodirl\.biz"
-SecRule HTTP_Referer|ARGS "possclub\.com"
-SecRule HTTP_Referer|ARGS "post-cardz\.com"
-SecRule HTTP_Referer|ARGS "postal-cafe\.com"
-SecRule HTTP_Referer|ARGS "potentialprovider\.com"
-SecRule HTTP_Referer|ARGS "powafowe\.com"
-SecRule HTTP_Referer|ARGS "powellia\.com"
-SecRule HTTP_Referer|ARGS "powerlibra\.com"
-SecRule HTTP_Referer|ARGS "poweroffers4u\.com"
-SecRule HTTP_Referer|ARGS "poyntinggy\.com"
-SecRule HTTP_Referer|ARGS "pp-activation\.net"
-SecRule HTTP_Referer|ARGS "pqmort\.net"
-SecRule HTTP_Referer|ARGS "pr1es\.com"
-SecRule HTTP_Referer|ARGS "pr1es\.net"
-SecRule HTTP_Referer|ARGS "praveshgupta\.com"
-SecRule HTTP_Referer|ARGS "premierconsultoria\.com"
-SecRule HTTP_Referer|ARGS "premiumoffersonline\.com"
-SecRule HTTP_Referer|ARGS "premixing\.com"
-SecRule HTTP_Referer|ARGS "prenude\.net"
-SecRule HTTP_Referer|ARGS "presleymetallurgical\.com"
-SecRule HTTP_Referer|ARGS "pressers\.net"
-SecRule HTTP_Referer|ARGS "prettyvirgins\.biz"
-SecRule HTTP_Referer|ARGS "pricklypeach\.com"
-SecRule HTTP_Referer|ARGS "primeawardpromo\.com"
-SecRule HTTP_Referer|ARGS "principlesofsavings\.com"
-SecRule HTTP_Referer|ARGS "private-link\.info"
-SecRule HTTP_Referer|ARGS "private-s0urce\.com"
-SecRule HTTP_Referer|ARGS "privateoffshorefund\.com"
-SecRule HTTP_Referer|ARGS "privetferasxer\.biz"
-SecRule HTTP_Referer|ARGS "processingoffice\.com"
-SecRule HTTP_Referer|ARGS "processonline\.net"
-SecRule HTTP_Referer|ARGS "prodforyou\.com"
-SecRule HTTP_Referer|ARGS "profileupdates\.biz"
-SecRule HTTP_Referer|ARGS "promosort\.com"
-SecRule HTTP_Referer|ARGS "promptestcherokees\.com"
-SecRule HTTP_Referer|ARGS "pronicjkfc\.com"
-SecRule HTTP_Referer|ARGS "prorefinance\.com"
-SecRule HTTP_Referer|ARGS "prostonaosteve\.biz"
-SecRule HTTP_Referer|ARGS "provides\.biz"
-SecRule HTTP_Referer|ARGS "psarefi\.net"
-SecRule HTTP_Referer|ARGS "psilotumbun\.net"
-SecRule HTTP_Referer|ARGS "psoftintlinc\.com"
-SecRule HTTP_Referer|ARGS "publiclender\.com"
-SecRule HTTP_Referer|ARGS "puchedesion\.com"
-SecRule HTTP_Referer|ARGS "puhatema\.com"
-SecRule HTTP_Referer|ARGS "pulishanere\.com"
-SecRule HTTP_Referer|ARGS "purality\.com"
-SecRule HTTP_Referer|ARGS "purcarirf\.net"
-SecRule HTTP_Referer|ARGS "putarushonit\.com"
-SecRule HTTP_Referer|ARGS "pyffn\.com"
-SecRule HTTP_Referer|ARGS "pynakomeny\.info"
-SecRule HTTP_Referer|ARGS "pyvyxefo\.com"
-SecRule HTTP_Referer|ARGS "qahl\.com"
-SecRule HTTP_Referer|ARGS "qamry\.info"
-SecRule HTTP_Referer|ARGS "qbks\.com"
-SecRule HTTP_Referer|ARGS "qepr\.com"
-SecRule HTTP_Referer|ARGS "qidpharmacy\.com"
-SecRule HTTP_Referer|ARGS "qimejomi\.info"
-SecRule HTTP_Referer|ARGS "qiqiqowiziwore\.info"
-SecRule HTTP_Referer|ARGS "qiwyzeci\.com"
-SecRule HTTP_Referer|ARGS "qoparifedypi\.com"
-SecRule HTTP_Referer|ARGS "qualitypeek\.com"
-SecRule HTTP_Referer|ARGS "quance\.net"
-SecRule HTTP_Referer|ARGS "quantumemedia-updates\.com"
-SecRule HTTP_Referer|ARGS "quasiqueries\.com"
-SecRule HTTP_Referer|ARGS "queercheese\.com"
-SecRule HTTP_Referer|ARGS "quenteri\.com"
-SecRule HTTP_Referer|ARGS "quickvisitorsnow\.com"
-SecRule HTTP_Referer|ARGS "quinazquinaz\.com"
-SecRule HTTP_Referer|ARGS "quotesdot\.com"
-SecRule HTTP_Referer|ARGS "qybiqevoru\.info"
-SecRule HTTP_Referer|ARGS "qyguxylymijaxi\.com"
-SecRule HTTP_Referer|ARGS "qyxaqykaxife\.com"
-SecRule HTTP_Referer|ARGS "qyzatiboba\.org"
-SecRule HTTP_Referer|ARGS "r22refi\.net"
-SecRule HTTP_Referer|ARGS "radiantmailcenters\.net"
-SecRule HTTP_Referer|ARGS "radionumber\.info"
-SecRule HTTP_Referer|ARGS "radiorumba\.fm"
-SecRule HTTP_Referer|ARGS "raffadantas\.com"
-SecRule HTTP_Referer|ARGS "rainiswet\.info"
-SecRule HTTP_Referer|ARGS "rainparadise\.info"
-SecRule HTTP_Referer|ARGS "rainscarescars\.net"
-SecRule HTTP_Referer|ARGS "raise10\.com"
-SecRule HTTP_Referer|ARGS "rajufajeva\.com"
-SecRule HTTP_Referer|ARGS "rappedapps\.com"
-SecRule HTTP_Referer|ARGS "rarufawupifo\.com"
-SecRule HTTP_Referer|ARGS "rbcon\.info"
-SecRule HTTP_Referer|ARGS "rbprkes\.info"
-SecRule HTTP_Referer|ARGS "rdrsby\.com"
-SecRule HTTP_Referer|ARGS "re2n\.com"
-SecRule HTTP_Referer|ARGS "realmarketads\.com"
-SecRule HTTP_Referer|ARGS "realmat\.com"
-SecRule HTTP_Referer|ARGS "realpriceshop\.net"
-SecRule HTTP_Referer|ARGS "realtimemktg2\.com"
-SecRule HTTP_Referer|ARGS "reascends\.net"
-SecRule HTTP_Referer|ARGS "reasserts\.info"
-SecRule HTTP_Referer|ARGS "recemypumu\.com"
-SecRule HTTP_Referer|ARGS "recipesandmore\.net"
-SecRule HTTP_Referer|ARGS "redblueyoudo\.com"
-SecRule HTTP_Referer|ARGS "redcfg3\.com"
-SecRule HTTP_Referer|ARGS "redcfg4\.com"
-SecRule HTTP_Referer|ARGS "redefer\.info"
-SecRule HTTP_Referer|ARGS "redstrikeforce\.com"
-SecRule HTTP_Referer|ARGS "redtalud\.com"
-SecRule HTTP_Referer|ARGS "redyqucy\.com"
-SecRule HTTP_Referer|ARGS "reel-fun\.com"
-SecRule HTTP_Referer|ARGS "reeldollars\.com"
-SecRule HTTP_Referer|ARGS "refinancefire\.com"
-SecRule HTTP_Referer|ARGS "refinancefrom\.com"
-SecRule HTTP_Referer|ARGS "refinanceisez\.com"
-SecRule HTTP_Referer|ARGS "refinasite902\.com"
-SecRule HTTP_Referer|ARGS "refinowal2\.com"
-SecRule HTTP_Referer|ARGS "refnowsaiap\.com"
-SecRule HTTP_Referer|ARGS "refreshingpoolsofwater\.net"
-SecRule HTTP_Referer|ARGS "regionalalert\.net"
-SecRule HTTP_Referer|ARGS "regionalmailcenter\.net"
-SecRule HTTP_Referer|ARGS "regionwatch\.net"
-SecRule HTTP_Referer|ARGS "relaiblerep\.com"
-SecRule HTTP_Referer|ARGS "releasez\.com"
-SecRule HTTP_Referer|ARGS "relishazine\.com"
-SecRule HTTP_Referer|ARGS "remiand\.com"
-SecRule HTTP_Referer|ARGS "renoracer\.com"
-SecRule HTTP_Referer|ARGS "rep-liberia\.com"
-SecRule HTTP_Referer|ARGS "replicabargainbasement\.com"
-SecRule HTTP_Referer|ARGS "reships\.net"
-SecRule HTTP_Referer|ARGS "respondersnet\.net"
-SecRule HTTP_Referer|ARGS "restoninvesting\.com"
-SecRule HTTP_Referer|ARGS "resumetric\.com"
-SecRule HTTP_Referer|ARGS "revealment\.com"
-SecRule HTTP_Referer|ARGS "revealment\.net"
-SecRule HTTP_Referer|ARGS "revforse\.com"
-SecRule HTTP_Referer|ARGS "rextora\.info"
-SecRule HTTP_Referer|ARGS "rfznet\.com"
-SecRule HTTP_Referer|ARGS "rg-line\.com"
-SecRule HTTP_Referer|ARGS "rgluk\.net"
-SecRule HTTP_Referer|ARGS "rhmgexpand\.com"
-SecRule HTTP_Referer|ARGS "rhodecereals\.com"
-SecRule HTTP_Referer|ARGS "riamenteit\.com"
-SecRule HTTP_Referer|ARGS "ricandream\.com"
-SecRule HTTP_Referer|ARGS "richburgccd\.org"
-SecRule HTTP_Referer|ARGS "richsam\.com"
-SecRule HTTP_Referer|ARGS "richsecretsrevealed\.com"
-SecRule HTTP_Referer|ARGS "richtom\.com"
-SecRule HTTP_Referer|ARGS "ridebay\.net"
-SecRule HTTP_Referer|ARGS "rigolets\.info"
-SecRule HTTP_Referer|ARGS "riguk\.info"
-SecRule HTTP_Referer|ARGS "riinternetenterprises\.com"
-SecRule HTTP_Referer|ARGS "rikogr\.com"
-SecRule HTTP_Referer|ARGS "rillocoa\.info"
-SecRule HTTP_Referer|ARGS "ringroadbathrooms\.com"
-SecRule HTTP_Referer|ARGS "riqojebo\.com"
-SecRule HTTP_Referer|ARGS "risemoon\.info"
-SecRule HTTP_Referer|ARGS "risra\.info"
-SecRule HTTP_Referer|ARGS "risynloe\.info"
-SecRule HTTP_Referer|ARGS "rk-plastic\.com"
-SecRule HTTP_Referer|ARGS "rllcen\.com"
-SecRule HTTP_Referer|ARGS "rllformat\.com"
-SecRule HTTP_Referer|ARGS "rlosyrki\.info"
-SecRule HTTP_Referer|ARGS "rnicmoim\.info"
-SecRule HTTP_Referer|ARGS "robertoboldrin\.com"
-SecRule HTTP_Referer|ARGS "rockvilleinvestments\.com"
-SecRule HTTP_Referer|ARGS "roclandia\.com"
-SecRule HTTP_Referer|ARGS "rogrohe\.com"
-SecRule HTTP_Referer|ARGS "roleaids\.net"
-SecRule HTTP_Referer|ARGS "rollandhal\.com"
-SecRule HTTP_Referer|ARGS "rollsroycepromotions\.com"
-SecRule HTTP_Referer|ARGS "rolofrelig\.com"
-SecRule HTTP_Referer|ARGS "rolya\.info"
-SecRule HTTP_Referer|ARGS "ronta\.info"
-SecRule HTTP_Referer|ARGS "roommatearecool\.net"
-SecRule HTTP_Referer|ARGS "roomupforrent\.net"
-SecRule HTTP_Referer|ARGS "roroy\.info"
-SecRule HTTP_Referer|ARGS "rosiered\.com"
-SecRule HTTP_Referer|ARGS "roughoptu\.com"
-SecRule HTTP_Referer|ARGS "roughplayers\.net"
-SecRule HTTP_Referer|ARGS "rourkemcgaffin\.com"
-SecRule HTTP_Referer|ARGS "rovagegybejace\.com"
-SecRule HTTP_Referer|ARGS "rovincanth\.com"
-SecRule HTTP_Referer|ARGS "roxtoman\.com"
-SecRule HTTP_Referer|ARGS "royalbank-ofscotland\.com"
-SecRule HTTP_Referer|ARGS "royalgrouprealty\.com"
-SecRule HTTP_Referer|ARGS "roygrossbg\.net"
-SecRule HTTP_Referer|ARGS "rpcic\.com"
-SecRule HTTP_Referer|ARGS "rquiytyso\.info"
-SecRule HTTP_Referer|ARGS "rreniaba\.info"
-SecRule HTTP_Referer|ARGS "rruacref\.info"
-SecRule HTTP_Referer|ARGS "rscheatdump\.com"
-SecRule HTTP_Referer|ARGS "rubricate\.net"
-SecRule HTTP_Referer|ARGS "rufszk\.info"
-SecRule HTTP_Referer|ARGS "rufufugusy\.org"
-SecRule HTTP_Referer|ARGS "ruidecle\.info"
-SecRule HTTP_Referer|ARGS "rulanerms\.com"
-SecRule HTTP_Referer|ARGS "rulrecea\.info"
-SecRule HTTP_Referer|ARGS "runningstar\.net"
-SecRule HTTP_Referer|ARGS "ruqewowari\.com"
-SecRule HTTP_Referer|ARGS "ruqixodiwoli\.com"
-SecRule HTTP_Referer|ARGS "rustycabbages\.com"
-SecRule HTTP_Referer|ARGS "rustyice\.info"
-SecRule HTTP_Referer|ARGS "rvpnewsletter4\.com"
-SecRule HTTP_Referer|ARGS "rvpnewsletter5\.com"
-SecRule HTTP_Referer|ARGS "rvpnewsletter6\.com"
-SecRule HTTP_Referer|ARGS "rvpnewsletter7\.com"
-SecRule HTTP_Referer|ARGS "rx-centralmedical\.com"
-SecRule HTTP_Referer|ARGS "rx-depotmeds\.com"
-SecRule HTTP_Referer|ARGS "rx-forallmeds\.com"
-SecRule HTTP_Referer|ARGS "rx-foryourmeds\.com"
-SecRule HTTP_Referer|ARGS "rx-ischeap\.com"
-SecRule HTTP_Referer|ARGS "rx-isgoodmeds\.com"
-SecRule HTTP_Referer|ARGS "rx-isgreatmeds\.com"
-SecRule HTTP_Referer|ARGS "rx-isveryimportant\.com"
-SecRule HTTP_Referer|ARGS "rx-megastoremedical\.com"
-SecRule HTTP_Referer|ARGS "rygalytalogapu\.com"
-SecRule HTTP_Referer|ARGS "rysybuqodipu\.com"
-SecRule HTTP_Referer|ARGS "s-d21\.com"
-SecRule HTTP_Referer|ARGS "s-t-o-p\.info"
-SecRule HTTP_Referer|ARGS "s3ctor\.com"
-SecRule HTTP_Referer|ARGS "s3ctor\.net"
-SecRule HTTP_Referer|ARGS "sadazyfexymy\.com"
-SecRule HTTP_Referer|ARGS "saddis\.com"
-SecRule HTTP_Referer|ARGS "saferon\.info"
-SecRule HTTP_Referer|ARGS "saidqwest\.com"
-SecRule HTTP_Referer|ARGS "sailboat-4-sale\.com"
-SecRule HTTP_Referer|ARGS "sajahunylo\.com"
-SecRule HTTP_Referer|ARGS "sale-dvd\.com"
-SecRule HTTP_Referer|ARGS "sale-ps\.com"
-SecRule HTTP_Referer|ARGS "sale-vcd\.com"
-SecRule HTTP_Referer|ARGS "saleoptus\.com"
-SecRule HTTP_Referer|ARGS "salvage-of-war\.com"
-SecRule HTTP_Referer|ARGS "samedayshipping\.net"
-SecRule HTTP_Referer|ARGS "sashebec\.com"
-SecRule HTTP_Referer|ARGS "satisis\.info"
-SecRule HTTP_Referer|ARGS "satudomibi\.com"
-SecRule HTTP_Referer|ARGS "savingsticketssite\.com"
-SecRule HTTP_Referer|ARGS "savoryqaw2\.com"
-SecRule HTTP_Referer|ARGS "sayguhdbi\.com"
-SecRule HTTP_Referer|ARGS "sbete\.info"
-SecRule HTTP_Referer|ARGS "sbohcosl\.info"
-SecRule HTTP_Referer|ARGS "schlagerrager\.com"
-SecRule HTTP_Referer|ARGS "schoolyardgames\.net"
-SecRule HTTP_Referer|ARGS "sclientfour\.com"
-SecRule HTTP_Referer|ARGS "scopulos\.com"
-SecRule HTTP_Referer|ARGS "scrolnights\.com"
-SecRule HTTP_Referer|ARGS "scullcap\.net"
-SecRule HTTP_Referer|ARGS "sdg123\.com"
-SecRule HTTP_Referer|ARGS "sdkjbnsgb3\.com"
-SecRule HTTP_Referer|ARGS "sdlongshi\.com"
-SecRule HTTP_Referer|ARGS "seacycles\.net"
-SecRule HTTP_Referer|ARGS "sealaguna\.info"
-SecRule HTTP_Referer|ARGS "searchforadiscount\.com"
-SecRule HTTP_Referer|ARGS "searchtiles\.com"
-SecRule HTTP_Referer|ARGS "seasurn\.com"
-SecRule HTTP_Referer|ARGS "seatale\.info"
-SecRule HTTP_Referer|ARGS "secure-site1044\.com"
-SecRule HTTP_Referer|ARGS "secure-site1072\.com"
-SecRule HTTP_Referer|ARGS "secure-site9477\.com"
-SecRule HTTP_Referer|ARGS "secureangel\.com"
-SecRule HTTP_Referer|ARGS "secureity-7746\.com"
-SecRule HTTP_Referer|ARGS "securepostalsolutions\.com"
-SecRule HTTP_Referer|ARGS "seddlanter4\.com"
-SecRule HTTP_Referer|ARGS "sefuceje\.com"
-SecRule HTTP_Referer|ARGS "semacasi\.com"
-SecRule HTTP_Referer|ARGS "semi8\.com"
-SecRule HTTP_Referer|ARGS "semimiqu\.info"
-SecRule HTTP_Referer|ARGS "sender-ebay\.com"
-SecRule HTTP_Referer|ARGS "sendmailplus\.biz"
-SecRule HTTP_Referer|ARGS "senegobeky\.com"
-SecRule HTTP_Referer|ARGS "senseera\.com"
-SecRule HTTP_Referer|ARGS "sercinle\.com"
-SecRule HTTP_Referer|ARGS "serp3\.com"
-SecRule HTTP_Referer|ARGS "serverbackup595\.com"
-SecRule HTTP_Referer|ARGS "service-paypal\.us"
-SecRule HTTP_Referer|ARGS "sesquialteral\.com"
-SecRule HTTP_Referer|ARGS "sesquialteral\.net"
-SecRule HTTP_Referer|ARGS "severloan\.net"
-SecRule HTTP_Referer|ARGS "sevurekijyzy\.com"
-SecRule HTTP_Referer|ARGS "sexaychinchicks\.info"
-SecRule HTTP_Referer|ARGS "sexayh12412412chicks\.info"
-SecRule HTTP_Referer|ARGS "sexy1234214girls\.info"
-SecRule HTTP_Referer|ARGS "sexychinchicks\.info"
-SecRule HTTP_Referer|ARGS "sexyonlinechicks\.info"
-SecRule HTTP_Referer|ARGS "seyh\.info"
-SecRule HTTP_Referer|ARGS "sgielayg\.info"
-SecRule HTTP_Referer|ARGS "sh00t\.com"
-SecRule HTTP_Referer|ARGS "sh00t\.net"
-SecRule HTTP_Referer|ARGS "sh00ts\.com"
-SecRule HTTP_Referer|ARGS "sh0ot\.com"
-SecRule HTTP_Referer|ARGS "sh0ot\.net"
-SecRule HTTP_Referer|ARGS "sh0ots\.com"
-SecRule HTTP_Referer|ARGS "sharkfur\.com"
-SecRule HTTP_Referer|ARGS "sherwoodchurchofchrist\.com"
-SecRule HTTP_Referer|ARGS "shessohot\.net"
-SecRule HTTP_Referer|ARGS "shhv\.net"
-SecRule HTTP_Referer|ARGS "shickyshacky\.com"
-SecRule HTTP_Referer|ARGS "shimura-ushiro\.com"
-SecRule HTTP_Referer|ARGS "sho0t\.com"
-SecRule HTTP_Referer|ARGS "sho0ts\.com"
-SecRule HTTP_Referer|ARGS "sho0ts\.net"
-SecRule HTTP_Referer|ARGS "shopinustoday\.org"
-SecRule HTTP_Referer|ARGS "shopmyshow\.net"
-SecRule HTTP_Referer|ARGS "shopnownetworks\.com"
-SecRule HTTP_Referer|ARGS "shopperzcraze\.info"
-SecRule HTTP_Referer|ARGS "shopustoday\.org"
-SecRule HTTP_Referer|ARGS "shorerat\.info"
-SecRule HTTP_Referer|ARGS "shouichipo\.com"
-SecRule HTTP_Referer|ARGS "shugarcake\.com"
-SecRule HTTP_Referer|ARGS "shutterbugnet\.com"
-SecRule HTTP_Referer|ARGS "shuttinanestima\.com"
-SecRule HTTP_Referer|ARGS "shwatches\.com"
-SecRule HTTP_Referer|ARGS "sicyzuzy\.info"
-SecRule HTTP_Referer|ARGS "sidneysorts\.com"
-SecRule HTTP_Referer|ARGS "signplayer\.com"
-SecRule HTTP_Referer|ARGS "sijiva\.info"
-SecRule HTTP_Referer|ARGS "sillsellsoo\.com"
-SecRule HTTP_Referer|ARGS "silverskin\.info"
-SecRule HTTP_Referer|ARGS "simpleyetgood\.com"
-SecRule HTTP_Referer|ARGS "singinginthevain\.com"
-SecRule HTTP_Referer|ARGS "siniwoda\.com"
-SecRule HTTP_Referer|ARGS "sinogeme\.com"
-SecRule HTTP_Referer|ARGS "sinogemexports1\.com"
-SecRule HTTP_Referer|ARGS "sinosteel-tradings\.com"
-SecRule HTTP_Referer|ARGS "site2refinow\.com"
-SecRule HTTP_Referer|ARGS "siteallrefi02\.com"
-SecRule HTTP_Referer|ARGS "siterefi1009\.com"
-SecRule HTTP_Referer|ARGS "sizde\.info"
-SecRule HTTP_Referer|ARGS "skilledattainment\.com"
-SecRule HTTP_Referer|ARGS "sklonlineworld\.com"
-SecRule HTTP_Referer|ARGS "skybeachtie\.com"
-SecRule HTTP_Referer|ARGS "skylender\.com"
-SecRule HTTP_Referer|ARGS "slaveries\.net"
-SecRule HTTP_Referer|ARGS "smeah\.info"
-SecRule HTTP_Referer|ARGS "smelanson\.net"
-SecRule HTTP_Referer|ARGS "smenirenal\.com"
-SecRule HTTP_Referer|ARGS "smmwatch\.com"
-SecRule HTTP_Referer|ARGS "smokazz\.com"
-SecRule HTTP_Referer|ARGS "smokersclubint\.com"
-SecRule HTTP_Referer|ARGS "smokeymtnroyals\.com"
-SecRule HTTP_Referer|ARGS "smokingchicks\.info"
-SecRule HTTP_Referer|ARGS "smolic\.biz"
-SecRule HTTP_Referer|ARGS "snachilalospolde\.biz"
-SecRule HTTP_Referer|ARGS "snarkymarkets\.com"
-SecRule HTTP_Referer|ARGS "sndforclnt1\.com"
-SecRule HTTP_Referer|ARGS "sndforclnt2\.com"
-SecRule HTTP_Referer|ARGS "snmrktg\.net"
-SecRule HTTP_Referer|ARGS "sobroken\.net"
-SecRule HTTP_Referer|ARGS "socalbordeaux\.com"
-SecRule HTTP_Referer|ARGS "software4clubs\.com"
-SecRule HTTP_Referer|ARGS "sohotasses\.info"
-SecRule HTTP_Referer|ARGS "sololivesinmybasement\.com"
-SecRule HTTP_Referer|ARGS "solvedproblemshop\.com"
-SecRule HTTP_Referer|ARGS "somanychicks\.info"
-SecRule HTTP_Referer|ARGS "somv3\.com"
-SecRule HTTP_Referer|ARGS "songspa\.info"
-SecRule HTTP_Referer|ARGS "sonicaurora\.info"
-SecRule HTTP_Referer|ARGS "sonicjoy\.com"
-SecRule HTTP_Referer|ARGS "sorrywemissedyou\.net"
-SecRule HTTP_Referer|ARGS "sothebysitalia\.com"
-SecRule HTTP_Referer|ARGS "sotozunolu\.com"
-SecRule HTTP_Referer|ARGS "sotrepedly\.com"
-SecRule HTTP_Referer|ARGS "soundofcontentment\.com"
-SecRule HTTP_Referer|ARGS "soupterwar\.com"
-SecRule HTTP_Referer|ARGS "southernoregonconcerts\.com"
-SecRule HTTP_Referer|ARGS "spaceoftime\.net"
-SecRule HTTP_Referer|ARGS "spaliziseg\.com"
-SecRule HTTP_Referer|ARGS "spearmints\.net"
-SecRule HTTP_Referer|ARGS "specialdirect4u\.com"
-SecRule HTTP_Referer|ARGS "specialoffersonline\.biz"
-SecRule HTTP_Referer|ARGS "specialtyseptic\.com"
-SecRule HTTP_Referer|ARGS "specialtyxapplication\.com"
-SecRule HTTP_Referer|ARGS "specificconsummation\.com"
-SecRule HTTP_Referer|ARGS "speechcelebration\.com"
-SecRule HTTP_Referer|ARGS "speedyproduct\.net"
-SecRule HTTP_Referer|ARGS "spicykmid\.com"
-SecRule HTTP_Referer|ARGS "spielunking\.com"
-SecRule HTTP_Referer|ARGS "spiketomoran\.com"
-SecRule HTTP_Referer|ARGS "spiritfc\.net"
-SecRule HTTP_Referer|ARGS "spizzle\.net"
-SecRule HTTP_Referer|ARGS "split-em\.com"
-SecRule HTTP_Referer|ARGS "sportsolutionsinc\.com"
-SecRule HTTP_Referer|ARGS "spurts\.net"
-SecRule HTTP_Referer|ARGS "squirtlovers\.net"
-SecRule HTTP_Referer|ARGS "srfrogys\.com"
-SecRule HTTP_Referer|ARGS "ss-07\.com"
-SecRule HTTP_Referer|ARGS "ss-09\.com"
-SecRule HTTP_Referer|ARGS "ss-11\.com"
-SecRule HTTP_Referer|ARGS "ss08\.com"
-SecRule HTTP_Referer|ARGS "ssspro\.com"
-SecRule HTTP_Referer|ARGS "stadareach\.com"
-SecRule HTTP_Referer|ARGS "stallingsmisfit\.com"
-SecRule HTTP_Referer|ARGS "standard-trustplc-nig\.org"
-SecRule HTTP_Referer|ARGS "stararc\.com"
-SecRule HTTP_Referer|ARGS "starslide\.com"
-SecRule HTTP_Referer|ARGS "staryaki\.info"
-SecRule HTTP_Referer|ARGS "stasusanna\.net"
-SecRule HTTP_Referer|ARGS "steptoworld\.net"
-SecRule HTTP_Referer|ARGS "sternpro\.info"
-SecRule HTTP_Referer|ARGS "sternwarte-welzheim\.net"
-SecRule HTTP_Referer|ARGS "stevelerch\.com"
-SecRule HTTP_Referer|ARGS "stop4rx\.biz"
-SecRule HTTP_Referer|ARGS "storasonapat\.com"
-SecRule HTTP_Referer|ARGS "store-whore\.info"
-SecRule HTTP_Referer|ARGS "storedandsecured\.com"
-SecRule HTTP_Referer|ARGS "storeswirelessworld\.com"
-SecRule HTTP_Referer|ARGS "stoughtoninvestments\.com"
-SecRule HTTP_Referer|ARGS "stribontut\.com"
-SecRule HTTP_Referer|ARGS "stripedqw\.com"
-SecRule HTTP_Referer|ARGS "stroyinvestlab\.biz"
-SecRule HTTP_Referer|ARGS "stuardestolxe\.biz"
-SecRule HTTP_Referer|ARGS "studio3i\.org"
-SecRule HTTP_Referer|ARGS "suavecatconsultinggroup\.net"
-SecRule HTTP_Referer|ARGS "successcollege\.biz"
-SecRule HTTP_Referer|ARGS "successcollege\.net"
-SecRule HTTP_Referer|ARGS "successcollege\.org"
-SecRule HTTP_Referer|ARGS "successcollege\.us"
-SecRule HTTP_Referer|ARGS "successful-marketing-system\.com"
-SecRule HTTP_Referer|ARGS "successmovienow\.com"
-SecRule HTTP_Referer|ARGS "suchmaschinenexperten2000\.com"
-SecRule HTTP_Referer|ARGS "suegnoguairo\.com"
-SecRule HTTP_Referer|ARGS "sufoxajy\.com"
-SecRule HTTP_Referer|ARGS "sugartele\.info"
-SecRule HTTP_Referer|ARGS "sulkytopbobby\.com"
-SecRule HTTP_Referer|ARGS "sumariza\.info"
-SecRule HTTP_Referer|ARGS "sundayte\.com"
-SecRule HTTP_Referer|ARGS "sunmarketflag\.com"
-SecRule HTTP_Referer|ARGS "super-hot-gals\.info"
-SecRule HTTP_Referer|ARGS "superhotchicksss\.com"
-SecRule HTTP_Referer|ARGS "superhotcihicks\.info"
-SecRule HTTP_Referer|ARGS "supernethotties\.net"
-SecRule HTTP_Referer|ARGS "supersexaygirls\.com"
-SecRule HTTP_Referer|ARGS "supineness\.net"
-SecRule HTTP_Referer|ARGS "supplysolutionslimited\.com"
-SecRule HTTP_Referer|ARGS "sureofthis\.com"
-SecRule HTTP_Referer|ARGS "surfsalon\.com"
-SecRule HTTP_Referer|ARGS "surveypeople\.net"
-SecRule HTTP_Referer|ARGS "survivorsni\.com"
-SecRule HTTP_Referer|ARGS "suzihuso\.com"
-SecRule HTTP_Referer|ARGS "sweep-stakecentral\.com"
-SecRule HTTP_Referer|ARGS "sweepsensationsnow-group\.com"
-SecRule HTTP_Referer|ARGS "sweethawthunnies\.com"
-SecRule HTTP_Referer|ARGS "sweetrudectober\.com"
-SecRule HTTP_Referer|ARGS "swetepee\.com"
-SecRule HTTP_Referer|ARGS "swiftpaydayloan\.com"
-SecRule HTTP_Referer|ARGS "swimminglessonsamust\.net"
-SecRule HTTP_Referer|ARGS "sworedat\.com"
-SecRule HTTP_Referer|ARGS "swrr\.org"
-SecRule HTTP_Referer|ARGS "sycugatyhofo\.net"
-SecRule HTTP_Referer|ARGS "syfutezodame\.com"
-SecRule HTTP_Referer|ARGS "symobiles\.com"
-SecRule HTTP_Referer|ARGS "syndirella\.org"
-SecRule HTTP_Referer|ARGS "synergysoup\.org"
-SecRule HTTP_Referer|ARGS "synergysounds\.org"
-SecRule HTTP_Referer|ARGS "synonyma\.com"
-SecRule HTTP_Referer|ARGS "synonyma\.net"
-SecRule HTTP_Referer|ARGS "syphonians\.com"
-SecRule HTTP_Referer|ARGS "sys-names\.com"
-SecRule HTTP_Referer|ARGS "szjlglass\.com"
-SecRule HTTP_Referer|ARGS "tablisentacom\.com"
-SecRule HTTP_Referer|ARGS "tacekacamala\.com"
-SecRule HTTP_Referer|ARGS "tadeux\.com"
-SecRule HTTP_Referer|ARGS "taiyuanjie\.com\.cn"
-SecRule HTTP_Referer|ARGS "taiyuanjie\.org"
-SecRule HTTP_Referer|ARGS "takenworks\.com"
-SecRule HTTP_Referer|ARGS "talafha\.com"
-SecRule HTTP_Referer|ARGS "tallabatk\.com"
-SecRule HTTP_Referer|ARGS "tamenet\.info"
-SecRule HTTP_Referer|ARGS "tantree\.info"
-SecRule HTTP_Referer|ARGS "taquatre\.com"
-SecRule HTTP_Referer|ARGS "tarlev\.info"
-SecRule HTTP_Referer|ARGS "tarpie\.com"
-SecRule HTTP_Referer|ARGS "tastytricia\.com"
-SecRule HTTP_Referer|ARGS "tatrois\.com"
-SecRule HTTP_Referer|ARGS "taune\.com"
-SecRule HTTP_Referer|ARGS "tbesg\.info"
-SecRule HTTP_Referer|ARGS "tbuh\.com"
-SecRule HTTP_Referer|ARGS "tcs-it\.net"
-SecRule HTTP_Referer|ARGS "team-alliance\.net"
-SecRule HTTP_Referer|ARGS "teamlifeinsurance\.com"
-SecRule HTTP_Referer|ARGS "teamwbc\.net"
-SecRule HTTP_Referer|ARGS "tebaynktoces\.biz"
-SecRule HTTP_Referer|ARGS "tehiseho\.com"
-SecRule HTTP_Referer|ARGS "teleotech\.net"
-SecRule HTTP_Referer|ARGS "televisionfreaks\.com"
-SecRule HTTP_Referer|ARGS "telkir\.com"
-SecRule HTTP_Referer|ARGS "teluveryn\.com"
-SecRule HTTP_Referer|ARGS "tempelaere\.net"
-SecRule HTTP_Referer|ARGS "tenderise\.net"
-SecRule HTTP_Referer|ARGS "terakki2005\.net"
-SecRule HTTP_Referer|ARGS "tetkazervagers\.biz"
-SecRule HTTP_Referer|ARGS "textiliana\.com"
-SecRule HTTP_Referer|ARGS "thatfreesite\.com"
-SecRule HTTP_Referer|ARGS "thatsdirectoffers\.com"
-SecRule HTTP_Referer|ARGS "thatsmydoginc\.com"
-SecRule HTTP_Referer|ARGS "thaun\.info"
-SecRule HTTP_Referer|ARGS "the-cash-carnival\.com"
-SecRule HTTP_Referer|ARGS "theauctiontrainers\.com"
-SecRule HTTP_Referer|ARGS "thebestchinchicks\.info"
-SecRule HTTP_Referer|ARGS "thecatbirdsettee\.com"
-SecRule HTTP_Referer|ARGS "thecountryclub\.us"
-SecRule HTTP_Referer|ARGS "thecraftershome\.com"
-SecRule HTTP_Referer|ARGS "thegraphichost\.com"
-SecRule HTTP_Referer|ARGS "thehotchinchicks\.info"
-SecRule HTTP_Referer|ARGS "thehottest123123\.info"
-SecRule HTTP_Referer|ARGS "thehottestchicks\.info"
-SecRule HTTP_Referer|ARGS "thehottestchinchicks\.info"
-SecRule HTTP_Referer|ARGS "theisraellights\.com"
-SecRule HTTP_Referer|ARGS "thelastpageoftheinternet\.net"
-SecRule HTTP_Referer|ARGS "thelifestylechangers\.com"
-SecRule HTTP_Referer|ARGS "themoneydigest\.com"
-SecRule HTTP_Referer|ARGS "thenikky\.info"
-SecRule HTTP_Referer|ARGS "therealdealsdirect\.com"
-SecRule HTTP_Referer|ARGS "therusmarketing\.com"
-SecRule HTTP_Referer|ARGS "theseoffersforyou\.com"
-SecRule HTTP_Referer|ARGS "theservicemarket\.org"
-SecRule HTTP_Referer|ARGS "thesuperbookstop\.com"
-SecRule HTTP_Referer|ARGS "thexxxprize\.com"
-SecRule HTTP_Referer|ARGS "theyseek\.net"
-SecRule HTTP_Referer|ARGS "thingatshelter\.com"
-SecRule HTTP_Referer|ARGS "third-express\.com"
-SecRule HTTP_Referer|ARGS "thisbevf\.com"
-SecRule HTTP_Referer|ARGS "thiscreatureso\.com"
-SecRule HTTP_Referer|ARGS "thisezyl0an\.com"
-SecRule HTTP_Referer|ARGS "thisithewaybackhome\.com"
-SecRule HTTP_Referer|ARGS "thispartnership\.net"
-SecRule HTTP_Referer|ARGS "thisweekonly\.biz"
-SecRule HTTP_Referer|ARGS "tholcomb\.org"
-SecRule HTTP_Referer|ARGS "thortonhillscorp\.info"
-SecRule HTTP_Referer|ARGS "thousodel\.com"
-SecRule HTTP_Referer|ARGS "threetoowon\.com"
-SecRule HTTP_Referer|ARGS "thumbaride\.net"
-SecRule HTTP_Referer|ARGS "thunderlist\.com"
-SecRule HTTP_Referer|ARGS "tickytracky\.com"
-SecRule HTTP_Referer|ARGS "tiendaswifi\.com"
-SecRule HTTP_Referer|ARGS "timasican\.com"
-SecRule HTTP_Referer|ARGS "timetobigdeal\.com"
-SecRule HTTP_Referer|ARGS "tipperly\.com"
-SecRule HTTP_Referer|ARGS "tirol-festival\.net"
-SecRule HTTP_Referer|ARGS "tirpudecollege\.com"
-SecRule HTTP_Referer|ARGS "titemeso\.info"
-SecRule HTTP_Referer|ARGS "tmesdv\.com"
-SecRule HTTP_Referer|ARGS "todayican-subscribers\.com"
-SecRule HTTP_Referer|ARGS "todoh\.info"
-SecRule HTTP_Referer|ARGS "todybafynorebi\.com"
-SecRule HTTP_Referer|ARGS "tokens4free\.com"
-SecRule HTTP_Referer|ARGS "tomorrowsave\.com"
-SecRule HTTP_Referer|ARGS "toomanyplans\.net"
-SecRule HTTP_Referer|ARGS "toothandknail\.com"
-SecRule HTTP_Referer|ARGS "topdealshowroom\.com"
-SecRule HTTP_Referer|ARGS "topmaybah\.com"
-SecRule HTTP_Referer|ARGS "totalstresscase\.net"
-SecRule HTTP_Referer|ARGS "totempower\.com"
-SecRule HTTP_Referer|ARGS "touchwork\.info"
-SecRule HTTP_Referer|ARGS "tr1usc\.com"
-SecRule HTTP_Referer|ARGS "trackpimp\.com"
-SecRule HTTP_Referer|ARGS "trade-relations\.net"
-SecRule HTTP_Referer|ARGS "trafficlightsslowmedown\.net"
-SecRule HTTP_Referer|ARGS "trainingeniousinger\.com"
-SecRule HTTP_Referer|ARGS "trainingsensationstore\.com"
-SecRule HTTP_Referer|ARGS "tramparamparam\.com"
-SecRule HTTP_Referer|ARGS "trancilliarhynoplastics\.com"
-SecRule HTTP_Referer|ARGS "tranquillizing\.net"
-SecRule HTTP_Referer|ARGS "transfour\.info"
-SecRule HTTP_Referer|ARGS "trasonalif\.com"
-SecRule HTTP_Referer|ARGS "traveleng\.com"
-SecRule HTTP_Referer|ARGS "trdriverzone\.net"
-SecRule HTTP_Referer|ARGS "treerosered\.com"
-SecRule HTTP_Referer|ARGS "trgnm3\.com"
-SecRule HTTP_Referer|ARGS "triftyfinow\.com"
-SecRule HTTP_Referer|ARGS "trimturbo\.com"
-SecRule HTTP_Referer|ARGS "trindlegriz2\.com"
-SecRule HTTP_Referer|ARGS "trionxglobal\.com"
-SecRule HTTP_Referer|ARGS "trirholdings\.com"
-SecRule HTTP_Referer|ARGS "troupers\.net"
-SecRule HTTP_Referer|ARGS "trunkeryope7\.com"
-SecRule HTTP_Referer|ARGS "tryumphentday5\.com"
-SecRule HTTP_Referer|ARGS "ts4refi\.net"
-SecRule HTTP_Referer|ARGS "tsproperties\.net"
-SecRule HTTP_Referer|ARGS "tthingamabob\.us"
-SecRule HTTP_Referer|ARGS "ttvast\.com"
-SecRule HTTP_Referer|ARGS "tubre\.info"
-SecRule HTTP_Referer|ARGS "tudoo\.info"
-SecRule HTTP_Referer|ARGS "tukentsik\.com"
-SecRule HTTP_Referer|ARGS "tumescent\.net"
-SecRule HTTP_Referer|ARGS "tumywoze\.biz"
-SecRule HTTP_Referer|ARGS "turneraxc\.net"
-SecRule HTTP_Referer|ARGS "turnsout\.net"
-SecRule HTTP_Referer|ARGS "tutehyxi\.info"
-SecRule HTTP_Referer|ARGS "twiddler\.net"
-SecRule HTTP_Referer|ARGS "twofacesofeve\.com"
-SecRule HTTP_Referer|ARGS "twotoome\.com"
-SecRule HTTP_Referer|ARGS "typeloan\.info"
-SecRule HTTP_Referer|ARGS "tyquvesaqujozu\.info"
-SecRule HTTP_Referer|ARGS "uhyperpyrexia\.us"
-SecRule HTTP_Referer|ARGS "uk-national-lotte\.com"
-SecRule HTTP_Referer|ARGS "uk-national-worldwide-promogamewinners\.com"
-SecRule HTTP_Referer|ARGS "uk-nnbonline\.com"
-SecRule HTTP_Referer|ARGS "uk-promoworld\.net"
-SecRule HTTP_Referer|ARGS "ukclaimsdepartment\.net"
-SecRule HTTP_Referer|ARGS "ukdirector\.net"
-SecRule HTTP_Referer|ARGS "ukinternationalwin\.com"
-SecRule HTTP_Referer|ARGS "ukl-promo\.com"
-SecRule HTTP_Referer|ARGS "uklotery-orgnizer\.com"
-SecRule HTTP_Referer|ARGS "uknational-claims\.net"
-SecRule HTTP_Referer|ARGS "uknational-lott0\.com"
-SecRule HTTP_Referer|ARGS "uknationallotouk\.com"
-SecRule HTTP_Referer|ARGS "uknationalonlinepromoworld\.net"
-SecRule HTTP_Referer|ARGS "uknationalonlinewinnings\.org"
-SecRule HTTP_Referer|ARGS "uknationalottrey\.com"
-SecRule HTTP_Referer|ARGS "uknationalwinnersdelivery\.com"
-SecRule HTTP_Referer|ARGS "uknlonlinedraws\.com"
-SecRule HTTP_Referer|ARGS "ukonline-promotional-programes\.com"
-SecRule HTTP_Referer|ARGS "ukontrop\.com"
-SecRule HTTP_Referer|ARGS "ukvisacreditcard\.com"
-SecRule HTTP_Referer|ARGS "ukwinnersupdateannouncement\.com"
-SecRule HTTP_Referer|ARGS "ukwinninggamesinuk\.com"
-SecRule HTTP_Referer|ARGS "ukwinninginternationalpromo\.com"
-SecRule HTTP_Referer|ARGS "ukwinningmail1\.com"
-SecRule HTTP_Referer|ARGS "ukworldpromotion\.com"
-SecRule HTTP_Referer|ARGS "ulageeteir6\.com"
-SecRule HTTP_Referer|ARGS "ultimatemailcenters\.com"
-SecRule HTTP_Referer|ARGS "ultimatemailcenters\.net"
-SecRule HTTP_Referer|ARGS "ultimatemailincentive\.com"
-SecRule HTTP_Referer|ARGS "ultimatemailincentive\.net"
-SecRule HTTP_Referer|ARGS "ultimatemailincentives\.com"
-SecRule HTTP_Referer|ARGS "ultimatemailincentives\.net"
-SecRule HTTP_Referer|ARGS "ultimatemailonline\.com"
-SecRule HTTP_Referer|ARGS "ultimatemailreward\.com"
-SecRule HTTP_Referer|ARGS "ultimatemoneytyphoon\.biz"
-SecRule HTTP_Referer|ARGS "ultimaterewardmail\.net"
-SecRule HTTP_Referer|ARGS "ultimatevalue\.biz"
-SecRule HTTP_Referer|ARGS "uludagotomotiv\.com"
-SecRule HTTP_Referer|ARGS "umarc\.info"
-SecRule HTTP_Referer|ARGS "umejuhmp\.com"
-SecRule HTTP_Referer|ARGS "umort\.net"
-SecRule HTTP_Referer|ARGS "unclefud\.com"
-SecRule HTTP_Referer|ARGS "uneaten\.net"
-SecRule HTTP_Referer|ARGS "uneedered\.com"
-SecRule HTTP_Referer|ARGS "unfairbanks\.com"
-SecRule HTTP_Referer|ARGS "unfairbanksbye\.com"
-SecRule HTTP_Referer|ARGS "unitemised\.net"
-SecRule HTTP_Referer|ARGS "universoshinobi\.com"
-SecRule HTTP_Referer|ARGS "unpursed\.com"
-SecRule HTTP_Referer|ARGS "unpursed\.net"
-SecRule HTTP_Referer|ARGS "untitled-website\.com"
-SecRule HTTP_Referer|ARGS "unwarily\.com"
-SecRule HTTP_Referer|ARGS "update-user1040\.info"
-SecRule HTTP_Referer|ARGS "update-user2413\.info"
-SecRule HTTP_Referer|ARGS "update-user3245\.info"
-SecRule HTTP_Referer|ARGS "update-user3333\.info"
-SecRule HTTP_Referer|ARGS "update-user3897\.info"
-SecRule HTTP_Referer|ARGS "update-user4123\.info"
-SecRule HTTP_Referer|ARGS "update-user4337\.info"
-SecRule HTTP_Referer|ARGS "update-user4884\.info"
-SecRule HTTP_Referer|ARGS "update-user5005\.info"
-SecRule HTTP_Referer|ARGS "update-user5467\.info"
-SecRule HTTP_Referer|ARGS "update-user5645\.info"
-SecRule HTTP_Referer|ARGS "uplod-information-ukbank\.co\.uk"
-SecRule HTTP_Referer|ARGS "uproar-update\.com"
-SecRule HTTP_Referer|ARGS "urbanplayers\.com"
-SecRule HTTP_Referer|ARGS "urlbsmtrack-a\.com"
-SecRule HTTP_Referer|ARGS "urlbsmtrack-z\.com"
-SecRule HTTP_Referer|ARGS "usargenteus\.com"
-SecRule HTTP_Referer|ARGS "usbuyersdirect\.com"
-SecRule HTTP_Referer|ARGS "usdee\.info"
-SecRule HTTP_Referer|ARGS "usedjoke\.info"
-SecRule HTTP_Referer|ARGS "user-profile4365\.info"
-SecRule HTTP_Referer|ARGS "usisfarwest\.net"
-SecRule HTTP_Referer|ARGS "utinamcblb\.com"
-SecRule HTTP_Referer|ARGS "uweedna\.com"
-SecRule HTTP_Referer|ARGS "vakybugetuka\.com"
-SecRule HTTP_Referer|ARGS "valerytour\.info"
-SecRule HTTP_Referer|ARGS "valuablendeskeeter\.com"
-SecRule HTTP_Referer|ARGS "vandynes\.info"
-SecRule HTTP_Referer|ARGS "vapaqelimoxu\.com"
-SecRule HTTP_Referer|ARGS "vaporings\.info"
-SecRule HTTP_Referer|ARGS "variety-tickets\.net"
-SecRule HTTP_Referer|ARGS "vassweaters\.com"
-SecRule HTTP_Referer|ARGS "vatsinc\.com"
-SecRule HTTP_Referer|ARGS "vaulee\.com"
-SecRule HTTP_Referer|ARGS "vblotto\.com"
-SecRule HTTP_Referer|ARGS "vebill\.biz"
-SecRule HTTP_Referer|ARGS "vendwest\.com"
-SecRule HTTP_Referer|ARGS "verhe\.info"
-SecRule HTTP_Referer|ARGS "vernoncentral\.net"
-SecRule HTTP_Referer|ARGS "versautesfickfleisch\.com"
-SecRule HTTP_Referer|ARGS "vertrib\.info"
-SecRule HTTP_Referer|ARGS "verybestontheweb\.com"
-SecRule HTTP_Referer|ARGS "veryt\.info"
-SecRule HTTP_Referer|ARGS "veska\.info"
-SecRule HTTP_Referer|ARGS "vet5\.info"
-SecRule HTTP_Referer|ARGS "vetinn\.info"
-SecRule HTTP_Referer|ARGS "vfer\.info"
-SecRule HTTP_Referer|ARGS "vibill\.biz"
-SecRule HTTP_Referer|ARGS "vibrant-fun\.com"
-SecRule HTTP_Referer|ARGS "vibratenow\.com"
-SecRule HTTP_Referer|ARGS "vibratingtimes\.com"
-SecRule HTTP_Referer|ARGS "victo\.info"
-SecRule HTTP_Referer|ARGS "videotaperentals\.com"
-SecRule HTTP_Referer|ARGS "viduxixycodi\.com"
-SecRule HTTP_Referer|ARGS "vinuelalakes\.com"
-SecRule HTTP_Referer|ARGS "virginiabumpscorp\.info"
-SecRule HTTP_Referer|ARGS "virginmovies\.info"
-SecRule HTTP_Referer|ARGS "virgins-portal\.info"
-SecRule HTTP_Referer|ARGS "visapp\.net"
-SecRule HTTP_Referer|ARGS "visionsmarketingonline\.com"
-SecRule HTTP_Referer|ARGS "visionsmarketingweb\.com"
-SecRule HTTP_Referer|ARGS "vitrasshop\.com"
-SecRule HTTP_Referer|ARGS "vixv\.com"
-SecRule HTTP_Referer|ARGS "vjdrefi\.net"
-SecRule HTTP_Referer|ARGS "vmablder\.com"
-SecRule HTTP_Referer|ARGS "vmesteuchilister\.biz"
-SecRule HTTP_Referer|ARGS "vocejugaro\.net"
-SecRule HTTP_Referer|ARGS "vodarehepi\.biz"
-SecRule HTTP_Referer|ARGS "vogo\.info"
-SecRule HTTP_Referer|ARGS "volander\.com"
-SecRule HTTP_Referer|ARGS "volcasriv\.com"
-SecRule HTTP_Referer|ARGS "volys\.info"
-SecRule HTTP_Referer|ARGS "vr-netwoerld\.com"
-SecRule HTTP_Referer|ARGS "vraperex\.com"
-SecRule HTTP_Referer|ARGS "vulcanise\.net"
-SecRule HTTP_Referer|ARGS "vyhokulu\.info"
-SecRule HTTP_Referer|ARGS "vyzevireka\.org"
-SecRule HTTP_Referer|ARGS "vyzovitpodozfer\.biz"
-SecRule HTTP_Referer|ARGS "wacourtservices\.com"
-SecRule HTTP_Referer|ARGS "waferlyhundred54\.com"
-SecRule HTTP_Referer|ARGS "wagstowncorp\.net"
-SecRule HTTP_Referer|ARGS "wahffsite\.co\.uk"
-SecRule HTTP_Referer|ARGS "wakemae\.com"
-SecRule HTTP_Referer|ARGS "wallywrld\.net"
-SecRule HTTP_Referer|ARGS "walorylirakidi\.com"
-SecRule HTTP_Referer|ARGS "waltermoore-ukpromo\.net"
-SecRule HTTP_Referer|ARGS "walthaminvesting\.com"
-SecRule HTTP_Referer|ARGS "wanoprot\.com"
-SecRule HTTP_Referer|ARGS "wantgirls\.net"
-SecRule HTTP_Referer|ARGS "wantgirlsnow\.com"
-SecRule HTTP_Referer|ARGS "wantthecheck\.com"
-SecRule HTTP_Referer|ARGS "wapijowuwu\.net"
-SecRule HTTP_Referer|ARGS "wardstakebranch\.com"
-SecRule HTTP_Referer|ARGS "warezstore\.us"
-SecRule HTTP_Referer|ARGS "washingtonjudges\.com"
-SecRule HTTP_Referer|ARGS "watcheswed\.com"
-SecRule HTTP_Referer|ARGS "watcheswes\.com"
-SecRule HTTP_Referer|ARGS "watchzbestprice\.net"
-SecRule HTTP_Referer|ARGS "wathcesdd\.com"
-SecRule HTTP_Referer|ARGS "wavisolv\.com"
-SecRule HTTP_Referer|ARGS "waynebar\.info"
-SecRule HTTP_Referer|ARGS "waytogame\.com"
-SecRule HTTP_Referer|ARGS "wbc-company\.net"
-SecRule HTTP_Referer|ARGS "wbccompanycentral\.com"
-SecRule HTTP_Referer|ARGS "wbccompanyconnect\.com"
-SecRule HTTP_Referer|ARGS "wbcsite\.net"
-SecRule HTTP_Referer|ARGS "wbresource\.com"
-SecRule HTTP_Referer|ARGS "wcolligan\.com"
-SecRule HTTP_Referer|ARGS "wear1tn1ce\.com"
-SecRule HTTP_Referer|ARGS "webjars\.com"
-SecRule HTTP_Referer|ARGS "webmail-internationalstake-promo\.com"
-SecRule HTTP_Referer|ARGS "webmilla\.info"
-SecRule HTTP_Referer|ARGS "webringbuster\.com"
-SecRule HTTP_Referer|ARGS "webscr-cgi-login-page\.com"
-SecRule HTTP_Referer|ARGS "wedighap\.com"
-SecRule HTTP_Referer|ARGS "weftp\.com"
-SecRule HTTP_Referer|ARGS "weightmgmt\.net"
-SecRule HTTP_Referer|ARGS "wekrai\.com"
-SecRule HTTP_Referer|ARGS "welid\.com"
-SecRule HTTP_Referer|ARGS "weoil\.com"
-SecRule HTTP_Referer|ARGS "werehulica\.net"
-SecRule HTTP_Referer|ARGS "wernerse\.net"
-SecRule HTTP_Referer|ARGS "westbestwatches\.com"
-SecRule HTTP_Referer|ARGS "westroem\.com"
-SecRule HTTP_Referer|ARGS "wetwathcg\.com"
-SecRule HTTP_Referer|ARGS "whapydres\.com"
-SecRule HTTP_Referer|ARGS "whatdatbe\.com"
-SecRule HTTP_Referer|ARGS "whateveronearth\.com"
-SecRule HTTP_Referer|ARGS "whilasdatuwe\.com"
-SecRule HTTP_Referer|ARGS "whiteheadisland\.com"
-SecRule HTTP_Referer|ARGS "whitewinkers\.com"
-SecRule HTTP_Referer|ARGS "whoarealexandomberov\.com"
-SecRule HTTP_Referer|ARGS "whoet\.info"
-SecRule HTTP_Referer|ARGS "whorezrus\.info"
-SecRule HTTP_Referer|ARGS "whowhabo\.com"
-SecRule HTTP_Referer|ARGS "widanguris\.com"
-SecRule HTTP_Referer|ARGS "wifflesets\.com"
-SecRule HTTP_Referer|ARGS "wifiwifewife\.com"
-SecRule HTTP_Referer|ARGS "wileserst\.com"
-SecRule HTTP_Referer|ARGS "willmynet\.com"
-SecRule HTTP_Referer|ARGS "wilusuqu\.com"
-SecRule HTTP_Referer|ARGS "winathomedeals\.com"
-SecRule HTTP_Referer|ARGS "winbrundrivecorp\.info"
-SecRule HTTP_Referer|ARGS "windsprayer\.com"
-SecRule HTTP_Referer|ARGS "winnersdraw\.com"
-SecRule HTTP_Referer|ARGS "winnersnotificationworld\.com"
-SecRule HTTP_Referer|ARGS "winningatthinning\.net"
-SecRule HTTP_Referer|ARGS "winningclaims-office-ukgames\.com"
-SecRule HTTP_Referer|ARGS "winningsagency\.com"
-SecRule HTTP_Referer|ARGS "winningsnotification2005\.com"
-SecRule HTTP_Referer|ARGS "winsaua\.com"
-SecRule HTTP_Referer|ARGS "winsweeps-mail2\.com"
-SecRule HTTP_Referer|ARGS "wisexivaja\.com"
-SecRule HTTP_Referer|ARGS "wkiebiwbef\.com"
-SecRule HTTP_Referer|ARGS "wkngloves\.com"
-SecRule HTTP_Referer|ARGS "wlesueur\.com"
-SecRule HTTP_Referer|ARGS "wolander\.com"
-SecRule HTTP_Referer|ARGS "wolap\.info"
-SecRule HTTP_Referer|ARGS "wolfianaaw\.com"
-SecRule HTTP_Referer|ARGS "wonelaster\.com"
-SecRule HTTP_Referer|ARGS "woodgold\.info"
-SecRule HTTP_Referer|ARGS "woodnight\.info"
-SecRule HTTP_Referer|ARGS "woodpushers\.net"
-SecRule HTTP_Referer|ARGS "woolsales\.net"
-SecRule HTTP_Referer|ARGS "wooyeng\.com"
-SecRule HTTP_Referer|ARGS "workathomejobs\.us\.tt"
-SecRule HTTP_Referer|ARGS "workingcommunicationdesigns\.com"
-SecRule HTTP_Referer|ARGS "worldfreightservices-uk\.com"
-SecRule HTTP_Referer|ARGS "worldgolfsearch\.com"
-SecRule HTTP_Referer|ARGS "worldmobi\.net"
-SecRule HTTP_Referer|ARGS "wottapavlova\.com"
-SecRule HTTP_Referer|ARGS "wretches\.net"
-SecRule HTTP_Referer|ARGS "writebored\.com"
-SecRule HTTP_Referer|ARGS "wufarytidovo\.com"
-SecRule HTTP_Referer|ARGS "wuhaqunaxuzu\.com"
-SecRule HTTP_Referer|ARGS "wusrefi\.net"
-SecRule HTTP_Referer|ARGS "wynukibuli\.info"
-SecRule HTTP_Referer|ARGS "xbsmghosthost\.com"
-SecRule HTTP_Referer|ARGS "xc21sddf\.com"
-SecRule HTTP_Referer|ARGS "xcb234r\.com"
-SecRule HTTP_Referer|ARGS "xdob\.info"
-SecRule HTTP_Referer|ARGS "xegosukoqeke\.com"
-SecRule HTTP_Referer|ARGS "xf50\.com"
-SecRule HTTP_Referer|ARGS "xhungrygirl\.info"
-SecRule HTTP_Referer|ARGS "xiqakojexyketo\.info"
-SecRule HTTP_Referer|ARGS "xncb2\.info"
-SecRule HTTP_Referer|ARGS "xnn2\.info"
-SecRule HTTP_Referer|ARGS "xnnnz\.info"
-SecRule HTTP_Referer|ARGS "xojaheroho\.com"
-SecRule HTTP_Referer|ARGS "xpassist\.com"
-SecRule HTTP_Referer|ARGS "xumavuna\.com"
-SecRule HTTP_Referer|ARGS "xxtremeconnections\.net"
-SecRule HTTP_Referer|ARGS "xxxmoviesgirls\.com"
-SecRule HTTP_Referer|ARGS "xycejunimyhi\.com"
-SecRule HTTP_Referer|ARGS "yahgetsomeofthis\.com"
-SecRule HTTP_Referer|ARGS "yahihaditlastnight\.com"
-SecRule HTTP_Referer|ARGS "yahooooooooooooo\.net"
-SecRule HTTP_Referer|ARGS "yellowloon\.com"
-SecRule HTTP_Referer|ARGS "yesmort\.net"
-SecRule HTTP_Referer|ARGS "yez7\.com"
-SecRule HTTP_Referer|ARGS "yoddler7843\.com"
-SecRule HTTP_Referer|ARGS "yoli\.info"
-SecRule HTTP_Referer|ARGS "yomniarte\.com"
-SecRule HTTP_Referer|ARGS "youcantoo00\.com"
-SecRule HTTP_Referer|ARGS "youcantoo00\.net"
-SecRule HTTP_Referer|ARGS "youheyhey\.info"
-SecRule HTTP_Referer|ARGS "youneedvisit\.com"
-SecRule HTTP_Referer|ARGS "your1choice\.net"
-SecRule HTTP_Referer|ARGS "yourfreenews\.net"
-SecRule HTTP_Referer|ARGS "yourfungamesgroup\.net"
-SecRule HTTP_Referer|ARGS "yourmanhood\.com"
-SecRule HTTP_Referer|ARGS "yourontheway\.com"
-SecRule HTTP_Referer|ARGS "yourrewardsdept\.com"
-SecRule HTTP_Referer|ARGS "youvebeenwrapped\.com"
-SecRule HTTP_Referer|ARGS "yroundharbourgb\.net"
-SecRule HTTP_Referer|ARGS "ysno\.com"
-SecRule HTTP_Referer|ARGS "ytjfgh\.com"
-SecRule HTTP_Referer|ARGS "yu220708361\.com"
-SecRule HTTP_Referer|ARGS "yukosoilandgas\.net"
-SecRule HTTP_Referer|ARGS "yukosoilandgass\.net"
-SecRule HTTP_Referer|ARGS "yummyfirstcourse\.com"
-SecRule HTTP_Referer|ARGS "yungjun\.com"
-SecRule HTTP_Referer|ARGS "yungjun2\.com"
-SecRule HTTP_Referer|ARGS "yuzwgg\.info"
-SecRule HTTP_Referer|ARGS "yxyhkn\.com"
-SecRule HTTP_Referer|ARGS "z1investments\.biz"
-SecRule HTTP_Referer|ARGS "zaca\.info"
-SecRule HTTP_Referer|ARGS "zachemnefertazs\.biz"
-SecRule HTTP_Referer|ARGS "zachmneesterfas\.biz"
-SecRule HTTP_Referer|ARGS "zaebalistorase\.biz"
-SecRule HTTP_Referer|ARGS "zafegosizifa\.info"
-SecRule HTTP_Referer|ARGS "zagapony\.com"
-SecRule HTTP_Referer|ARGS "zamozimogoho\.com"
-SecRule HTTP_Referer|ARGS "zaniqifi\.com"
-SecRule HTTP_Referer|ARGS "zdadly\.com"
-SecRule HTTP_Referer|ARGS "zenflip\.info"
-SecRule HTTP_Referer|ARGS "zenyhyhasotapo\.com"
-SecRule HTTP_Referer|ARGS "zero1refinance\.com"
-SecRule HTTP_Referer|ARGS "zesadabyvysu\.biz"
-SecRule HTTP_Referer|ARGS "zexooter\.com"
-SecRule HTTP_Referer|ARGS "zibodidosu\.org"
-SecRule HTTP_Referer|ARGS "zirymabegote\.com"
-SecRule HTTP_Referer|ARGS "znayuuchtovpiush\.biz"
-SecRule HTTP_Referer|ARGS "znxbcv\.info"
-SecRule HTTP_Referer|ARGS "zogr\.info"
-SecRule HTTP_Referer|ARGS "zubonekigyza\.com"
-SecRule HTTP_Referer|ARGS "pharmacy-top-ranked\.com"
-SecRule HTTP_Referer|ARGS "\.e-pills-4u\.com"
-SecRule HTTP_Referer|ARGS "threethreethree\.us"
-SecRule HTTP_Referer|ARGS "zucesedafy\.com"
-SecRule HTTP_Referer|ARGS "zudogujomo\.com"
-SecRule HTTP_Referer|ARGS "zudykytyhiqowe\.com"
-SecRule HTTP_Referer|ARGS "zunizeviwysyra\.com"
-SecRule HTTP_Referer|ARGS "zw4gwh\.com"
-SecRule HTTP_Referer|ARGS "zzfjyds8j\.com"
-SecRule HTTP_Referer|ARGS "cafexml\.com"
-SecRule HTTP_Referer|ARGS "cameralover\.net"
-SecRule HTTP_Referer|ARGS "(rape|incest)[0-9]\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "caclbca\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "erealtystore\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "quality-poker\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "gay-porn\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "gay+[\w\-_.]*porn\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "adspoll\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "lot+[\w\-_.]*cash\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "lot-cash\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(mature|rape|incest)wow\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "plenty+[\w\-_.]*cash\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "voyeur[0-9]\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.zoo[0-9]\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "t-e-x-a-s-poker\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "t[\w\-_.]*e[\w\-_.]*x[\w\-_.]*a[\w\-_.]*s[\w\-_.]*poker\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "beast[\w\-_.]*adult\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "[\w\-_.]*adult\.(com|net|info|biz|org)"
-SecRule HTTP_Referer|ARGS "shemale[0-9]\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "americasparty\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.ipeddle\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "casino+[\w\-_.]*500\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "caribbeanfestival\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "poker-check\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "poker+[\w\-_.]*check\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "casino-bu\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "casino+[\w\-_.]*bu\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "hobbyworkshop\.(com|net|org|info)"
-SecRule HTTP_Referer|ARGS "moneydetails\.(com|net|org|info)"
-SecRule HTTP_Referer|ARGS "emistry\.(com|net|org|info)"
-SecRule HTTP_Referer|ARGS "dostavka\.ru"
-SecRule HTTP_Referer|ARGS "ematrix\.ru"
-SecRule HTTP_Referer|ARGS "budgethawaii\.net"
-SecRule HTTP_Referer|ARGS "online-casino-tfx\.com"
-SecRule HTTP_Referer|ARGS "ledpt\.com"
-SecRule HTTP_Referer|ARGS "\.poker+[\w\-_.]*spanish\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.hobbyworkshop\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.joshtrading\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.straightlineteam\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "zoophilia\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.bayfronthomes\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "sex-with-(dog|horse)"
-SecRule HTTP_Referer|ARGS "blowing-a-(dog|horse)"
-SecRule HTTP_Referer|ARGS "explicit+[\w\-_.]*farm+[\w\-_.]*girls"
-SecRule HTTP_Referer|ARGS "paris+[\w\-_.]*hilton+[\w\-_.]*video"
-SecRule HTTP_Referer|ARGS "granny+[\w\-_.]*sex+[\w\-_.]*sites"
-SecRule HTTP_Referer|ARGS "(russian|young)+[\w\-_.]*girls+[\w\-_.]*nude"
-SecRule HTTP_Referer|ARGS "\.hotels4asia\.com"
-SecRule HTTP_Referer|ARGS "\.vpartnerships\.com"
-SecRule HTTP_Referer|ARGS "\.mydivx\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.sexcam-network\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.mpeg[0-9][0-9][0-9]\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.pawnauctions?\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.d2g\.(com|net|info|biz|org)"
-SecRule HTTP_Referer|ARGS "\.xer\.dns2go\.com"
-SecRule HTTP_Referer|ARGS "\.mygamesite\.net"
-SecRule HTTP_Referer|ARGS "\.esite\.pl"
-SecRule HTTP_Referer|ARGS "\.idlegames\.(net|com|org|info|biz)"
-SecRule HTTP_Referer|ARGS "hot+[\w\-_.]*search\.us"
-SecRule HTTP_Referer|ARGS "great+[\w\-_.]*money\.(com|net|org|info|biz)"
-SecRule HTTP_Referer|ARGS "\.blogdns\.net"
-SecRule HTTP_Referer|ARGS "\.v2to\.info"
-SecRule HTTP_Referer|ARGS "\.myip\.org"
-SecRule HTTP_Referer|ARGS "\.immediately-credit\.com"
-SecRule HTTP_Referer|ARGS "\.just-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.ath\.cx"
-SecRule HTTP_Referer|ARGS "\.27south\.(com|net|org|info|biz)"
-SecRule HTTP_Referer|ARGS "\.101main\.(com|net|org|info|biz)"
-SecRule HTTP_Referer|ARGS "\.24sws\.ws"
-SecRule HTTP_Referer|ARGS "\.x[\w\-_.]8\.org\.uk"
-SecRule HTTP_Referer|ARGS "\.x-8\.org\.uk"
-SecRule HTTP_Referer|ARGS "\.0up\.org"
-SecRule HTTP_Referer|ARGS "\.sms2\.us"
-SecRule HTTP_Referer|ARGS "\.6-9\.us"
-SecRule HTTP_Referer|ARGS "\.00no\.info"
-SecRule HTTP_Referer|ARGS "\.realtorx2\.com"
-SecRule HTTP_Referer|ARGS "\.ouragent\.net"
-SecRule HTTP_Referer|ARGS "\.homeloanselect\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.opacity\.[a-z]{2,}/links"
-SecRule HTTP_Referer|ARGS "\.opacity\.us"
-SecRule HTTP_Referer|ARGS "\.local-dating\.info"
-SecRule HTTP_Referer|ARGS "\.linux-dude\.com"
-SecRule HTTP_Referer|ARGS "online-forex-trading-currency-exchange"
-SecRule HTTP_Referer|ARGS "\.vneighbor\.com"
-SecRule HTTP_Referer|ARGS "\.useful-pills\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.idleplay\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "audio+[\w\-_.]*stream\.net"
-SecRule HTTP_Referer|ARGS "slot+[\w\-_.]*machine"
-SecRule HTTP_Referer|ARGS "play+[\w\-_.]*slots"
-SecRule HTTP_Referer|ARGS "(paxil|diet+[\w\-_.]*pills)\.dyndns\.org"
-SecRule HTTP_Referer|ARGS "prozac+[\w\-_.]*online\.dyndns\.org"
-SecRule HTTP_Referer "\.(sie|xn|edj|none|80|5x|dz|bo|qd|lt|og)\.pl$"
-SecRule ARGS "\.(sie|xn|edj|none|80|5x|dz|bo|qd|lt|og)\.pl"
-SecRule HTTP_Referer|ARGS "\.topcities\.com"
-SecRule HTTP_Referer|ARGS "\.me\.ly"
-SecRule HTTP_Referer|ARGS "\.cast\.cc"
-SecRule HTTP_Referer|ARGS "\.all+[\w\-_.]notebooks+[\w\-_.]sale\.com"
-SecRule HTTP_Referer|ARGS "manik\.blog+[\w\-_.]city\.com"
-SecRule HTTP_Referer|ARGS "\.blog+[\w\-_.]city\.com"
-SecRule HTTP_Referer|ARGS "\.adult+[\w\-_.]anime+[\w\-_.]site"
-SecRule HTTP_Referer|ARGS "mail15\.com"
-SecRule HTTP_Referer|ARGS "\.nfo\.at"
-SecRule HTTP_Referer|ARGS "\.dynup\.net"
-SecRule HTTP_Referer|ARGS "\.pkak\.com"
-SecRule HTTP_Referer|ARGS "\.b8w\.net"
-SecRule HTTP_Referer|ARGS "\.9a7\.net"
-SecRule HTTP_Referer|ARGS "tips-online-gambling"
-SecRule HTTP_Referer|ARGS "empire-poker"
-SecRule HTTP_Referer|ARGS "\.doctor-here\.com"
-SecRule HTTP_Referer|ARGS "\.vgardening\.com"
-SecRule HTTP_Referer|ARGS "\.vmailman\.com"
-SecRule HTTP_Referer|ARGS "\.nfspaydayloan\.com"
-SecRule HTTP_Referer|ARGS "\.special-medical\.com"
-SecRule HTTP_Referer|ARGS "\.just-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.personalloanmarket\.com"
-SecRule HTTP_Referer|ARGS "\.talentbroker\.net"
-SecRule HTTP_Referer|ARGS "\.redhatdolls\.com"
-SecRule HTTP_Referer|ARGS "\.thexmlguys\.com"
-SecRule HTTP_Referer|ARGS "\.yours-cash\.com"
-SecRule HTTP_Referer|ARGS "\.realtysmart\.net"
-SecRule HTTP_Referer|ARGS "\.sportsexpert\.net"
-SecRule HTTP_Referer|ARGS "take-mortgage\.com"
-SecRule HTTP_Referer|ARGS "mortgage-rates"
-SecRule HTTP_Referer|ARGS "\.4u-money\.com"
-SecRule HTTP_Referer|ARGS "\.bravehost\.com"
-SecRule HTTP_Referer|ARGS "\.professional-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.(mortgage|finance|medical|doctor)+[\w\-_.]*((2|4)(you|all))\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.atspace\.com"
-SecRule HTTP_Referer|ARGS "\.snap\.to"
-SecRule HTTP_Referer|ARGS "pharm+[\w\-_.]online\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "poker4spain.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "anabolic+[\w\-_.]steroi.*\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "mynicemailat\.com"
-#SecRule HTTP_Referer|ARGS "\.tripod\.com"
-SecRule HTTP_Referer|ARGS "angelfire\.com"
-SecRule HTTP_Referer|ARGS "top+[\w\-_.]france+[\w\-_.]hotels"
-SecRule HTTP_Referer|ARGS "\.staticip\.de"
-SecRule HTTP_Referer|ARGS "\.hotinfocenter\.com"
-SecRule HTTP_Referer|ARGS "credit+[\w\-_.]card+[\w\-_.]financing"
-SecRule HTTP_Referer|ARGS "steroids\.dd\.vu"
-SecRule HTTP_Referer|ARGS "\.jixx\.de"
-SecRule HTTP_Referer|ARGS "\.web\.gg"
-SecRule HTTP_Referer|ARGS "\.x\.gg"
-SecRule HTTP_Referer|ARGS "\.pkak\.com"
-SecRule HTTP_Referer|ARGS "\.edy2\.com"
-SecRule HTTP_Referer|ARGS "no+[\w\-_.]*download+[\w\-_.]*poker"
-SecRule HTTP_Referer|ARGS "vmillionaire\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "vselling\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "vsymphony\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "vmousetrap\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "vthought\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "vpawnshop\.(com|net|org|biz|info)"
-SecRule HTTP_Referer|ARGS "meridiancapitalinc\.com"
-SecRule HTTP_Referer|ARGS "\.realestatenow\.net"
-SecRule HTTP_Referer|ARGS "pantyhose[0-9]\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "compounding+[\w\-_.]*pharmacy"
-SecRule HTTP_Referer|ARGS "(compare|debt+[\w\-_.]*negotiation).*credit+[\w\-_.]*card"
-SecRule HTTP_Referer|ARGS "including+[\w\-_.]*poker\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "paris+[\w_.]*hilton"
-SecRule HTTP_Referer|ARGS "only+[\w\-_.]*casino\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "shoujimoka\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "united+[\w\-_.]*rotary+[\w\-_.]*china\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "cdrom+[\w\-_.]*gratis+[\w\-_.]*casino"
-SecRule HTTP_Referer|ARGS "bad+[\w\-_.]*credit+[\w\-_.]*loans"
-SecRule HTTP_Referer|ARGS "k-72\.com"
-SecRule HTTP_Referer|ARGS "1fh\.net"
-SecRule HTTP_Referer|ARGS "foundetion\.com"
-SecRule HTTP_Referer|ARGS "istarthere\.com"
-SecRule HTTP_Referer|ARGS "1999cn\.com"
-SecRule HTTP_Referer|ARGS "\.realestatehotbuys\.com"
-SecRule HTTP_Referer|ARGS "\.realestatehotdeals\.com"
-SecRule HTTP_Referer|ARGS "198net\.com"
-SecRule HTTP_Referer|ARGS "410300\.com"
-SecRule HTTP_Referer|ARGS "\.understand-poker\.com"
-SecRule HTTP_Referer|ARGS "\.678a\.com"
-SecRule HTTP_Referer|ARGS "coolmsm\.com"
-SecRule HTTP_Referer|ARGS "\.eu\.gg"
-SecRule HTTP_Referer|ARGS "\.taobao\.com"
-SecRule HTTP_Referer|ARGS "\.vcontacts\.com"
-SecRule HTTP_Referer|ARGS "jj110\.com\.cn"
-SecRule HTTP_Referer|ARGS "\.hsmd\.net"
-SecRule HTTP_Referer|ARGS "\.great-finance\.com"
-SecRule HTTP_Referer|ARGS "\.white-pills\.com"
-SecRule HTTP_Referer|ARGS "purchase-antibiotics-online"
-SecRule HTTP_Referer|ARGS "\.hbthlj\.com"
-SecRule HTTP_Referer|ARGS "\.isavecoupons\.com"
-SecRule HTTP_Referer|ARGS "centralmainewedding\.com"
-SecRule HTTP_Referer|ARGS "\.detuo\.com"
-SecRule HTTP_Referer|ARGS "sexoexcite\.com"
-SecRule HTTP_Referer|ARGS "\.guest\.de"
-SecRule HTTP_Referer|ARGS "carisoprodol2online"
-SecRule HTTP_Referer|ARGS "findmenow\.info"
-SecRule HTTP_Referer|ARGS "typepad\.com"
-SecRule HTTP_Referer|ARGS "mortgage4sa\.com"
-SecRule HTTP_Referer "personal-loans"
-SecRule HTTP_Referer|ARGS "(cash|payday)[-| ](advance|loan)"
-SecRule HTTP_Referer|ARGS "\.hn\.org"
-SecRule HTTP_Referer|ARGS "\.uccpp\.org"
-SecRule HTTP_Referer|ARGS "\.4u-money\.com"
-SecRule HTTP_Referer|ARGS "\.toylane\.net"
-SecRule HTTP_Referer|ARGS "\.this-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.bargainhunt\.net"
-SecRule HTTP_Referer|ARGS "\.insurance-alerts\.com"
-SecRule HTTP_Referer|ARGS "\.finance-ways\.com"
-SecRule HTTP_Referer|ARGS "\.funpic\.org"
-SecRule HTTP_Referer|ARGS "\.vined\.com"
-SecRule HTTP_Referer|ARGS "\.vfacility\.com"
-SecRule HTTP_Referer|ARGS "\.allkinds-pills\.com"
-SecRule HTTP_Referer|ARGS "\.4all-prescription\.com"
-SecRule HTTP_Referer|ARGS "\.4all-credit\.com"
-SecRule HTTP_Referer|ARGS "\.available-prescription\.com"
-SecRule HTTP_Referer|ARGS "\.weierunique\.com"
-SecRule HTTP_Referer|ARGS "\.casinos4spain\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.vinsider\.com"
-SecRule HTTP_Referer|ARGS "\.smsportali\.net"
-SecRule HTTP_Referer|ARGS "\.canyonresearch\.org"
-SecRule HTTP_Referer|ARGS "\.pills-best\.com"
-SecRule HTTP_Referer|ARGS "\.top-wins-200[5-6].com"
-SecRule HTTP_Referer|ARGS "\.party-poker-e\.com"
-SecRule HTTP_Referer|ARGS "\.rohkalby\.net"
-SecRule HTTP_Referer|ARGS "\.zen-izauk\.org"
-SecRule HTTP_Referer|ARGS "\.betting-odds\.ws"
-SecRule HTTP_Referer|ARGS "\.4hs8\.com"
-SecRule HTTP_Referer|ARGS "\.vjuror\.com"
-SecRule HTTP_Referer|ARGS "\.realtorlist\.net"
-SecRule ARGS "Take(\+|\w|_|-)your(\+|\w|_|-)time(\+|\w|_|-)to(\+|\w|_|-)take(\+|\w|_|-)a(\+|\w|_|-)look(\+|\w|_|-)at(\+|\w|_|-)some(\+|\w|_|-)relevant(\+|\w|_|-)pages(\+|\w|_|-)about"
-SecRule HTTP_Referer|ARGS "\.vjackpot\.com"
-SecRule HTTP_Referer|ARGS "accept-credit-cards"
-SecRule HTTP_Referer|ARGS "omaha-hi-low-poker"
-SecRule HTTP_Referer|ARGS "anziobay\.com"
-SecRule HTTP_Referer|ARGS "\.xer\.dns2go\.com"
-SecRule HTTP_Referer|ARGS "\.cash-2u\.com"
-SecRule HTTP_Referer|ARGS "\.rarefind\.net"
-SecRule HTTP_Referer|ARGS "\.hurstville\.org"
-SecRule HTTP_Referer|ARGS "\.mcr8\.com"
-SecRule HTTP_Referer|ARGS "(best|internet|online)+[\w\-_.]*(craps|blackjack|poker)"
-SecRule HTTP_Referer|ARGS "girls+[\w\-_.]*real\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "blackjack-game"
-SecRule HTTP_Referer|ARGS "\.vexpert\.com"
-SecRule HTTP_Referer|ARGS "\.bannbaba\.com"
-SecRule HTTP_Referer|ARGS "\.money-plans\.com"
-SecRule HTTP_Referer|ARGS "\.kulu-best\.com"
-SecRule HTTP_Referer|ARGS "paydayloan\.com"
-SecRule HTTP_Referer|ARGS "\.rebuildsanmateohighschool\.org"
-SecRule HTTP_Referer|ARGS "\.infinitecomplexity\.org"
-SecRule HTTP_Referer|ARGS "\.alamuk\.com"
-SecRule HTTP_Referer|ARGS "\.available-credit\.com"
-SecRule HTTP_Referer|ARGS "\.real+[\w\-_.]*estate+[\w\-_.]*companies\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "cyber-robotics\.com"
-SecRule HTTP_Referer|ARGS "\.0808cn\.cn"
-SecRule HTTP_Referer|ARGS "\.d-c-o\.cn"
-SecRule HTTP_Referer|ARGS "\.rarehomes\.net"
-SecRule HTTP_Referer|ARGS "\.myholisticdentist\.com"
-SecRule HTTP_Referer|ARGS "\.jixx\.net"
-SecRule HTTP_Referer|ARGS "\.poolsmart\.net"
-SecRule HTTP_Referer|ARGS "\.fairrx\.com"
-SecRule HTTP_Referer|ARGS "net-search\.org"
-SecRule HTTP_Referer|ARGS "egygift\.com"
-SecRule HTTP_Referer|ARGS "\.shoeshot\.com"
-SecRule HTTP_Referer|ARGS "\.liveclothes\.com"
-SecRule HTTP_Referer|ARGS "\.realtorx2\.com"
-SecRule HTTP_Referer|ARGS "\.ihomebroker\.com"
-SecRule HTTP_Referer|ARGS "\.lgh\.dyndns\.dk/"
-SecRule HTTP_Referer|ARGS "\.azonos\.com"
-SecRule HTTP_Referer|ARGS "\.ultrabest\.info"
-SecRule HTTP_Referer|ARGS "\.rainbowfactory\.net"
-SecRule HTTP_Referer|ARGS "\.planyourhome\.net"
-SecRule HTTP_Referer|ARGS "\.isacommie\.com"
-SecRule HTTP_Referer|ARGS "\.pills-home\.com"
-SecRule HTTP_Referer|ARGS "\.cheat-elite\.com"
-SecRule HTTP_Referer|ARGS "\.take-mortgage\.com/"
-SecRule HTTP_Referer|ARGS "\.realantiques\.net"
-SecRule HTTP_Referer|ARGS "\.cheat-elite\.com"
-SecRule HTTP_Referer|ARGS "\.vtoyshop\.com"
-SecRule HTTP_Referer|ARGS "pharmacies-online"
-SecRule HTTP_Referer|ARGS "\.e-top-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "buy-2005\.com"
-SecRule HTTP_Referer|ARGS "available-prescription\.com"
-SecRule HTTP_Referer|ARGS "10-pills\.com"
-SecRule HTTP_Referer|ARGS "\.real-estate-shop\.com"
-SecRule HTTP_Referer|ARGS "\.craps-table\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.bestleadinglenders\.com"
-SecRule HTTP_Referer|ARGS "\.zoosex\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.web\.gg"
-SecRule HTTP_Referer|ARGS "\.zindagi\.us"
-SecRule HTTP_Referer|ARGS "\.chat-nett\.com"
-SecRule HTTP_Referer|ARGS "\.pawnauctions\.net"
-SecRule HTTP_Referer|ARGS "\.petsellers\.net"
-SecRule HTTP_Referer|ARGS "\.parentcompany\.net"
-SecRule HTTP_Referer|ARGS "\.registrarprice\.com"
-SecRule HTTP_Referer|ARGS "\.card-games-trx\.com"
-SecRule HTTP_Referer|ARGS "\.lookscute\.com"
-SecRule HTTP_Referer|ARGS "\.vquality\.com"
-SecRule HTTP_Referer|ARGS "\.epraha\.info"
-SecRule HTTP_Referer|ARGS "\.crimeanet\.com"
-SecRule HTTP_Referer|ARGS "\.freazer\.com"
-SecRule HTTP_Referer|ARGS "\.majorclick\.com"
-SecRule HTTP_Referer|ARGS "\.sapo\.pt"
-SecRule HTTP_Referer|ARGS "\.agentpro\.net"
-SecRule HTTP_Referer|ARGS "\.musicbox1\.com"
-SecRule HTTP_Referer|ARGS "\.mista-x\.net"
-SecRule HTTP_Referer|ARGS "\.vnsoul\.org"
-SecRule HTTP_Referer|ARGS "\.unique-pills\.com"
-SecRule HTTP_Referer|ARGS "\.playcasino777\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.fr\.mn"
-SecRule HTTP_Referer|ARGS "\.vdude\.com"
-SecRule HTTP_Referer|ARGS "\.vdirections\.com"
-SecRule HTTP_Referer|ARGS "\.webpark\.pl"
-SecRule HTTP_Referer|ARGS "\.stopspending\.org"
-SecRule HTTP_Referer|ARGS "\.mynet-poker\.com"
-SecRule HTTP_Referer|ARGS "\.dickensfoundation\.org"
-SecRule HTTP_Referer|ARGS "\.progressiveupdate\.net"
-SecRule HTTP_Referer|ARGS "\.rulo\.biz"
-SecRule HTTP_Referer|ARGS "\.bnetsol\.com"
-SecRule HTTP_Referer|ARGS "\.allkinds-pills\.com"
-SecRule HTTP_Referer|ARGS "\.available-poker\.com"
-SecRule HTTP_Referer|ARGS "\.vpshs\.com"
-SecRule HTTP_Referer|ARGS "\.recommendlist\.com"
-SecRule HTTP_Referer|ARGS "\.wgaga\.com"
-SecRule HTTP_Referer|ARGS "\.zoowow\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "chance2mail\.com"
-SecRule HTTP_Referer|ARGS "\.sudtuiles\.com"
-SecRule HTTP_Referer|ARGS "\.great-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.realty-discounts\.com"
-SecRule HTTP_Referer|ARGS "\.aivci\.com"
-SecRule HTTP_Referer|ARGS "\.vacuums\.be"
-SecRule HTTP_Referer|ARGS "\.digitalbomb\.com"
-SecRule HTTP_Referer|ARGS "\.kw\.pl"
-SecRule HTTP_Referer|ARGS "\.artisticlandscapes\.net"
-SecRule HTTP_Referer|ARGS "\.mid-atlantic-aroc\.org"
-SecRule HTTP_Referer|ARGS "\.silicon-prairie\.org"
-SecRule HTTP_Referer|ARGS "bestiality+[\w\-_.]*movies"
-SecRule HTTP_Referer|ARGS "\.clicksolidario\.org"
-SecRule HTTP_Referer|ARGS "casino.*\.(net|com|org|us|biz|info)"
-SecRule HTTP_Referer|ARGS "casino\.(net|com|org|us|biz|info)"
-SecRule HTTP_Referer|ARGS "buysouthfla\.com"
-SecRule HTTP_Referer|ARGS "\.schildert\.nl"
-SecRule HTTP_Referer|ARGS "\.amazing-credit\.com"
-SecRule HTTP_Referer|ARGS "\.kwik.to"
-SecRule HTTP_Referer|ARGS "\.grab-mortgage\.com"
-SecRule HTTP_Referer|ARGS "\.money-lovers\.com"
-SecRule HTTP_Referer|ARGS "\.affordableantiques\.net"
-SecRule HTTP_Referer|ARGS "\.birchfieldharriers\.org"
-SecRule HTTP_Referer|ARGS "\.antispysoft2005\.com"
-SecRule HTTP_Referer|ARGS "\.hotinfocenter\.com"
-SecRule HTTP_Referer|ARGS "windowsexplorer\.com"
-SecRule HTTP_Referer|ARGS "cutezone\.com"
-SecRule HTTP_Referer|ARGS "\.free-websites\.com"
-SecRule HTTP_Referer|ARGS "\.optus\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.bpa\.nu"
-SecRule HTTP_Referer|ARGS "taboo-incest"
-SecRule HTTP_Referer|ARGS "\.musicdots\.com"
-SecRule HTTP_Referer|ARGS "\.studyinslovakia\.com"
-SecRule HTTP_Referer|ARGS "\.looxe\.be"
-SecRule HTTP_Referer|ARGS "\.poker-e-win\.com"
-SecRule HTTP_Referer|ARGS "\.ruinfo\.org"
-SecRule HTTP_Referer|ARGS "\.lookin\.at"
-SecRule HTTP_Referer|ARGS "\.top-wins-2005\.com"
-SecRule HTTP_Referer|ARGS "\.fidelityfunding\.net/"
-SecRule HTTP_Referer|ARGS "\.medical-4you\.com"
-SecRule HTTP_Referer|ARGS "acne+[\w\-_.]*treatment"
-SecRule HTTP_Referer|ARGS ".pissing[0-9]\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "\.sexbrowsing\.com"
-SecRule HTTP_Referer|ARGS "\.vreporters\.com"
-SecRule HTTP_Referer|ARGS "\.goditi\.com"
-SecRule HTTP_Referer|ARGS "\.furni\.org"
-SecRule HTTP_Referer|ARGS "\.nfsautoloan\.com"
-SecRule HTTP_Referer|ARGS "\.nutzu\.com"
-SecRule HTTP_Referer|ARGS "\.trbq\.ws"
-SecRule HTTP_Referer|ARGS "\.homesbysellers\.net"
-SecRule HTTP_Referer|ARGS "\.e-buy-200[4567]\.com"
-SecRule HTTP_Referer|ARGS "\.pharmacy-top-ranked\.com/"
-SecRule HTTP_Referer|ARGS "\.vmasterpiece\.com"
-SecRule HTTP_Referer|ARGS|ARGS|REQUEST_BODY|REQUEST_URI "\.esynn\.net"
-SecRule HTTP_Referer|ARGS|ARGS|REQUEST_BODY|REQUEST_URI "\.synnweb\.com"
-SecRule HTTP_Referer|ARGS|ARGS|REQUEST_BODY|REQUEST_URI "\.synn[a-z]\.com"
-SecRule HTTP_Referer|ARGS|ARGS|REQUEST_BODY|REQUEST_URI "\.sumali\.com"
-SecRule ARGS:comment "May\+be\+this\+is\+BAD.*but\+is\+something\+different"
-SecRule ARGS|ARGS|REQUEST_BODY|REQUEST_URI "title=poker+[\w\-_.]*run.*url="
-SecRule HTTP_Referer|ARGS "anzwers\.(net|com|org|info|biz)"
-SecRule HTTP_Referer|ARGS "berlin-hotel-4u\.com"
-SecRule HTTP_Referer|ARGS "thesitefights\.com"
-SecRule HTTP_Referer|ARGS "\.journalspace\.com"
-SecRule HTTP_Referer|ARGS "\.ijijiji\.com"
-SecRule HTTP_Referer|ARGS "\.tiscali\.cz"
-SecRule HTTP_Referer|ARGS "\.milcobook\.com"
-SecRule HTTP_Referer|ARGS "\.sumali\.com"
-SecRule HTTP_Referer|ARGS "\.usdata\.com\.cn"
-SecRule HTTP_Referer|ARGS "\.neteller+[\w\-_.]*casinos\.ws"
-SecRule HTTP_Referer|ARGS "\.best+[\w\-_.]*casino\.biz"
-SecRule HTTP_Referer|ARGS "www\.smogless\.com"
-SecRule HTTP_Referer|ARGS "\.the-village\.bc\.nu"
-SecRule HTTP_Referer|ARGS "\.realtysite\.(com|net|org|info|biz)"
-SecRule HTTP_Referer|ARGS "money+[\w\-_.]*plans\.(com|net|info|org)"
-SecRule HTTP_Referer|ARGS "dogs+[\w\-_.]*doing+[\w\-_.]*(girl|bitch|women)"
-SecRule HTTP_Referer|ARGS "casino+[\w\-_.]*espana+[\w\-_.]*(portal|web)"
-SecRule HTTP_Referer|ARGS "sex+[\w\-_.]*with+[\w\-_.]*(girl|bitch|women|horse|dog|animal)"
-SecRule HTTP_Referer|ARGS "hard+[\w\-_.]*(horse|dog)+[\w\-_.]*(cock|penis|dick)"
-SecRule HTTP_Referer|ARGS "(horse|dog)+[\w\-_.]*blowjob"
-SecRule HTTP_Referer|ARGS "(www\.)?.*accepted.cc$"
-SecRule HTTP_Referer|ARGS "(www\.)?.*episodesusdbz"
-SecRule HTTP_Referer|ARGS "(www\.)?advancedmoneyloans.*"
-SecRule HTTP_Referer|ARGS "(www\.)?affiliplanet"
-SecRule HTTP_Referer|ARGS "(www\.)?apart-?design"
-SecRule HTTP_Referer|ARGS "(www\.)?auktion"
-SecRule HTTP_Referer|ARGS "(www\.)?autogewinne24"
-SecRule HTTP_Referer|ARGS "(www\.)?autospiele24"
-SecRule HTTP_Referer|ARGS "(www\.)?babay"
-SecRule HTTP_Referer|ARGS "(www\.)?euromillionen"
-SecRule HTTP_Referer|ARGS "(www\.)?eurowins"
-SecRule HTTP_Referer|ARGS "(www\.)?geldspiele24"
-SecRule HTTP_Referer|ARGS "(www\.)?goovle"
-SecRule HTTP_Referer|ARGS "(www\.)?gsm-support"
-SecRule HTTP_Referer|ARGS "(www\.)?gzltax"
-SecRule HTTP_Referer|ARGS "(www\.)?heil-fasten"
-SecRule HTTP_Referer|ARGS "(www\.)?immobiliengewinne24"
-SecRule HTTP_Referer|ARGS "(www\.)?internetsupervision"
-SecRule HTTP_Referer|ARGS "(www\.)?keywordmaster"
-SecRule HTTP_Referer|ARGS "(www\.)?nackt-stars-nackt"
-SecRule HTTP_Referer|ARGS "(www\.)?one2onemag"
-SecRule HTTP_Referer "\.qw8\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(www\.)?referrer-script"
-SecRule HTTP_Referer|ARGS "profitable+[\w\-_.\+]*forex+[\w\-_.\+]*trading+[\w\-_.\+]*systems"
-SecRule HTTP_Referer|ARGS "(www\.)?ranking-hits"
-SecRule HTTP_Referer|ARGS "(www\.)?reisegewinne24"
-SecRule HTTP_Referer "(www\.)?rootfood"
-SecRule HTTP_Referer|ARGS "(www\.)?single66"
-SecRule HTTP_Referer|ARGS "(www\.)?slamhost"
-SecRule HTTP_Referer|ARGS "(www\.)?spielepsychatrie"
-SecRule HTTP_Referer|ARGS "(www\.)?superface"
-SecRule HTTP_Referer|ARGS "(www\.)?texasholdem"
-SecRule HTTP_Referer|ARGS "(www\.)?topgewinn24"
-SecRule HTTP_Referer|ARGS "(www\.)?topspiele24"
-SecRule HTTP_Referer|ARGS "(www\.)?transexual"
-SecRule HTTP_Referer|ARGS "(www\.)?usa-wins"
-SecRule HTTP_Referer|ARGS "(www\.)?vendini"
-SecRule HTTP_Referer|ARGS "(www\.)?webmasterplan"
-SecRule HTTP_Referer|ARGS "(www\.)?wichsfick"
-SecRule HTTP_Referer|ARGS "(www\.)?wseeker"
-SecRule HTTP_Referer|ARGS "(www\.)?yachtdurak"
-SecRule HTTP_Referer|ARGS "Payday Loan"
-#SecRule HTTP_Referer|ARGS "(www\.)?(xmaster.*|xmaster)\.[a-z]{2,}"
-#SecRule HTTP_Referer|ARGS "www.*\.blogspot"
-SecRule HTTP_Referer|ARGS "(www\.)?yahh+oo"
-#SecRule HTTP_Referer|ARGS "(www\.)?.*[\w\-_.]?(adult|anal[\w\-_/]|blow.?job|gay|cum+shot|casino|incest|mature|nude|piss|porn|pussy|sex|teen|tits|titten|wichsab|wichslos|shemale)+[\w\-_].*\.[a-z]{2,}"
-
-#new patterns
-SecRule REQUEST_URI "/guest\.php\?name=.*web=.*homepage=.*home=.*phone=86881154"
-SecRule REQUEST_URI "/guest\.php\?name=.*web=.*homepage=.*home=.*phone=010-684"
-SecRule REQUEST_URI "/guest\.php\?name=\xd5\xc5\xd7\xd3\xbd\xad"
-
-#broken spammer tool sign
-SecRule REQUEST_URI "href.*http.*\{@\DOMAIN}\.*\{\@URL\}.*\{\@ANCHOR\}"
-
-SecRule HTTP_Referer|ARGS "\.1click-paydayloan\.com"
-SecRule HTTP_Referer|ARGS "\.all-credit-report\.com"
-SecRule HTTP_Referer|ARGS "\.all-paydayloan\.com"
-SecRule HTTP_Referer|ARGS "\.another-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.any-poker\.com"
-SecRule HTTP_Referer|ARGS "\.available-loan\.com"
-SecRule HTTP_Referer|ARGS "\.bargainhunt\.net"
-SecRule HTTP_Referer|ARGS "\.blest-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.credit-report-24x7\.com"
-SecRule HTTP_Referer|ARGS "\.credit-report-2u\.com"
-SecRule HTTP_Referer|ARGS "\.credit-report-4u\.com"
-SecRule HTTP_Referer|ARGS "\.credit-report-extras\.com"
-SecRule HTTP_Referer|ARGS "\.credit-report-net\.com"
-SecRule HTTP_Referer|ARGS "\.dedicated-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.different-mortgage\.com"
-SecRule HTTP_Referer|ARGS "\.excellent-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.finance-ways\.com"
-SecRule HTTP_Referer|ARGS "\.insurance-packages\.com"
-SecRule HTTP_Referer|ARGS "\.loan-24x7\.com"
-SecRule HTTP_Referer|ARGS "\.loan-4all\.com"
-SecRule HTTP_Referer|ARGS "\.loan-here\.com"
-SecRule HTTP_Referer|ARGS "\.loan-owner\.com"
-SecRule HTTP_Referer|ARGS "\.loan-results\.com"
-SecRule HTTP_Referer|ARGS "\.loan-variety\.com"
-SecRule HTTP_Referer|ARGS "\.mine-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.mortgage-certificates\.com"
-SecRule HTTP_Referer|ARGS "\.mortgage-day\.com"
-SecRule HTTP_Referer|ARGS "\.mortgage-ext\.com"
-SecRule HTTP_Referer|ARGS "\.mortgage-grab\.com"
-SecRule HTTP_Referer|ARGS "\.mortgage-owners\.com"
-SecRule HTTP_Referer|ARGS "\.mortgage-plans\.com"
-SecRule HTTP_Referer|ARGS "\.mortgage-save\.com"
-SecRule HTTP_Referer|ARGS "\.mortgage-start\.com"
-SecRule HTTP_Referer|ARGS "\.only-credit-report\.com"
-SecRule HTTP_Referer|ARGS "\.only-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.open-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.paydayloan-24x7\.com"
-SecRule HTTP_Referer|ARGS "\.paydayloan-2u\.com"
-SecRule HTTP_Referer|ARGS "\.paydayloan-4u\.com"
-SecRule HTTP_Referer|ARGS "\.paydayloan-advisors\.com"
-SecRule HTTP_Referer|ARGS "\.paydayloan-help\.com"
-SecRule HTTP_Referer|ARGS "\.paydayloan-here\.com"
-SecRule HTTP_Referer|ARGS "\.paydayloan-services\.com"
-SecRule HTTP_Referer|ARGS "\.pharmacy-related\.com"
-SecRule HTTP_Referer|ARGS "\.poker-intro\.com"
-SecRule HTTP_Referer|ARGS "\.pro-credit-report\.com"
-SecRule HTTP_Referer|ARGS "\.pro-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.protected-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.search-credit-report\.com"
-SecRule HTTP_Referer|ARGS "\.splendid-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.take-loan\.com"
-SecRule HTTP_Referer|ARGS "\.this-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.unique-loan\.com"
-SecRule HTTP_Referer|ARGS "\.well-finance\.com"
-SecRule HTTP_Referer|ARGS "\.yours-loan\.com"
-SecRule HTTP_Referer|ARGS "\.10-pills\.com"
-SecRule HTTP_Referer|ARGS "\.20mbweb\.com"
-SecRule HTTP_Referer|ARGS "\.20six\.co"
-SecRule HTTP_Referer|ARGS "\.24x7-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.38ha\.com"
-SecRule HTTP_Referer|ARGS "\.4all-credit\.com"
-SecRule HTTP_Referer|ARGS "\.4all-prescription\.com"
-SecRule HTTP_Referer|ARGS "\.4hs8\.com"
-SecRule HTTP_Referer|ARGS "\.4u-money\.com"
-SecRule HTTP_Referer|ARGS "\.6q\.org"
-SecRule HTTP_Referer|ARGS "\.adspoll\.com"
-SecRule HTTP_Referer|ARGS "\.affordableantiques\.net"
-SecRule HTTP_Referer|ARGS "\.agentpro\.net"
-SecRule HTTP_Referer|ARGS "\.agribrokerindia\.com"
-SecRule HTTP_Referer|ARGS "\.allkinds-pills\.com"
-SecRule HTTP_Referer|ARGS "\.always-credit\.com"
-SecRule HTTP_Referer|ARGS "\.amazing-credit\.com"
-SecRule HTTP_Referer|ARGS "\.another-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.antiquemarketplace\.net"
-SecRule HTTP_Referer|ARGS "\.available-casino\.com"
-SecRule HTTP_Referer|ARGS "\.available-credit\.com"
-SecRule HTTP_Referer|ARGS "\.available-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.available-mortgage\.com"
-SecRule HTTP_Referer|ARGS "\.available-poker\.com"
-SecRule HTTP_Referer|ARGS "\.available-prescription\.com"
-SecRule HTTP_Referer|ARGS "\.az-greenvalley\.com"
-SecRule HTTP_Referer|ARGS "\.baby-casino\.com"
-SecRule HTTP_Referer|ARGS "\.bargainhunt\.net"
-SecRule HTTP_Referer|ARGS "\.bayfronthomes\.net"
-SecRule HTTP_Referer|ARGS "\.berlin-hotel-4u\.com"
-SecRule HTTP_Referer|ARGS "\.birchfieldharriers\.org"
-SecRule HTTP_Referer|ARGS "\.black-poker\.com"
-SecRule HTTP_Referer|ARGS "\.blest-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.blest-money\.com"
-SecRule HTTP_Referer|ARGS "\.blevensdamman\.com"
-SecRule HTTP_Referer|ARGS "\.bnetsol\.com"
-SecRule HTTP_Referer|ARGS "\.boatexhibit\.com"
-SecRule HTTP_Referer|ARGS "\.buy-2005\.com"
-SecRule HTTP_Referer|ARGS "\.cafexml\.com"
-SecRule HTTP_Referer|ARGS "\.cash-2u\.com"
-SecRule HTTP_Referer|ARGS "\.casino-500\.com"
-SecRule HTTP_Referer|ARGS "\.casino7-online\.com"
-SecRule HTTP_Referer|ARGS "\.casino-amusement\.com"
-SecRule HTTP_Referer|ARGS "\.casino-bu\.com"
-SecRule HTTP_Referer|ARGS "\.casino-copy\.com"
-SecRule HTTP_Referer|ARGS "\.casino-denotation\.com"
-SecRule HTTP_Referer|ARGS "\.casino-extras\.com"
-SecRule HTTP_Referer|ARGS "\.casino-light\.com"
-SecRule HTTP_Referer|ARGS "\.casino-lust\.com"
-SecRule HTTP_Referer|ARGS "\.casino-ppp\.com"
-SecRule HTTP_Referer|ARGS "\.casino-profits\.com"
-SecRule HTTP_Referer|ARGS "\.casino-ride\.com"
-SecRule HTTP_Referer|ARGS "\.casino-run\.com"
-SecRule HTTP_Referer|ARGS "\.casinos4spain\.com"
-SecRule HTTP_Referer|ARGS "\.casino-solution\.com"
-SecRule HTTP_Referer|ARGS "\.chat-nett\.com"
-SecRule HTTP_Referer|ARGS "\.cheat-elite\.com"
-SecRule HTTP_Referer|ARGS "\.computerxchange\.com"
-SecRule HTTP_Referer|ARGS "\.conjuratia\.com"
-SecRule HTTP_Referer|ARGS "\.credit-dreams\.com"
-SecRule HTTP_Referer|ARGS "\.crescentarian\.net"
-SecRule HTTP_Referer|ARGS "\.d-daystore\.com"
-SecRule HTTP_Referer|ARGS "\.dedicated-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.dedicated-poker\.com"
-SecRule HTTP_Referer|ARGS "\.de\.fidelityfunding"
-SecRule HTTP_Referer|ARGS "\.djsdesigns\.net"
-SecRule HTTP_Referer|ARGS "\.doctor-4all\.com"
-SecRule HTTP_Referer|ARGS "\.doctor-here\.com"
-SecRule HTTP_Referer|ARGS "\.doctor-pills\.com"
-SecRule HTTP_Referer|ARGS "\.drugs-order\.com"
-SecRule HTTP_Referer|ARGS "\.e-buy-2004\.com"
-SecRule HTTP_Referer|ARGS "\.e-casino-bonus\.com"
-SecRule HTTP_Referer|ARGS "\.e-pills-4u\.com"
-SecRule HTTP_Referer|ARGS "\.e-poker-2005\.com"
-SecRule HTTP_Referer|ARGS "\.e-poker-777\.com"
-SecRule HTTP_Referer|ARGS "\.epraha\.info"
-SecRule HTTP_Referer|ARGS "\.e-top-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.excellent-health\.com"
-SecRule HTTP_Referer|ARGS "\.excellent-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.exciting-casino\.com"
-SecRule HTTP_Referer|ARGS "\.extra-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.fearcrow\.com"
-SecRule HTTP_Referer|ARGS "\.fidelityfunding\.net"
-SecRule HTTP_Referer|ARGS "\.finance-2u\.com"
-SecRule HTTP_Referer|ARGS "\.finance-4all\.com"
-SecRule HTTP_Referer|ARGS "\.finance-account\.com"
-SecRule HTTP_Referer|ARGS "\.finestrealty\.net"
-SecRule HTTP_Referer|ARGS "\.freaky-cheats\.com"
-SecRule HTTP_Referer|ARGS "\.freakycheats\.com"
-SecRule HTTP_Referer|ARGS "\.future-2000\.net"
-SecRule HTTP_Referer|ARGS "\.grab-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.grab-mortgage\.com"
-SecRule HTTP_Referer|ARGS "\.great-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.great-finance\.com"
-SecRule HTTP_Referer|ARGS "\.great-money\.com"
-SecRule HTTP_Referer|ARGS "\.guarantee-money\.com"
-SecRule HTTP_Referer|ARGS "\.hbsnwa\.org"
-SecRule HTTP_Referer|ARGS "\.health-livening\.com"
-SecRule HTTP_Referer|ARGS "\.highest-credit\.com"
-SecRule HTTP_Referer|ARGS "\.highprofitclub\.com"
-SecRule HTTP_Referer|ARGS "\.homesbysellers\.net"
-SecRule HTTP_Referer|ARGS "\.hub4textiles\.com"
-SecRule HTTP_Referer|ARGS "\.huge-credit\.com"
-SecRule HTTP_Referer|ARGS "\.immediately-credit\.com"
-SecRule HTTP_Referer|ARGS "\.including-poker\.com"
-SecRule HTTP_Referer|ARGS "\.instant-quick-money-cash-advance-personal-loans-until-pay-day\.com"
-SecRule HTTP_Referer|ARGS "\.insurance-24x7\.com"
-SecRule HTTP_Referer|ARGS "\.insurance-alerts\.com"
-SecRule HTTP_Referer|ARGS "\.insurance-packages\.com"
-SecRule HTTP_Referer|ARGS "\.insurance-purchase\.com"
-SecRule HTTP_Referer|ARGS "\.insurance-renew\.com"
-SecRule HTTP_Referer|ARGS "\.isacommie\.com"
-SecRule HTTP_Referer|ARGS "\.jmhic\.com"
-SecRule HTTP_Referer|ARGS "\.just-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.just-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.just-pills\.com"
-SecRule HTTP_Referer|ARGS "\.knowtax\.net"
-SecRule HTTP_Referer|ARGS "\.learnhowtoplay\.com"
-SecRule HTTP_Referer|ARGS "\.legaladvocate\.net"
-SecRule HTTP_Referer|ARGS "\.legalnow\.net"
-SecRule HTTP_Referer|ARGS "\.lot-cash\.com"
-SecRule HTTP_Referer|ARGS "\.lovejewelry\.net"
-SecRule HTTP_Referer|ARGS "\.manage-cash\.com"
-SecRule HTTP_Referer|ARGS "\.mauiforsale\.net"
-SecRule HTTP_Referer|ARGS "\.mauisun\.net"
-SecRule HTTP_Referer|ARGS "\.medical-4you\.com"
-SecRule HTTP_Referer|ARGS "\.metasart\.com"
-SecRule HTTP_Referer|ARGS "\.mine-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.mine-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.mista-x\.net"
-SecRule HTTP_Referer|ARGS "\.moneydetails\.net"
-SecRule HTTP_Referer|ARGS "\.money-lovers\.com"
-SecRule HTTP_Referer|ARGS "\.money-plans\.com"
-SecRule HTTP_Referer|ARGS "\.morning-after-pill-top-pharmacy\.net"
-SecRule HTTP_Referer|ARGS "\.mortgage-2you\.com"
-SecRule HTTP_Referer|ARGS "\.moved\.to"
-SecRule HTTP_Referer|ARGS "\.musicbox1\.com"
-SecRule HTTP_Referer|ARGS "\.musicdots\.com"
-SecRule HTTP_Referer|ARGS "\.mycaddy\.net"
-SecRule HTTP_Referer|ARGS "\.mydaycare\.net"
-SecRule HTTP_Referer|ARGS "\.mydivx\.info"
-SecRule HTTP_Referer|ARGS "\.my-health\.us"
-SecRule HTTP_Referer|ARGS "\.myhost\.gb"
-SecRule HTTP_Referer|ARGS "\.mynet-poker\.com"
-SecRule HTTP_Referer|ARGS "\.namedealers\.net"
-SecRule HTTP_Referer|ARGS "\.namerealestate\.com"
-SecRule HTTP_Referer|ARGS "\.naturaldelights\.net"
-SecRule HTTP_Referer|ARGS "\.naturaldelights\.net+"
-SecRule HTTP_Referer|ARGS "\.norwichwriters\.org"
-SecRule HTTP_Referer|ARGS "\.now-cash\.com"
-SecRule HTTP_Referer|ARGS "\.nutzu\.com"
-SecRule HTTP_Referer|ARGS "\.online-forex-trading-currency-exchange\.com"
-SecRule HTTP_Referer|ARGS "\.only-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.op-clan\.com"
-SecRule HTTP_Referer|ARGS "\.openlistings\.net"
-SecRule HTTP_Referer|ARGS "\.open-pharmacy\.com"
-SecRule HTTP_Referer|ARGS "\.order-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.ouragent\.net"
-SecRule HTTP_Referer|ARGS "\.our-money\.com"
-SecRule HTTP_Referer|ARGS "\.parentcompany\.net"
-SecRule HTTP_Referer|ARGS "\.party-poker-e\.com"
-SecRule HTTP_Referer|ARGS "\.pawnauctions\.net"
-SecRule HTTP_Referer|ARGS "\.payperday\.com"
-SecRule HTTP_Referer|ARGS "\.petsellers\.net"
-SecRule HTTP_Referer|ARGS "\.pharmacy-here\.com"
-SecRule HTTP_Referer|ARGS "\.pharmacy-related\.com"
-SecRule HTTP_Referer|ARGS "\.pills-best\.com"
-SecRule HTTP_Referer|ARGS "\.pills-home\.com"
-SecRule HTTP_Referer|ARGS "\.pills-sale\.com"
-SecRule HTTP_Referer|ARGS "\.pisangrebus\.com"
-SecRule HTTP_Referer|ARGS "\.planyourhome\.net"
-SecRule HTTP_Referer|ARGS "\.play12\.zindagi"
-SecRule HTTP_Referer|ARGS "\.play13\.zindagi"
-SecRule HTTP_Referer|ARGS "\.play1\.zindagi"
-SecRule HTTP_Referer|ARGS "\.play5\.zindagi"
-SecRule HTTP_Referer|ARGS "\.play6\.zindagi"
-SecRule HTTP_Referer|ARGS "\.play9\.zindagi"
-SecRule HTTP_Referer|ARGS "\.poker4spain\.com"
-SecRule HTTP_Referer|ARGS "\.poker-freak\.com"
-SecRule HTTP_Referer|ARGS "\.poker-protection\.com"
-SecRule HTTP_Referer|ARGS "\.poker-scan\.com"
-SecRule HTTP_Referer|ARGS "\.poker-stadium\.com"
-SecRule HTTP_Referer|ARGS "\.poolexperts\.net"
-SecRule HTTP_Referer|ARGS "\.poolsmart\.net"
-SecRule HTTP_Referer|ARGS "\.postagepaid\.net"
-SecRule HTTP_Referer|ARGS "\.prakashcommunication\.com"
-SecRule HTTP_Referer|ARGS "\.pro-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.professional-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.protected-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.ps2cool\.com"
-SecRule HTTP_Referer|ARGS "\.psxtreme\.com"
-SecRule HTTP_Referer|ARGS "\.quality-poker\.com"
-SecRule HTTP_Referer|ARGS "\.racepointfunding\.com"
-SecRule HTTP_Referer|ARGS "\.rainbowfactory\.net"
-SecRule HTTP_Referer|ARGS "\.randppro-cuts\.com"
-SecRule HTTP_Referer|ARGS "\.rarefind\.net"
-SecRule HTTP_Referer|ARGS "\.rarehomes\.net"
-SecRule HTTP_Referer|ARGS "\.reachcasino\.com"
-SecRule HTTP_Referer|ARGS "\.realantiques\.net"
-SecRule HTTP_Referer|ARGS "\.realestatehotbuys\.com"
-SecRule HTTP_Referer|ARGS "\.realestatehotdeals\.com"
-SecRule HTTP_Referer|ARGS "\.realestatenow\.net"
-SecRule HTTP_Referer|ARGS "\.realestateseller\.net"
-SecRule HTTP_Referer|ARGS "\.real-estate-shop\.com"
-SecRule HTTP_Referer|ARGS "\.realtorlist\.net"
-SecRule HTTP_Referer|ARGS "\.realtorx2\.com"
-SecRule HTTP_Referer|ARGS "\.realty-discounts\.com"
-SecRule HTTP_Referer|ARGS "\.realty-refund\.com"
-SecRule HTTP_Referer|ARGS "\.realtysmart\.net"
-SecRule HTTP_Referer|ARGS "\.rebuildsanmateohighschool\.org"
-SecRule HTTP_Referer|ARGS "\.registrarprice\.com"
-SecRule HTTP_Referer|ARGS "\.ridgeviewelem\.org"
-SecRule HTTP_Referer|ARGS "\.rohkalby\.com"
-SecRule HTTP_Referer|ARGS "\.rohkalby\.net"
-SecRule HTTP_Referer|ARGS "\.rulo\.biz"
-SecRule HTTP_Referer|ARGS "\.samiuls\.com"
-SecRule HTTP_Referer|ARGS "\.screwy-casino\.com"
-SecRule HTTP_Referer|ARGS "\.seat208\.com"
-SecRule HTTP_Referer|ARGS "\.seethishome\.net"
-SecRule HTTP_Referer|ARGS "\.showcasegifts\.net"
-SecRule HTTP_Referer|ARGS "\.sigmapiscu\.org"
-SecRule HTTP_Referer|ARGS "\.smithtownelementarypta\.org"
-SecRule HTTP_Referer|ARGS "\.sml338\.org"
-SecRule HTTP_Referer|ARGS "\.smsportali\.net"
-SecRule HTTP_Referer|ARGS "\.society-health\.com"
-SecRule HTTP_Referer|ARGS "\.special-medical\.com"
-SecRule HTTP_Referer|ARGS "\.sportsexpert\.net"
-SecRule HTTP_Referer|ARGS "\.standard-casino\.com"
-SecRule HTTP_Referer|ARGS "\.standard-poker\.com"
-SecRule HTTP_Referer|ARGS "\.street-poker\.com"
-SecRule HTTP_Referer|ARGS "\.strega\.us"
-SecRule HTTP_Referer|ARGS "\.studyinslovakia\.com"
-SecRule HTTP_Referer|ARGS "\.sudtuiles\.com"
-SecRule HTTP_Referer|ARGS "\.sy-casino\.com"
-SecRule HTTP_Referer|ARGS "\.take-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.take-mortgage\.com"
-SecRule HTTP_Referer|ARGS "\.take-poker\.com"
-SecRule HTTP_Referer|ARGS "\.talentbroker\.net"
-SecRule HTTP_Referer|ARGS "\.talented-doctor\.com"
-SecRule HTTP_Referer|ARGS "\.tecrep-inc\.net"
-SecRule HTTP_Referer|ARGS "\.terashells\.com"
-SecRule HTTP_Referer|ARGS "\.thebrainstormer\.com"
-SecRule HTTP_Referer|ARGS "\.theebest\.com"
-SecRule HTTP_Referer|ARGS "\.thexmlguys\.com"
-SecRule HTTP_Referer|ARGS "\.this-casino\.com"
-SecRule HTTP_Referer|ARGS "\.this-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.threethreethree\.org"
-SecRule HTTP_Referer|ARGS "\.threethreethree\.us"
-SecRule HTTP_Referer|ARGS "\.to\."
-SecRule HTTP_Referer|ARGS "\.top-poker-21\.com"
-SecRule HTTP_Referer|ARGS "\.top-wins-2005\.com"
-SecRule HTTP_Referer|ARGS "\.toylane\.net"
-SecRule HTTP_Referer|ARGS "\.uccpp\.org"
-SecRule HTTP_Referer|ARGS "\.unbelievable-poker\.com"
-SecRule HTTP_Referer|ARGS "\.understand-poker\.com"
-SecRule HTTP_Referer|ARGS "\.unique-casino\.net"
-SecRule HTTP_Referer|ARGS "\.unique-insurance\.com"
-SecRule HTTP_Referer|ARGS "\.unique-pills\.com"
-SecRule HTTP_Referer|ARGS "\.unique-poker\.com"
-SecRule HTTP_Referer|ARGS "\.us\.8gold"
-SecRule HTTP_Referer|ARGS "\.useful-pills\.com"
-SecRule HTTP_Referer|ARGS "\.vadoptions\.com"
-SecRule HTTP_Referer|ARGS "\.vcontacts\.com"
-SecRule HTTP_Referer|ARGS "\.vdiplomas\.com"
-SecRule HTTP_Referer|ARGS "\.vdirections\.com"
-SecRule HTTP_Referer|ARGS "\.vdude\.com"
-SecRule HTTP_Referer|ARGS "\.vexpert\.com"
-SecRule HTTP_Referer|ARGS "\.vfacility\.com"
-SecRule HTTP_Referer|ARGS "\.vfreeway\.com"
-SecRule HTTP_Referer|ARGS "\.vgardening\.com"
-SecRule HTTP_Referer|ARGS "\.vined\.com"
-SecRule HTTP_Referer|ARGS "\.vinsider\.com"
-SecRule HTTP_Referer|ARGS "\.vjackpot\.com"
-SecRule HTTP_Referer|ARGS "\.vjuror\.com"
-SecRule HTTP_Referer|ARGS "\.vmailman\.com"
-SecRule HTTP_Referer|ARGS "\.vmasterpiece\.com"
-SecRule HTTP_Referer|ARGS "\.vmousetrap\.com"
-SecRule HTTP_Referer|ARGS "\.vneighbor\.com"
-SecRule HTTP_Referer|ARGS "\.vnsoul\.org"
-SecRule HTTP_Referer|ARGS "\.vpawnshop\.com"
-SecRule HTTP_Referer|ARGS "\.vplaymate\.com"
-SecRule HTTP_Referer|ARGS "\.vpshs\.com"
-SecRule HTTP_Referer|ARGS "\.vquality\.com"
-SecRule HTTP_Referer|ARGS "\.vrajitor\.com"
-SecRule HTTP_Referer|ARGS "\.vreporters\.com"
-SecRule HTTP_Referer|ARGS "\.vthought\.com"
-SecRule HTTP_Referer|ARGS "\.walnuttownfireco\.org"
-SecRule HTTP_Referer|ARGS "\.web4u\.gb"
-SecRule HTTP_Referer|ARGS "\.white-pills\.com"
-SecRule HTTP_Referer|ARGS "\.win-2005\.com"
-SecRule HTTP_Referer|ARGS "\.win-in-poker\.com"
-SecRule HTTP_Referer|ARGS "\.wkelleylucas\.com"
-SecRule HTTP_Referer|ARGS "\.wslp24\.com"
-SecRule HTTP_Referer|ARGS "\.wsop-allabout\.com"
-SecRule HTTP_Referer|ARGS "\.xmlindustry\.com"
-SecRule HTTP_Referer|ARGS "\.yelucie\.com"
-SecRule HTTP_Referer|ARGS "\.yours-cash\.com"
-SecRule HTTP_Referer|ARGS "\.zindagi\.us"
-SecRule HTTP_Referer|ARGS "\.medianetjapan\.com"
-SecRule HTTP_Referer|ARGS "\.medics\.dn\.ua"
-SecRule HTTP_Referer|ARGS "\.isgre\.at"
-SecRule HTTP_Referer|ARGS "\.nerdcamp\.net"
-SecRule HTTP_Referer|ARGS "\.mortgage-start\.com"
-SecRule HTTP_Referer|ARGS "\.galstown\.ne\.jp"
-SecRule HTTP_Referer|ARGS "\.rtq2\.com"
-SecRule HTTP_Referer|ARGS "\.winfixer\.com"
-SecRule HTTP_Referer|ARGS "\.winantispyware\.com"
-SecRule HTTP_Referer|ARGS "\.asdrugs\.com"
-SecRule HTTP_Referer|ARGS "\.sdrugs\.com"
-SecRule HTTP_Referer|ARGS "\.etowns\.org"
-SecRule HTTP_Referer|ARGS "\.vnunetblog\.de"
-SecRule HTTP_Referer|ARGS "\.blogg\.de"
-SecRule HTTP_Referer|ARGS "\.eponym\.com"
-SecRule HTTP_Referer|ARGS "\.tubuse\.com"
-SecRule HTTP_Referer|ARGS "\.undonet\.com"
-SecRule HTTP_Referer|ARGS "\.crozbee\.com"
-SecRule HTTP_Referer|ARGS "\.24-7galleries\.com"
-SecRule HTTP_Referer|ARGS "\.cnbnp\.com"
-SecRule HTTP_Referer|ARGS "\.get-sport-betting\.com"
-SecRule HTTP_Referer|ARGS "\.galstown\.ne\.jp"
-SecRule HTTP_Referer|ARGS "\.chick-on-you\.com"
-SecRule HTTP_Referer|ARGS "\.changeip\.name"
-SecRule HTTP_Referer|ARGS "\.yachtdurak\.com"
-SecRule HTTP_Referer|ARGS "\.sobonn\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)nic-x\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)hornyfanclub\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)luvthenet\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)stpetersdunboyne.com"
-SecRule HTTP_Referer|ARGS "(\.|/)catastrophicskate\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)multidomainaward\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)spiritedjourneyinn.com"
-SecRule HTTP_Referer|ARGS "(\.|/)nnickee\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)harfordweb\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)ohab-accounting\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)heartsdesireconcerts\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)scpa-films\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)neumannsouthey\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)admax-express\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)inet-d\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)locketech\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)lbrarycrunch\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)spectro-optics\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)sekwebdesign\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)glennboyandmitch\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)terrosrismunveiled\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)wanamakerassoc\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)ons98\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)homesalenow\.net"
-SecRule HTTP_Referer|ARGS "(\.|/)visionecon\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)pqgraphica\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)seawolfmm\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)planettoyko\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)spectronixresearch\.com"
-SecRule HTTP_Referer|ARGS "\.sti\.in\.ua"
-SecRule HTTP_Referer|ARGS "\.sultryserver\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)csi-sales\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)sumale\.net"
-SecRule HTTP_Referer|ARGS "(\.|/)cypressmgmt\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)(com|net|org)-fiberpipe\.net"
-SecRule HTTP_Referer|ARGS "\.debt-consolidation-(page|advises)\.com"
-SecRule HTTP_Referer|ARGS "\.24x7-debt-consolidation\.com"
-SecRule HTTP_Referer|ARGS "(\.|/)(unique|take|yours|available)+[\w\-_.]*loan\.[a-z]{2,}"
-SecRule HTTP_Referer|ARGS "(\.|/)(loan)+[\w\-_.]*(4all|results|here|variety)\.[a-z]{2,}"
-#Bogus google.com referrer
-SecRule HTTP_Referer "(/|$)google\.com/?^" "pass,log"
-SecRule HTTP_Referer|ARGS 10-poker\.com
-SecRule HTTP_Referer|ARGS 1click-casino\.com
-SecRule HTTP_Referer|ARGS 1click-hotel\.com
-SecRule HTTP_Referer|ARGS 1click-poker\.com
-SecRule HTTP_Referer|ARGS 1hour-finance\.com
-SecRule HTTP_Referer|ARGS 4all-casino\.com
-SecRule HTTP_Referer|ARGS 4u-finance\.com
-SecRule HTTP_Referer|ARGS allabout-poker\.net
-SecRule HTTP_Referer|ARGS alleghenydist\.net
-SecRule HTTP_Referer|ARGS available-finance\.com
-SecRule HTTP_Referer|ARGS aylwardfamily\.com
-SecRule HTTP_Referer|ARGS backpage\.com
-SecRule HTTP_Referer|ARGS be\.uaeecommerce\.com
-SecRule HTTP_Referer|ARGS bitlocker\.net
-SecRule HTTP_Referer|ARGS blast-poker\.com
-SecRule HTTP_Referer|ARGS blest-casino\.com
-SecRule HTTP_Referer|ARGS blog\.expedia\.fr
-SecRule HTTP_Referer|ARGS casino-2u\.com
-SecRule HTTP_Referer|ARGS casino-555\.com
-SecRule HTTP_Referer|ARGS casino-addicted\.com
-SecRule HTTP_Referer|ARGS casino-builders\.com
-SecRule HTTP_Referer|ARGS casino-fans\.com
-SecRule HTTP_Referer|ARGS casino-junkies\.com
-SecRule HTTP_Referer|ARGS casino-lovers\.com
-SecRule HTTP_Referer|ARGS casino-y\.com
-SecRule HTTP_Referer|ARGS classical-casino\.com
-SecRule HTTP_Referer|ARGS completely-sport\.com
-SecRule HTTP_Referer|ARGS consultanthub\.com
-SecRule HTTP_Referer|ARGS credit-card-24x7\.com
-SecRule HTTP_Referer|ARGS credit-card-2u\.com
-SecRule HTTP_Referer|ARGS credit-card-available\.com
-SecRule HTTP_Referer|ARGS credit-card-check\.com
-SecRule HTTP_Referer|ARGS credit-card-funds\.com
-SecRule HTTP_Referer|ARGS credit-card-registration\.com
-SecRule HTTP_Referer|ARGS credit-card-verification\.com
-SecRule HTTP_Referer|ARGS dare-poker\.com
-SecRule HTTP_Referer|ARGS debt-consolidation-1click\.com
-SecRule HTTP_Referer|ARGS debt-consolidation-2u\.com
-SecRule HTTP_Referer|ARGS debt-consolidation-advises\.com
-SecRule HTTP_Referer|ARGS debt-consolidation-modification\.com
-SecRule HTTP_Referer|ARGS debt-consolidation-notes\.com
-SecRule HTTP_Referer|ARGS debt-consolidation-organization\.com
-SecRule HTTP_Referer|ARGS debt-consolidation-page\.com
-SecRule HTTP_Referer|ARGS debt-consolidation-rate\.com
-SecRule HTTP_Referer|ARGS debt-consolidation-reviews\.com
-SecRule HTTP_Referer|ARGS diet-pills-with-ephedra-for-you\.info
-SecRule HTTP_Referer|ARGS dir\.bg
-SecRule HTTP_Referer|ARGS doctor-tip\.com
-SecRule HTTP_Referer|ARGS domain-poker\.com
-SecRule HTTP_Referer|ARGS em-poker-texas-holdem-4u\.info
-SecRule HTTP_Referer|ARGS excellent-casino\.com
-SecRule HTTP_Referer|ARGS extra-hotel\.com
-SecRule HTTP_Referer|ARGS extra-poker\.com
-SecRule HTTP_Referer|ARGS extra-sport-betting\.com
-SecRule HTTP_Referer|ARGS famous-hotel\.com
-SecRule HTTP_Referer|ARGS favorites-hotels\.com
-SecRule HTTP_Referer|ARGS finance-always\.com
-SecRule HTTP_Referer|ARGS finance-here\.com
-SecRule HTTP_Referer|ARGS finance-immediately\.com
-SecRule HTTP_Referer|ARGS finance-results\.com
-SecRule HTTP_Referer|ARGS fokus\.bg
-SecRule HTTP_Referer|ARGS forever-casino\.com
-SecRule HTTP_Referer|ARGS free-poker-texas-hold-em-pc-4-you\.info
-SecRule HTTP_Referer|ARGS funny-poker\.com
-SecRule HTTP_Referer|ARGS general-hotels\.com
-SecRule HTTP_Referer|ARGS globus-finance\.com
-SecRule HTTP_Referer|ARGS good-credit-card\.com
-SecRule HTTP_Referer|ARGS good-poker\.com
-SecRule HTTP_Referer|ARGS mine-casino\.com
-SecRule HTTP_Referer|ARGS secured-casino\.com
-SecRule HTTP_Referer|ARGS more-chicks\.com
-SecRule HTTP_Referer|ARGS skyscrapercity\.com
-SecRule HTTP_Referer|ARGS "\.unkemptgirls\.com"
-SecRule HTTP_Referer|ARGS "\.goldflirt\.com"
-SecRule HTTP_Referer|ARGS "\.splitcamera\.com"
-SecRule HTTP_Referer|ARGS "\.pornoszones\.com"
-SecRule HTTP_Referer|ARGS "\.advancegrouponline\.com"
-SecRule HTTP_Referer|ARGS "\.dredgerjs\.info"
-SecRule HTTP_Referer|ARGS "7lux\.com"
-SecRule HTTP_Referer|ARGS "etc-lb\.com"
-SecRule HTTP_Referer|ARGS "fine-galleries\.com"
-SecRule HTTP_Referer|ARGS "gienos\.com"
-SecRule HTTP_Referer|ARGS "hard-in-porno\.com"
-SecRule HTTP_Referer|ARGS "hugeboobstgp\.com"
-SecRule HTTP_Referer|ARGS "kinipi\.com"
-SecRule HTTP_Referer|ARGS "krava\.org"
-SecRule HTTP_Referer|ARGS "moreanalpics\.com"
-SecRule HTTP_Referer|ARGS "moregal\.com"
-SecRule HTTP_Referer|ARGS "ninja\.co\.in"
-SecRule HTTP_Referer|ARGS "poes\.net"
-SecRule HTTP_Referer|ARGS "primoposi\.com"
-SecRule HTTP_Referer|ARGS "puposi\.com"
-SecRule HTTP_Referer|ARGS "studsplase\.com"
-SecRule HTTP_Referer|ARGS "synnland\.com"
-SecRule HTTP_Referer|ARGS "synnnet\.net"
-SecRule HTTP_Referer|ARGS "synns\.net"
-SecRule HTTP_Referer|ARGS "synnt\.com"
-SecRule HTTP_Referer|ARGS "synnu\.com"
-SecRule HTTP_Referer|ARGS "tantrsex\.com"
-SecRule HTTP_Referer|ARGS "tenssexyxxxporn\.com"
-SecRule HTTP_Referer|ARGS "thesynn\.net"
-SecRule HTTP_Referer|ARGS "xxxanalmovies\.info"
-SecRule HTTP_Referer|ARGS "xxxdosug\.ru"
-SecRule HTTP_Referer|ARGS "xzuc1\.com"
-SecRule HTTP_Referer|ARGS "b-capital\.ru"
-SecRule HTTP_Referer|ARGS "bdsm.sexwwwinfo\.com"
-SecRule HTTP_Referer|ARGS 50megs\.com
-SecRule HTTP_Referer|ARGS accounting1\.org
-SecRule HTTP_Referer|ARGS advancegrouponline\.com
-SecRule HTTP_Referer|ARGS all-drug-shop\.com
-SecRule HTTP_Referer|ARGS bestporn2006\.com
-SecRule HTTP_Referer|ARGS bigxxxsex\.com
-SecRule HTTP_Referer|ARGS blogsforums\.info
-SecRule HTTP_Referer|ARGS blogspot\.com
-SecRule HTTP_Referer|ARGS cabspace\.com
-SecRule HTTP_Referer|ARGS canalblog\.com
-SecRule HTTP_Referer|ARGS cheap-sn\.com
-SecRule HTTP_Referer|ARGS cmm3w\.info
-SecRule HTTP_Referer|ARGS cnnty\.com
-SecRule HTTP_Referer|ARGS com\.ru
-SecRule HTTP_Referer|ARGS CRASN\.COM
-SecRule HTTP_Referer|ARGS crimsonland\.info
-SecRule HTTP_Referer|ARGS ctynn\.com
-SecRule HTTP_Referer|ARGS dasyt\.com
-SecRule HTTP_Referer|ARGS deo-vindice\.info
-SecRule HTTP_Referer|ARGS diem-perdidi\.info
-SecRule HTTP_Referer|ARGS dorvpered\.info
-SecRule HTTP_Referer|ARGS download-madonna-mp3\.com
-SecRule HTTP_Referer|ARGS drugname\.net
-SecRule HTTP_Referer|ARGS drugsn\.com
-SecRule HTTP_Referer|ARGS DRUGSN\.COM
-SecRule HTTP_Referer|ARGS ebony-fucking\.net
-SecRule HTTP_Referer|ARGS eurohostindex\.info
-SecRule HTTP_Referer|ARGS ewqe-r\.info
-SecRule HTTP_Referer|ARGS full-mp3s-albums\.com
-SecRule HTTP_Referer|ARGS gaa\.com
-SecRule HTTP_Referer|ARGS getfunhere\.com
-SecRule HTTP_Referer|ARGS gojox\.com
-SecRule HTTP_Referer|ARGS goo\.com
-SecRule HTTP_Referer|ARGS hosther\.com
-SecRule HTTP_Referer|ARGS host\.sk
-SecRule HTTP_Referer|ARGS i8\.com
-SecRule HTTP_Referer|ARGS inetscan\.com
-SecRule HTTP_Referer|ARGS interneo\.ru
-SecRule HTTP_Referer|ARGS interneo\.us
-SecRule HTTP_Referer|ARGS isuisse\.com
-SecRule HTTP_Referer|ARGS magneticgame\.com
-SecRule HTTP_Referer|ARGS masterbell\.net
-SecRule HTTP_Referer|ARGS meta13\.com
-SecRule HTTP_Referer|ARGS ne-quid-nimis\.info
-SecRule HTTP_Referer|ARGS noads\.biz
-SecRule HTTP_Referer|ARGS nosce-te-ipsum\.info
-SecRule HTTP_Referer|ARGS nvchat\.net
-SecRule HTTP_Referer|ARGS okanagangirlz\.com
-SecRule HTTP_Referer|ARGS onesite\.com
-SecRule HTTP_Referer|ARGS osarex\.com
-SecRule HTTP_Referer|ARGS pharmacysn\.com
-SecRule HTTP_Referer|ARGS pharmasn\.com
-SecRule HTTP_Referer|ARGS play-sex-game\.com
-SecRule HTTP_Referer|ARGS property-link\.info
-SecRule HTTP_Referer|ARGS ripway\.com
-SecRule HTTP_Referer|ARGS rr\.nu
-SecRule HTTP_Referer|ARGS servik\.com
-SecRule HTTP_Referer|ARGS sexcom-xxx\.com
-SecRule HTTP_Referer|ARGS sexpasw\.com
-SecRule HTTP_Referer|ARGS sexwwwinfo\.com
-SecRule HTTP_Referer|ARGS sharebear\.co\.uk
-SecRule HTTP_Referer|ARGS siteburg\.com
-SecRule HTTP_Referer|ARGS smalllols\.info
-SecRule HTTP_Referer|ARGS sn333\.com
-SecRule HTTP_Referer|ARGS snow-mp3\.com
-SecRule HTTP_Referer|ARGS splitcamera\.com
-SecRule HTTP_Referer|ARGS sport-gambling-888\.info
-SecRule HTTP_Referer|ARGS supador\.info
-SecRule HTTP_Referer|ARGS swingers\.cnnty\.com
-SecRule HTTP_Referer|ARGS talk-more\.biz
-SecRule HTTP_Referer|ARGS top-keywords\.net
-SecRule HTTP_Referer|ARGS uhuhu\.ru
-SecRule HTTP_Referer|ARGS vipraskrutka\.com
-SecRule HTTP_Referer|ARGS vipraskrutka\.info
-SecRule HTTP_Referer|ARGS winfixer\.com
-SecRule HTTP_Referer|ARGS yard\.ru
-SecRule HTTP_Referer|ARGS yourfreevids\.com
-SecRule HTTP_Referer|ARGS zomi\.net
-SecRule HTTP_Referer|ARGS \.yaboo\.dk/
-SecRule HTTP_Referer|ARGS \.infoinet\.net
-SecRule HTTP_Referer|ARGS \.dermonuj\.info
-SecRule HTTP_Referer|ARGS "\.amatureloveboys\.com"
-SecRule HTTP_Referer|ARGS "\.porkyhost\.com"
-SecRule HTTP_Referer|ARGS "\.homewithgod\.com"
diff --git a/files/mod_security/custom_rules/blacklist2.conf b/files/mod_security/custom_rules/blacklist2.conf
deleted file mode 100644
index e44e462..0000000
--- a/files/mod_security/custom_rules/blacklist2.conf
+++ /dev/null
@@ -1,583 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Gotroot.com ModSecurity rules
-# Blacklist of rootkit sites, owned machines and other bad players for modsec 2.x
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/blacklist2.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# modsecurity is a trademark of Thinking Stone, Ltd.
-#
-# Version: N-20061022-01
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-
-SecRule REQUEST_URI|ARGS "\.frauenfinanzzentrum\.at"
-SecRule REQUEST_URI|ARGS "von-der-igelhoehe\.de"
-SecRule REQUEST_URI|ARGS "danger-soft\.com"
-SecRule REQUEST_URI|ARGS "(\.|/)altunerhost\.com"
-SecRule REQUEST_URI|ARGS "\.netfast\.org"
-SecRule REQUEST_URI|ARGS "\.redcrew\.de"
-SecRule REQUEST_URI|ARGS "(\.|/)elektroteh\.com/"
-SecRule REQUEST_URI|ARGS "(\.|/)see-my-ip\.info/"
-SecRule REQUEST_URI|ARGS "kanalia\.bimber\.pl"
-SecRule REQUEST_URI|ARGS "(\.|/)flinttalk\.com"
-SecRule REQUEST_URI "https?:.*(\.|/)myspace\.si/"
-SecRule REQUEST_URI|ARGS "uarg\.unpa\.edu\.ar"
-SecRule REQUEST_URI|ARGS "(\.|/)wileyc\.edu/"
-SecRule REQUEST_URI|ARGS "(\.|/)eks-darmstadt\.de"
-SecRule REQUEST_URI|ARGS "(\.|/)flinttalk\.com"
-SecRule REQUEST_URI|ARGS "\.albacrew\.us/"
-SecRule REQUEST_URI|ARGS "\.tebel-gmbh\.de/"
-SecRule REQUEST_URI|ARGS "(/|\.)defensacivil\.gov\.ec/"
-SecRule REQUEST_URI|ARGS "(/|\.)wwop\.org"
-SecRule REQUEST_URI|ARGS "\.kalin\.ru/"
-SecRule REQUEST_URI|ARGS "destructive\.by\.ru/"
-SecRule REQUEST_URI|ARGS "gulfchamber\.org/"
-SecRule REQUEST_URI|ARGS "tckct\.co\.uk"
-SecRule REQUEST_URI|ARGS "crimsonaddict\.com/"
-SecRule REQUEST_URI|ARGS "(\.|/)webstorch\.com"
-SecRule REQUEST_URI|ARGS "/213\.133\.108\.122/"
-SecRule REQUEST_URI|ARGS "freewebtown\.com/"
-SecRule REQUEST_URI|ARGS "(\.|/)tinypath\.com/"
-SecRule REQUEST_URI|ARGS "rve\.cjb\.hu/"
-SecRule REQUEST_URI|ARGS "69\.25\.64\.78"
-SecRule REQUEST_URI|ARGS "(\.|/)xgamers\.com\.tw/"
-SecRule REQUEST_URI|ARGS "(\.|/)balikesir\.edu\.tr/"
-SecRule REQUEST_URI|ARGS "(\.|/)ocprojects\.com/"
-SecRule REQUEST_URI|ARGS "(\.|/)casadejoaodebarro\.com\.br/"
-SecRule REQUEST_URI|ARGS "\.extremus\.info/"
-SecRule REQUEST_URI|ARGS "\.parit\.org/"
-SecRule REQUEST_URI|ARGS "\.awardspace\.com"
-SecRule REQUEST_URI|ARGS "(/|\.)haztek-software\.com"
-SecRule REQUEST_URI|ARGS "(/|\.)geocities\.com/nirkan2k3/"
-SecRule REQUEST_URI|ARGS "(/|\.)libracomm\.co\.uk/"
-SecRule REQUEST_URI|ARGS "(/|\.)kloeckner-web\.de"
-SecRule REQUEST_URI|ARGS "(/|\.)mirckurdu\.net/"
-SecRule REQUEST_URI|ARGS "(/|\.)apk\.pt/"
-SecRule REQUEST_URI|ARGS "(/|\.)asksevda\.net"
-SecRule REQUEST_URI|ARGS "(/|\.)kacaktc\.com"
-SecRule REQUEST_URI|ARGS "(/|\.)3-bius\.com"
-SecRule REQUEST_URI|ARGS "(/|\.)injek-gw\.com"
-SecRule REQUEST_URI|ARGS "(/|\.)brtdata\.com\.br/"
-SecRule REQUEST_URI|ARGS "(/|\.)uaivip\.com\.br/"
-SecRule REQUEST_URI|ARGS "(/|\.)boardtr\.com/"
-SecRule REQUEST_URI|ARGS "(/|\.)radiouniversity\.net/"
-SecRule REQUEST_URI|ARGS "(/|\.)velvet\.jp/"
-SecRule REQUEST_URI|ARGS "(/|\.)loved\.com/"
-SecRule REQUEST_URI|ARGS "(/|\.)kit\.net/"
-SecRule REQUEST_URI|ARGS "(/|\.)warezworld\.cx/"
-SecRule REQUEST_URI|ARGS "(/|\.)void\.ru/"
-SecRule REQUEST_URI|ARGS "(/|\.)itabaiana\.se\.gov\.br"
-SecRule REQUEST_URI|ARGS "(/|\.)ajadp\.net/"
-SecRule REQUEST_URI|ARGS "(/|\.)perian-a\.biz"
-SecRule REQUEST_URI|ARGS "(/|\.)rootshell\.be"
-SecRule REQUEST_URI|ARGS "(/|\.)tododescargas\.com\.ve/"
-SecRule REQUEST_URI|ARGS "(/|\.)caucasus\.net/"
-SecRule REQUEST_URI|ARGS "(/|\.)iespana\.es/"
-SecRule REQUEST_URI|ARGS "(/|\.)the-tronix\.net/"
-SecRule REQUEST_URI|ARGS "(/|\.)classi-find\.net/"
-SecRule REQUEST_URI|ARGS "(/|\.)albanet\.biz\.tc/"
-SecRule REQUEST_URI|ARGS "(/|\.)wendyscountrycloset\.biz/"
-SecRule REQUEST_URI|ARGS "(/|\.)meiemees\.pri\.ee"
-SecRule REQUEST_URI|ARGS "(/|\.)geirinn\.is"
-SecRule REQUEST_URI|ARGS "(/|\.)skullbocks\.org/"
-SecRule REQUEST_URI|ARGS "(/|\.)byethost9\.com/"
-SecRule REQUEST_URI|ARGS "(/|\.)hackermail2010\.ifrance\.com"
-SecRule REQUEST_URI|ARGS "(/|\.)ifrance\.com/hackermail2010"
-SecRule REQUEST_URI|ARGS "(/|\.)paul\.net\.pl/"
-SecRule REQUEST_URI|ARGS "(/|\.)interfree\.it/"
-SecRule REQUEST_URI|ARGS "\.albados\.com"
-SecRule REQUEST_URI|ARGS "\.perqafohu\.com"
-SecRule REQUEST_URI|ARGS "\.cside21\.com/"
-SecRule REQUEST_URI|ARGS "200\.24\.117\.125"
-SecRule REQUEST_URI|ARGS "elitemorgan\.com/"
-SecRule REQUEST_URI|ARGS "\acesso\.t35\.com"
-SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/"
-SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/jefferyladun/"
-SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/junhendra/"
-SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/xpl_gibson/"
-SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/kelvinkappa1/"
-SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/damon_shaft/"
-SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/gettoprince4u/"
-SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/brennanventures/"
-SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/solohackerlinks/"
-SecRule REQUEST_URI|ARGS "(\.|/)albahost\.host\.sk/"
-SecRule REQUEST_URI|ARGS "uarg\.unpa\.edu\.ar/"
-SecRule REQUEST_URI|ARGS "\.manhattanservice\.com"
-SecRule REQUEST_URI|ARGS "\.kurddomain\.net"
-SecRule REQUEST_URI|ARGS "elmorgan\.com\.ar"
-SecRule REQUEST_URI|ARGS "61\.1\.197\.244"
-SecRule REQUEST_URI|ARGS "home\.arcor\.de"
-SecRule REQUEST_URI|ARGS "\.turx\.nl"
-SecRule REQUEST_URI|ARGS "\.members\.lycos\.co\.uk/albacr3w/"
-SecRule REQUEST_URI|ARGS "\.ifrance\.com"
-SecRule REQUEST_URI|ARGS "pivadesign\.com\.br"
-SecRule REQUEST_URI|ARGS "\.pc-phasechange\.it"
-SecRule REQUEST_URI|ARGS "ciberia\.ya\.com"
-SecRule REQUEST_URI|ARGS "\.starhack\.org"
-SecRule REQUEST_URI|ARGS "sweet-serenity\.org"
-SecRule REQUEST_URI|ARGS "\.uol\.com\.br"
-SecRule REQUEST_URI|ARGS "aviozone\.com"
-SecRule REQUEST_URI|ARGS "mptechno\.cz"
-SecRule REQUEST_URI|ARGS "\.piranho\.de"
-SecRule REQUEST_URI|ARGS "\.lilspage\.de"
-SecRule REQUEST_URI|ARGS "209\.136\.48\.69"
-SecRule REQUEST_URI|ARGS "216\.12\.103\.29"
-SecRule REQUEST_URI|ARGS "209\.232\.227\.224"
-SecRule REQUEST_URI|ARGS "200\.72\.130\.29"
-SecRule REQUEST_URI|ARGS "209\.123\.16\.34"
-SecRule REQUEST_URI|ARGS "\.mitchellwhite\.com"
-SecRule REQUEST_URI|ARGS "full-comandos\.com"
-SecRule REQUEST_URI|ARGS "members\.lycos\.co\.uk/tiara"
-SecRule REQUEST_URI|ARGS "sharonfamilyandtravel\.com"
-SecRule REQUEST_URI|ARGS "72\.18\.195\.161"
-SecRule REQUEST_URI|ARGS "geocities\.com/hitam_putih_dalnet/"
-SecRule REQUEST_URI|ARGS "cyberspiderwebdesign\.com"
-SecRule REQUEST_URI|ARGS "\.softcarein\.com"
-SecRule REQUEST_URI|ARGS "\.netmisphere2\.com"
-SecRule REQUEST_URI|ARGS "juniorenkammer\.be"
-SecRule REQUEST_URI|ARGS "\.itunisie\.com"
-SecRule REQUEST_URI|ARGS "mitchellgeo\.com"
-SecRule REQUEST_URI|ARGS "hackexpert\.net"
-SecRule REQUEST_URI|ARGS "agi-zagi\.co\.kr"
-SecRule REQUEST_URI|ARGS "\.f1-kingpin\.de"
-SecRule REQUEST_URI|ARGS "(http|https|ftp)\:/.*\.free\.fr"
-SecRule REQUEST_URI|ARGS "www\.designerwear\.co\.uk"
-SecRule REQUEST_URI|ARGS "(http|https|ftp)\:/.*\.i8\.com"
-SecRule REQUEST_URI|ARGS "danzarte\.cl"
-SecRule REQUEST_URI|ARGS "\.ripway\.com"
-SecRule REQUEST_URI|ARGS "81\.174\.26\.111"
-SecRule REQUEST_URI|ARGS "128\.173\.40\.113"
-SecRule REQUEST_URI|ARGS "\.lycos\.co\.uk/metlak/"
-SecRule REQUEST_URI|ARGS "\.xcop\.biz/"
-SecRule REQUEST_URI|ARGS "sca\.postech\.ac\.kr"
-SecRule REQUEST_URI|ARGS "www\.aauto\.no"
-SecRule REQUEST_URI|ARGS "dsoulzin\.net"
-SecRule REQUEST_URI|ARGS "\.altervista\.org"
-SecRule REQUEST_URI|ARGS "\.yatas\.com"
-SecRule REQUEST_URI|ARGS "bocor-team\.org"
-SecRule REQUEST_URI|ARGS "s0l4r1sr0x\.com"
-SecRule REQUEST_URI|ARGS "209\.16\.85\.15"
-SecRule REQUEST_URI|ARGS "217\.160\.242\.90"
-SecRule REQUEST_URI|ARGS "81\.174\.26\.111"
-SecRule REQUEST_URI|ARGS "216\.15\.209\.12"
-SecRule REQUEST_URI|ARGS "216\.103\.82\.214"
-SecRule REQUEST_URI|ARGS "usuarios\.lycos\.es/angienuka"
-SecRule REQUEST_URI|ARGS "usuarios\.lycos\.es/saxalt/"
-SecRule REQUEST_URI|ARGS "\.members\.lycos\.co\.uk/hackersclup"
-SecRule REQUEST_URI|ARGS "spykids\.info"
-SecRule REQUEST_URI|ARGS "smellthecoffee\.com"
-SecRule REQUEST_URI|ARGS "\.nana\.co\.il"
-SecRule REQUEST_URI|ARGS "yavnek12\.co\.il"
-SecRule REQUEST_URI|ARGS "billing\.veloxinternet\.com/"
-SecRule REQUEST_URI|ARGS "usuarios\.lycos\.es"
-SecRule REQUEST_URI|ARGS "217\.114\.109\.11"
-SecRule REQUEST_URI|ARGS "217\.160\.255\.44"
-SecRule REQUEST_URI|ARGS "217\.160\.242\.90"
-SecRule REQUEST_URI|ARGS "148\.81\.141\.12"
-SecRule REQUEST_URI|ARGS "131\.155\.98\.128"
-SecRule REQUEST_URI|ARGS "212\.114\.84\.18"
-SecRule REQUEST_URI|ARGS "81\.174\.26\.111"
-SecRule REQUEST_URI|ARGS "192\.112\.220\.37"
-SecRule REQUEST_URI|ARGS "pc-clinic\.fr"
-SecRule REQUEST_URI|ARGS "clientes\.netvisao\.pt"
-SecRule REQUEST_URI|ARGS "\.sanicentrum\.be"
-SecRule REQUEST_URI|ARGS "www\.brain\.net\.pk"
-SecRule REQUEST_URI|ARGS "web\.un1xtech\.com"
-SecRule REQUEST_URI|ARGS "\.schost\.com\.br/"
-SecRule REQUEST_URI|ARGS "neto5a\.iitalia\.com"
-SecRule REQUEST_URI|ARGS "mesahigh\.com"
-SecRule REQUEST_URI|ARGS "216\.111\.31\.2"
-SecRule REQUEST_URI|ARGS "24\.224\.174\.18"
-SecRule REQUEST_URI|ARGS "\.mcarthur.\org"
-SecRule REQUEST_URI|ARGS "\.v10\.com\.br/"
-SecRule REQUEST_URI|ARGS "agaman\.net"
-SecRule REQUEST_URI|ARGS "\.what-a-pair\.com"
-SecRule REQUEST_URI|ARGS "62\.101\.193\.244"
-SecRule REQUEST_URI|ARGS "\.tutoworld\.org"
-SecRule REQUEST_URI|ARGS "jupiterhost\.net/"
-SecRule REQUEST_URI|ARGS "\.iyscrew\.com"
-SecRule REQUEST_URI|ARGS "\.server4free\.de"
-SecRule REQUEST_URI|ARGS "\.tikla\.org"
-SecRule REQUEST_URI|ARGS "\.dps-ct\.com/"
-SecRule REQUEST_URI|ARGS "66\.235\.216\.137"
-SecRule REQUEST_URI|ARGS "labserver\.veter\.ucv\.ve"
-SecRule REQUEST_URI|ARGS "\.eformidler\.dk"
-SecRule REQUEST_URI|ARGS "febronio\.org"
-SecRule REQUEST_URI|ARGS "zavisnici\.com"
-SecRule REQUEST_URI|ARGS "\.2x4\.ru"
-SecRule REQUEST_URI|ARGS "\.k4boom\.biz"
-SecRule REQUEST_URI|ARGS "theperfecttitle\.com"
-SecRule REQUEST_URI|ARGS "\.yhrhosting\.com"
-SecRule REQUEST_URI|ARGS "\.nitrofx\.com"
-SecRule REQUEST_URI|ARGS "(/|\.)ownsalldomains\.org"
-SecRule REQUEST_URI|ARGS "(/|\.)ocktober\.com"
-SecRule REQUEST_URI|ARGS "\.s5\.com"
-SecRule REQUEST_URI|ARGS "\.systemcrew\.net"
-SecRule REQUEST_URI|ARGS "www\.tutoworld\.org"
-SecRule REQUEST_URI|ARGS "\.supereva\.it/"
-SecRule REQUEST_URI|ARGS "\.frsirt\.com"
-SecRule REQUEST_URI|ARGS "(www\.|/)geocities\.com/anangkd"
-SecRule REQUEST_URI|ARGS "geocities\.com/anugerahnet"
-SecRule REQUEST_URI|ARGS "(www\.|/)geocities\.com/bacardi_marv"
-SecRule REQUEST_URI|ARGS "\.geocities\.com/"
-SecRule REQUEST_URI|ARGS "/geocities\.com/"
-SecRule REQUEST_URI|ARGS "\.freshmaker\.us"
-SecRule REQUEST_URI|ARGS "packetx\.org"
-SecRule REQUEST_URI|ARGS "\.de-soc-mac\.de"
-SecRule REQUEST_URI|ARGS "\.leohissa\.oi\.com\.br"
-SecRule REQUEST_URI|ARGS "\.fig0\.com"
-SecRule REQUEST_URI|ARGS "\.brasilhoster\.net"
-SecRule REQUEST_URI|ARGS "\.riteweld\.com"
-SecRule REQUEST_URI|ARGS "216\.111\.31\.2"
-SecRule REQUEST_URI|ARGS "\.fineca\.net"
-SecRule REQUEST_URI|ARGS "r00nin\.vila\.bol\.com\.br"
-SecRule REQUEST_URI|ARGS "\.bol\.com\.br"
-SecRule REQUEST_URI|ARGS "freewebbe\.supereva\.it"
-SecRule REQUEST_URI|ARGS "asianfiles\.deluxepass\.com"
-SecRule REQUEST_URI|ARGS "sei26\.tripod\.com"
-SecRule REQUEST_URI|ARGS "gigachat\.net"
-SecRule REQUEST_URI|ARGS "www\.sos-deces\.be"
-SecRule REQUEST_URI|ARGS "\.sosha\.it/"
-SecRule REQUEST_URI|ARGS "\.pbholland\.com"
-SecRule REQUEST_URI|ARGS "\.newtontidy\.com"
-SecRule REQUEST_URI|ARGS "\.barretttree\.com"
-SecRule REQUEST_URI|ARGS "agaman\.net"
-SecRule REQUEST_URI|ARGS "anti-clones\.com"
-SecRule REQUEST_URI|ARGS "www\.members\.lycos\.nl/sesli"
-SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/toolsandcmd/"
-SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/"
-SecRule REQUEST_URI|ARGS "chancom\.webpal\.info"
-SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/h4x0r_club/"
-SecRule REQUEST_URI|ARGS "\.argaio\.net"
-SecRule REQUEST_URI|ARGS "baixinhoo\.hpgvip\.com\.br"
-SecRule REQUEST_URI|ARGS "\.zeldalegacies\.com"
-SecRule REQUEST_URI|ARGS "simbafriends\.com/"
-SecRule REQUEST_URI|ARGS "webshells\.org"
-SecRule REQUEST_URI|ARGS "groupiys\.net"
-SecRule REQUEST_URI|ARGS "megahostbr\.com"
-SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/slash_slink"
-SecRule REQUEST_URI|ARGS "\.357is\.com"
-SecRule REQUEST_URI|ARGS "northfox\.uw\.hu"
-SecRule REQUEST_URI|ARGS "\.dynalith\.com"
-SecRule REQUEST_URI|ARGS "\.xplmanager\.com"
-SecRule REQUEST_URI|ARGS "\.members\.lycos\.co\.uk/thoronnn/"
-SecRule REQUEST_URI|ARGS "\.terra\.com\.br/"
-SecRule REQUEST_URI|ARGS "f58\.aaacafe\.ne.\jp/"
-SecRule REQUEST_URI|ARGS "www\.derf\.hpgvip\.ig\.com\.br/"
-SecRule REQUEST_URI|ARGS "rodrigo\.hcerto\.com/"
-SecRule REQUEST_URI|ARGS "\.terror\.as\.ro/"
-SecRule REQUEST_URI|ARGS "\.tntt\.org/meu/"
-SecRule REQUEST_URI|ARGS "\.syscore\.hpgvip\.com\.br/"
-SecRule REQUEST_URI|ARGS "\.hpgvip\.com\.br/"
-SecRule REQUEST_URI|ARGS "ijoo\.homelinux\.com/"
-SecRule REQUEST_URI|ARGS "\.derf\.hpgvip\.ig\.com\.br/"
-SecRule REQUEST_URI|ARGS "\.100free\.com/"
-SecRule REQUEST_URI|ARGS "\.lorenzo4ever\.de/"
-SecRule REQUEST_URI|ARGS "visualcoders\.net/"
-SecRule REQUEST_URI|ARGS "\.fendora\.net"
-SecRule REQUEST_URI|ARGS "gigashell\.org/"
-SecRule REQUEST_URI|ARGS "\.prir0x\.com/"
-SecRule REQUEST_URI|ARGS "geocities\.com/madb0ss/"
-SecRule REQUEST_URI|ARGS "geocities\.com/sapulinux/"
-SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/dh4x0r/"
-SecRule REQUEST_URI|ARGS ".*\.verizon\.net\.do/carlos.*"
-SecRule REQUEST_URI|ARGS "mi\.verizon\.net\.do/carlos.*"
-SecRule REQUEST_URI|ARGS "\.stanlley\.ubbi\.com\.br/"
-SecRule REQUEST_URI|ARGS "xthost\.info/"
-SecRule REQUEST_URI|ARGS "yaoibr\.vila\.bol\.com\.br/"
-SecRule REQUEST_URI|ARGS "geocities\.com/catalin1713/"
-SecRule REQUEST_URI|ARGS "visualcoders\.net/spy\."
-SecRule REQUEST_URI|ARGS "\.digitalmedia\.org\.mk"
-SecRule REQUEST_URI|ARGS "pharoeste\.net"
-SecRule REQUEST_URI|ARGS "userbr\.info"
-SecRule REQUEST_URI|ARGS "\.foxcf\.hpgvip\.ig\.com\.br"
-SecRule REQUEST_URI|ARGS "medicine\.bjmu\.edu\.cn"
-SecRule REQUEST_URI|ARGS "\.blueconnection\.com\.br"
-SecRule REQUEST_URI|ARGS "\.ph4nt4sm4\.hpgvip\.ig\.com\.br"
-SecRule REQUEST_URI|ARGS "\.mvhosted\.com"
-SecRule REQUEST_URI|ARGS "\.0catch\.com"
-SecRule REQUEST_URI|ARGS "newton\.100free\.com"
-SecRule REQUEST_URI|ARGS "\.forplay\.com\.br"
-SecRule REQUEST_URI|ARGS "\.geocities\.com/my_lusy"
-SecRule REQUEST_URI|ARGS "lol\.freecoolsite\.com"
-SecRule REQUEST_URI|ARGS "winscp\.net"
-SecRule REQUEST_URI|ARGS "\.karpit\.net"
-SecRule REQUEST_URI|ARGS "www\.partyradio\.ca"
-SecRule REQUEST_URI|ARGS "\.triple-hhh\.de"
-SecRule REQUEST_URI|ARGS "\.gottablaze\.com"
-SecRule REQUEST_URI|ARGS "xanutz\.3x\.ro"
-SecRule REQUEST_URI|ARGS "geocities\.com/anak_indekost"
-SecRule REQUEST_URI|ARGS "themis\.geocities\.yahoo\.com"
-SecRule REQUEST_URI|ARGS "\.geocities\.com/my_sweet_cute/"
-SecRule REQUEST_URI|ARGS "\.angelfire\.com/zine2/"
-SecRule REQUEST_URI|ARGS "72\.20\.34\.[0-9]+"
-SecRule REQUEST_URI|ARGS "animehost\.de"
-SecRule REQUEST_URI|ARGS "home\.online\.no/~p-shahr"
-SecRule REQUEST_URI|ARGS "indragostit\.net"
-SecRule REQUEST_URI|ARGS "hdr\.atspace\.com"
-SecRule REQUEST_URI|ARGS "\.thecurse\.pop\.com\.br"
-SecRule REQUEST_URI|ARGS "www\.w3zone\.com"
-SecRule REQUEST_URI|ARGS "freecoolsite\.com"
-SecRule REQUEST_URI|ARGS "freewebs\.com"
-SecRule REQUEST_URI|ARGS "\.geocities\.com/chnsekip"
-SecRule REQUEST_URI|ARGS "webcindario\.com"
-SecRule REQUEST_URI|ARGS "ripdisk\.ma\.cx"
-SecRule REQUEST_URI|ARGS "sinanreklam\.net"
-SecRule REQUEST_URI|ARGS "members\.cox\.net/xjasonx"
-SecRule REQUEST_URI|ARGS "\.bh-net\.dk"
-SecRule REQUEST_URI|ARGS "\.mediaserve\.net"
-SecRule REQUEST_URI|ARGS "\.inchon\.ne\.kr"
-SecRule REQUEST_URI|ARGS "\.noti-auto.\com\.ar"
-SecRule REQUEST_URI|ARGS "go0gler\.com"
-SecRule REQUEST_URI|ARGS "hackbox\.t35\.com"
-SecRule REQUEST_URI|ARGS ".*\.hpgvip\.ig\.com\.br"
-SecRule REQUEST_URI|ARGS "honestgame\.net"
-SecRule REQUEST_URI|ARGS "\.ecobook\.or\.kr"
-SecRule REQUEST_URI|ARGS "\.fasecolda\.com"
-SecRule REQUEST_URI|ARGS "212\.50\.30\.60"
-SecRule REQUEST_URI|ARGS "\.nbail\.com"
-SecRule REQUEST_URI|ARGS "\.kit\.net/"
-SecRule REQUEST_URI|ARGS "\.ubbi\.com\.br"
-SecRule REQUEST_URI|ARGS "\.k4boom\.biz/"
-SecRule REQUEST_URI|ARGS "00freehost\.com"
-
-#Sites that host remote shells, etc.
-SecRule REQUEST_URI|ARGS "security-protocols\.com"
-
-#Known sources that leak thru proxies
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.26\.46\.168"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 69\.50\.182\.154
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 202\.81\.60\.58
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "66\.246\.252\.91"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 211\.185\.59\.124
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "209\.165\.131\.23"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "66\.246\.246\.22"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.89\.50\.28"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.38\.208\.48"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "159\.148\.29\.158"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.59\.188\.73"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "200\.168\.0\.246"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "193\.95\.90\.52"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "193\.95\.27\.2"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "195\.55\.222\.19"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "196\.203\.32\.81"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.150\.163\.82"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.237\.226\.70"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.96\.125\.38"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.97\.97\.168"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.98\.122\.111"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "217\.8\.64\.21"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.191\.119\.122"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.33\.104\.158"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.38\.171\.131"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "81\.109\.180\.3"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "81\.37\.184\.196"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "83\.57\.132\.206"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "84\.94\.13\.249"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "85\.129\.229\.111"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "86\.60\.16\.81"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "172\.168\.0\.1"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "196\.203\.4\.62"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.123\.250\.184"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "212\.116\.209\.234"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "217\.127\.56\.24"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.26\.46\.168"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.36\.245\.100"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "84\.94\.78\.98"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.59\.91\.33"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "unsecure-services"
-SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "205\.177\.122\.162"
-
-
-
-#bad proxies
-SecRule HTTP_FORWARDED "mangostino\.ut\.edu\.co"
-SecRule HTTP_FORWARDED ".*\.cnh\.com"
-SecRule HTTP_FORWARDED "phenix-prog-phr"
-SecRule HTTP_FORWARDED "alfred\.nssi\.telus\.com"
-SecRule HTTP_FORWARDED "wadsworth\.nssi\.telus\.com"
-SecRule HTTP_VIA "\.ownsalldomains\.org"
-SecRule HTTP_VIA "cache\.topflash\.co\.kr"
-SecRule HTTP_VIA "\.quasar\.net\.id:8080"
-SecRule HTTP_VIA "\.serverpronto\.com"
-SecRule HTTP_VIA "\.fetish-expert\.org"
-SecRule HTTP_VIA "proxy\.hwai\.edu\.tw"
-SecRule HTTP_VIA "interno-1-1\.edn\.org\.br"
-SecRule HTTP_VIA "\.pt-server1\.bt\.com"
-SecRule HTTP_VIA "1\.1 cache-test-dtv-kno"
-SecRule HTTP_VIA "kdnproxy\.kdn\.gov\.my"
-SecRule HTTP_VIA "\.wisdomchina\.com"
-SecRule HTTP_VIA "1\.1 PALACIOISA"
-SecRule HTTP_VIA "1\.1 cache7\:80 \(squid"
-SecRule HTTP_VIA "1\.1 www\.pt-server1\.bt\.com"
-SecRule HTTP_VIA "revProxy\.foredu\.com\.cn"
-SecRule HTTP_VIA "\.salmanetwork\.com"
-SecRule HTTP_VIA "\.warnet\.com"
-SecRule HTTP_VIA "moses\.frc\.org"
-SecRule HTTP_VIA "1\.0 SQCNT3"
-SecRule HTTP_VIA "phenix-prog-phr"
-SecRule HTTP_VIA "1\.0 TIETONG"
-SecRule HTTP_VIA "webshield\.beitberl\.ac\.il"
-SecRule HTTP_VIA "1\.1 www\.any\.com"
-SecRule HTTP_VIA "intra\.ckus\.rmutp\.ac\.th"
-SecRule HTTP_VIA "poczta\.prochowa12\.waw\.pl"
-SecRule HTTP_VIA "1\.1 ICACHE1"
-SecRule HTTP_VIA "1\.1 New-Proxy2"
-SecRule HTTP_VIA "1\.1 SERVEUR2000"
-SecRule HTTP_VIA "intra\.ckus\.rmutp\.ac\.th"
-SecRule HTTP_VIA "1\.1 PROXY, 1\.0 NC2100"
-SecRule HTTP_VIA "1\.1 www\.rolnas\.com\.pl"
-SecRule HTTP_VIA "1\.1 revproxy2"
-SecRule HTTP_VIA "1\.1 webmail\.siamcom\.co\.th"
-SecRule HTTP_VIA "1\.1 SMS2000\.tutsys\.com"
-SecRule HTTP_VIA "1\.1 CAE-SERVER"
-SecRule HTTP_VIA "1\.1 WORKGROU-OYOU4X"
-SecRule HTTP_VIA "1\.1 INKABANPINPROXY"
-SecRule HTTP_VIA "1\.1 DNS4"
-SecRule HTTP_VIA "1\.1 www\.rolnas\.com\.pl"
-SecRule HTTP_VIA "1\.1 DBSV1008"
-SecRule HTTP_VIA "1\.1 NEWISA"
-SecRule HTTP_VIA "1\.1 CPGATEWAY02"
-SecRule HTTP_VIA "1\.1 router\:3128 \(KEN\!\)"
-SecRule HTTP_VIA "1\.1 PROXYSRV\, 1\.0 supercache5"
-SecRule HTTP_VIA "1\.1 ATIPLS1"
-SecRule HTTP_VIA "1\.0 SMART\, 1\.0 LOIER2800\:"
-SecRule HTTP_VIA "1\.1 62\.93\.34\.160"
-SecRule HTTP_VIA "1\.1 fwall\.belcomct\.net"
-SecRule HTTP_VIA "1\.1 ZERT-EWDGNMVXUF"
-SecRule HTTP_VIA "1\.1 su\.tkp\.edu\.hk"
-#SecRule HTTP_VIA "HTTP/1\.1 proxy\[AC1.*"
-SecRule HTTP_VIA "HTTP/1\.1 proxy\[AC1E0247"
-SecRule HTTP_VIA "1\.1 compujuan\.com\.es"
-SecRule HTTP_VIA "1\.1 FEDERATION"
-#SecRule HTTP_VIA "1\.1 SERVER-ISA"
-SecRule HTTP_VIA "1\.1 EXACTWAPPROXY"
-SecRule HTTP_VIA "1\.1 GRNSERVER"
-SecRule HTTP_VIA "1\.1 www\.satem\.gob\.ve"
-SecRule HTTP_VIA "1\.1 nilcombi\.nilcom\.fr"
-SecRule HTTP_VIA "1\.1 cellulant\.lifeismobile\.com"
-SecRule HTTP_VIA "1\.1 SR2300-SE7501-H"
-SecRule HTTP_VIA "1\.1 www\.dmi\.es"
-#SecRule HTTP_VIA "1\.0 cache2\.jed"
-SecRule HTTP_VIA "1\.1 BRHCYBER"
-SecRule HTTP_VIA "1\.1 132\.110\.2\.12"
-SecRule HTTP_VIA "1\.1 .*\.pivotoffice\.com"
-SecRule HTTP_VIA "1\.1 .*\.mundo-r\.com"
-SecRule HTTP_VIA "1\.1 FAMILYCAREREHAB"
-SecRule HTTP_VIA "1\.1 INFORMASERVER"
-SecRule HTTP_VIA "1\.1 ITISA"
-#SecRule HTTP_VIA "1\.1 NetCache-CLNS-STACK-1"
-SecRule HTTP_VIA "1\.1 .*\.as5587\.net"
-SecRule HTTP_VIA "1\.1 Maua"
-SecRule HTTP_VIA "1\.1 JUNIOR"
-SecRule HTTP_VIA "1\.1 offsetinternet"
-SecRule HTTP_VIA ".*codevasf\.gov\.br"
-SecRule HTTP_VIA "1\.1 www\.aha\.at"
-SecRule HTTP_VIA "1\.1 ucavilapruebas\.es"
-SecRule HTTP_VIA "1\.1 .*\.insightfirst\.com"
-SecRule HTTP_VIA "1\.1 if3\.insightfirst\.com"
-SecRule HTTP_VIA "1\.1 SERV132"
-SecRule HTTP_VIA "1\.1 CacheFORCE"
-SecRule HTTP_VIA "1\.1 dgc-squid"
-#SecRule HTTP_VIA "1\.1 CS6200C"
-SecRule HTTP_VIA "1\.1 NTS-SERVER"
-SecRule HTTP_VIA "1\.1 AJF-JTC-ISA01"
-SecRule HTTP_VIA "1\.1 neptun\.ci\.uw\.edu\.pl"
-SecRule HTTP_VIA "1\.1 2-net\.ro"
-SecRule HTTP_VIA "1\.1 .*\.usscript\.com"
-SecRule HTTP_VIA "1\.1 SSIP_SERVER3"
-SecRule HTTP_VIA "1\.1 SYVKOV422GX"
-SecRule HTTP_VIA "1\.1 .*\.arbuzowa\.net"
-SecRule HTTP_VIA "1\.1 www\.kevsclub\.com"
-SecRule HTTP_VIA "1\.0 KALIMBA"
-SecRule HTTP_VIA "1\.0 NETOUT-SERVER"
-SecRule HTTP_VIA "1\.0 NTMARVWALL01"
-SecRule HTTP_VIA "1\.0 PROXYSES2"
-SecRule HTTP_VIA "1\.0 ptcdb\.edu\.ps"
-SecRule HTTP_VIA "1\.0 px1nr \(NetCache NetApp/5\.6\.1D25\)"
-SecRule HTTP_VIA "1\.0 px8so \(NetCache NetApp/5\.6\.1D25\)"
-SecRule HTTP_VIA "1\.0 SERV132, 1\.0 netcache1 \(NetCache NetApp/6\.0\.1\)"
-SecRule HTTP_VIA "1\.0 TEKIYA02 \(NetCache NetApp/5\.6\.2\), TEKIYA03, 1\.0 TEKIYA02 \(NetCache NetApp/5\.6\.2\)"
-#SecRule HTTP_VIA "1\.1 10\.0\.1\.20"
-#SecRule HTTP_VIA "1\.1 127\.0\.0\.1"
-SecRule HTTP_VIA "1\.1 146\.83\.216\.207"
-SecRule HTTP_VIA "1\.1 202\.88\.250\.211"
-SecRule HTTP_VIA "1\.1 213\.155\.209\.204"
-SecRule HTTP_VIA "1\.1 accel10\.click21\.com\.br"
-SecRule HTTP_VIA "1\.1 alcyonix\.dyndns\.ws"
-SecRule HTTP_VIA "1\.1 athos\.chem\.demokritos\.gr"
-SecRule HTTP_VIA "1\.1 ATIPLS1"
-SecRule HTTP_VIA "1\.1 BBSM52"
-#SecRule HTTP_VIA "1\.1 bnb-cache1 \(NetCache NetApp.*\), 1\.1 rba-cache1"
-SecRule HTTP_VIA "1\.1 cacheB\.ipko\.net"
-SecRule HTTP_VIA "1\.1 CAE-SERVER"
-SecRule HTTP_VIA "1\.1 CATHODE"
-#SecRule HTTP_VIA "1\.1 cha-cache1 \(NetCache NetApp.*"
-SecRule HTTP_VIA "1\.1 CSB-NC2 \(NetCache NetApp.*"
-SecRule HTTP_VIA "1\.1 cuchimilco\.huaral\.org"
-SecRule HTTP_VIA "1\.1 DBSV1008"
-SecRule HTTP_VIA "1\.1 dns2\.araxa\.com\.br"
-SecRule HTTP_VIA "1\.1 EMERSON, 1\.0 C6100 \(NetCache NetApp.*"
-SecRule HTTP_VIA "1\.1 EPPD_SERVER"
-SecRule HTTP_VIA "1\.1 fox-server1\.foxschool\.lan"
-SecRule HTTP_VIA "1\.1 http-istcf1"
-SecRule HTTP_VIA "1\.1 JUNIOR"
-#SecRule HTTP_VIA "1\.1 lnac2 \(NetCache NetApp.*"
-SecRule HTTP_VIA "1\.1 LTSP03\.glenwood\.k12\.mo\.us"
-#SecRule HTTP_VIA "1\.1 MAILSERVER"
-SecRule HTTP_VIA "1\.1 natty\.intranet"
-#SecRule HTTP_VIA "1\.1 netcache1-ctn \(NetCache NetApp.*"
-#SecRule HTTP_VIA "1\.1 netcache1 \(NetCache NetApp.*"
-#SecRule HTTP_VIA "1\.1 NetCache3 \(NetCache NetApp.*"
-SecRule HTTP_VIA "1\.1 NetCache-CLNS-STACK-1 \(NetCache NetApp.*"
-#SecRule HTTP_VIA "1\.1 nme-nxg-pr1\.tpg\.com\.au"
-SecRule HTTP_VIA "1\.1 no-dns\.as5587\.net"
-SecRule HTTP_VIA "1\.1 ns07\.contentex\.net"
-SecRule HTTP_VIA "1\.1 NYNETSRV01"
-SecRule HTTP_VIA "1\.1 OTXXSERV"
-SecRule HTTP_VIA "1\.1 proxy\.marshall\.k12\.wi\.us"
-SecRule HTTP_VIA "1\.1 SERV132, 1\.0 netcache1 \(NetCache NetApp.*"
-SecRule HTTP_VIA "1\.1 SERVER-ISA"
-SecRule HTTP_VIA "1\.1 SERVEUR-CYBER"
-SecRule HTTP_VIA "1\.1 slave02\.terrarica\.net"
-SecRule HTTP_VIA "1\.1 SMS2000\.tutsys\.com"
-SecRule HTTP_VIA "1\.1 spacebears"
-SecRule HTTP_VIA "1\.1 squid2-sydny\.eftel\.com"
-SecRule HTTP_VIA "1\.1 SSIP_SERVER3"
-SecRule HTTP_VIA "1\.1 SYVKOV422GX"
-SecRule HTTP_VIA "1\.1 trixie"
-SecRule HTTP_VIA "1\.1 wc-02 \(NetCache NetApp.*"
-SecRule HTTP_VIA "1\.1 webmail\.siamcom\.co\.th"
-SecRule HTTP_VIA "1\.1 www\.arbuzowa\.net"
-SecRule HTTP_VIA "1\.1 www\.gkcabunoc\.com"
-SecRule HTTP_VIA "1\.1 addyon\.webair\.com"
-SecRule HTTP_VIA "1\.1 alcyonix\.dyndns\.ws"
-SecRule HTTP_VIA "1\.1 proxy\.pcdl\.gov\.br"
-SecRule HTTP_VIA "1\.1 ichigo\.icsmail\.net"
-SecRule HTTP_VIA "1\.1 80\.177\.18\.74"
-SecRule HTTP_VIA "1\.1 raptor[0-9][a-z]\.watchdog\.net\.nz"
-SecRule HTTP_VIA "1\.0 proxy[0-9]\..*\.maxnet\.net\.nz"
-SecRule HTTP_VIA "1\.0 proxy[0-9]\.akl[0-9]\.maxnet\.net\.nz"
-SecRule HTTP_VIA "1\.1 POMGFIREWALL"
-SecRule HTTP_VIA "1\.1 alfred\.nssi\.telus\.com"
-SecRule HTTP_VIA "1\.1 .*\.acdi-cida\.gc\.ca"
-SecRule HTTP_VIA "CIDA13\.acdi-cida\.gc\.ca"
-
-#generic sig for a bad site
-SecRule REQUEST_URI "(http|https|ftp).*\.exs\.cx/.*/nc4hk\.swf"
-
diff --git a/files/mod_security/custom_rules/exclude.conf b/files/mod_security/custom_rules/exclude.conf
deleted file mode 100644
index 081400c..0000000
--- a/files/mod_security/custom_rules/exclude.conf
+++ /dev/null
@@ -1,179 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Gotroot.com ModSecurity rules
-# Exclusion Rules for modsec 2.x
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/exclude.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# IMPORTANT NOTE! These rules must be loaded FIRST in your rule orderset to override
-# other rules. If you load them later, they will not work!
-#
-# Version: N-20061022-01
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-
-###########################################
-#Generic SQL injection rule exclusions
-###########################################
-
-#generic PHP forum posting exclusion
-<LocationMatch "/posting.php">
-SecRuleRemoveById 300013
-SecRuleRemoveById 300015
-SecRuleRemoveById 300016
-</LocationMatch>
-
-
-#PhpMyadmin
-<LocationMatch "/tbl_change.php">
- SecRuleRemoveById 300016
-</LocationMatch>
-
-<LocationMatch "/sql.php">
- SecRuleRemoveById 300016
-</LocationMatch>
-
-#/xde/managecontent.php
-<LocationMatch "/xde/managecontent.php">
- SecRuleRemoveById 300016
-</LocationMatch>
-
-
-<LocationMatch "/dbad/import.php">
- SecRuleRemoveById 300016
-</LocationMatch>
-
-#PhpBB posting
-<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
-SecRuleRemoveById 300013
-</LocationMatch>
-
-#postnuke admin
-<LocationMatch "/admin.php">
- SecRuleRemoveById 300016
-</LocationMatch>
-
-#Postnuke uploads
-<LocationMatch "/modules.php?op=modload&name=Downloads.*">
-SecRuleRemoveById 300013
-</LocationMatch>
-
-#Tikiwiki forum
-<LocationMatch "/tiki-view_forum_thread.php">
-SecRuleRemoveById 300013
-</LocationMatch>
-
-#Squirrel mail and Horde postings
-<LocationMatch "/horde/imp/compose.php">
-SecRuleRemoveById 300013
-SecRuleRemoveById 300015
-SecRuleRemoveById 300016
-</LocationMatch>
-
-#Provided by Todd Holforty
-<LocationMatch "/squirrelmail/src/compose.php">
-SecRuleRemoveById 300013
-SecRuleRemoveById 300015
-SecRuleRemoveById 300016
-</LocationMatch>
-
-#Phorum posting
-<LocationMatch "/phorum/post.php">
-SecRuleRemoveById 300013
-</LocationMatch>
-
-#Tikiwiki edit
-<LocationMatch "/tiki-editpage.php">
-SecRuleRemoveById 300013
-</LocationMatch>
-
-<LocationMatch "/misc.php">
-SecRuleRemoveById 300013
-</LocationMatch>
-
-<LocationMatch "/forum/posting.php\?mode=.*">
-SecRuleRemoveById 300016
-</LocationMatch>
-
-###########################################
-#Double pipe exclusion rules
-###########################################
-<LocationMatch "/_vti_bin/fpcount.exe">
-SecRuleRemoveById 300014
-</LocationMatch>
-
-###########################################
-#Front page exclusions
-###########################################
-<LocationMatch "/_vti_bin/_vti_aut/author.exe">
- SecRuleInheritance Off
-</LocationMatch>
-
-<Location /modules.php?name=Forums&file=posting>
-SecRuleRemoveById 300016
-</Location>
-
-<Location /modules.php?name=Private_Messages&file=index>
-SecRuleRemoveById 300016
-</Location>
-
-###########################################
-#Mambo/Joomla exclusions
-###########################################
-<LocationMatch "/index.php">
- SecRuleRemoveById 380000
- SecRuleRemoveById 300013
-</LocationMatch>
-<LocationMatch "/administrator/index2.php">
- SecRuleRemoveById 300013
- SecRuleRemoveById 300016
- SecRuleRemoveById 380000
- SecRuleRemoveById 360001
-</LocationMatch>
-
-#Added 27AUG2006
-#Courtesy of Tom Donovan
-#ColdFusion RDS
-<LocationMatch "/CFIDE/main/ide.cfm">
- SecRuleRemoveById 360001
-</LocationMatch>
-
-#servlet/webacc
-<LocationMatch "/servlet/webacc">
- SecRuleRemoveById 300013
-</LocationMatch>
-
-#WordPRess
-<LocationMatch "/wp-admin/options-reading.php">
- SecRuleRemoveById 300015
-</LocationMatch>
-
-#/profile.php
-<LocationMatch "/profile.php">
- SecRuleRemoveById 300015
-</LocationMatch>
-
-#Open-Exchange
-<LocationMatch "/servlet/webdav.calendar/foo.xml">
- SecRuleRemoveById 300015
-</LocationMatch>
-
-
-#owl intranet
-<LocationMatch "/intranet/setacl.php">
- SecRuleRemoveById 300015
-</LocationMatch>
diff --git a/files/mod_security/custom_rules/jitp.conf b/files/mod_security/custom_rules/jitp.conf
deleted file mode 100644
index 3fb523c..0000000
--- a/files/mod_security/custom_rules/jitp.conf
+++ /dev/null
@@ -1,4442 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Gotroot.com ModSecurity rules
-# Just In Time Patches for Vulnerable Applications Rules for modsec 2.x
-#
-# Version: N-20061022-01
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/jitp.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-#
-
-#--------------------------------
-# notes
-#--------------------------------
-# Rules work with modsecurity 2.x and above only
-
-#--------------------------------
-#start rules
-#--------------------------------
-
-# WEB-CGI formmail
-SecRule REQUEST_URI "/(formmail|mailform)(\x0a|\.pl\x0a)"
-
-#pals-cgi arbitrary file access attempt
-SecRule REQUEST_URI "/pals-cgi.*documentName="
-
-# WEB-CGI phf arbitrary command execution attempt
-SecRule REQUEST_URI "/phf" chain
-SecRule REQUEST_URI "\x0a/"
-# WEB-CGI phf access
-SecRule REQUEST_URI "/phf\?"
-
-# WEB-CGI htsearch arbitrary file read attempt
-SecRule REQUEST_URI "/htsearch\?exclude=\`"
-
-# WEB-CGI csSearch.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/csSearch\.cgi\?" chain
-SecRule REQUEST_URI "\`"
-
-## WEB-CGI FormHandler.cgi directory traversal attempt attempt
-SecRule REQUEST_URI "/FormHandler\.cgi" chain
-SecRule REQUEST_URI "/\.\./"
-
-# WEB-CGI FormHandler.cgi external site redirection attempt
-SecRule REQUEST_URI "/FormHandler\.cgi" chain
-SecRule REQUEST_URI "redirect=http"
-
-# WEB-PHP squirrel mail spell-check arbitrary command attempt
-SecRule REQUEST_URI "/squirrelspell/modules/check_me\.mod\.php" chain
-SecRule REQUEST_URI "SQSPELL_APP\["
-
-# WEB-PHP squirrel mail theme arbitrary command attempt
-SecRule REQUEST_URI "/left_main\.php" chain
-SecRule REQUEST_URI "cmdd="
-
-# WEB-PHP directory.php arbitrary command attempt
-SecRule REQUEST_URI "/directory\.php\?" chain
-SecRule REQUEST_URI "\;"
-
-# WEB-PHP PHPLIB remote commanSelective REQUEST_URI|REQUEST_BODYd attempt
-SecRule REQUEST_URI|REQUEST_BODY "_PHPLIB\[libdir\]"
-
-# WEB-PHP PHPLIB remote command attempt
-SecRule REQUEST_URI "/db_mysql\.inc"
-
-# Exploit phpBB Highlighting Code Execution Attempt
-SecRule REQUEST_URI|REQUEST_BODY "(\;|\&)highlight=\'\.system\("
-
-# Exploit phpBB Highlighting SQL Injection
-SecRule REQUEST_URI|REQUEST_BODY "&highlight=\'\.mysql_query\("
-
-# Exploit phpBB Highlighting Code Execution - Santy.A Worm
-SecRule REQUEST_URI|REQUEST_BODY "&highlight=\'\.fwrite\(fopen\("
-
-# Exploit phpBB Highlight Exploit Attempt
-SecRule REQUEST_URI|REQUEST_BODY "&highlight=\x2527\x252Esystem\("
-
-# WEB-CGI dcforum.cgi directory traversal attempt
-SecRule REQUEST_URI "/dcforum\.cgi" chain
-SecRule REQUEST_URI "forum=\.\./\.\."
-
-# WEB-CGI dcboard.cgi invalid user addition attempt
-SecRule REQUEST_URI "/dcboard\.cgi.*\|admin"
-
-# WEB-CGI alchemy http server PRN arbitrary command execution attempt
-SecRule REQUEST_URI|REQUEST_BODY "/PRN/\.\./\.\./"
-
-# WEB-CGI alchemy http server NUL arbitrary command execution attempt
-SecRule REQUEST_URI|REQUEST_BODY "/NUL/\.\./\.\./"
-
-# WEB-CGI AltaVista Intranet Search directory traversal attempt
-SecRule REQUEST_URI "/query\?mss=\.\."
-
-# WEB-CGI hello.bat arbitrary command execution attempt
-SecRule REQUEST_URI "/hello\.bat" chain
-SecRule REQUEST_URI "\&"
-
-# WEB-CGI Home Free search.cgi directory traversal attempt
-SecRule REQUEST_URI "/search\.cgi" chain
-SecRule REQUEST_URI "letter=\.\./\.\."
-
-#campus attempt
-SecRule REQUEST_URI "/campus\?\|0A\|"
-
-# WEB-CGI pfdispaly.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/pfdispaly\.cgi\?\'"
-
-# WEB-CGI talkback.cgi directory traversal attempt
-SecRule REQUEST_URI "/talkbalk\.cgi" chain
-SecRule REQUEST_URI "article=\.\./\.\./"
-
-# WEB-CGI technote main.cgi file directory traversal attempt
-SecRule REQUEST_URI "/technote/main\.cgi" chain
-SecRule REQUEST_URI "\.\./\.\./"
-
-# WEB-CGI technote print.cgi directory traversal attempt
-SecRule REQUEST_URI "/technote/print\.cgi.*\x00"
-
-# WEB-CGI eXtropia webstore directory traversal
-SecRule REQUEST_URI "/web_store\.cgi" chain
-SecRule REQUEST_URI "page=\.\./"
-
-# WEB-CGI shopping cart directory traversal
-SecRule REQUEST_URI "/shop\.cgi" chain
-SecRule REQUEST_URI "page=\.\./"
-
-# WEB-CGI Allaire Pro Web Shell attempt
-SecRule REQUEST_URI "/authenticate\.cgi\?PASSWORD" chain
-SecRule REQUEST_URI "config\.ini"
-
-# WEB-CGI Armada Style Master Index directory traversal
-SecRule REQUEST_URI "/search\.cgi\?keys" chain
-SecRule REQUEST_URI "catigory=\.\./"
-
-# WEB-CGI cached_feed.cgi moreover shopping cart directory traversal
-SecRule REQUEST_URI "/cached_feed\.cgi" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI Talentsoft Web+ exploit attempt
-SecRule REQUEST_URI "/webplus\.cgi\?Script=/webplus/webping/webping\.wml"
-
-# WEB-CGI txt2html.cgi directory traversal attempt
-SecRule REQUEST_URI "/txt2html\.cgi" chain
-SecRule REQUEST_URI "/\.\./\.\./\.\./\.\./"
-
-# WEB-CGI store.cgi directory traversal attempt
-SecRule REQUEST_URI "/store\.cgi" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI mrtg.cgi directory traversal attempt
-SecRule REQUEST_URI "/mrtg\.cgi" chain
-SecRule REQUEST_URI "cfg=/\.\./"
-
-# WEB-CGI CCBill whereami.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/whereami\.cgi\?g="
-
-# WEB-CGI WhatsUpGold instancename overflow attempt
-SecRule REQUEST_URI "/_maincfgret\.cgi"
-
-#Demarc SQL injection attempt
-SecRule REQUEST_URI "/dm/demarc.*s_key=.*\'"
-
-# WEB-MISC apache directory disclosure attempt
-SecRule REQUEST_URI|REQUEST_BODY "////////"
-
-# WEB-MISC htgrep attempt
-SecRule REQUEST_URI "/htgrep" chain
-SecRule REQUEST_URI "hdr=/"
-
-#musicat empower attempt
-SecRule REQUEST_URI "/empower\?DB="
-
-# WEB-PHP DNSTools administrator authentication bypass attempt
-SecRule REQUEST_URI "/dnstools\.php" chain
-SecRule REQUEST_URI "user_dnstools_administrator=true"
-
-# WEB-PHP DNSTools authentication bypass attempt
-SecRule REQUEST_URI "/dnstools\.php" chain
-SecRule REQUEST_URI "user_logged_in=true"
-
-#General phpbb_root_path vulnerabilities
-SecRule ARGS:phpbb_root_path "((ht|f)tps?\:/|\.\./)" "id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'"
-
-# WEB-PHP phpbb quick-reply.php arbitrary command attempt
-SecRule REQUEST_URI "/quick-reply\.php" chain
-SecRule REQUEST_URI "phpbb_root_path="
-
-# WEB-PHP Blahz-DNS dostuff.php modify user attempt
-SecRule REQUEST_URI "/dostuff\.php\?action=modify_user"
-
-# WEB-PHP PHP-Wiki cross site scripting attempt
-SecRule REQUEST_URI "/modules\.php\?*name=Wiki*\<*(script|about|applet|activex|chrome)*\>"
-
-# WEB-MISC *%0a.pl access
-SecRule REQUEST_URI "/*\x0a\.pl"
-
-# WEB-PHP strings overflow
-SecRule REQUEST_URI|REQUEST_BODY "\?STRENGUR"
-
-# WEB-PHP shoutbox.php directory traversal attempt
-SecRule REQUEST_URI "/shoutbox\.php" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt
-SecRule REQUEST_URI "/gm-2-b2\.php" chain
-SecRule REQUEST_URI "b2inc=(http|https|ftp)\:/"
-
-# WEB-PHP BLNews objects.inc.php4 remote file include attempt
-SecRule REQUEST_URI "/objects\.inc\.php*" chain
-SecRule REQUEST_URI "Server\[path\]=(http|https|ftp)\:/"
-
-# WEB-PHP ttCMS header.php remote file include attempt
-SecRule REQUEST_URI "/admin/templates/header\.php" chain
-SecRule REQUEST_URI "admin_root=(http|https|ftp)\:/"
-
-# WEB-PHP autohtml.php directory traversal attempt
-SecRule REQUEST_URI "/autohtml\.php" chain
-SecRule REQUEST_URI "\.\./\.\./"
-
-# WEB-PHP ttforum remote file include attempt
-SecRule REQUEST_URI "forum/index\.php" chain
-SecRule REQUEST_URI "template="
-
-# WEB-PHP pmachine remote file include attempt
-SecRule REQUEST_URI "lib\.inc\.php" chain
-SecRule REQUEST_URI "pm_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "lib\.inc\.php.*pm_path.*(http|https|ftp)\:/"
-
-#rolis guestbook remote file include attempt
-SecRule REQUEST_URI "/insert\.inc\.php*path="
-
-# IdeaBox cord.php file include
-SecRule REQUEST_URI "/index\.php*ideaDir*cord\.php"
-
-#IdeaBox notification.php file include
-SecRule REQUEST_URI "/index\.php*gorumDir*notification\.php"
-
-# WEB-PHP DCP-Portal remote file include attempt
-SecRule REQUEST_URI "/library/lib\.php" chain
-SecRule REQUEST_URI "root="
-
-# WEB-PHP IdeaBox cord.php file include
-SecRule REQUEST_URI "/index\.php" chain
-SecRule REQUEST_URI "cord\.php"
-
-# WEB-PHP IdeaBox notification.php file include
-SecRule REQUEST_URI "/index\.php" chain
-SecRule REQUEST_URI "notification\.php"
-
-# WEB-PHP Invision Board emailer.php file include
-SecRule REQUEST_URI "/ad_member\.php" chain
-SecRule REQUEST_URI "emailer\.php"
-
-# WEB-PHP WebChat db_mysql.php file include
-SecRule REQUEST_URI "/defines\.php" chain
-SecRule REQUEST_URI "db_mysql\.php"
-
-# WEB-PHP WebChat english.php file include
-SecRule REQUEST_URI "/defines\.php" chain
-SecRule REQUEST_URI "english\.php"
-
-# WEB-PHP Typo3 translations.php file include
-SecRule REQUEST_URI "/translations\.php" chain
-SecRule REQUEST_URI "ONLY=\x2e"
-
-# WEB-PHP news.php file include
-SecRule REQUEST_URI "/news\.php" chain
-SecRule REQUEST_URI "template"
-
-# WEB-PHP YaBB SE packages.php file include
-SecRule REQUEST_URI "/packages\.php" chain
-SecRule REQUEST_URI "packer\.php"
-
-# WEB-PHP newsPHP Language file include attempt
-SecRule REQUEST_URI "/nphpd\.php" chain
-SecRule REQUEST_URI "LangFile"
-
-#myphpPagetool pt_config.inc file include
-SecRule REQUEST_URI "/doc/admin*ptinclude*pt_config\.inc"
-
-#Invision Board ipchat.php file include
-SecRule REQUEST_URI "/ipchat\.php*root_path*conf_global\.php"
-
-# WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt
-SecRule REQUEST_URI "/authentication_index\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY=(http|https|ftp)\:/"
-
-# WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt
-SecRule REQUEST_URI "/functions\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-# WEB-PHP TUTOS path disclosure attempt
-SecRule REQUEST_URI "/note_overview\.php" chain
-SecRule REQUEST_URI "id="
-
-# WEB-PHP PhpGedView PGV base directory manipulation
-SecRule REQUEST_URI "_conf\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-#PHPBB worm sigs
-SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
-
-#Mailto domain search possible MyDoom.M,O
-SecRule REQUEST_URI "/search\?hl=en&ie=UTF-8&oe=UTF-8&q=mailto\+" chain
-SecRule REQUEST_URI "Host\: www\.google\.com"
-
-#WEB-PHP EasyDynamicPages exploit
-SecRule REQUEST_URI "edp_relative_path="
-
-#Calendar XSS
-SecRule REQUEST_URI "/(calendar|setup).php\?phpc_root_path=((http|https|ftp)\:/|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"
-
-#phpMyAdmin Export.PHP File Disclosure Vulnerability
-SecRule SCRIPT_FILENAME "export\.php$" chain
-SecRule ARGS:what "\.\."
-
-#nmap version request
-SecRule REQUEST_URI|REQUEST_BODY "^(HELP|default|\||TNMP|DmdT|\:)$"
-
-#More PHPBB worms
-SecRule REQUEST_URI "/viewtopic\.php\?" chain
-SecRule ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})\)"
-
-# TIKIWIKI
-SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./"
-
-# WEB-MISC BitKeeper arbitrary command attempt
-SecRule REQUEST_URI "/diffs/" chain
-SecRule REQUEST_URI "\'"
-
-#awstats probe
-SecRule REQUEST_URI|REQUEST_BODY "/awstats\.pl HTTP\/(0\.9|1\.0|1\.1)$" "id:390000,rev:1,severity:2,msg:'JITP: Awstats.pl probe'"
-
-#/forum/viewtopic.php?x=http://
-SecRule REQUEST_URI "/forum/viewtopic\.php\?x=(http|https|ftp)\:/"
-
-# WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt
-SecRule REQUEST_URI "/crystalimagehandler\.aspx" chain
-SecRule REQUEST_URI "dynamicimage=\.\./"
-
-#mailman 2.x path recursion attack
-SecRule REQUEST_URI|REQUEST_BODY "mailman/private/.*\.\.\./\.\.\.\.///"
-SecRule REQUEST_URI|REQUEST_BODY "/mailman/.*\.\.\./"
-
-#ftp.pl attempt
-SecRule REQUEST_URI "/ftp\.pl\?dir=\.\./\.\."
-
-#Tomcat server snoop access
-SecRule REQUEST_URI "/jsp/snp/.*\.snp"
-
-# WEB-CGI HyperSeek hsx.cgi directory traversal attempt
-SecRule REQUEST_URI "/hsx\.cgi.*\x00"
-
-# WEB-CGI SWSoft ASPSeek Overflow attempt
-SecRule REQUEST_URI "/s\.cgi" chain
-SecRule REQUEST_URI "tmpl="
-
-# WEB-CGI /wwwboard/passwd.txt access
-SecRule REQUEST_URI "/wwwboard/passwd\.txt"
-
-# WEB-CGI webplus directory traversal
-SecRule REQUEST_URI "/webplus\?script" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI websendmail access
-SecRule REQUEST_URI "/websendmail"
-
-# WEB-CGI anaconda directory transversal attempt
-SecRule REQUEST_URI "/(apexec|anacondaclip)\.pl" chain
-SecRule REQUEST_URI "template=\.\./"
-
-# WEB-CGI imagemap.exe overflow attempt
-SecRule REQUEST_URI "/imagemap\.exe\?"
-
-# WEB-CGI htmlscript attempt
-SecRule REQUEST_URI "/htmlscript\?\.\./\.\."
-
-# WEB-CGI nph-test-cgi access
-SecRule REQUEST_URI "/nph-test-cgi"
-
-
-# WEB-CGI rwwwshell.pl access
-SecRule REQUEST_URI "/rwwwshell\.pl"
-
-# WEB-CGI view-source directory traversal
-SecRule REQUEST_URI "/view-source" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI calendar_admin.pl arbitrary command execution attempt
-SecRule REQUEST_URI "/calendar_admin.pl\?config=\|7C\|"
-
-# WEB-CGI bb-hist.sh attempt
-SecRule REQUEST_URI "/bb-hist\.sh\?HISTFILE=\.\./\.\."
-
-# WEB-CGI bb-hostscv.sh attempt
-SecRule REQUEST_URI "/bb-hostsvc\.sh\?HOSTSVC\?\.\./\.\."
-
-# WEB-CGI wayboard attempt
-SecRule REQUEST_URI "/way-board/way-board\.cgi" chain
-SecRule REQUEST_URI "\.\./\.\."
-
-# WEB-CGI commerce.cgi arbitrary file access attempt
-SecRule REQUEST_URI "/commerce\.cgi" chain
-SecRule REQUEST_URI "/\.\./"
-
-# WEB-CGI Amaya templates sendtemp.pl directory traversal attempt
-SecRule REQUEST_URI "/sendtemp\.pl" chain
-SecRule REQUEST_URI "templ="
-
-# WEB-CGI webspirs.cgi directory traversal attempt
-SecRule REQUEST_URI "/webspirs\.cgi" chain
-SecRule REQUEST_URI "\.\./\.\./"
-
-# WEB-CGI auktion.cgi directory traversal attempt
-SecRule REQUEST_URI "/auktion\.cgi" chain
-SecRule REQUEST_URI "menue=\.\./\.\./"
-
-# WEB-CGI cgiforum.pl attempt
-SecRule REQUEST_URI "/cgiforum\.pl\?thesection=\.\./\.\."
-
-# WEB-CGI directorypro.cgi attempt
-SecRule REQUEST_URI "/directorypro\.cgi" chain
-SecRule REQUEST_URI "\.\./\.\."
-
-# WEB-CGI Web Shopper shopper.cgi attempt
-SecRule REQUEST_URI "/shopper\.cgi" chain
-SecRule REQUEST_URI "newpage=\.\./"
-
-# WEB-CGI cal_make.pl directory traversal attempt
-SecRule REQUEST_URI "/cal_make\.pl" chain
-SecRule REQUEST_URI "p0=\.\./\.\./"
-
-# WEB-CGI ttawebtop.cgi arbitrary file attempt
-SecRule REQUEST_URI "/ttawebtop\.cgi" chain
-SecRule REQUEST_URI "pg=\.\./"
-
-# WEB-CGI ustorekeeper.pl directory traversal attempt
-SecRule REQUEST_URI "/ustorekeeper\.pl" chain
-SecRule REQUEST_URI "file=\.\./\.\./"
-
-# WEB-CGI htsearch arbitrary configuration file attempt
-SecRule REQUEST_URI "/htsearch\?\-c"
-
-
-# WEB-CGI alibaba.pl arbitrary command execution attempt
-SecRule REQUEST_URI "/alibaba\.pl(\|7C\||\x7C)"
-
-# WEB-CGI AltaVista Intranet Search directory traversal attempt
-SecRule REQUEST_URI "/query\?mss=\.\."
-
-# WEB-CGI test.bat arbitrary command execution attempt
-SecRule REQUEST_URI "/test.bat(\|7C\||\x7C)"
-
-# WEB-CGI input.bat arbitrary command execution attempt
-SecRule REQUEST_URI "/input.bat(\|7C\||\x7C)"
-
-# WEB-CGI envout.bat arbitrary command execution attempt
-SecRule REQUEST_URI "/envout.bat(\|7C\||\x7C)"
-
-# WEB-CGI hello.bat arbitrary command execution attempt
-SecRule REQUEST_URI "/hello\.bat" chain
-SecRule REQUEST_URI "\&"
-
-# WEB-CGI csSearch.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/csSearch\.cgi" chain
-SecRule REQUEST_URI "\`"
-
-# WEB-CGI eshop.pl arbitrary commane execution attempt
-SecRule REQUEST_URI "/eshop\.pl\?seite=(\|3B\|\x3B)"
-
-# WEB-CGI loadpage.cgi directory traversal attempt
-SecRule REQUEST_URI "/loadpage\.cgi" chain
-SecRule REQUEST_URI "file=\.\./"
-
-#faqmanager.cgi arbitrary file access attempt
-SecRule REQUEST_URI "/faqmanager\.cgi\?toc=*/"
-SecRule REQUEST_URI "/faqmanager\.cgi\?(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
-
-# WEB-CGI Home Free search.cgi directory traversal attempt
-SecRule REQUEST_URI "/search\.cgi" chain
-SecRule REQUEST_URI "letter=\.\./\.\."
-
-# WEB-CGI pfdispaly.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/pfdispaly\.cgi\?'"
-
-# WEB-CGI pagelog.cgi directory traversal attempt
-SecRule REQUEST_URI "/pagelog\.cgi" chain
-SecRule REQUEST_URI "name=\.\./"
-
-# WEB-CGI talkback.cgi directory traversal attempt
-SecRule REQUEST_URI "/talkbalk\.cgi" chain
-SecRule REQUEST_URI "article=\.\./\.\./"
-
-# WEB-CGI emumail.cgi NULL attempt
-SecRule REQUEST_URI "/emumail\.cgi.*\x00"
-
-# WEB-CGI technote main.cgi file directory traversal attempt
-SecRule REQUEST_URI "/technote/main\.cgi" chain
-SecRule REQUEST_URI "\.\./\.\./"
-
-# WEB-CGI technote print.cgi directory traversal attempt
-SecRule REQUEST_URI "/technote/print\.cgi.*\x00"
-
-# WEB-CGI Allaire Pro Web Shell attempt
-SecRule REQUEST_URI "/authenticate.cgi\?PASSWORD" chain
-SecRule REQUEST_URI "config\.ini"
-
-# WEB-CGI Armada Style Master Index directory traversal
-SecRule REQUEST_URI "/search\.cgi\?keys" chain
-SecRule REQUEST_URI "catigory=\.\./"
-
-# WEB-CGI cached_feed.cgi moreover shopping cart directory traversal
-SecRule REQUEST_URI "/cached_feed\.cgi" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI Talentsoft Web+ exploit attempt
-SecRule REQUEST_URI "/webplus.cgi\?Script=/webplus/webping/webping\.wml"
-
-# WEB-CGI bizdbsearch attempt
-SecRule REQUEST_URI "/bizdb1-search\.cgi" chain
-SecRule REQUEST_URI "mail"
-
-# WEB-CGI sojourn.cgi File attempt
-SecRule REQUEST_URI "/sojourn\.cgi\?cat=.*\x00"
-
-# WEB-CGI SGI InfoSearch fname attempt
-SecRule REQUEST_URI "/infosrch\.cgi\?" chain
-SecRule REQUEST_URI "fname="
-
-
-# WEB-CGI store.cgi directory traversal attempt
-SecRule REQUEST_URI "/store\.cgi" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI SIX webboard generate.cgi attempt
-SecRule REQUEST_URI "/generate\.cgi" chain
-SecRule REQUEST_URI "content=\.\./"
-
-# WEB-CGI story.pl arbitrary file read attempt
-SecRule REQUEST_URI "/story\.pl" chain
-SecRule REQUEST_URI "next=\.\./"
-
-# WEB-CGI mrtg.cgi directory traversal attempt
-SecRule REQUEST_URI "/mrtg\.cgi" chain
-SecRule REQUEST_URI "cfg=/\.\./"
-
-#alienform.cgi directory traversal attempt
-SecRule REQUEST_URI "/alienform\.cgi.*\.\|7C\|\./\.\|7C\|\."
-SecRule REQUEST_URI "/af\.cgi.*\.\|7C\|\./\.\|7C\|\."
-
-# WEB-CGI CCBill whereami.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/whereami\.cgi\?g="
-
-# WEB-CGI MDaemon form2raw.cgi overflow attempt
-SecRule REQUEST_URI "/form2raw\.cgi"
-
-# WEB-CGI WhatsUpGold instancename overflow attempt
-SecRule REQUEST_URI "/_maincfgret\.cgi"
-
-#honeypot
-SecRule REQUEST_URI|REQUEST_BODY "clamav-partial "
-SecRule REQUEST_URI|REQUEST_BODY "vi\.recover "
-
-# WEB-COLDFUSION cfcache.map access
-SecRule REQUEST_URI "/cfcache\.map"
-
-# WEB-COLDFUSION exampleapp application.cfm
-SecRule REQUEST_URI "/cfdocs/exampleapp/email/application\.cfm"
-
-# WEB-COLDFUSION application.cfm access
-SecRule REQUEST_URI "/cfdocs/exampleapp/publish/admin/application\.cfm"
-
-# WEB-COLDFUSION getfile.cfm access
-SecRule REQUEST_URI "/cfdocs/exampleapp/email/getfile\.cfm"
-
-# WEB-COLDFUSION addcontent.cfm access
-SecRule REQUEST_URI "/cfdocs/exampleapp/publish/admin/addcontent\.cfm"
-
-# WEB-COLDFUSION administrator access
-SecRule REQUEST_URI "/cfide/administrator/index\.cfm"
-
-# WEB-COLDFUSION fileexists.cfm access
-SecRule REQUEST_URI "/cfdocs/snippets/fileexists\.cfm"
-
-# WEB-COLDFUSION exprcalc access
-SecRule REQUEST_URI "/cfdocs/expeval/exprcalc\.cfm"
-
-# WEB-COLDFUSION parks access
-SecRule REQUEST_URI "/cfdocs/examples/parks/detail\.cfm"
-
-# WEB-COLDFUSION cfappman access
-SecRule REQUEST_URI "/cfappman/index\.cfm"
-
-# WEB-COLDFUSION beaninfo access
-SecRule REQUEST_URI "/cfdocs/examples/cvbeans/beaninfo\.cfm"
-
-# WEB-COLDFUSION evaluate.cfm access
-SecRule REQUEST_URI "/cfdocs/snippets/evaluate\.cfm"
-
-# WEB-COLDFUSION expeval access
-SecRule REQUEST_URI "/cfdocs/expeval/"
-
-# WEB-COLDFUSION displayfile access
-SecRule REQUEST_URI "/cfdocs/expeval/displayopenedfile\.cfm"
-
-# WEB-COLDFUSION mainframeset access
-SecRule REQUEST_URI "/cfdocs/examples/mainframeset\.cfm"
-
-# WEB-COLDFUSION exampleapp access
-SecRule REQUEST_URI "/cfdocs/exampleapp/"
-
-# WEB-COLDFUSION snippets attempt
-SecRule REQUEST_URI "/cfdocs/snippets/"
-
-# WEB-COLDFUSION cfmlsyntaxcheck.cfm access
-SecRule REQUEST_URI "/cfdocs/cfmlsyntaxcheck\.cfm"
-
-# WEB-COLDFUSION application.cfm access
-SecRule REQUEST_URI "/application\.cfm"
-
-# WEB-COLDFUSION onrequestend.cfm access
-SecRule REQUEST_URI "/onrequestend\.cfm"
-
-# WEB-COLDFUSION startstop DOS access
-SecRule REQUEST_URI "/cfide/administrator/startstop\.html"
-
-# WEB-COLDFUSION gettempdirectory.cfm access
-SecRule REQUEST_URI "/cfdocs/snippets/gettempdirectory\.cfm"
-
-# WEB-COLDFUSION sendmail.cfm access
-SecRule REQUEST_URI "/sendmail\.cfm"
-
-# WEB-COLDFUSION ?Mode=debug attempt
-#SecRule REQUEST_URI "Mode=debug"
-
-# WEB-MISC Tomcat view source attempt
-SecRule REQUEST_URI|REQUEST_BODY "\x252ejsp"
-
-# WEB-MISC unify eWave ServletExec upload
-SecRule REQUEST_URI|REQUEST_BODY "/servlet/com\.unify\.servletexec\.UploadServlet"
-
-# WEB-MISC Talentsoft Web+ Source Code view access
-SecRule REQUEST_URI "/webplus\.exe\?script=test\.wml"
-
-# WEB-MISC ftp.pl attempt
-SecRule REQUEST_URI "/ftp\.pl\?dir=\.\./\.\."
-
-# WEB-MISC apache source.asp file access
-SecRule REQUEST_URI "/site/eg/source\.asp"
-
-# WEB-MISC Tomcat server exploit access
-SecRule REQUEST_URI "/contextAdmin/contextAdmin\.html"
-
-# WEB-MISC Ecommerce import.txt access
-SecRule REQUEST_URI "/orders/import\.txt"
-
-# WEB-MISC Domino catalog.nsf access
-SecRule REQUEST_URI "/catalog\.nsf"
-
-# WEB-MISC Domino domcfg.nsf access
-SecRule REQUEST_URI "/domcfg\.nsf"
-
-# WEB-MISC Domino domlog.nsf access
-SecRule REQUEST_URI "/domlog\.nsf"
-
-# WEB-MISC Domino log.nsf access
-SecRule REQUEST_URI "/log\.nsf"
-
-# WEB-MISC Domino names.nsf access
-SecRule REQUEST_URI "/names\.nsf"
-
-# WEB-MISC Domino mab.nsf access
-SecRule REQUEST_URI "/mab\.nsf"
-
-# WEB-MISC Domino cersvr.nsf access
-SecRule REQUEST_URI "/cersvr\.nsf"
-
-# WEB-MISC Domino setup.nsf access
-SecRule REQUEST_URI "/setup\.nsf"
-
-# WEB-MISC Domino statrep.nsf access
-SecRule REQUEST_URI "/statrep\.nsf"
-
-# WEB-MISC Domino webadmin.nsf access
-SecRule REQUEST_URI "/webadmin\.nsf"
-
-# WEB-MISC Domino events4.nsf access
-SecRule REQUEST_URI "/events4\.nsf"
-
-# WEB-MISC Domino ntsync4.nsf access
-SecRule REQUEST_URI "/ntsync4\.nsf"
-
-# WEB-MISC Domino collect4.nsf access
-SecRule REQUEST_URI "/collect4\.nsf"
-
-# WEB-MISC Domino mailw46.nsf access
-SecRule REQUEST_URI "/mailw46\.nsf"
-
-# WEB-MISC Domino bookmark.nsf access
-SecRule REQUEST_URI "/bookmark\.nsf"
-
-# WEB-MISC Domino agentrunner.nsf access
-SecRule REQUEST_URI "/agentrunner\.nsf"
-
-# WEB-MISC Domino mail.box access
-#SecRule REQUEST_URI "/mail.box"
-
-# WEB-MISC Ecommerce checks.txt access
-SecRule REQUEST_URI "/orders/checks\.txt"
-
-# WEB-MISC mall log order access
-SecRule REQUEST_URI "/mall_log_files/order\.log"
-
-# WEB-MISC ROADS search.pl attempt
-SecRule REQUEST_URI "/ROADS/cgi-bin/search\.pl" chain
-SecRule REQUEST_URI "form="
-
-# WEB-MISC SWEditServlet directory traversal attempt
-SecRule REQUEST_URI "/SWEditServlet" chain
-SecRule REQUEST_URI "template=\.\./\.\./\.\./"
-
-# WEB-MISC RBS ISP /newuser directory traversal attempt
-SecRule REQUEST_URI "/newuser\?Image=\.\./\.\."
-
-# WEB-MISC PCCS mysql database admin tool access
-SecRule REQUEST_URI "pccsmysqladm/incs/dbconnect\.inc"
-
-# WEB-MISC ans.pl attempt
-SecRule REQUEST_URI "/ans.pl\?p=\.\./\.\./"
-
-# WEB-MISC Demarc SQL injection attempt
-SecRule REQUEST_URI "/dm/demarc" chain
-SecRule REQUEST_URI "\'"
-
-# WEB-MISC philboard_admin.asp authentication bypass attempt
-SecRule REQUEST_URI "/philboard_admin\.asp" chain
-SecRule REQUEST_URI "philboard_admin=True"
-
-# WEB-PHP Phorum /support/common.php access
-SecRule REQUEST_URI "/support/common\.php"
-
-# WEB-PHP rolis guestbook remote file include attempt
-SecRule REQUEST_URI "/insert\.inc\.php" chain
-SecRule REQUEST_URI "path="
-
-# book.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/book\.cgi.*current=\|7C\|"
-
-# WEB-PHP gallery remote file include attempt
-SecRule REQUEST_URI "/setup/" chain
-SecRule REQUEST_URI "GALLERY_BASEDIR=(http|https|ftp)\:/"
-
-#Needinit remote file include attempt
-SecRule REQUEST_URI "/needinit\.php\?" chain
-SecRule REQUEST_URI "GALLERY_BASEDIR=(http|https|ftp)\:/"
-
-# WEB-PHP IdeaBox cord.php file include
-SecRule REQUEST_URI "/index\.php" chain
-SecRule REQUEST_URI "cord\.php"
-
-# WEB-PHP Invision Board ipchat.php file include
-SecRule REQUEST_URI "/ipchat\.php" chain
-SecRule REQUEST_URI "conf_global\.php"
-
-# WEB-PHP myphpPagetool pt_config.inc file include
-SecRule REQUEST_URI "/doc/admin" chain
-SecRule REQUEST_URI "pt_config\.inc"
-
-# WEB-PHP YaBB SE packages.php file include
-SecRule REQUEST_URI "/packages\.php" chain
-SecRule REQUEST_URI "packer\.php"
-
-# WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt
-SecRule REQUEST_URI "/authentication_index\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-# WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt
-SecRule REQUEST_URI "/functions\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-# WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt
-SecRule REQUEST_URI "/config_gedcom\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-# WEB-PHP PhpGedView PGV base directory manipulation
-SecRule REQUEST_URI "_conf\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-# WEB-PHP WAnewsletter newsletter.php file include attempt
-SecRule REQUEST_URI "newsletter\.php" chain
-SecRule REQUEST_URI "start\.php"
-
-# WEB-PHP Opt-X header.php remote file include attempt
-SecRule REQUEST_URI "/header\.php" chain
-SecRule REQUEST_URI "systempath="
-
-#webdav searcg attack
-SecRule REQUEST_URI "/_vti_bin/_vti_aut/fp30reg\.dll"
-
-#/auth.php?path=http://[attacker]/
-SecRule REQUEST_URI "/auth.php\?path=(http|https|ftp)\:/"
-
-SecRule REQUEST_URI "/dforum/nav\.php3\?page=<[[:space:]]*(script|about|applet|activex|chrome)+.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpMyAdmin path vln
-SecRule REQUEST_URI "/phpMyAdmin/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=(/|.*\.\./)"
-
-#PHPBB full path disclosure
-SecRule REQUEST_URI "phpBB/db/oracle\.php"
-SecRule REQUEST_URI "forum/db/oracle\.php"
-SecRule REQUEST_URI "forums/db/oracle\.php"
-
-
-#PHP Form Mail Script File Incusion vuln
-SecRule REQUEST_URI "/inc/formmail\.inc\.php\?script_root=(http|https|ftp)\:/"
-
-#Download Center Lite File Incusion vuln
-SecRule REQUEST_URI "/inc/download_center_lite\.inc\.php\?script_root=(http|https|ftp)\:/"
-
-#/modules/mod_mainmenu.php?mosConfig_absolute_path=http://
-SecRule REQUEST_URI "/modules/mod_mainmenu\.php\?mosConfig_absolute_path=(http|https|ftp)\:/"
-
-#phpWebLog command execution
-SecRule REQUEST_URI "/init\.inc\.php\?G_PATH=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/backend/addons/links/index\.php\?PATH=(http|https|ftp)\:/"
-
-#mcNews command execution
-SecRule REQUEST_URI "/mcNews/admin/header\.php\?skinfile=(http|https|ftp)\:/"
-
-#phpbb
-SecRule REQUEST_URI "admin/admin_styles\.php\?mode=addnew\&install_to=\.\./\.\./"
-#votebox
-SecRule REQUEST_URI "/votebox\.php\?VoteBoxPath=(http|https|ftp)\:/"
-
-#phpAdsNew path disclosure
-SecRule REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php"
-SecRule REQUEST_URI "/maintenance/maintenance-activation\.php"
-SecRule REQUEST_URI "/maintenance/maintenance-cleantables\.php"
-SecRule REQUEST_URI "/maintenance/maintenance-autotargeting\.php"
-SecRule REQUEST_URI "/maintenance/maintenance-reports\.php"
-SecRule REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php"
-SecRule REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php"
-SecRule REQUEST_URI "/misc/backwards\x20compatibility/click\.php"
-SecRule REQUEST_URI "/adframe\.php\?refresh=securityreason\.com\'\>"
-
-#include cgi command exec
-SecRule REQUEST_URI "/includer\.cgi\?=\|"
-
-#citrusDB
-#adjust these to your system, you might need to upload
-SecRule REQUEST_URI "tools/index\.php\?load=\.\./\.\./"
-SecRule REQUEST_URI "citrusdb/tools/index\.php\?load=importcc\&submit=on"
-SecRule REQUEST_URI "/citrusdb/tools/uploadcc\.php"
-
-#awstats vulns
-SecRule REQUEST_URI "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()"
-SecRule REQUEST_URI "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)"
-SecRule REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|"
-SecRule REQUEST_URI "/awstats\.pl\?configdir="
-SecRule REQUEST_URI "awstats\.pl\?" chain
-SecRule ARGS "(debug|configdir|perl|chmod|exec|print|cgi)"
-
-#yabb
-SecRule REQUEST_URI "/YaBB\.pl\?action=usersrecentposts\;username=\<IFRAME.*javascript\:alert\(\'"
-
-# WEB-FRONTPAGE .... request
-SecRule REQUEST_URI|REQUEST_BODY "\.\.\.\./"
-
-#phpbb XSS
-SecRule REQUEST_URI "/posting\.php\?mode=reply&t=.*userid.*phpbb2mysql_t=(\<(script|javascript|about|applet|activex|chrome)|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/posting\.php\\?.*(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI|REQUEST_BODY "/privmsg\.php" chain
-SecRule REQUEST_URI|REQUEST_BODY "\<a href=*(script|about|applet|activex|chrome)"
-
-#proxy grabber
-SecRule REQUEST_URI "/proxy-grabber\.com/cgi-bin/v2/nph-env\.cgi\?"
-
-#Unique stuff caught in our traps
-SecRule REQUEST_URI "/mail_autocheck\.php\?pm_path=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-# Remote File Inclusion Vulnerability in phpWebLog
-SecRule REQUEST_URI "/include/init\.inc\.php\?G_PATH=(http|https|ftp)\:/"
-SecRule REQUEST_URI "addons/links/index\.php\?PATH=(http|https|ftp)\:/"
-
-#Multiple Vulnerabilities in ProjectBB
-SecRule REQUEST_URI "/divers\.php\?action=liste\&liste=\&desc=\&pages=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/divers\.php\?action=liste\&liste=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/Zip/divers\.php\?action =liste&liste=email&desc=.*\'"
-
-#WebChat english.php or db_mysql.php file include
-SecRule REQUEST_URI "/defines\.php*WEBCHATPATH*(db_mysql\.php|english\.php)"
-
-#Cross-Site Scripting Vulnerability in D-Forum
-SecRule REQUEST_URI "/nav\.php3\?page=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Multiple Vulnerabilities in auraCMS
-SecRule REQUEST_URI "/index\.php\?query=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/).*\&pilih=search"
-SecRule REQUEST_URI "/hits\.php\?hits=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/counter\.php\?theCount=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#vBulletin Remote Command Execution Attempt
-SecRule REQUEST_URI "/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui"
-SecRule REQUEST_URI "/forumdisplay\.php\?" chain
-SecRule REQUEST_URI|REQUEST_BODY "\.system\(.+\)\."
-SecRule REQUEST_URI "/forumdisplay\.php\?*comma="
-
-#PHPNuke general XSS attempt
-#/modules.php?name=News&file=article&sid=1&optionbox=
-SecRule REQUEST_URI "/modules\.php\?*name=*\<*(script|about|applet|activex|chrome)*\>"
-SecRule REQUEST_URI "/modules\.php\?op=modload&name=News&file=article&sid=*\<*(script|about|applet|activex|chrome)*\>"
-
-# PHPNuke SQL injection attempt
-SecRule REQUEST_URI "/modules\.php\?*name=Search*instory="
-SecRule REQUEST_URI "/modules\.php\?*name=(Search|Web_Links).*\'"
-
-#EasyDynamicPages exploit
-SecRule REQUEST_URI|REQUEST_BODY "edp_relative_path="
-
-#Readfile.tcl Access
-SecRule REQUEST_URI "/readfile\.tcl\?file="
-
-#phpnuke sql insertion
-SecRule REQUEST_URI "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
-
-#WAnewsletter newsletter.php file include attempt
-SecRule REQUEST_URI "newsletter\.php*waroot*start\.php"
-
-# Typo3 translations.php file include
-SecRule REQUEST_URI "/translations\.php*ONLY"
-
-#PHP-Nuke remote file include attempt
-SecRule REQUEST_URI "/index\.php*file=*(http|https|ftp)\:/"
-
-#PayPal Storefront remote file include attempt
-SecRule REQUEST_URI "do=ext*/page=(http|https|ftp)\:/"
-
-#PHPOpenChat
-SecRule REQUEST_URI "/poc_loginform\.php\?phpbb_root_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/poc\.php\?phpbb_root_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/poc\.php\?poc_root_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/ENGLISH_poc\.php\?poc_root_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/poc\.php\?sourcedir=(http|https|ftp)\:/"
-
-#ACS Blog Search.ASP Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/search\.asp\?search=.*iframe\+src.*((javascript|script|about|applet|activex|chrome)*\>|http|https|ftp)\:/"
-
-#mcNews Remote command execution
-SecRule REQUEST_URI "/admin/install\.php\?l=(http|https|ftp)\:/"
-
-#mailman XSS
-SecRule REQUEST_URI|REQUEST_BODY "/mailman/.*\?.*info=*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Macromedia SiteSpring XSS
-SecRule REQUEST_URI|REQUEST_BODY "/error/500error\.jsp.*et=*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#OWA phishing redirect
-SecRule REQUEST_URI "/exchweb/bin/auth/owalogon\.asp\?url=(http|https)\:/"
-
-#ads.cgi command execution attempt
-SecRule REQUEST_URI "/ads\.cgi.*file=.*\.\./\.\./"
-
-#webdist.cgi arbitrary command attemp
-SecRule REQUEST_URI "/webdist\.cgi.*distloc=(\|3B\||\x3B)"
-
-#enter_bug.cgi arbitrary command attempt
-SecRule REQUEST_URI "/enter_bug\.cgi.*who.*(\|3B\||\x3B)"
-
-#cross site scripting HTML Image tag set to javascript attempt
-SecRule REQUEST_URI|REQUEST_BODY "img src=javascript"
-
-#b2 arbitrary command execution attempt
-SecRule REQUEST_URI "/b2-include/.*b2inc.*http(\|3A\|//|\x3A)"
-
-#tomcat servlet mapping XSS
-SecRule REQUEST_URI|REQUEST_BODY "/servlet/.*/org\.apache\."
-
-#RUNCMS,Exoops,CIAMOS highlight file access hole
-SecRule REQUEST_URI "/class/debug/highlight\.php\?file=(/|\.\./)"
-
-#TRG/CzarNews News Script Include File Hole Lets Remote Users Execute Arbitrary Commands
-SecRule REQUEST_URI "/install/(article|authorall|comment|display|displayall.)\.php\?dir=(http|https|ftp):/"
-
-#zpanel XSS
-SecRule REQUEST_URI "/zpanel\.php\?page=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#zpanel SQL injection
-SecRule REQUEST_URI "/zpanel\.php\?page=.*\'"
-
-#Phorum HTTP Response Splitting Vulnerability
-SecRule REQUEST_URI "/search\.php\?forum_id=.*\&search=.*\&body=.*Content-Length\:.*HTTP/1\.0.*Content-Type\:.*Content-Length\:"
-
-#Subdreamer Light Global Variables SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php\?categoryid=.*\&.*_sectionid=.*\&.*_imageid=.*\'"
-
-#PhotoPost Pro
-SecRule REQUEST_URI "/showgallery\.php\?cat=[0-9].*\&page=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/showgallery\.php\?si=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/showgallery\.php\?ppuser=[0-9].*\&cat=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/showgallery\.php\?cat=[0-9].*\'"
-SecRule REQUEST_URI "/showgallery\.php\?ppuser=[0-9].*\'.*\&cat="
-
-#betaparticle blog Discloses Database to Remote Users
-#and Lets Remote Users Upload/Delete Arbitrary Files
-SecRule REQUEST_URI "/bp/database/dbBlogMX\.mdb"
-SecRule REQUEST_URI "/Blog\.mdb"
-
-#Kayako eSupport Remote Cross Site Scripting Vulnerability
-SecRule REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=questiondetails\&_i=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=questionprint\&_i=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/eSupport/index.php\?_a=troubleshooter\&_c=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=subcat\&_i=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#phpSysInfo XSS vulns
-SecRule REQUEST_URI "/index\.php\?sensor_program=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/includes/system_footer\.php\?text[template]=\"\>.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/includes/system_footer\.php\?hide_picklist=.*\&VERSION=\<iframesrc=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#DigitalHive Remote Unathenticated Software Re-install and Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/base\.php\?page=forum/msg\.php-afs-1-\"/\>\<script\>"
-SecRule REQUEST_URI "/hive/base\.php\?page=membres\.php\&mt=\"/\>\<script\>"
-
-#Topic Calendar Mod for phpBB Cross-Site Scripting Attack
-SecRule REQUEST_URI "/calendar_scheduler\.php\?start=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#phpSysInfo Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/index\.php\?sensor_program=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/includes/system_footer\.php\?text.*=\"\>.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/includes/system_footer\.php\?text[template]=\"\>.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/includes/system_footer\.php\?hide_picklist=.*=\<iframe src.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Interspire ArticleLive 2005 "ArticleId" Remote Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/articles/newcomment\?ArticleId=\"\>"
-
-#Dream4 Koobi CMS Index.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php\?p=articles&area=.*\'"
-SecRule REQUEST_URI "/index\.php\?area.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Vortex Portal Remote File Inclusion and Path Disclosure Vulnerabilities
-SecRule REQUEST_URI "/index\.php\?act=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/content\.php\?act=(http|https|ftp)\:/"
-
-#Topic Calendar Cross Site Scripting
-SecRule REQUEST_URI "/calendar_scheduler\.php\?start.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#ESMI PayPal Storefront SQL inject and XSS
-SecRule REQUEST_URI "/ecdis/pages.php?idpages=\'"
-SecRule REQUEST_URI "/ecdis/products.*.php?id=.*&id.*=\'"
-SecRule REQUEST_URI "/ecdis/products.*\.php\?id=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Nuke Bookmarks Marks.php SQL Injection Vulnerability
-SecRule REQUEST_URI "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9| ]+[[:space:]](from|into|table|database|index|view)"
-
-#Nuke Bookmarks XSS
-SecRule REQUEST_URI "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#possible new vuln in tikiwiki
-SecRule REQUEST_URI "/tiki-list_faqs\.php\?offset=(http|https|ftp)\:/"
-
-#exoops Input Validation Flaws SQL injection and XSS
-SecRule REQUEST_URI "/newbb/index\.php\?viewcat=\'"
-SecRule REQUEST_URI "/modules/sections/index\.php\?op=viewarticle&artid=9\x2c+9\x2c+9"
-SecRule REQUEST_URI "/newbb/viewforum\.php\?sortname=p\.post_time\&sortorder=.*\&sortdays=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/newbb/index\.php\?viewcat=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Valdersoft Shopping Cart SQL injection and XSS
-SecRule REQUEST_URI "/(item|category).php?sid=.*\&id=\'"
-SecRule REQUEST_URI "/index\.php\?sid=.*\&lang=\'"
-SecRule REQUEST_URI "/search_result\.php\?sid=.*\&search.*\'"
-
-#OSCommerce XSS
-SecRule REQUEST_URI "/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Typo3 remote file retrieval
-SecRule REQUEST_URI "/dev/translations\.php\?ONLY=\x2e\x2e/\x2e\x2e/\x2e\x2e/\x2e\x2e/\x2e\x2e/.*\x00"
-
-#Mambo XSS
-SecRule REQUEST_URI "/emailfriend/(emailarticle|emailfaq|emailnews)\.php\?id=\"(\<script|(http|https|ftp)\:/)"
-
-#Photopost XSS and sql injection
-SecRule REQUEST_URI "photos/(showgallery|showmembers|slideshow)\.php\?.*(\'|\<script|(http|https|ftp)\:/)"
-
-#TKai's Shoutbox XSS
-SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&name=default&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&email=default\&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&email=default\&name=default\&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/shoutact\.php\?yousay=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#EncapsBB Remote File Inclusion Vulnerability
-SecRule REQUEST_URI "/index_header.php?root=(http|https|ftp)\:/"
-
-#CPG Dragonfly CMS Two Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/index\.php\?name=.*\&profile=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/coppermine/displayimage/meta=lastcom/cat=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/).*/pos=.*\.html"
-
-#PHPCoin
-SecRule REQUEST_URI "phpcoin/auxpage\.php\?page=\.\./\.\."
-
-#PortalApp SQL injection and XSS
-SecRule REQUEST_URI "/ad_click\.asp\?banner _id=\'"
-SecRule REQUEST_URI "/content\.asp\?CatId=\'"
-SecRule REQUEST_URI "/content\.asp\?ContentId=\'"
-SecRule REQUEST_URI "/content\.asp\?contenttype=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/content\.asp\?do_search=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Lighthouse Development Squirrelcart SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php\?crn=\'"
-
-#PunBB version <= 1.2.2 auth bypass exploit
-SecRule REQUEST_URI "profile\.php\?section=admin\&id=.*\&action=foo"
-SecRule REQUEST_COOKIES:punbb_cookie "a\:2\:\{i\:0\;s\:.*\;i\:1\;b\:1\;\}"
-
-#Multiple sql injection, and xss vulnerabilities in AspApp
-SecRule REQUEST_URI "/content\.asp\?CatId=.*\&ContentType=(.*script|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/content\.asp\?CatId=\'"
-SecRule REQUEST_URI "/content\.asp\?contenttype=(.*script|(http|https|ftp)\:/)"
-
-#PaFileDB Version 3.1 and below SQL injection and XSS
-SecRule REQUEST_URI "/pafiledb\.php\?action=viewall&id=&start=\'"
-SecRule REQUEST_URI "/pafiledb\.php\?action=file&id=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#E-Data 2.0 XSS
-SecRule REQUEST_URI "cgi-bin/dir\.pl.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#PHPNuke general SQL injection
-SecRule REQUEST_URI "/modules\.php\?.*name=.*UNION.*SELECT"
-
-#InterAKT Online MX Kart Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php\?mod=pages&idp=\'"
-SecRule REQUEST_URI "/MXShop/\?mod=category&id_ctg=\'"
-SecRule REQUEST_URI "/index\.php\?mod=category&id_ctg=\'"
-SecRule REQUEST_URI "/index\.php\?PHPSESSID=.*&id_man=\'"
-
-#CPG Dragonfly XSS
-SecRule REQUEST_URI "/index\.php\?name=.*\&file=.*\&meta=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?name=.*\&mode=.*&id=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/coppermine/displayimage/meta=.*/cat=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?name=.*&profile=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#AlstraSoft EPay Pro Multiple Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/epal/\?order_num=crap&payment=\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/epal/\?order_num=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#AlstraSoft EPay Pro Remote File Include Vulnerability
-SecRule REQUEST_URI "/epal/index\.php\?view=(http|https|ftp)\:/"
-
-#SiteEnable SQL injection and XSS
-SecRule REQUEST_URI "content\.asp\?contenttype=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#phpbb 2.0.13 download vuln
-SecRule REQUEST_URI "/downloads\.php\?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"
-
-#Turnkey Websites Shopping Cart SQL injection
-SecRule REQUEST_URI "/SearchResults\.php\?SearchTerm=\'"
-SecRule REQUEST_URI "/SearchResults\.php\?SearchTerm=.*\'"
-
-#Authenticaion bypass, Directory transversal and XSS vulnerabilities in PayProCart 3.0
-SecRule REQUEST_URI "/usrdetails\.php\?sgnuptype=.*((javsscript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "adminshop/index\.php\?proMod=index\&amp.*toedit=\.\..*shopincs.*maintopENG"
-
-#PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12
-SecRule REQUEST_URI "/banners\.php\?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/modules\.php\?name=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#PHP-Nuke Input Validation Flaws in Search, FAQ, and Banners Modules Permit Cross-Site Scripting Attacks
-SecRule REQUEST_URI "/modules\.php\?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/modules\.php\?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/modules\.php\?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1&ltr=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#phpMyAdmin convcharset Parameter Cross Site Scripting
-SecRule REQUEST_URI "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-##phpBB Calendar Pro catergory Parameter SQL Injection
-SecRule REQUEST_URI "/cal_view_month\.php\?month=.*&year=.*&category=.*(UNION|SELECT|DELETE|INSERT)"
-
-#cubecart SQL injection
-SecRule REQUEST_URI "/index\.php\?&PHPSESSID=\'"
-SecRule REQUEST_URI "/tellafriend\.php\?&product=\'"
-SecRule REQUEST_URI "/view_cart\.php\?add=\'"
-SecRule REQUEST_URI "/view_product\.php\?product=\'"
-
-#PHPBB LinksLinks Pro Module SQL Injection Vulnerability
-SecRule REQUEST_URI "/links\.php\?func=show&id=\'"
-
-#LiteCommerce Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/cart\.php\?target=\'"
-SecRule REQUEST_URI "/cart\.php\?target=category&category_id=\'"
-SecRule REQUEST_URI "/cart\.php\?target=product&product_id=\'"
-
-#PHP-Nuke "querylang" SQL Injection Vulnerability
-SecRule REQUEST_URI "/modules\.php\?name=Top&querylang=.*(UNION|SELECT|DELETE|INSERT).*\,"
-
-#PHPBB DLMan Pro Module SQL Injection Vulnerability
-SecRule REQUEST_URI "/dlman\.php\?func=file_info&file_id=\'"
-
-#ModernBill XSS and file include
-SecRule REQUEST_URI "/samples/news\.php\?DIR=(http|https|ftp)\:/"
-SecRule REQUEST_URI|REQUEST_BODY "/order/orderwiz\.php\?v=.*&aid=.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"
-
-#TowerBlog! Discloses Hashed Administrative Password to Remote Users
-SecRule REQUEST_URI|REQUEST_BODY "/_dat/login"
-
-#Invision Power Board SQL injection
-SecRule REQUEST_URI "/forums/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"
-#SQL injection in jPortal version 2.3.1
-SecRule REQUEST_URI "/jportal/banner\.php*(UNION|SELECT|DELETE|INSERT)"
-
-
-#PinnacleCart XSS Attack
-SecRule REQUEST_URI "/index\.php\?p=catalog&parent=.*&pg=\">"
-
-#Serendipity exip.php SQL injection
-SecRule REQUEST_URI "exit\.php\?entry_id=.*&url_id=.*\x20UNION\x20SELECT\x20(password|username)\x20FROM"
-
-#phpbb p[lus
-SecRule REQUEST_URI "/groupcp\.php\?g=.*sid=\'"
-SecRule REQUEST_URI "/index\.php\?(c|mark)=*\'"
-SecRule REQUEST_URI "/portal\.php\?article=*\'"
-SecRule REQUEST_URI "/viewforum.php?f=.*sid=\'"
-SecRule REQUEST_URI "/viewtopic.php?p=.*sid=\'"
-SecRule REQUEST_URI "/album_search\.php\?mode=\'"
-SecRule REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'"
-SecRule REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'"
-SecRule REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'\">"
-
-#EasyPHPCalendar XSS
-SecRule REQUEST_URI "/index\.php\?mo=.*&yr=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#CalendarScript path discolsure and XSS
-SecRule REQUEST_URI "/calendar\.pl\?calendar=.*&template=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/calendar\.pl\?calendar=.*&command=login&username=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#SPHPBlog Search.PHP Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/search\.php\?q=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-
-#All4WWW-Homepagecreator
-SecRule REQUEST_URI "/index.php?site=(http|https|ftp)\:/"
-
-#zOOM Media Gallery SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php\?option=com_zoom&Itemid=.*&catid=*(AND|OR|INSERT|UNION|DELETE)"
-
-#caught in honeypot
-SecRule REQUEST_URI ".*\.php\?(do=.*&template=\{\$\{|inc=(http|https|ftp)\:/)"
-
-#phpMyAdmin path vln
-SecRule REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
-
-#PHP-Nuke Web_Links Multiple Variable SQL Injection
-SecRule SCRIPT_FILENAME "modules\.php" chain
-SecRule ARGS:email|ARGS:ratenum|ARGS:min|ARGS:show|ARGS:orderby|ARGS:url "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#phpCOIN SQL injection
-SecRule SCRIPT_FILENAME "mod\.php" chain
-SecRule ARGS:faq_id|ARGS:id|ARGS:topic_id|ARGS:ord_id|ARGS:dom_id|ARGS:invd_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#NukeBookmarks SQL injection
-SecRule SCRIPT_FILENAME "modules\.php" chain
-SecRule ARGS:category "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#e107 SQL injection
-SecRule SCRIPT_FILENAME "news\.php" chain
-SecRule ARGS:list "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#squirrelcart SQL injection
-SecRule SCRIPT_FILENAME "index\.php" chain
-SecRule ARGS:crn "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)"
-
-#PHP-Nuke HTTP Response Splitting vuln
-SecRule REQUEST_URI "modules\.php\?name=Surveys&pollID=.*&forwarder=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#AzDGDatingPlatinum view.php id Variable XSS
-SecRule REQUEST_URI "/view\.php\?l=.*&id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-# AzDGDatingPlatinum index.php from Variable SQL Injection
-SecRule REQUEST_URI "/members/index\.php\?l=.*&a=.*&from=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-# AzDGDatingPlatinum view.php id Variable SQL Injection
-SecRule REQUEST_URI "/view.php\?l=.*&id=.*\'"
-
-#PHPBB Remote Mod.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/moddb/mod\.php\?id=\'"
-
-#CityPost PHP LNKX Input Validation Hole Permits Cross-Site Scripting Attacks
-SecRule REQUEST_URI "/lnkx/message\.php\?msg=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#Coppermine Photo Gallery Multiple XSS
-SecRule REQUEST_URI "/index\.php\?lang=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#PHP-Nuke Blind SQL Injection
-SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&title=.*&url=.*&description=.*&email=\'\,*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&url=\'\,*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=viewsdownload&min=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*]+(from|into|table|database|index|view)"
-SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=search&min=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#UBB Thread /ubbthreads/printthread.php SQL Injection Yes\No vulnerability
-SecRule REQUEST_URI "/printthread\.php*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#coppermine remote file inclusion
-SecRule REQUEST_URI "/theme\.php\?THEME_DIR=(http|https|ftp)/:/"
-
-#E-Cart Mod remote command execution
-SecRule REQUEST_URI "/index\.cgi\?action=.*&cat=.*&art=.*\|"
-
-#phpBB Auction Mod SQL injection
-SecRule REQUEST_URI "/auction_rating\.php\?mode=.*&u=.*\'"
-SecRule REQUEST_URI "/auction_offer\.php\?mode=.*&ar=.*\'"
-
-#kali's tagboard remote command execution
-SecRule REQUEST_URI "/admin/banned\.php\?&cmd="
-
-#PHPBB Profile.PHP Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
-
-#PHPBB Viewtopic.PHP Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/viewtopic\.php\?p=.*&highlight=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
-
-#Netref Remote Arbitrary File Creation Vulnerability
-SecRule REQUEST_URI "script/cat_for_gen\.php"
-
-# eGroupWare index.php cats_app Variable SQL Injection
-SecRule REQUEST_URI "/index\.php\?menuaction=preferences\.uicategories\.index\&cats_app=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-# eGroupWare tts/index.php filter Variable SQL Injection
-SecRule REQUEST_URI "/tts/index\.php\?filter=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-# eGroupWare sitemgr-site/index.php category_id Variable XSS
-SecRule REQUEST_URI "/sitemgr/sitemgr-site/\?category_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-# eGroupWare wiki/index.php Multiple Variable XSS
-SecRule REQUEST_URI "/index\.php\?page=RecentChanges.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?action=history&page=.*&lang=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-# eGroupWare index.php Multiple Variable XSS
-SecRule REQUEST_URI "/index\.php\?menuaction=addressbook\.uiaddressbook\.edit\&ab_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?menuaction=manual\.uimanual\.view\&page=ManualAddressbook.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?menuaction=forum\.uiforum\.post\&type=new.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?menuaction=wiki\.uiwiki\.edit\&page=setup.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#SQL Injections in MetaBid Auctions
-SecRule REQUEST_URI "/item\.asp\?intAuctionID=\'"
-
-#honeypot catch
-SecRule REQUEST_URI "tiki-print\.php\?page=(http|https|ftp)\:/"
-
-# phpBB Notes Mod SQL Injection Vulnerability
-SecRule REQUEST_URI "/posting_notes\.php\?mode=editpost\&*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#phpCOIN SQL injection attacks
-SecRule REQUEST_URI "/index\.php\?title=.*&search=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/login\.php\?w=.*&o=.*&phpcoinsessid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)*\'"
-SecRule REQUEST_URI "/mod\.php\?mod=siteinfo&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)*\'&phpcoinsessid="
-SecRule REQUEST_URI "/mod\.php\?mod=pages&mode=list&(dcat_id|topic_id)=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)*\'\&phpcoinsessid="
-
-#honeypot catch
-SecRule REQUEST_URI "/index\.php\?page=(http|https|ftp)\:/"
-
-#honeypot catch
-#ideabox code injection
-SecRule REQUEST_URI "/ideabox/include\.php" chain
-SecRule REQUEST_URI "(Dir=(http|https|ftp)\:/|\?\&(cmd|id|inc|name)=)"
-
-#12Planet Chat Server Path Disclosure
-# CVE: "CVE-MAP-NOMATCH"
-SecRule REQUEST_URI "/qwe/qwe/index\.html"
-
-#Agora CGI Cross Site Scripting
-# CVE: "CVE-2001-1199"
-SecRule REQUEST_URI "/store/agora\.cgi\?cart_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#Apache Remote Command Execution via .bat files
-# CVE: "CVE-2002-0061"
-SecRule REQUEST_URI "/test-cgi\.bat\?\|"
-
-#cpanel remote command execution
-SecRule REQUEST_URI "/cgi-sys/guestbook\.cgi\?user=cpanel&template=\|"
-
-#Oracle 9iAS mod_plsql directory traversal
-# CVE: "CAN-2001-1217"
-SecRule REQUEST_URI "/pls/sample/admin_/help/\.\."
-
-#Zeus Admin Interface XSS
-SecRule REQUEST_URI "/apps/web/vs_diag\.cgi\?server=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#Oracle 9iAS iSQLplus XSS
-SecRule REQUEST_URI|REQUEST_BODY "/isqlplus\?action=logon&username=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-# main.cgi directory traversal and file access
-SecRule REQUEST_URI "/main\.cgi\?next_file=*/"
-
-#TorrentTrader SQL Injection
-SecRule REQUEST_URI "/download\.php\?id=\'"
-
-#OpenCA HTML Injection
-# CVE: "CAN-2004-0787"
-SecRule REQUEST_URI "/cgi-bin/pub/pki\?cmd=serverInfo"
-
-#pdesk directory traversal and file theft
-SecRule REQUEST_URI "/cgi-bin/pdesk\.cgi\?lang=\.\./\.\./"
-
-#ShowCenter XSS
-SecRule REQUEST_URI "/ShowCenter/SettingsBase\.php\?Skin=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#honeypot XSS attack
-SecRule REQUEST_URI "/page\.php\?action=view&id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#i-mall remote command execution attack
-SecRule REQUEST_URI "/i-mall/i-mall\.cgi\?p=\|"
-
-#PArser XSS
-SecRule REQUEST_URI "/parser/parser\.php\?file=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#caught in honeypot
-SecRule REQUEST_URI "/check_user_id\.php\?user_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#formmail probe
-#SecRule REQUEST_URI|REQUEST_BODY "/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
-SecRule REQUEST_URI|REQUEST_BODY "GET .*/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
-SecRule REQUEST_URI|REQUEST_BODY "HEAD .*/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
-SecRule REQUEST_URI|REQUEST_BODY "POST .*/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
-
-#JGS-Portal ID Variable SQL Injection Vulnerability
-SecRule REQUEST_URI "/jgs_portal\.php\?id=\'"
-
-#SitePanel 2 command exec, file access
-SecRule REQUEST_URI "/users/index\.php\?lang=en\.inc/\.\./\.\./"
-SecRule REQUEST_URI "/users/main.php?p=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/admin/5\.php\?do=rmattach&rm=yes&id=\.\./"
-
-#osTicket directory traversal
-SecRule REQUEST_URI "/attachments\.php\?file=\.\./\.\."
-
-#osticket remote file inclusion
-SecRule REQUEST_URI "/include/main\.php\?config.*=.*&include_dir=(http|https|ftp)\:/"
-
-#osticket SQL injection
-SecRule REQUEST_URI "/admin\.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]]+(from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/view\.php\?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#Woltlab Burning Board JGS-Portal "id" SQL Injection
-SecRule REQUEST_URI "/jgs_portal\.php" chain
-SecRule REQUEST_URI "id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#eSKUeL "ConfLangCookie" and "lang_config" Local File Inclusion
-SecRule REQUEST_URI "include/functions\.inc\.php" chain
-SecRule REQUEST_URI "(ConfLangCookie|lang_config)=*\.\./"
-
-#FishCart Cross-Site Scripting and SQL Injection Vulnerabilities
-SecRule REQUEST_URI "display\.php" chain
-SecRule REQUEST_URI "nlst=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-SecRule REQUEST_URI "upstracking\.php" chain
-SecRule REQUEST_URI "(eqagree|m|trackingnum)=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-SecRule REQUEST_URI "display\.php" chain
-SecRule REQUEST_URI "psku=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-SecRule REQUEST_URI "upstnt\.php" chain
-SecRule REQUEST_URI "cartid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-# vBulletin calendar.php comma Parameter Arbitrary Command Execution
-SecRule REQUEST_URI "calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
-SecRule REQUEST_URI "/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;"
-
-#FishCart SQL injection
-SecRule REQUEST_URI "/display\.php\?cartid=.*&zid=*&lid=*&nlst=*&olimit=*&cat=*&key*=&psku=\'"
-SecRule REQUEST_URI "/upstnt\.php\?zid=.*&lid=.*&cartid=\'"
-
-#PHP-Nuke "phpbb_root_path" Arbitrary File Inclusion
-SecRule REQUEST_URI "/admin_styles\.php\?phpbb_root_path=(http|https|ftp)\:/"
-
-# Apache Jakarta-Tomcat? /admin Context Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/admin/\?op=\xc0"
-
-#generic Common HTTP vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/\?cwd=/"
-
-#XSS in phpBB
-SecRule REQUEST_URI|REQUEST_BODY "/(viewtopic|privmsg|bbcode)\.php\?" chain
-SecRule REQUEST_URI "\[url=(script|javascript|about|applet|activex|chrome)\:/"
-
-#phbb admin forums XSS
-SecRule REQUEST_URI "/admin_forums\.php\?" chain
-SecRule REQUEST_URI|REQUEST_BODY "\<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#HTMLJunction EZGuestbook Remote Database Disclosure Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/datastores/guestbook\.mdb"
-
-#phpbb XSS
-SecRule REQUEST_URI "/admin/admin_forums\.php\?sid=.*" chain
-SecRule REQUEST_URI|REQUEST_BODY "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#DirectTopics Topic.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/topic\.php\?topic=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#honeypot
-SecRule REQUEST_URI "tiki-index\.php\?page=(http|https|ftp)\:/"
-
-#Help Center Live Multiple Input Validation Vulnerabilities
-SecRule REQUEST_URI "/faq/index\.php\?x=.*&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/tt/view\.php\?tid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/tt/download\.php\?fid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/lh/icon\.php\?status=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/lh/chat_download\.php\?fid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities
-SecRule REQUEST_URI "/jgs_portal\.php\?anzahl_beitraege=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_statistik\.php\?meinaction=mitglieder&month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_statistik\.php\?meinaction=themen&month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_statistik\.php\?meinaction=beitrag&month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_beitraggraf\.php\?month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_viewsgraf\.php\?jahr=.*&monat=.*&tag=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+(from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_themengraf\.php\?month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_mitgraf\.php\?month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_sponsor\.php\?id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_box\.php\?id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#NPDS "comments.php" and "pollcomments.php" Remote SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/npds/comments\.php\?thold=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/npds/pollcomments\.php\?thold=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/npds/pollcomments\.php\?op=results&pollID=2&mode=&order=&thold=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#Gurgens Guest Book Remote Database Disclosure Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/db/Genit\.dat"
-
-#PhotoPost Arbitrary Data vuln
-SecRule REQUEST_URI "/member\.php\?ppaction=.*&verifykey=.*&uid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#OpenBB SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/read\.php" chain
-SecRule ARGS:TID "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#PostNuke "func" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php.*func=*(\.\./|(http|https|ftp)\:/)"
-
-#Bug Report Script Insertion Vulnerability
-SecRule SCRIPT_FILENAME "bug_report\.php" chain
-SecRule ARGS:name|ARGS:sujet|ARGS:commentaries|ARGS:os|ARGS:navig|ARGS:url "<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#NPDS SQL Injection and XSS Vulnerabilities
-SecRule REQUEST_URI "/(pollcomments|comments)\.php" chain
-SecRule ARGS:thold "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/faq\.php" chain
-SecRule ARGS:categories "<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#Post tiki Wiki install rules
-SecRule REQUEST_URI "/tiki-install\.php"
-SecRule REQUEST_URI "/tiki-edit_templates\.php"
-
-#phpATM Arbitrary Remote File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php\?include_location=(http|https|ftp)\:/"
-
-#TOPo XSS vuln
-SecRule REQUEST_URI "/index\.php\?m=(top|members)*<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#honeypot
-SecRule REQUEST_URI "/news\.php\?tpath=(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "tiki-(index|print)\.php\?page=.*\?include_location=(http|https|ftp)\:/"
-SecRule REQUEST_URI "tiki-.*\?include_location=(http|https|ftp)\:/"
-SecRule REQUEST_URI "tiki-editpage\.php\?page=(http|https|ftp)\:/"
-SecRule REQUEST_URI "tiki-export_wiki_pages\.php\?page=(http|https|ftp)\:/"
-
-#sawmill remote file access
-SecRule REQUEST_URI|REQUEST_BODY "/cgi-bin/sawmill5\?.*\x22"
-
-#mailview CGI remote file access`
-SecRule REQUEST_URI "mailview\.cgi\?cmd=view&fldrname=.*&select=.*&html=\.\./\.\."
-
-#Javamail info disclosure
-SecRule REQUEST_URI "/Download\?/.*/web/WEB-INF/web\.xml"
-
-#javamail file access
-SecRule REQUEST_URI|REQUEST_BODY "/Download\?(\.\./|/\.\./|/etc/|/home/|/tmp/|/usr/|/backup/|/dev/|/proc/|/var/(cache|spool|mail|adm|log|tmp)/)"
-
-#Gforge "viewFile.php" Remote Arbitrary Command Execution Vulnerability
-SecRule REQUEST_URI "/viewFile\.php\?group_id=.*&file_name=\x0A"
-
-#WebAPP v0.9.9.2.1 Remote Command Execution vuln
-SecRule REQUEST_URI "/apage\.cgi?f=.*\|"
-
-#honeypot
-SecRule REQUEST_URI "/displayCategory\.php\?basepath=(http|https|ftp)\:/"
-
-#PHP Poll Creator Include File Error Lets Remote Users Execute Arbitrary Commands
-SecRule REQUEST_URI "/poll_vote\.php\?relativer_pfad=(http|https|ftp)\:/"
-
-#PostNuke version : x=> 0.750 SQL injection
-SecRule REQUEST_URI "/modules\.php\?op=modload&name=Messages&file=readpmsg&start=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#SQL Injection Vuln for myBloggie 2.1.1 - 2.1.2
-SecRule REQUEST_URI "index\.php\?month_no=.*&year=.*&mode=viewdate&date_no=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#powerdownload remote file include
-SecRule REQUEST_URI "/downloads\.php\?release_id=.*&incdir=(http|https|ftp)\:/"
-
-#X-Cart SQL inject vulns
-SecRule REQUEST_URI "/home\.php\?(cat|printable)=\'"
-SecRule REQUEST_URI "/product\.php\?(product|mode)=\'"
-SecRule REQUEST_URI "/error_message\.php\?access_denied&id=\'"
-SecRule REQUEST_URI "/help\.php\?section=\'"
-SecRule REQUEST_URI "/(orders|register|search)\.php\?mode=\'"
-SecRule REQUEST_URI "/giftcert\.php\?(gcid|gcindex)=\'"
-
-#Calendarix Advanced
-SecRule REQUEST_URI "/cal_week\.php\?op=week&catview=.*\'"
-SecRule REQUEST_URI "/cal_cat\.php\?op=cats&catview=.*\'"
-SecRule REQUEST_URI "/cal_day\.php\?op=.*&date=.*&catview=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/cal_pophols\.php\?id=.*\'"
-
-
-#MyBulletinBoard SQL injection
-SecRule REQUEST_URI "/online\.php\?pidsql=\)(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/memberlist\.php\?usersearch=\%\'"
-SecRule REQUEST_URI "/editpost\.php\?pid=\'"
-SecRule REQUEST_URI "/forumdisplay\.php\?fid=\'"
-SecRule REQUEST_URI "/newreply\.php\?tid=\'"
-SecRule REQUEST_URI "/search\.php\?action=.*&(sid|uid)=*\'"
-SecRule REQUEST_URI "/showthread\.php\?(tp)id=\'"
-SecRule REQUEST_URI "/usercp2\.php\?tid=\'"
-SecRule REQUEST_URI "/printthread\.php\?tid=\'"
-SecRule REQUEST_URI "/reputation\.php\?pid=\'"
-SecRule REQUEST_URI "/portal\.php\?action=do_login&username=\'"
-SecRule REQUEST_URI "/polls\.php\?action=newpoll&tid=\'"
-SecRule REQUEST_URI "/ratethread\.php\?tid=\'"
-
-#MyBulletinBoard XSS
-SecRule REQUEST_URI "/misc\.php\?action=syndication&forums.*=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/misc\.php\?action=syndication&forums.*=.*&version*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/misc\.php\?action=syndication&limit=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/forumdisplay\.php\?fid=.*&datecut=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/forumdisplay\.php\?fid=.*&page=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/member\.php\?agree=.*&username=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/member\.php\?agree=.*&(email|email2)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/memberlist\.php\?(page|usersearch)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/showthread\.php\?mode=linear&tid=.*&pid=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/showthread\.php\?mode=linear&tid=.*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/printthread\.php?tid=.*\<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#Wordpress SQL injection
-SecRule REQUEST_URI "/wp-trackback\.php\?tb_id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/wp-trackback\.php" chain
-SecRule ARGS:tb_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/index\.php\?cat=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#MWChat remote file inclusion vuln
-SecRule REQUEST_URI "/libs/start_lobby\.php\?CONFIG.*=(http|https|ftp)\:/"
-
-#phpCMS "class.layout_phpcms.php" Remote Arbitrary File Inclusion Vulnerability
-SecRule REQUEST_URI "/parser\.php\?&phpcmsaction=FILEMANAGER&language=.*(/\.\./|(http|https|ftp)\:/)"
-
-#Exhibit Engine Remote SQL Injection Vulnerabilities
-SecRule REQUEST_URI|REQUEST_BODY "/search_row=ee_photo\.ee_photo_exif_iso.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/list\.php" chain
-SecRule ARGS:search_row|ARGS:sort_row|ARGS:order|ARGS:perpage "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#phpCMS "language" Local File Inclusion Vulnerability
-SecRule SCRIPT_FILENAME "/parser\.php" chain
-SecRule ARGS:laguage "/\.\./"
-
-#Popper "form" File Inclusion Vulnerability
-SecRule REQUEST_URI "/childwindow\.inc\.php" chain
-SecRule ARGS:form "(/\.\./|(http|https|ftp)\:/)"
-
-#phpThumb() "src" Exposure of Sensitive Information
-SecRule SCRIPT_FILENAME "/phpThumb\.php" chain
-SecRule ARGS:src "/\.\./"
-
-#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
-SecRule REQUEST_URI "\.php\?" chain
-SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
-
-#e107 eTrace Plugin Shell Command Injection Vulnerability
-SecRule SCRIPT_FILENAME "/dotrace\.php" chain
-SecRule ARGS:etrace_cmd|ARGS:etrace_host "(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
-
-#WebHints Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/hints\.pl.*\|"
-
-#Invision Gallery SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:comment "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#Ovidentia FX "babInstallPath" File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:babInstallPath "(/\.\./|(http|https|ftp)\:/)"
-
-#Siteframe "LOCAL_PATH" File Inclusion Vulnerability
-SecRule SCRIPT_FILENAME "/siteframe\.php" chain
-SecRule ARGS:LOCAL_PATH "(/\.\./|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/siteframe\.php\?LOCAL_PATH=(http|https|ftp)\:/"
-
-#e107 ePing Plugin Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/doping\.php" chain
-SecRule ARGS:eping_cmd|ARGS:eping_host|ARGS:eping_count "(cd|\;|(ba|tc|c|z)sh|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
-
-#Invision Community Blog Module SQL injection
-SecRule REQUEST_URI "/index.php" chain
-SecRule ARGS:mid ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#MWChat "CONFIG[MWCHAT_Libs]" File Inclusion Vulnerability
-SecRule REQUEST_URI "CONFIG\[MWCHAT_Libs\]" chain
-SecRule REQUEST_URI "(/\.\./|(http|https|ftp)\:/)"
-
-#YaPiG Multiple Vulnerabilities
-SecRule REQUEST_URI "last_gallery\.php" chain
-SecRule ARGS:YAPIG_PATH "(/\.\./|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "BASE_DIR.*(/\.\./|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/upload\.php" chain
-SecRule ARGS:dir "(/\.\./|.*\.\./)"
-
-#honeypot catch
-SecRule REQUEST_URI "/write\.php\?dir=(http|https|ftp)\:/"
-
-#socialMPN Remote SQL Injection and Path Disclosure Vulnerabilities
-SecRule REQUEST_URI "/article\.php\?sid=\x27"
-SecRule REQUEST_URI "/user\.php\?uname=\'"
-SecRule REQUEST_URI "/viewforum\.php\?forum=.*&siteid=\x2527"
-SecRule REQUEST_URI "/newtopic\.php\?username=\'&password="
-SecRule REQUEST_URI "/sections.php\?op=listarticles&secid=(\x27|\x2527)"
-SecRule REQUEST_URI "/index\.php\?siteid=\'&op=show&aftersid="
-SecRule REQUEST_URI "/friend\.php\?sid=\x2527&yname=.*&ymail=.*&fname=.*&fmail=.*&op=SendStory"
-
-#JBOSS Installation Path and Configuration File disclosure
-SecRule REQUEST_URI|REQUEST_BODY "^\%\."
-SecRule REQUEST_URI|REQUEST_BODY "^\%server\.policy"
-
-#Mambo 'com_contents' Input Validation Hole in 'user_rating' SQL Injection
-SecRule REQUEST_URI "/index\.php\?option=com_content&task=vote&id=.*&Itemid=.*&cid=.*&user_rating=.*\((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)"
-
-
-#Web Store remote command execution
-SecRule REQUEST_URI "web_store\.cgi\?page=.*\|"
-
-#Mambo "user_rating" SQL Injection Vulnerability
-SecRule REQUEST_URI "/content\.php" chain
-SecRule ARGS:user_rating ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Cacti remote file inclusion vuln
-SecRule REQUEST_URI "/(top_graph_header|config_settings)\.php\?.*=(http|https|ftp)\:/"
-
-#Claroline E-Learning SQL injection
-SecRule REQUEST_URI "/(userInfo|exercises_details)\.php\?(uInfo|exo_id)=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "\?uInfo=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)"
-
-#Forum Russian Board 4.2 Full command execution vuln
-SecRule REQUEST_URI|REQUEST_BODY "message=.*&form_h=.*&style_edit_ok=\xC8x\E7x\ECx\E5x\EDx\E8x\F2x\FC"
-
-#SMF Modify SQL Injection vuln
-SecRule REQUEST_URI "/index\.php\?action=(login|profile).*msg=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#cpanel XSS vuln
-SecRule REQUEST_URI|REQUEST_BODY "/login\?user=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Cacti command execution vuln
-SecRule REQUEST_URI "\.php\?rrdtool=*(cd |\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
-SecRule REQUEST_URI "/graph_image\.php\?local_graph_id=.*\x0a"
-
-#honeypot
-SecRule REQUEST_URI "/index\.php\?pagina=(http|https|ftp)\:/"
-
-#PHPNuke spam hole
-SecRule REQUEST_URI "/modules\.php\?name=WebMail\&file=nlmail"
-
-#Community Link Pro "file" Shell Command Injection Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/login\.cgi\?username=.*command=.*do=.*password=.*file=\|"
-
-#Pavsta Auto Site "sitepath" File Inclusion Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "user_check\.php" chain
-SecRule ARGS:sitepath "((http|https|ftp)\:/|(/\.\./|.*\.\./))"
-
-#Comdevn eCommerce Form Handler Vulnerabilities
-SecRule REQUEST_URI "/index\.php\?homeinclude=catalog&category_id=&parent_id=.*" chain
-SecRule REQUEST_URI "<[[:space:]]*(href|script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome|a)[[:space:]]*>"
-
-#Plans "evt_id" SQL Injection Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "plans\.cgi" chain
-SecRule ARGS:evt_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Sukru Alatas Guestbook Exposure of User Credentials
-SecRule REQUEST_URI|REQUEST_BODY "db/gbdb\.mdb"
-
-#CSV_DB / i_DB Arbitrary Command Execution Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "csv_db\.cgi" chain
-SecRule ARGS:file "\|"
-
-#PHP-Fusion database backup file retrieval vuln
-SecRule REQUEST_URI|REQUEST_BODY "/(fusion_admin|administration)/db_backups/"
-
-#PHP-Fusion XSS vuln
-SecRule REQUEST_URI|REQUEST_BODY "/submit\.php?.*(news_body|article_description|article_body).*<[[:space:]]*(href|script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome|a)[[:space:]]*>"
-
-#UBB.threads SQL Injection
-SecRule REQUEST_URI|REQUEST_BODY "/download\.php\?Number=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/calendar\.php\?Cat=.*&month=.*&year=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/calendar\.php\?Cat=&month=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*year=.*"
-SecRule REQUEST_URI|REQUEST_BODY "/modifypost\.phpCat=.*&Username=.*&Number=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*&Board=UBB8"
-SecRule REQUEST_URI|REQUEST_BODY "/mailthread\.php\?Cat=.*&Board=.*&Number=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/viewmessage\.php\?Cat=&message=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/(addfav\|notifymod|grabnext).php\?Cat=.*&Board=.*&main=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Xoops XML sql injection
-SecRule REQUEST_URI "(xmlrpc|xmlrpc_.*)\.php" chain
-SecRule REQUEST_BODY "<methodName>blogger\.getUsersBlogs</methodName>" chain
-SecRule REQUEST_BODY ".*\' AND ascii\(substring\(pass"
-
-#Wordpress cat vuln
-SecRule REQUEST_URI "/wordpress/" chain
-SecRule ARGS:cat "!^[0-9]*$"
-
-#Atomicboard path recursion
-SecRule REQUEST_URI|REQUEST_BODY "/atomicboard/index\.php\?location=\.\./\."
-
-#basilix path recursion
-SecRule REQUEST_URI|REQUEST_BODY "/basilix\.php3\?request_id\[.*\]=\.\./\."
-
-#bigconf path recursion vuln
-SecRule REQUEST_URI|REQUEST_BODY "/bigconf\.cgi\?command=view_textfile&file=/"
-
-#a1disp3 path recursion vuln
-SecRule REQUEST_URI "/a1disp3\.cgi\?/\.\./"
-
-#contacts remote file inclusion
-SecRule REQUEST_URI "/contacts\.php\?cal_dir=(http|https|ftp)\:/"
-
-#CuteNews Search remote file inclusion
-SecRule REQUEST_URI "/cutenews/search\.php\?cutepath=(http|https|ftp)\:/"
-
-#Dynamic Pages config remote file inclusion
-SecRule REQUEST_URI "/config_page\.php\?do=.*&du=site&edp_relative_path=(http|https|ftp)\:/"
-
-#Edit_image file recursion vuln
-SecRule REQUEST_URI "/edit_image\.php\?dn=.*&userfile=/"
-
-#export.php directory recursion vuln
-SecRule REQUEST_URI "/export\.php\?\?what=\.\./\."
-
-#awol-condensed remote file inclusion
-SecRule REQUEST_URI "/awol-condensed\.inc\.php\?path=(http|https|ftp)\:/"
-
-#config.php remote file inclusion
-SecRule REQUEST_URI "/config\.php\?relative_script_path=(http|https|ftp)\:/"
-
-#hnmain remote file inclusion
-SecRule REQUEST_URI "/hnmain\.inc\.php3\?config\[incdir\]=(http|https|ftp)\:/"
-
-#template remote file inclusion
-SecRule REQUEST_URI "/index\.php\?board=.*;action=.*;ext=.*;template=(http|https|ftp)\:/"
-
-#generic remote file inclusion vulns
-SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
-SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"
-
-#Cacti no_http_headers security vuln
-SecRule REQUEST_URI "/config\.php\?" chain
-SecRule ARGS:no_http_headers ".*"
-
-#Quick & Dirty PHPSource Printer Directory Traversal Vulnerability
-SecRule REQUEST_URI "/source\.php\?" chain
-SecRule ARGS:file "\.\."
-
-#nabopoll "path" File Inclusion Vulnerability
-SecRule REQUEST_URI "/survey\.inc\.php\?" chain
-SecRule ARGS:path "((\.\.|(http|https|ftp)\:/)|.*(\.\.|(http|https|ftp)\:/))"
-SecRule REQUEST_URI "/survey\.inc\.php\?path=(http|https|ftp)\:/"
-
-#DCP-Portal remote file include
-SecRule REQUEST_URI "/editor/editor\.php\?root=(http|https|ftp)\:/"
-
-#phpBB remote code execution vuln
-SecRule REQUEST_URI "/viewtopic\.php\?.*(highlight.*(\'\.|\x2527|\x27)|include\(.*GET\[.*\]\)|=(http|https|ftp)\:/|(printf|system)\()"
-
-#Unknown Malware
-SecRule REQUEST_URI "/mcp/mcp\.cgi"
-
-# osTicket "t" SQL Injection Vulnerability
-SecRule REQUEST_URI "/view\.php" chain
-SecRule ARGS:t ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Mark Kronsbein MyGuestbook "lang" File Inclusion Vulnerability
-SecRule REQUEST_URI "/form\.inc\.php3" chain
-SecRule ARGS:lang "((\.\.|(http|https|ftp)\:/)|.*(\.\.|(http|https|ftp)\:/))"
-
-#phpPgAdmin "formLanguage" Local File Inclusion Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/index\.php" chain
-SecRule ARGS:formLanguage "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#PPA Include File Bug remote file inclusion
-SecRule REQUEST_URI|REQUEST_BODY "/functions\.inc\.php\?config\[ppa_root_path\]=(http|https|ftp)\:/"
-
-#SPiD Include File Bug remote file inclusion
-SecRule REQUEST_URI|REQUEST_BODY "/lang/lang\.php\?lang_path=(http|https|ftp)\:/"
-
-#Id Board 'tbl_suff' Input Validation Hole SQL injection
-SecRule REQUEST_URI|REQUEST_BODY "/index\.php\?site=.*&f=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#DownloadProtect "file" Disclosure of Sensitive Information
-SecRule REQUEST_URI|REQUEST_BODY "/download\.php\?" chain
-SecRule ARGS:file "\.\./"
-
-#phpSecurePages "cfgProgDir" File Inclusion Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "phpSecurePages/secure\.php" chain
-SecRule ARGS:cfgProgDir "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#PunBB SQL Injection and PHP Code Execution Vulnerabilities
-SecRule REQUEST_URI|REQUEST_BODY "/profile\.php" chain
-SecRule ARGS:temp "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "redirect_url.*(http|https|ftp)\:/.*cmd="
-
-#pngcntrp "kaiseki.cgi" Shell Command Injection Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/kaiseki\.cgi.*\|"
-
-#phpWebSite SQL Injection and Disclosure of Sensitive Information
-SecRule REQUEST_URI|REQUEST_BODY "index\.php" chain
-SecRule ARGS:mod|ARGS:module "(\.\./|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view))"
-
-#Simple PHP Blog Exposure of User Credentials
-SecRule REQUEST_URI|REQUEST_BODY "config/password\.txt"
-
-#Squito Gallery "photoroot" File Inclusion Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "photolist\.inc\.php" chain
-SecRule ARGS:photoroot "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#iPhotoAlbum File Inclusion Vulnerabilities
-SecRule REQUEST_URI|REQUEST_BODY "/getpage\.php" chain
-SecRule ARGS:docpath|ARGS:path "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-SecRule REQUEST_URI|REQUEST_BODY "header\.php" chain
-SecRule ARGS:set_menu "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#Yawp "_Yawp[conf_path]" File Inclusion Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "_Yawp\[conf_path\]=((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#Phpauction GPL Multiple Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:lan "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-SecRule REQUEST_URI "/adsearch\.php" chain
-SecRule ARGS:category "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#USANet Creations Products Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/dispallclosed\.pl.*\|"
-
-#Web-Portal-System 'wps_shop.cgi' Remote Command Execution
-SecRule REQUEST_URI "/wps_shop\.cgi" chain
-SecRule ARGS:art "(\[|\;|\<|\>|\*|\||\'|\&|\$|\!|\?|\#|\(|\)|\[|\]|\{|\}|\:|\'|\"|\])"
-SecRule REQUEST_URI "/wps_shop\.cgi" chain
-SecRule ARGS:cat "(\[|\;|\<|\>|\*|\||\'|\&|\$|\!|\?|\#|\(|\)|\[|\]|\{|\}|\:|\'|\"|\])"
-SecRule REQUEST_URI "/wps_shop\.cgi" chain
-SecRule ARGS:art "\|.+\|"
-
-#class-1 Forum Software SQL Injection
-SecRule REQUEST_URI "/viewattach\.php" chain
-SecRule ARGS:id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/users\.php" chain
-SecRule ARGS:viewuser_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/viewforum\.php" chain
-SecRule ARGS:forum "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#MooseGallery "type" File Inclusion Vulnerability
-SecRule REQUEST_URI "/display\.php" chain
-SecRule ARGS:type "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#honetpot catch
-SecRule REQUEST_URI "\x03\x03\x03\x03\x18\x18\x18\x18\x1a\x1c\x1a\x1c\x1c4r43tr"
-
-#CaLogic "CLPATH" Arbitrary File Inclusion Vulnerability
-SecRule REQUEST_URI "(clmcpreload|mcconfig)\.php" chain
-SecRule ARGS:CLPATH "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#OpenBB sql injection
-SecRule REQUEST_URI "/index\.php\?CID=.*\+union\+select\+.*\,.*\,password.*from\+profiles\+where"
-
-#ReviewPost PHP Pro "sort" SQL Injection Vulnerability
-SecRule REQUEST_URI "/showproduct\.php" chain
-SecRule ARGS:sort "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#PHPNews "user" and "password" SQL Injection Vulnerability
-SecRule REQUEST_URI "/auth\.php" chain
-SecRule ARGS:user|ARGS:password "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#PHP Surveyor Remote SQL Injection
-SecRule REQUEST_URI "/admin/" chain
-SecRule ARGS:sid|ARGS:start|ARGS:id|ARGS:lid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Invision PowerBoard 1.3.x - 2.0 SQL injection
-SecRule REQUEST_URI "/index\.php\?act=Login&CODE=autologin.*((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|user\+AND\+MID\(password)"
-
-#sendcard "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/sendcard\.php" chain
-SecRule ARGS:id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Report from user
-SecRule REQUEST_URI "/functions_admin\.php\?phpbb_root_path=(http|https|ftp)\:/"
-
-#SQL injection vuln in Contrexx
-SecRule REQUEST_URI "/index\.php\?section=gallery&cmd=.*&cid*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#PHP FirstPost remote file include
-SecRule REQUEST_URI "/block\.php\?Include=(http|https|ftp)\:/"
-
-#DCForum remote file viewing
-SecRule REQUEST_URI "/dcforum\.cgi\?az=.*&forum=*\.\./\.\."
-
-#Atomic Photo Album "apa_module_basedir" File Inclusion
-SecRule REQUEST_URI "/apa_phpinclude\.inc\.php" chain
-SecRule ARGS:apa_module_basedir "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#VBZooM "SubjectID" SQL Injection Vulnerability
-SecRule REQUEST_URI "/show\.php" chain
-SecRule ARGS:SubjectID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Phorm remote file inclusion protections
-SecRule REQUEST_URI "/phorm\.php" chain
-SecRule ARGS:PHORM_* "(http|https|ftp)\:/"
-
-#Athena Web Registration Remote Command Execution Vuln
-SecRule REQUEST_URI "/athenareg\.php\?pass=\x20\;"
-
-#wowBB view_user.php SQL Injection
-SecRule REQUEST_URI "/wowbb/view_user\.php\?" chain
-SecRule REQUEST_URI|REQUEST_BODY "sort_by=\'" chain
-SecRule REQUEST_URI|REQUEST_BODY "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Simplicity oF Upload remote command exec and remote file inclusion
-SecRule REQUEST_URI "/download\.php\?language=(upload\.php|(http|https|ftp)\:/)"
-
-#uguestbook exploit
-SecRule REQUEST_URI "/mdb-database/guestbook\.mdb"
-
-#FtpLocate remote command execution
-SecRule REQUEST_URI "/flsearch\.pl" chain
-SecRule ARGs:query "\|"
-
-#PHPmyGallery "confdir" File Inclusion Vulnerability
-SecRule REQUEST_URI "/common-tpl-vars\.php" chain
-SecRule ARGS:confdir "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#Netquery 3.1 Remote Command Execution vuln
-SecRule REQUEST_BODY "op=modload*&name=Net.*&file=*&query=ping&host=*\|"
-
-#MySQL Eventum SQL Injection Vulnerabilities
-SecRule REQUEST_URI|REQUEST_BODY "/includes/class\.auth\.php" chain
-SecRule ARGS:email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Kayako LiveResponse SQL injection
-SecRule REQUEST_URI|REQUEST_BODY "/index\.php\?date=.*\x20.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#PHPlist SQL injection
-SecRule REQUEST_URI|REQUEST_BODY "lists/admin/\?page=admin&id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#ChurchInfo SQL injection vulns
-SecRule REQUEST_URI|REQUEST_BODY "/(PersonView|MemberRoleChange|PropertyAssign|WhyCameEditor|GroupPropsEditor|Reports/PDFLabel|UserDelete)\.php" chain
-SecRule ARGS:PersonID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/DepositSlipEditor\.php" chain
-SecRule ARGS:DepositSlipID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/QueryView\.php" chain
-SecRule ARGS:QueryID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/(GroupView|GroupMemberList|MemberRoleChange|GroupDelete|/Reports/ClassAttendance|/Reports/GroupReport)\.php" chain
-SecRule ARGS:GroupID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/PropertyEditor\.php" chain
-SecRule ARGS:PropertyID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/PledgeDetails\.php" chain
-SecRule ARGS:PledgeID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/(AutoPaymentEditor|Canvas05Editor|CanvassEditor)\.php" chain
-SecRule ARGS:FamilyID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#denial of service attack on Flex PHPNews 0.0.4
-SecRule REQUEST_URI "/news\.php?(prenumber|nextnumber)=[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+"
-
-#SQL admin bypass for Flex PHPNews 0.0.4
-SecRule REQUEST_URI "/admin/" chain
-SecRule REQUEST_URI "\' OR \'a\'='a*\' OR \'a\'=\'a"
-
-#Naxtor Shopping Cart SQL Injection
-SecRule REQUEST_URI "/(lost_passowrd|lost_password)\.php" chain
-SecRule ARGS:email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/shop_display_products\.php\?cat_id=\'"
-
-#OpenBook "admin.php" Remote SQL Injection Vulnerability
-SecRule REQUEST_URI "/admin\.php" chain
-SecRule ARGS:userid "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|no\'\) or [0-9]/\*)"
-SecRule REQUEST_URI "/admin\.php" chain
-SecRule ARGS:password "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|no\'\) or [0-9]/\*)"
-
-#'web content management'Add admin user bypass vuln
-SecRule REQUEST_URI "/Admin/Users/AddModifyInput\.php"
-
-#Silvernews 2.0.3 command injection backdoor
-SecRule REQUEST_URI "/templates/tpl_global\.php\?command="
-SecRule REQUEST_URI "/templates/tpl_global\.php\?"
-
-#PortailPHP Index.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php\?affiche=Forum-read_mess&id=\'"
-
-#python namespace exposure with karrigell services
-SecRule REQUEST_URI|REQUEST_BODY ".*\.ks/.*\?\x22"
-SecRule REQUEST_URI|REQUEST_BODY ".*\.ks/(file|input|open|raw_input|reload|((s|g)et|del|has)attr|import|callable|compile|execfile|exec|globals)"
-
-#Flatnuke remote command vuln
-SecRule REQUEST_URI "/forum/users/.*\.php\?command="
-
-#Forum Russian Board (FRB) SQL injection vulns
-SecRule REQUEST_URI "/reply_in.php?subject_reply=.*&name_reply=.*\'"
-SecRule REQUEST_URI "(search_msg_us|view_profile.php)\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
-SecRule REQUEST_URI "/send_mail_user\.php" chain
-SecRule ARGS:id_mail "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
-SecRule REQUEST_URI "/(set|new|reply)\.php" chain
-SecRule ARGS:name_ig_array "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
-SecRule REQUEST_URI "/menu_header\.php" chain
-SecRule ARGS:table_sql "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
-SecRule REQUEST_URI "/registr_1\.php" chain
-SecRule ARGS:telephone "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
-
-#Owl Intranet Engine SQL injection
-SecRule REQUEST_URI "/browse\.php\?sess=.*parent=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#PHP-Fusion Messages.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/messages\.php\?msg_view=\'"
-
-#MySQL Eventum SQL injection
-SecRule REQUEST_URI "/login\.php" chain
-SecRule REQUEST_URI "cat=login&url=&email=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#phpIncludes News System SQL Injection Vulnerability
-SecRule REQUEST_URI "/news_change_category\.php" chain
-SecRule ARGS:category "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Comdev eCommerce File Inclusion Vulnerability
-SecRule REQUEST_URI "/config\.php\?path\[docroot\]=((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#honeypot
-SecRule REQUEST_URI "/write.php" chain
-SecRule ARGS:dir "(http|https|ftp)\:/"
-
-#Gravity Board X SQL injection vuln
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-#Gravity Board X command injection vulnerability
-SecRule REQUEST_URI "/editcss\.php\?" chain
-SecRule ARGS:csscontent "\</style\>\<\?php"
-
-#Open Bulletin Board SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(board|read|member)\.php" chain
-SecRule ARGS:FID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/(board|read|member)\.php" chain
-SecRule ARGS:TID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/(board|read|member)\.php" chain
-SecRule ARGS:UID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#XMB Forum 1.9.1 sql injection
-SecRule REQUEST_URI "/xmb\.php" chain
-SecRule ARGS:in "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Funkboard command injection vuln
-SecRule REQUEST_URI "/info\.php\?command="
-
-#honeypot catch
-SecRule REQUEST_URI "/forum/users/jimyhendrix\.php\?command="
-
-#XMB Forum sql injection
-SecRule REQUEST_URI "include/u2u\.inc\.php" chain
-SecRule ARGS:u2u_select "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#WordPress "cache_lastpostdate" PHP Code Insertion
-SecRule ARGS:cache_lastpostdate "<\?php"
-
-#honeypot
-SecRule REQUEST_URI "/lib\.php\?root=(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "/index\.php\?(content|menu)=(http|https|ftp)\:/"
-
-#PHPTB Topic Boards 2.0 sql injection vulnerability
-SecRule REQUEST_URI "/index\.php\?act=emailvalidate&mid=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#FreznoShop product_details.php id Variable SQL Injection
-SecRule REQUEST_URI "/product_details\.php" chain
-SecRule ARGS:id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#ECW Shop SQL injection
-SecRule REQUEST_URI "/index\.php\?c=.*&ctg=.*&id=.*&key=.*&comp=.*&min.*\'"
-
-#Mig Remote Cross-Site Scripting vuln
-SecRule REQUEST_URI "/index\.php\?currDir=.*[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#ezupload remote file inclusion vuln
-SecRule REQUEST_URI "(customize|initialize|form|index)\.php\?path=(http|https|ftp)\:/"
-
-#Dokeos Multiple Directory Traversal Vulnerabilities
-SecRule REQUEST_URI "/scorm/scormdocument\.php" chain
-SecRule REQUEST_URI "\.\."
-SecRule REQUEST_URI "/claroline/document/document\.php" chain
-SecRule ARGS:move_file "\.\."
-SecRule REQUEST_URI "/claroline/document/document\.php" chain
-SecRule ARGS:move_to "\.\."
-
-#PHPOpenChat Script Insertion Vulnerabilities
-SecRule REQUEST_URI "/(profile|profile_misc|mail)\.php" chain
-SecRule ARGS:title|ARGS:content|ARGS:motto|ARGS:subject "[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-# FunkBoard mysql_install.php Email Field Arbitrary PHP Code Injection
-SecRule REQUEST_URI "/mysql_install\.php" chain
-SecRule ARGS:Email "\<.*php"
-
-#phpPgAds SQL injection
-SecRule REQUEST_URI "/lib-view-direct\.inc\.php" chain
-SecRule ARGS:clientid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Honeypot catch
-SecRule REQUEST_URI "/guest\.php\?page=(http|https|ftp)\:/"
-
-#PHPTB "absolutepath" Arbitrary File Inclusion Vulnerability
-SecRule REQUEST_URI ".*\.php\?absolutepath=(http|https|ftp)\:/"
-
-#PHPFreeNews SQL Injection and Cross-Site Scripting
-SecRule REQUEST_URI "/SearchResults\.php" chain
-SecRule ARGS:Match|ARGS:CatID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#w-Agora "site" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php\?site=.*\x00"
-
-#Zorum prod.php Arbitrary Command Execution Vulnerability
-SecRule REQUEST_URI "/prod\.php\?argv\[.*\]=\|"
-
-#Zorum path disclosure
-SecRule REQUEST_URI "/gorum/(notification|trace|badwords|flood)\.php"
-SecRule REQUEST_URI "/zorum/(user|attach|blacklist|forum|globalstat)\.php"
-
-#Land Down Under SQL injection vulns
-SecRule REQUEST_URI "/forums\.php\?m=topics&s=\'"
-SecRule REQUEST_URI "/list\.php\?c=.*&s=.*&.*\'"
-SecRule REQUEST_URI "/list\.php\?c=.*&s=\'"
-SecRule REQUEST_URI "/links\.php\?c=.*&s=.*&w=\'"
-SecRule REQUEST_URI "/journal\.php?m=.*\'"
-SecRule REQUEST_URI "/forums\.php?filter=forums.*x='"
-SecRule REQUEST_URI "/forums\.php?m=.*\'"
-SecRule REQUEST_URI "/forums\.php?m=\'"
-
-#Woltlab Burning Board ModCP.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/modcp\.php\?action=post_del&x=\'"
-SecRule REQUEST_URI "/modcp\.php\?action=post_del&x.*\'"
-
-#Cacti graph_image.php Remote Command Execution
-SecRule REQUEST_URI "/graph_image\.php" chain
-SecRule ARGS:graph_start "x0a.+x0a"
-
-#AreaEdit SpellChecker Plugin Code Execution Vulnerability
-SecRule REQUEST_URI "/aspell_setup\.php" chain
-SecRule ARGS:dictionary "(\;|\|)"
-
-#WebCalendar "includedir" Arbitrary File Inclusion Vulnerability
-SecRule REQUEST_URI "/send_reminders\.php" chain
-SecRule ARGS:includedir "(\.\./|(http|https|ftp)\:/)"
-
-#PHPKit SQL Injection Vulnerabilities
-SecRule REQUEST_URI "login/imcenter\.php" chain
-SecRule ARGS:im_receiver "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "login/member\.php" chain
-SecRule ARGS:letter "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Netquery "host" Parameter Arbitrary Command Execution
-SecRule REQUEST_URI "/nquser\.php" chain
-SecRule ARGS:host "\|"
-
-#SaveWebPortal include PHP scripts vuln
-SecRule REQUEST_URI "admin/PhpMyExplorer/editerfichier\.php\?chemin=\.&fichier=header\.php&type=Source"
-
-#SaveWebPortal remote/local file inclusion vuln
-SecRule REQUEST_URI "menu_dx\.php" chain
-SecRule ARGS:SITE_Path "(\.\./|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "menu_sx\.php" chain
-SecRule ARGS:CONTENTS_Dir "(\.\./|(http|https|ftp)\:/)"
-
-#RunCMS SQL Injection Vulnerabilities
-SecRule REQUEST_URI "newbb_plus/newtopic\.php\?forum=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "newbb_plus/print\.php\?msgid=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*&op="
-SecRule REQUEST_URI "newbb_plus/(edit|reply)\.php\?forum=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*post_id=.*&topic_id=.*&viewmode=.*&order=.*"
-
-#honeypot catch
-SecRule REQUEST_URI "/index\.php\?page=(http|https|ftp)\:/"
-
-#PostNuke "show" Parameter SQL Injection Vulnerability
-SecRule REQUEST_URI "modules/Downloads/dl-viewdownload\.php" chain
-SecRule ARGS:show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-# PaFileDB cookie SQL injection
-SecRule REQUEST_URI "/pafiledb\.php\?action=admin" chain
-SecRule REQUEST_COOKIES:pafiledbcookie ".*((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)|union.*select.*[0-9]+\,[0-9]+\,\'.*pass)"
-
-#Looking Glass v20040427 arbitrary commands execution
-SecRule REQUEST_URI "/lg\.php" chain
-SecRule REQUEST_URI "func=.*&ipv=.*&target.*\|"
-SecRule REQUEST_URI "/lg\.php" chain
-SecRule ARGS:target "\|"
-
-#probe.cgi remote file inclusion and command execution
-SecRule REQUEST_URI "/probe\.cgi\?olddat=(\||(http|https|ftp)\:/)"
-
-# phpMyAdmin XSS vulns
-SecRule REQUEST_URI "libraries/auth/cookie\.auth\.lib\.php" chain
-SecRule REQUEST_URI "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/error\.php" chain
-SecRule ARGS:error "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Looking Glass v20040427 XSS vulns
-SecRule REQUEST_URI "/(footer|header)\.php\?version\[.*\]=" chain
-SecRule REQUEST_URI "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpLDAPadmin welcome.php Arbitrary File Inclusion
-SecRule REQUEST_URI "/welcome\.php\?custom_welcome_page=(http|https|ftp)\:/"
-
-#Simple PHP Blog comment_delete_cgi.php Arbitrary File Deletion
-SecRule REQUEST_URI "/comment_delete_cgi\.php" chain
-SecRule ARGS:comment "(/|\.\.|config/password\.txt)"
-
-#nested URL tags exploit for some BBcode implementations
-SecRule REQUEST_URI ".*\.php" chain
-SecRule REQUEST_BODY|ARGS "\[url=\[url="
-
-#AutoLinks Pro "alpath" File Inclusion Vulnerability
-SecRule REQUEST_URI "/al_initialize\.php" chain
-SecRule ARGS:alpath "(ftp|http|https)\:/"
-
-#Simple PHP Blog Image File Upload Vulnerability
-SecRule REQUEST_URI "/upload_img_cgi\.php" chain
-SecRule REQUEST_BODY|ARGS "\.php"
-
-#phpWebNotes Include File Error in 'php_api.php'
-SecRule REQUEST_URI "/api\.php\?t_path_core=(http|https|ftp)\:/"
-
-#FlatNuke "id" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id "(http|https|.ftp)\:/"
-
-#CMS Made Simple File Inclusion
-SecRule REQUEST_URI "admin/lang\.php.*nls\[file\]\[vx\]\[vxsfx\].*(http|https|.ftp)\:/"
-
-#Phorum "Username" Script Insertion Vulnerability
-SecRule REQUEST_URI "register\.php" chain
-SecRule ARGS:Username "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Test CGI probe
-SecRule REQUEST_URI|REQUEST_BODY "/test-cgi HTTP\/(0\.9|1\.0|1\.1)$"
-
-#Annoying Cisco IOS HTTP configuration probe attempts
-SecRule REQUEST_URI "/level/[0-9]+/exec/-/+pwd"
-
-#myBloggie "username" SQL Injection Vulnerability
-SecRule REQUEST_URI "/login\.php" chain
-SecRule ARGS:username "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#PBLang <= 4.65 remote commands exec exploit sig
-SecRule REQUEST_URI|REQUEST_BODY "Content-Length:.*user=.*pass=.*pass2=.*oldpass=.*loc.*(\x22|system)"
-
-#man2web cgi-scripts remote command spawn
-SecRule REQUEST_URI "/(man-cgi|man2web|man2html)" chain
-SecRule REQUEST_URI "\x20"
-SecRule REQUEST_URI "/(man-cgi|man2web|man2html)" chain
-SecRule REQUEST_URI "\|"
-
-#SimplePHPBplog vulns
-SecRule REQUEST_URI "/comment_delete_cgi\.php\?y=.*&m=.*&comment.*(/|\.\.)"
-SecRule REQUEST_URI "/comment_delete_cgi\.php\?.*/config/password\.txt"
-SecRule REQUEST_URI "/images/reset\.php"
-SecRule REQUEST_URI "/images/cmd\.php\?cmd="
-SecRule REQUEST_URI "/upload_img_cgi.php" chain
-SecRule REQUEST_BODY "(Content.*\.php|cmd\.php|reset\.php)"
-SecRule REQUEST_URI "/install03_cgi\.php\?blog_language=english.*[A-Z|a-z|0-9]"
-SecRule REQUEST_URI|REQUEST_BODY "<hr+><pre>.*Command\: [A-Z|a-z|0-9|\w].*pre><hr"
-
-#aMember Pro "config['root_dir']" Remote File Inclusion Vulnerabilities
-SecRule REQUEST_URI "(/db/mysql/mysql|payment|/efsnet/efsnet|theinternetcommerce/theinternetcommerce|/cdg/cdg|compuworld/compuworld|directone/directone|authorize_aim/authorize_aim|beanstream/beanstream|echo/config|/eprocessingnetwork/eprocessingnetwork|eway/eway|linkpoint/linkpoint|logiccommerce/logiccommerce|netbilling/netbilling|payflow_pro/payflow_pro|paymentsgateway/paymentsgateway|payos/payos|payready/payready|plugnplay/plugnplay)\.inc\.php\?config\[root_dir\]=(http|https|ftp):/"
-SecRule REQUEST_URI "(/db/mysql/mysql|payment|/efsnet/efsnet|theinternetcommerce/theinternetcommerce|/cdg/cdg|compuworld/compuworld|directone/directone|authorize_aim/authorize_aim|beanstream/beanstream|echo/config|/eprocessingnetwork/eprocessingnetwork|eway/eway|linkpoint/linkpoint|logiccommerce/logiccommerce|netbilling/netbilling|payflow_pro/payflow_pro|paymentsgateway/paymentsgateway|payos/payos|payready/payready|plugnplay/plugnplay)\.inc\.php" chain
-SecRule REQUEST_URI "(http|https|ftp):/"
-SecRule REQUEST_URI "\.inc\.php\?config\[root_dir\]=(http|https|ftp):/"
-
-#CuteNews Input Validation Hole
-SecRule REQUEST_URI "/cute/data/flood\.db\.php"
-
-#DeluxeBB SQL injection
-SecRule REQUEST_URI "community/index\.php\?limit=\'"
-
-
-#honeypoit
-SecRule REQUEST_URI "/admin_module_deldir\.php\?config\[.*\]=(http|https|ftp)\:/"
-
-#honeypot catch
-SecRule REQUEST_URI "/view\.php\?inc=(http|https|ftp)\:/"
-
-#Alkalay contribute "template" Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/contribute\.pl" chain
-SecRule ARGS:template "\|"
-SecRule REQUEST_URI "/contribute\.pl.*\|"
-
-#Alkalay man-cgi "topic" Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/man-cgi\.cgi"
-SecRule ARGS:topic "\|"
-SecRule REQUEST_URI "/man-cgi\.cgi.*\|"
-
-#Alkalay notify "from" Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/notify\.cgi" chain
-SecRule ARGS:from "\|"
-SecRule REQUEST_URI "/notify\.cgi.*\|"
-
-#Alkalay nslookup Shell Command Injection Vulnerabilities
-SecRule REQUEST_URI "/nslookup\.cgi" chain
-SecRule ARGS:type|ARGS:queryARGS:ns "\|"
-SecRule REQUEST_URI "/nslookup\.cgi.*\|"
-
-#Simplog SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/archive\.php" chain
-SecRule ARGS:pid|ARGS:blogid|ARGS:cid|ARGS:m "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/blogadmin\.php" chain
-SecRule ARGS:blogid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#vbulletin vulnerabilities, SQL injection
-SecRule REQUEST_URI "/joinrequests\.php" chain
-SecRule REQUEST_URI "do=processjoinrequests&usergroupid=.*&request.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/user\.php" chain
-SecRule REQUEST_URI "do=find&orderby=username&limit.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/(usertitle|usertools)\.php" chain
-SecRule REQUEST_URI "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/modcp/announcement\.php" chain
-SecRule REQUEST_URI "do=update&announcementid=.*&start=.*&end=.*&announcement.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/admincalendar\.php" chain
-SecRule REQUEST_URI "do=update&calendarid=.*&calendar\[.*\]=.*&calendar.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/email\.php" chain
-SecRule REQUEST_URI "do=makelist&user\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/help\.php" chain
-SecRule REQUEST_URI "do=doedit&help\[.*\]=.*&help\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "admincp/language\.php" chain
-SecRule REQUEST_URI "do=update&rvt\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/phrase\.php" chain
-SecRule REQUEST_URI "do=completeorphans&keep\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#PHP Advanced Transfer Manager Multiple Vulnerabilities
-SecRule REQUEST_URI "/(txt|htm|html|zip)\.php" chain
-SecRule ARGS:current_dir|ARGS:filename "\.\."
-SecRule REQUEST_URI "/txt\.php" chain
-SecRule ARGS:font|ARGS:normalfontcolor|ARGS:mess\[31\] "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpCommunityCalendar SQJ injection Vulnerabilities
-SecRule REQUEST_URI "/webadmin/login\.php" chain
-SecRule ARGS:Username "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/week\.php" chain
-SecRule ARGS:LocationID "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#MyBulletinBoard SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/misc\.php" chain
-SecRule ARGS:fid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/newreply\.php" chain
-SecRule ARGS:icon "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#WEB//NEWS SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/modules/startup\.php" chain
-SecRule ARGS:wn_userpw "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "include_this/news\.php" chain
-SecRule ARGS:cat|ARGS:id|ARGS:stof "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/print\.php" chain
-SecRule ARGS:id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#PBLang Local File Inclusion and PHP Code Injection
-SecRule REQUEST_URI "/setcookie.php" chain
-SecRule ARGS:u "\.\."
-SecRule REQUEST_URI "/ucp\.php" chain
-SecRule REQUEST_URI "\""
-
-#mimicboard2 Exposure of User Credentials
-SecRule REQUEST_URI "/mimic2\.dat"
-
-#Mall23 eCommerce "idPage" SQL Injection Vulnerability
-SecRule ARGS:idPage "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#PHP-Nuke SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/modules\.php" chain
-SecRule ARGS:name|ARGS:sid|ARGS:pid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#Subscribe Me Pro "l" Parameter Directory Traversal Vulnerability
-SecRule REQUEST_URI "/s\.pl" chain
-SecRule ARGS:l "\.\."
-
-#TWiki "rev" Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/TWikiUsers" chain
-SecRule ARGS:rev "![0-9]+"
-SecRule REQUEST_URI "/TWikiUsers\?rev=.*(\'|\|)"
-
-#DeluxeBB SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/topic\.php\?tid.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/misc\.php\?sub=profile&uid.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/forums\.php\?fid=.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/pm\.php\?sub=newpm&uid=.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/newpost\.php\]?sub=newthread&fid=.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#Noah's Classified SQL Injection and Cross-Site Scripting
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:rollid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"
-
-#AzDGDatingLite "l" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/include/security\.inc\.php" chain
-SecRule ARGS:l "(\.\.|/)"
-
-#ATutor Password Reminder SQL Injection Vulnerability
-SecRule REQUEST_URI "/password_reminder\.php" chain
-SecRule REQUEST_URI "email.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/password_reminder\.php.*form_email=.+UNION\s+SELECT"
-
-#Digital Scribe "username" SQL Injection
-SecRule REQUEST_URI "/login\.php" chain
-SecRule ARGS:username "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#aeDating "Country[]" SQL Injection Vulnerability
-SecRule REQUEST_URI "/search_result.php" chain
-SecRule ARGS:Country\[\] "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#NooToplist "o" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:o "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#HTTP header PHP code injection attacks
-SecRule HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
-
-#phpWebSite SQL-injection
-SecRule REQUEST_URI "/index\.php\?module=\x27\+union\+select\+username\,password\+from\+mod_users\+where\+username="
-
-#HP-Nuke <=7.8 SQL injection exploit
-SecRule REQUEST_URI "/modules\.php" chain
-SecRule ARGS:name= "\'.*UNION.*SELECT.*FROM.*users.*WHERE.*user_id=.*AND"
-
-#My Little Forum 1. SQL injection
-SecRule REQUEST_URI "/search\.php\?search.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw).*&ao=phrase"
-
-#Interchange Catalog Skeleton SQL Injection and ITL Injection Vulnerabilities
-SecRule REQUEST_URI "pages/forum/submit.html" chain
-SecRule REQUEST_URI "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\[include\])"
-
-#Ikonboard "st" and "keywords" SQL Injection Vulnerability
-SecRule REQUEST_URI "/ikonboard\.cgi" chain
-SecRule ARGS:st|ARGS:keywords "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#ikonboard arbitary file access
-SecRule REQUEST_URI "/help\.cgi\?helpon=\.\./"
-
-#Ikonboard remote file includion
-SecRule REQUEST_URI "/register\.cgi" chain
-SecRule REQUEST_URI|ARGS "(http|https|ftp)\:/"
-
-#IkonBoard 3.1.1/3.1.2a arbitrary command execution
-SecRule REQUEST_URI "/ikonboard\.cgi" chain
-SecRule REQUEST_COOKIES:lang "\|"
-
-#phpMyFAQ vulns
-SecRule REQUEST_URI "/index\.php\?LANGCODE=/\.\."
-SecRule REQUEST_URI "/admin/password\.php" chain
-SecRule REQUEST_URI|ARGS "(user\: \' or isnull\(1/0\)|mail\:)"
-SecRule REQUEST_URI "/footer\.php\?PMF_CONF\[version\].*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/admin/header\.php\?PMF_LANG\[metaLanguage\].*(\"|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"
-
-#Riverdark RSS Syndicator XSS attack
-SecRule REQUEST_URI "/rss\.php\?(forum|topic).*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#ContentServ "ctsWebsite" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/admin/about\.php" chain
-SecRule ARGS:ctsWebsite "\.\."
-
-#AlstraSoft E-Friends "mode" File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:mode "(\.\.|/|(http|https|ftp)\:/)"
-
-#SEO-Board SQL Injection Vulnerability
-SecRule REQUEST_URI "/(admin|index)\.php" chain
-SecRule ARGS:user_pass_sha1 "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#CJ LinkOut "123" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/top\.php" chain
-SecRule ARGS:123 "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#jPortal Download Search SQL Injection Vulnerability
-SecRule REQUEST_URI "/download\.php" chain
-SecRule ARGS:word "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#CJ Tag Board Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/details\.php" chain
-SecRule ARGS:date|ARGS:time|ARGS:name|ARGS:ip|ARGS:agent "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/display\.php" chain
-SecRule ARGS:msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#CJ Web2Mail Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/thankyou\.php" chain
-SecRule ARGS:message|ARGS:ip|ARGS:name "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/web2mail\.php" chain
-SecRule ARGS:emsg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#postnuke Local file inclusion via GeSHi library
-SecRule REQUEST_URI "/modules/pn_bbcode/pnincludes/contrib/example\.php"
-
-#TWiki "%INCLUDE" Shell Command Injection Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "INCLUDE.*rev=.*\|.*\}"
-
-#Barracuda Anti-spam firewall IMG.PL Remote Command Execution
-SecRule REQUEST_URI "/img\.pl\?f=(\x2e\x2e|\;|\.\.|qq\#|\|)"
-
-#PHP-Fusion "msg_send" SQL Injection Vulnerability
-SecRule REQUEST_URI "/messages\.php" chain
-SecRule ARGS:msg_send "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT user_password FROM fusion_users WHERE user_name|\')"
-
-#SquirrelMail Address Add Plugin "first" Cross-Site Scripting
-SecRule REQUEST_URI "/add\.php" chain
-SecRule ARGS:first "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#honeypot
-SecRule REQUEST_URI "/tiki-view_forum_thread\.php\?forumid.*=(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "/upgrade_album\.php\?GALLERY_BASEDIR=(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "/index\.php\?page=\|"
-
-#MediaWiki Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI|REQUEST_BODY "\<(math|nowiki)\.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#honeypot
-SecRule REQUEST_URI "/modules\.php\?op=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/modules\.php\?op=.*&name=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/modules\.php\?op=.*&name=.*file=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/modules\.php\?op=.*&name=.*file=.*sid=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/view\.php\?cat=.*(http|https|ftp)\:/"
-
-#PHP-Fusion "album" and "photo" SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/photogallery\.php" chain
-SecRule ARGS:album|ARGS:photo "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#honeypot
-SecRule REQUEST_URI "/forumpollrenderer\.php\?bbPath\[.*\]=(http|https|ftp)\:/"
-
-#phorum spam rules
-SecRule ARGS:PHORUM_CONFIG "(@|(http|https|ftp)\:/)"
-
-#osCommerce "products_id" Additional Images Module SQL Injection
-SecRule REQUEST_URI "/product_info\.php" chain
-SecRule ARGS:products_id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#PHP-Fusion SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/register\.php" chain
-SecRule ARGS:activate "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/faq\.php" chain
-SecRule ARGS:cat_id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#Utopia News Pro 1.1.3 SQL injection
-SecRule REQUEST_URI "/news\.php\?action=.*&newsid=" chain
-SecRule REQUEST_URI|ARGS "(UNION.*SELECT.*username,password,null,email,null|(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,])"
-SecRule REQUEST_URI "/news\.php" chain
-SecRule ARGS:newsid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION.*SELECT.*username,password,null,email,null)"
-
-#wormsign
-SecRule REQUEST_URI|REQUEST_BODY "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"
-
-#Utopia News Pro Cross-Site Scripting
-SecRule REQUEST_URI "/header\.php" chain
-SecRule ARGS:sitetitle "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/footer\.php" chain
-SecRule ARGS:query_count|ARGS:version "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpMyAdmin "subform" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
-SecRule ARGS:subform "(/|\.\.|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
-SecRule ARGS "(?:/|\.\.|(http|https|ftp)\:/)"
-
-
-#Cyphor Cross-Site Scripting and SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/newmsg\.php" chain
-SecRule ARGS:fid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/lostpwd\.php" chain
-SecRule ARGS:email|ARGS:nick "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/include/footer\.php" chain
-SecRule ARGS:t_login "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpbb wormsign
-SecRule REQUEST_URI|REQUEST_BODY "echo _GHC/RST_"
-
-#versatileBulletinBoard 1.00 RC2 sql injection
-SecRule REQUEST_URI "/userlistpre\.php\?list=\'"
-
-#honeypot
-SecRule REQUEST_URI "/BlogModel\.php\?path=(http|https|ftp)\:/"
-
-#YaPiG Multiple Vulnerabilities
-SecRule ARGS:Website "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/view\.php" chain
-SecRule ARGS:img_size "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule ARGS:title "<.*php .*php*\>"
-
-#honeypot
-SecRule REQUEST_URI "/guest\.php\?name=.*web=.*homepage=.*home=&phone="
-
-#W-Agora Remote commands execution
-SecRule REQUEST_URI "extras/quicklist\.php\?fake.*(<\?|\;system)"
-SecRule REQUEST_URI "avatars/suntzu\.php\?suntzu="
-SecRule REQUEST_URI "extras/quicklist\.php\?suntzu="
-SecRule REQUEST_URI "/browse_avatar\.php" chain
-SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
-SecRule REQUEST_BODY "\<\?php" chain
-SecRule REQUEST_BODY "\?>"
-
-#PHPBB remote command execution SQL injection step
-SecRule REQUEST_URI "/admin_db_utilities\.php\?sid=.*(ALTER TABLE.*VARCHAR.*NOT NULL|DELETE FROM.*WHERE style_name=|SELECT .*passthru.*FROM.*users LIMIT 1 INTO OUTFILE)"
-SecRule REQUEST_URI "/theme_info\.cfg"
-
-#honeypot
-SecRule REQUEST_URI "/item\.php\?pathtoroot=(http|https|ftp)\:/"
-
-#PunBB "old_searches" SQL Injection Vulnerability
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:old_searches "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#W-Agora Local File Inclusion
-SecRule REQUEST_URI "/extras/quicklist\.php" chain
-SecRule ARGS:site "(/|\.\./\.\.)"
-
-#Gallery "g2_itemId" Disclosure of Sensitive Information
-SecRule REQUEST_URI "/main\.php" chain
-SecRule ARGS:g2_itemId "(/|\.\./\.\.)"
-
-#e107 0.617 resetcore.php SQL Injection
-SecRule REQUEST_URI "/resetcore\.php" chain
-SecRule REQUEST_BODY|ARGS|REQUEST_URI "(\'or isnull|siteadmin=suntzu&siteadminemail=fakefakefake@suntzu\.com|a_password=d41d8cd98f00b204e9800998ecf8427e)"
-
-#e107 "a_name" SQL Injection Vulnerability
-SecRule REQUEST_URI "/resetcore\.php" chain
-SecRule ARGS:a_name "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-
-#honeypot
-SecRule REQUEST_URI "/main\.php\?x=(http|https|ftp)\:/"
-
-# MySource PEAR_PATH Remote File Inclusion
-SecRule REQUEST_URI "/(socket|span|request|mimeDecode|mime|mail|date)\.php" chain
-SecRule ARGS:PEAR_PATH "(http|https|ftp)\:/"
-SecRule REQUEST_URI "/new_upgrade_functions\.php" chain
-SecRule ARGS:INCLUDE_PATH|ARGS:SQUIZLIB_PATH "(http|https|ftp)\:/"
-SecRule REQUEST_URI "/init_mysource\.php" chain
-SecRule ARGS:INCLUDE_PATH "(http|https|ftp)\:/"
-
-#MySource XSS
-SecRule REQUEST_URI "/upgrade_in_progress_backend.php?target_url=\">"
-SecRule REQUEST_URI "/insert_table\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/edit_table_cell_props\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/header\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/edit_table_row_props\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/edit_table_props\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/edit_table_cell_type_wysiwyg.php?stylesheet=\">"
-
-#Chipmunk Topsites "ID" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/recommend\.php" chain
-SecRule ARGS:ID|ARGS:entryID "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Chipmunk Forum "forumID" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/(newtopic|quote|index|reply)\.php" chain
-SecRule ARGS:ForumID "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#PHP-Nuke NukeFixes Addon "file" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/modules\.php" chain
-SecRule ARGS:files "\.\./"
-
-#ManageEngine NetFlow Analyzer "grDisp" Cross-Site Scripting
-SecRule REQUEST_URI "/index\.jsp" chain
-SecRule ARGS:grDisp "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#IBM Lotus Domino XSS attempts
-SecRule REQUEST_URI "OpenForm.*/BaseTarget=.*\""
-SecRule REQUEST_URI "OpenFrameSet.*/src=.*\"><\/FRAMESET>.*<script>.*<\/script>"
-
-#HP OpenView Network Node Manager Remote Command Execution Attempt
-SecRule REQUEST_URI "/OvCgi/connectedNodes\.ovpl\?" chain
-SecRule ARGS:node "\|"
-
-#
-SecRule REQUEST_URI "/chat\.php" chain
-SecRule ARGS:Username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-
-#Zomplog Cross-Site Scripting and SQL Injection Vulnerabilities
-SecRule REQUEST_URI "detail\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-SecRule REQUEST_URI "/(get|index)\.php" chain
-SecRule ARGS:catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-
-#Basic Analysis and Security Engine SQL Injection Vulnerability
-SecRule REQUEST_URI "/base_qry_main\.php\?new=.*&sig\[.*\]=\x3D&sig\[.*\]=((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-
-#TClanPortal "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-SecRule REQUEST_URI "/index\.php\?action=.*id.*UNION.*SELECT.*id="
-
-#SaphpLesson "forumid" SQL Injection Vulnerability
-SecRule REQUEST_URI "/(showcat|add)\.php" chain
-SecRule ARGS:forumid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-
-#PHP-Nuke SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&url.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION SELECT)"
-SecRule REQUEST_URI "/modules\.php\?name=Web_Links&d_op=.*title=.*description.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#PHP-Fusion "news_body" Script Insertion Vulnerability
-SecRule REQUEST_URI "/submit\.php" chain
-SecRule ARGS:news_body "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#FlatNuke Cross-Site Scripting and Disclosure of Sensitive Information
-SecRule REQUEST_URI "/index\.php\?op=profile&user=\.\./"
-SecRule REQUEST_URI "/index\.php\?op=newtopic&mode=ris&quale=\.\./.*&page="
-SecRule REQUEST_URI "/index\.php\?op=.*&(user|nome|from)=*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Mantis File Inclusion
-SecRule REQUEST_URI "/bug_sponsorship_list_view_inc\.php\?t_core_path.*((http|https|ftp)\:/|\.\.)"
-
-#PHP iCalendar File Inclusion Vulnerability and XSS
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:phpicalendar "((http|https|ftp)\:/|\.\.)"
-SecRule REQUEST_URI "phpicalendar=.*cookie_view.*(http|https)\:/"
-
-#RSA ACE/Agent for Web "image" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/webauthentication\?GetPic\?image.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#honeypot
-SecRule REQUEST_URI "/tiki-view_cache\.php\?url=\.\./\.\."
-
-#Woltlab Burning Board Database Module SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/info_db\.php" chain
-SecRule ARGS:fileid|ARGS:subkatid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#gCards "limit" SQL Injection Vulnerability
-SecRule REQUEST_URI "/news\.php" chain
-SecRule ARGS:limit "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ATutor Multiple Vulnerabilities
-SecRule REQUEST_URI "/forum\.inc\.php\?addslashes.*(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)&(asc|desc)="
-SecRule REQUEST_URI "/(body_header\.inc|print)\.php\?section.*(/|\.\.)"
-SecRule REQUEST_URI "admin/translate\.php" chain
-SecRule ARGS:_base_href "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "include/html/editor_tabs/news\.inc\.php" chain
-SecRule ARGS:_base_path "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "documentation/add_note\.php" chain
-SecRule ARGS:p "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#PHP config recon attack
-SecRule REQUEST_URI "/php\.ini$"
-
-#saphp Lesson add.php forumid Variable SQL Injection
-SecRule REQUEST_URI "/(showcat|add)\.php\?forumid.*(UNION.*SELECT|\|)"
-
-# SaveWebPortal menu_dx.php and menu_sx.php Multiple Variable XSS
-SecRule REQUEST_URI "/menu_dx\.ph" chain
-SecRule ARGS:L_InsertCorrectly|ARGS:L_MENUDX_Login|ARGS:L_MENUDX_Username|ARGS:L_MENUDX_Password|ARGS:L_Ok|ARGS:IMAGES_Url|ARGS:L_MENUDX_Registration|ARGS:BANNER_Url|ARGS:L_MENUSX_Newsletter|ARGS:L_MENUDX_InsertEMail "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/menu_sx\.php" chain
-SecRule ARGS:L_InsertNOK3Char|ARGS:L_MENUSX_Channels|ARGS:L_MENUSX_Home|ARGS:L_MENUSX_Archive|ARGS:L_Search|ARGS:L_Ok|ARGS:IMAGES_Url|ARGS:L_MENUSX_Services|ARGS:L_MENUSX_Links|ARGS:L_MENUSX_Newsletter|ARGS:L_MENUSX_Polls|ARGS:L_MENUSX_ECards|ARGS:L_MENUSX_Downloads|ARGS:L_MENUSX_Community|ARGS:L_MENUSX_Forum|ARGS:L_MENUSX_Chat|ARGS:L_MENUSX_Nicknames|ARGS:L_MENUSX_Membership|ARGS:L_MENUSX_Login|ARGS:L_MENUSX_UserProfile|ARGS:L_MENUSX_PasswordForgot|ARGS:L_MENUSX_Logout|ARGS:L_MENUSX_Contacts|ARGS:L_MENUSX_Guestbook|ARGS:L_MENUSX_ContactUs "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpbb xss, sql injection and PHP code injection
-SecRule REQUEST_URI "usercp_register\.php" chain
-SecRule ARGS:error_msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "login\.php" chain
-SecRule ARGS:forward_page "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "search\.php" chain
-SecRule ARGS:list_cat "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "usercp_register\.php" chain
-SecRule ARGS:signature_bbcode_uid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule ARGS:signature_bbcode_uid "(<.*php|<php)"
-
-#honeypot
-SecRule REQUEST_URI "index\.php?x=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/classes\.php\?LOCAL_PATH=(http|https|ftp)\:/"
-
-#News2Net "category" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#eyeOS Script Insertion and Exposure of User Credentials
-SecRule REQUEST_URI "desktop\.php" chain
-SecRule ARGS:motd "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/usrinfo\.xml"
-
-#Invision Gallery "st" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:st "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#oaboard SQL Injection Vulnerabilities
-SecRule REQUEST_URI "forum\.php" chain
-SecRule ARGS:channel|ARGS:topic "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#honeypot
-SecRule REQUEST_URI "/main\.php\?\*=(http|https|ftp)\:/"
-
-#CuteNews "template" Local File Inclusion and remote code execution Vulnerabilities
-SecRule REQUEST_URI "/show_archives\.php" chain
-SecRule ARGS:template "(/|\.\.)"
-#cutenews shell injection vuln
-SecRule REQUEST_URI "/inc/ipban\.mdu" chain
-SecRule ARGS:add_ip "(php|system)"
-SecRule REQUEST_URI "/ipban\.db\.php\?cmd="
-
-
-#phpWebThings "forum" SQL Injection Vulnerability
-SecRule REQUEST_URI "/forum\.php" chain
-SecRule ARGS:forum "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#PHP Handicapper Multiple Vulnerabilities
-SecRule REQUEST_URI "/msg\.php" chain
-SecRule ARGS:msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/process_signup\.php" chain
-SecRule ARGS:login "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/process_signup\.php" chain
-SecRule ARGS:serviceid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Simple PHP Blog Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/preview(_cgi|_static_cgi)\.php" chain
-SecRule ARGS:entry "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "preview_cgi\.php" chain
-SecRule ARGS:blog_subject|ARGS:blog_text "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/preview_static_cgi\.php" chain
-SecRule ARGS:blog_subject|ARGS:blog_text|ARGS:file_name "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/colors_cgi\.php" chain
-SecRule ARGS:scheme_name|ARGS:bg_color "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#honeypot
-SecRule REQUEST_URI "tiki-pagehistory\.php\?page=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/uniq_login\.php\?login.*(http|https|ftp)\:/"
-SecRule REQUEST_URI "/viewtopic\.php\?t=.*&highlight=\'"
-
-#sumthin scan
-SecRule REQUEST_URI "/sumthin"
-
-#PHPKIT XSS Vulnerability
-SecRule REQUEST_URI "admin/admin\.php" chain
-SecRule ARGS:site_body "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#toendaCMS Disclosure of Sensitive Information
-SecRule REQUEST_URI "/admin\.php" chain
-SecRule ARGS:id_user "(\.\.|/|(http|https|ftp)\:/)"
-
-#Phorum "forum_ids[]" SQL Injection Vulnerability
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:forums_ids "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Tonio Gallery "galid" SQL Injection Vulnerability
-SecRule REQUEST_URI "/showgallery\.php" chain
-SecRule ARGS:galid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ibProArcade Module "user" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:user "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#XMB "username" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/u2u\.php" chain
-SecRule ARGS:username "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#tikiwiki XSS
-SecRule REQUEST_URI "/tiki-view_forum_thread\.php" chain
-SecRule ARGS:topics_sort_mode|ARGS:topics_offset "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
-
-#Tikiwiki tiki-user_preferences Command Injection Vulnerability
-SecRule REQUEST_URI "/tiki-user_preferences\.php" chain
-SecRule ARGS:language "(/|\.\.)"
-
-#Tikiwiki tiki-editpage Arbitrary File Exposure Vulnerability
-SecRule REQUEST_URI "/tiki-editpage\.php" chain
-SecRule ARGS:suck_url "(/|\.\.)"
-
-#phpAdsNew SQL Injection Vulnerability
-SecRule REQUEST_URI "/logout\.php" chain
-SecRule ARGS:sessiodID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Moodle "datalib.php" Remote SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(datalib|category|info)\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/plot\.php" chain
-SecRule ARGS:user "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#honeypot
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:Config_absolute_path|ARGS:configFile "(http|https|ftp)\:/"
-SecRule REQUEST_URI "/error\.php\?dir=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/common\.php\?pun_root=(http|https|ftp)\:/"
-SecRule REQUEST_URI "tiki-wiki_rss\.php\?ver=.*(http|https|ftp)\:/"
-
-#Winmail Server Multiple Vulnerabilities
-SecRule REQUEST_URI "admin/main\.php" chain
-SecRule ARGS:sid "\.\./\.\."
-SecRule REQUEST_URI "badlogin\.php" chain
-SecRule ARGS:retid "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
-
-#Pearl Forums SQL Injection and Local File Inclusion Vulnerabilities
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:forumsid|ARGS:topicid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:mode "(\.\./\.\.|/)"
-
-#Peel "rubid" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:rubid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#CodeGrrl Products "siteurl" File Inclusion Vulnerability
-SecRule REQUEST_URI "protection\.php" chain
-SecRule ARGS:siteurl "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#Wizz Forum Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "ForumauthDetails\.php" chain
-SecRule ARGS:AuthID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "ForumTopicDetails\.php" chain
-SecRule ARGS:TopicID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#iCMS "page" File Inclusion Vulnerability
-SecRule REQUEST_URI "ForumauthDetails\.php" chain
-SecRule ARGS:page "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "editor_registry\.php" chain
-SecRule REQUEST_URI "xoopsConfig\[language\].*(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#PollVote "pollname" File Inclusion Vulnerability
-SecRule REQUEST_URI "pollvote\.php" chain
-SecRule ARGS:pollname "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#Xoops WF-Downloads Module "list" SQL Injection Vulnerability
-SecRule REQUEST_URI "viewcat\.php" chain
-SecRule ARGS:list "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#phpwcms Disclosure of Sensitive Information and Cross-Site Scripting
-SecRule REQUEST_URI "login\.php" chain
-SecRule ARGS:form_lang "(\.\./\.\.|/|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "random_image\.php" chain
-SecRule ARGS:imgdir "\.\./\.\."
-
-#OnContent // CMS "pid" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:pid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Mambo "register_globals" Emulation Layer Overwrite Vulnerability
-#Mambo <= 4.5.2 Globals overwrite / remote commands execution
-SecRule ARGS:mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "id:390075,rev:1,severity:2,msg:'JITP: Generic mosConfig_absolute_path File Inclusion Vulnerability'"
-SecRule REQUEST_URI "\.php\?.*mosConfig_absolute_path=(http|https|ftp)\:\/" "id:390076,rev:1,severity:2,msg:'JITP: Generic mosConfig_absolute_path File Inclusion Vulnerability'"
-
-
-#Arki-DB "catid" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#EkinBoard 1.0.3 config.php SQL Injection through cookie
-SecRule REQUEST_COOKIES:username "or isnull\(1"
-SecRule REQUEST_URI "&activate=1&allow_attch=1&attch_exts=.*php&.*attch_max_size="
-SecRule REQUEST_URI "attachments/suntzu.*\?cmd="
-
-#HPWebThings 1.4 "msg" and "forum" SQL injection
-SecRule REQUEST_URI "forum\.php\?act=.*&msg.*UNION.*SELECT.*(name|password|outfile).*forum="
-SecRule REQUEST_URI "forum\.php\?forum=.*UNION.*SELECT.*(name|password|outfile)"
-SecRule REQUEST_URI "forum\.php\?act=.*&forum.*UNION.*SELECT.*ORD"
-
-#phpnuke query sql injection
-SecRule REQUEST_URI "modules\.php" chain
-SecRule ARGS:query "(\'|UNION.*SELECT)"
-
-#Cyphor Forum SQL Injection Exploit
-SecRule REQUEST_URI "show\.php" chain
-SecRule ARGS:id|ARGS:fid "(\'|UNION.*SELECT)"
-
-#OTRS vulnerabilities, SQL injection and XSS
-SecRule REQUEST_URI "/index\.pl\?Action=(Login&User|AgentTicketPlain&(ArticleID|TicketID))=.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/index\.pl\?(QueueID|Action)=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Omnistar Live SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/kb\.php" chain
-SecRule ARGS:id|ARGS:category_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Ezyhelpdesk Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/\?mid=.*&m2id=.*page=.*(faq_id|c_id).*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/\?edit=spec_view&edit_id.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#1-2-3 Music Store "AlbumID" SQL Injection Vulnerability
-SecRule REQUEST_URI "/process\.php" chain
-SecRule ARGS:AlbumID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#PHP Labs Top Auction SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/viewcat\.php" chain
-SecRule ARGS:category|ARGS:type "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#PHP Labs Survey Wizard "sid" SQL Injection Vulnerability
-SecRule REQUEST_URI "/survey\.php" chain
-SecRule ARGS:sid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#AFFCommerce Shopping Cart Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/subcategory\.php" chain
-SecRule ARGS:cl "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/(iteminfo|itemreview)\.php" chain
-SecRule ARGS:item_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#WSN Forum "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/memberlist\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Tunez SQL Injection and Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/songinfo\.php" chain
-SecRule ARGS:songid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:searchfor "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-# PmWiki 2.0.12 Cross Site Scripting
-SecRule REQUEST_URI "/Search\?action=search.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#PHP-Post Cross-Site Scripting
-SecRule REQUEST_URI "/(profile|mail)\.php" chain
-SecRule ARGS:user "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#CommodityRentals "user_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/usersession" chain
-SecRule ARGS:userid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Joomla! mod_poll SQL Injection
-SecRule REQUEST_URI "/mod_poll" chain
-SecRule ARGS:itemid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Advanced Poll "popup.php" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/popup\.php" chain
-SecRule ARGS:poll_ident "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#PHP-Fusion SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/options\.php" chain
-SecRule ARGS:forum_id|ARGS:thread_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/(viewforum|index)\.php" chain
-SecRule ARGS:lastvisted "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#phpComasy "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#honeypot
-SecRule REQUEST_URI "_head\.php\?_zb_path=(http|https|ftp)\:/"
-
-#vTiger code inclusion attack
-SecRule REQUEST_URI "/vtigercrm\.log"
-
-#Comdev Vote Caster "campaign_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:campaign_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Softbiz Web Host Directory Script SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(search_result|browsecats)\.php" chain
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/review\.php" chain
-SecRule ARGS:sbres_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/email\.php" chain
-SecRule ARGS:h_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Nicecoder iDesk "cat_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/faq\.php" chain
-SecRule ARGS:cat_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#IsolSoft Support Center SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:field|ARGS:lorder "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#AgileBill "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/\?_page=product_cat\:t_" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ActiveCampaign SupportTrio "page" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:page "(\.\./\.\.|/(etc|tmp|var)|(http|https|ftp)\:/)"
-
-#sNews "index.php" SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id|ARGS:category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Online Work Order Suite Lite Edition SQL Injection Vulnerability
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:keyword "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#phpWordPress SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:poll|ARGS:category|ARGS:ctg "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Pdjk-support Suite Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:news_id|ARGS:faq_id|ARGS:rowstart "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-# freeForum 1.x "cat" and "thread" SQL inj.
-SecRule REQUEST_URI "/forum\.php" chain
-SecRule ARGS:cat|ARGS:thread "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ActiveCampaign KnowledgeBuilder SQL Injection
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:article "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Helpdesk Issue Manager SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/issue\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/find\.php" chain
-SecRule ARGS:orderdir|ARGS:orderby "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/find\.php" chain
-SecRule REQUEST_URI "detail\[\].*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Q-News "id" File Inclusion Vulnerability
-SecRule REQUEST_URI "/q-news\.php" chain
-SecRule ARGS:id "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#ADC2000 NG Pro "cat" SQL Injection Vulnerability
-SecRule REQUEST_URI "/adcbrowres\.php" chain
-SecRule ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Enterprise Connector "messageid" SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/send\.php" chain
-SecRule ARGS:messageid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Softbiz Resource Repository Script SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/showcats\.php" chain
-SecRule ARGS:sbcat_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/(details_res|refer_friend|report_link)\.php" chain
-SecRule ARGS:sbres_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#PHP Doc System Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:show "(\.\./\.\.|/)"
-
-#Netzbrett "p_entry" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:pentry "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ShockBoard "offset" SQL Injection Vulnerability
-SecRule REQUEST_URI "/topic\.php" chain
-SecRule ARGS:offset "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#K-Search SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id|ARGS:stat|ARGS:source "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#AllWeb Search "search" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:search "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Simple Document Management System SQL Injection Vulnerability
-SecRule REQUEST_URI "/message\.php" chain
-SecRule ARGS:mid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/list\.php" chain
-SecRule ARGS:folder_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-# edmoBBS SQL inj. vuln.
-SecRule REQUEST_URI "/edmobbs9r\.php" chain
-SecRule ARGS:table|ARGS:messageID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Joels Bulletin Board SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/topiczeigen\.php" chain
-SecRule ARGS:nr "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/(showforum|newtopic)\.php" chain
-SecRule ARGS:forum "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/showforum\.php" chain
-SecRule ARGS:zeigeseite "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/neuerbeitrag\.php" chain
-SecRule ARGS:tidnr "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#UGroup Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/forum\.php" chain
-SecRule ARGS:FORUM_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/topic\.php" chain
-SecRule ARGS:TOPIC_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Fantastic News "category" SQL Injection Vulnerability
-SecRule REQUEST_URI "/news\.php" chain
-SecRule ARGS:category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ClientExec Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:billshowid|ARGS:billdetailid|ARGS:frmClientID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Entergal MX SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:idcat|ARGS:action "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#GuppY PHP Code Injection and Local File Inclusion Vulnerabilities
-SecRule REQUEST_URI "/error\.php" chain
-SecRule REQUEST_URI "_SERVER\[REMOTE_ADDR\].*(php|system\()"
-SecRule REQUEST_URI "/editorTypetool\.php" chain
-SecRule ARGS:meskin "(\.\./\.\.|/|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/(archbatch|nwlmail)\.php" chain
-SecRule ARGS:lng "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#DMANews Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id|ARGS:sortorder|ARGS:display_num "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#BosDates SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/calendar\.php" chain
-SecRule ARGS:year|ARGS:category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Post Affiliate Pro "sortorder" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:sortorder "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#BedengPSP Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(index|download)\.php" chain
-SecRule ARGS:cwhere "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/baca\.php" chain
-SecRule ARGS:ckode "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#randshop SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:kategorieid|ARGS:katid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#SourceWell "cnt" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:cnt "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#phpGreetz Include File Bug
-SecRule REQUEST_URI "/content\.php" chain
-SecRule ARGS:content "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#Athena Include File Bug
-SecRule REQUEST_URI "/athena\.php" chain
-SecRule ARGS:athena_dir "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#Athena Include File Bug vulns
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:module "\.\./"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule REQUEST_URI "Users\&Action.*templatename.*/"
-SecRule REQUEST_URI "/index\.php\?module=uploads&action=add2db" chain
-SecRule REQUEST_URI|REQUEST_BODY "\.php"
-
-#Fake gif file shell attacvk
-SecRule HTTP_Content-Type "image/gif"
-SecRule REQUEST_BODY "chr\("
-
-#bogus graphics file
-SecRule HTTP_Content-Disposition "\.php" chain
-SecRule HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
-
-#Post Affiliate Pro "sortorder" Remote SQL Injection and Arbitrary File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:md "(\.\./\.\.|/)"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:sortorder "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#EkinBoard 1.0.3 (config.php) SQL Injection / Command Execution
-SecRule REQUEST_URI "/(index|viewforum|newtopic)\.php" chain
-SecRule REQUEST_COOKIES:username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/newtopic\.php" chain
-SecRule HTTP_Content-Disposition "topic_title" chain
-SecRule REQUEST_BODY "php.*system\("
-
-#Unclassified NewsBoard 1.5.3 patch level 3 "Datefrom" blind SQL injection
-SecRule REQUEST_URI "/forum\.php" chain
-SecRule ARGS:DateFrom "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PHPNuke <= 7.8 sql injection
-SecRule REQUEST_URI "/forum\.php" chain
-SecRule ARGS:query "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Moodle <= 1.6dev get record() SQL injection
-SecRule REQUEST_URI "/plot\.php" chain
-SecRule ARGS:user "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/info\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#interesting new pattern
-SecRule REQUEST_URI "/ThisFileMustNotExist"
-
-#honeypot
-SecRule REQUEST_URI "/tiki-backlinks\.php\?page=(http|https|ftp)\:/"
-
-# SocketKB 1.1.x file include Vuln
-SecRule REQUEST_URI "\?__f=(http|https|ftp)\:/"
-SecRule REQUEST_URI "\?__f=rating_add&"
-SecRule ARGS:art_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "\?__f=category&"
-SecRule ARGS:node "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Xaraya "module" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:module "(\.\./\.\.|/)"
-
-#N-13 News "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Softbiz B2B Trading Marketplace Script "cid" SQL Injection
-SecRule REQUEST_URI "/(selloffers|buyoffers|products|profiles)\.php" chain
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-# WEB-MISC mod_gzip_status access
-SecRule REQUEST_URI "/mod_gzip_status" log,pass
-
-#honeypot
-SecRule REQUEST_URI "/index\.php\?main=/"
-
-#PHP Fusion CMS SQL injection Vulnerabilities
-SecRule REQUEST_URI "/viewforum\.php\?" chain
-SecRule ARGS:lastvisited "\'"
-
-#Saxon XSLT command execution attacks
-SecRule REQUEST_URI|REQUEST_BODY "xsl\:value-of select=\"run\:exec\("
-SecRule REQUEST_URI|REQUEST_BODY "xsl.*run\:getRuntime\(\)\, \'\""
-
-#Lore Article.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/article\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#honeypoy
-SecRule REQUEST_URI "/imageviewer\.php\?filename="
-
-#PhpX <= 3.5.9 SQL Injection -> login bypass -> remote command/code execution
-SecRule REQUEST_URI "/admin/" chain
-SecRule ARGS:username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM|or user_id=2)"
-SecRule REQUEST_URI "files/.*\.php\.menu\?cmd="
-
-#NetClassifieds Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(ViewCat|gallery)\.php" chain
-SecRule ARGS:Catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/ViewItem\.php" chain
-SecRule ARGS:ItemNum "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Coppermine Photo Gallery "relocate_server.php" Exposure of Configuration
-SecRule REQUEST_URI "/relocate_server\.php"
-
-#WebCalendar HTTP Response Splitting and SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/edit_report_handler\.php" chain
-SecRule ARGS:time_range "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/layers_toggle\.php" chain
-SecRule ARGS:ret "HTTP"
-
-#Instant Photo Gallery SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/portfolio\.php" chain
-SecRule ARGS:cat_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/content\.php" chain
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Lore "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/article\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#DotClear "dc_xd" SQL Injection Vulnerability
-SecRule REQUEST_URI "/session\.php" chain
-SecRule REQUEST_COOKIES:cd_xd "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#DotClear "dc_xd" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:x "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#O-Kiraku Nikki "day_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/nikki\.php" chain
-SecRule ARGS:day_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-# AltantisFAQ SQL inj. vuln.
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:searchStr "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#FAQRing "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/answer\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#WSN Knowledge Base SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:catid|ARGS:perpage|ARGS:ascdesc|ARGS:orderlinks "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/(comments|memberlist)\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Softbiz FAQ Script SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(faq_qanda|refer_friend|print_article|add_comment)\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#OmniStar KBase SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/comments\.php" chain
-SecRule ARGS:article_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/kb\.php" chain
-SecRule ARGS:category_id|ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#FAQ System SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/viewFAQ\.php" chain
-SecRule ARGS:FAQ_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:CATEGORY_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#KBase Express SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/category\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Orca Knowledgebase "qid" SQL Injection Vulnerability
-SecRule REQUEST_URI "/knowledgebase\.php" chain
-SecRule ARGS:qid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Survey System "SURVEY_ID" SQL Injection Vulnerability
-SecRule REQUEST_URI "/survey\.php" chain
-SecRule ARGS:SURVEY_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Orca Blog SQL inj. vuln.
-SecRule REQUEST_URI "/blog\?msg=((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Orca Ringmaker "start" SQL Injection Vulnerability
-SecRule REQUEST_URI "/ringmaker\.php" chain
-SecRule ARGS:start "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#ltwCalendar "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/calendar\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Nephp Publisher SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.html" chain
-SecRule ARGS:id|ARGS:nnet_catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Zainu SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:start|ARGS:term "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Babe Logger "gal" and "id" SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:gal "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/comments\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Zen Cart Input Validation Hole in 'password_forgotten.php' sql injection
-SecRule REQUEST_URI "admin/password_forgotten\.php" chain
-SecRule ARGS:admin_email "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO)"
-
-#Sugar Suite "beanFiles[1]" File Inclusion Vulnerability
-SecRule REQUEST_URI "acceptDecline\.php" chain
-SecRule REQUEST_URI "beanFiles\[1\].*(http|https|ftp)\:/"
-
-#phpMyAdmin register_globals Emulation "import_blacklist" Manipulation
-SecRule REQUEST_URI "/grab_globals\.php" chain
-SecRule ARGS:import_blacklist "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"
-
-#Magic Forum Personal Cross-Site Scripting and SQL Injection
-SecRule REQUEST_URI "/view_forum\.cfm" chain
-SecRule ARGS:ForumID|ARGS:Thread|ARGS:ThreadID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO)"
-SecRule REQUEST_URI "/search_forums\.cfm" chain
-SecRule ARGS:Words "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Magic List Pro "ListID" SQL Injection Vulnerability
-SecRule REQUEST_URI "/view_archive\.cfm" chain
-SecRule ARGS:ListID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO)"
-
-#CF_Nuke Directory Traversal and Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/index\.cfm" chain
-SecRule ARGS:sector|ARGS:page "\.cfm"
-
-#phpForumPro SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:parent|ARGS:day "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Cars Portal SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:page|ARGS:car "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PluggedOut Blog "index.php" SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:categoryid|ARGS:entryid|ARGS:year|ARGS:month|ARGS:day "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PluggedOut Nexus SQL Injection and Cross-Site Scripting
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:firstname|ARGS:lastname|ARGS:location "(((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"
-SecRule REQUEST_URI "/search_forums\.cfm" chain
-SecRule ARGS:Words "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#honeypot
-SecRule REQUEST_URI "/tiki-view_forum_thread\.php" "chain,id:390083,rev:1,severity:2,msg:'JITP: tikiwiki XSS Vulnerability'"
-SecRule ARGS:comments_parentId|ARGS:forumId|ARGS:topics_offset "(<+(script|about|applet|activex|chrome)|onmouseover=\'javascript)"
-SecRule REQUEST_URI "/tiki-view_forum_thread\.php" "chain,id:390082,rev:1,severity:2,msg:'JITP: tikiwiki Remote File Inclusion Vulnerability'"
-SecRule ARGS:comments_parentId|ARGS:forumId|ARGS:topics_offset "(ht|f)tps?\:/"
-
-#wormsign
-SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"
-
-#phpMyAdmin Cross-Site Scripting Vulnerabilities
-SecRule ARGS:HTTP_HOST "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
-
-#Web4Future eCommerce Products SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/view\.php" chain
-SecRule ARGS:prod|ARGS:brid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/viewbrands\.php" chain
-SecRule ARGS:bid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:grp|ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#DoceboLMS Information Disclosure
-SecRule REQUEST_URI "/connector\.php" chain
-SecRule ARGS:Type "\.\."
-
-#Web4Future Affiliate Manager Pro "pid" SQL Injection Vulnerability
-SecRule REQUEST_URI "/functions\.php" chain
-SecRule ARGS:pid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PHP-addressbook "view.php" SQL Injection Vulnerability
-SecRule REQUEST_URI "/view\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Blog System SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/blog\.php" chain
-SecRule ARGS:note "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Multiple vendor vulnerability
-#Amazon Search Directory "search.cgi" Cross-Site Scripting
-#Warm Links "search.cgi" Cross-Site Scripting Vulnerability
-#Hot Links SQL "search.cgi" Cross-Site Scripting Vulnerability
-#Hot Links Pro "search.cgi" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/search\.cgi" chain
-SecRule ARGS:search "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#1-Search "1search.cgi" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/1search\.cgi" chain
-SecRule ARGS:q "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#Easy Search System "search.cgi" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/search\.cgi" chain
-SecRule ARGS:q "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#phpYellow SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/search_result\.php" chain
-SecRule ARGS:haystack "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/print_me\.php" chain
-SecRule ARGS:ckey "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Relative Real Estate Systems "mls" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:mls "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#LandShop SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/ls\.php" chain
-SecRule ARGS:search_order|ARGS:search_type|ARGS:search_area|ARGS:keyword "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Widget Imprint "product_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/create\.php" chain
-SecRule ARGS:product_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Widget Property SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/property\.php" chain
-SecRule ARGS:property_id|ARGS:zip_code|ARGS:property_type_id|ARGS:price|ARGS:city_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Web4Future Portal Solutions Information Disclosure and SQL Injection
-SecRule REQUEST_URI "/comentarii\.php" chain
-SecRule ARGS:idp "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/archiva\.php" chain
-SecRule ARGS:dir "\.\."
-
-#HobSR "view.php" SQL Injection Vulnerability
-SecRule REQUEST_URI "/view\.php" chain
-SecRule ARGS:arrange "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Web4Future eDating Professional SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:s|ARGS:pg|ARGS:sortb "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/(gift|fq)\.php" chain
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/articles\.php" chain
-SecRule ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#FileLister "searchwhat" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/definesearch\.jsp" chain
-SecRule ARGS:searchwhat "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#PHP-Fusion "srch_text" SQL Injection Vulnerability
-SecRule REQUEST_URI "/messages\.php" chain
-SecRule ARGS:srch_text "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Nortel SSL VPN Web Interface XSS
-SecRule REQUEST_URI "/tunnelform\.yaws" chain
-SecRule ARGS:a "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#Scout Portal Toolkit Possible Sql Injection..and XSS
-SecRule REQUEST_URI "BrowseResources\.php\?ParentId=\'"
-SecRule REQUEST_URI "SPT\-\-UserLogin\.php" chain
-SecRule ARGS:F_UserName|ARGS:F_Password "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-FullRecord\.php" chain
-SecRule ARGS:ResourceId "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-BrowseResources\.php" chain
-SecRule ARGS:ParentId "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-Home\.php" chain
-SecRule ARGS:ResourceOffset "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-QuickSearch\.php" chain
-SecRule ARGS:ss|ARGS:F_SearchString "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-BrowseResources\.php" chain
-SecRule ARGS:ParentId "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-AdvancedSearch\.php" chain
-SecRule ARGS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#Magic Book v2.0 Professional XSS Vuln
-SecRule REQUEST_URI "/book\.cfm\?StartRow.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#flatnuke remote shell
-SecRule REQUEST_URI "verify\.php" chain
-SecRule REQUEST_URI|REQUEST_BODY "mod=modcont&from=index\.php&body=.*\<\?php.*&file=forum.*users.*\.php"
-SecRule REQUEST_URI "forum/users/.*\.php\?cmd="
-
-#Netref "cat" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#milliscripts Redirection "domainname" Cross-Site Scripting
-SecRule REQUEST_URI "register\.php" chain
-SecRule ARGS:domainname "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#phpnuke exploit
-SecRule REQUEST_URI "/modules\.php\?name=Search&type=comments&query=.*&instory=.*UNION.*SELECT.*pwd.*FROM.*nuke_authors"
-
-#limbo exploit
-SecRule REQUEST_URI "index2\.php\?cmd.*\&_SERVER\[\]=\&_SERVER\[REMOTE_ADDR\]=" chain
-SecRule REQUEST_URI|REQUEST_BODY "system"
-
-#Plogger '/admin/plog-admin-functions.php' Include File Bug Lets Remote Users Execute
-SecRule REQUEST_URI "admin/plog-admin-functions\.php\?config\[basedir\]=(http|https|ftp)\:/"
-
-#PHPGedView <= 3.3.7 remote commands execution
-SecRule REQUEST_URI "help_text_vars\.php\?.*=.*PGV_BASE_DIRECTORY=./index/pgv.*\.log"
-SecRule REQUEST_URI "help_text_vars\.php\?suntzu="
-
-#AlstraSoft EPay Enterprise Script Insertion Vulnerabilities
-SecRule REQUEST_URI "(profile|card|bank|subscriptions|send|request|forgot|escrow|donations|products)\.htm" chain
-SecRule ARGS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#PHP-Fusion Multiple Vulnerabilities
-SecRule REQUEST_URI "members\.php" chain
-SecRule ARGS:sortby "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "ratings_include\.php" chain
-SecRule ARGS:rating "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#e-publish Cross-Site Scripting and SQL Injection Vulnerabilities
-SecRule REQUEST_URI "printer_friendly\.cfm" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "show\.cfm" chain
-SecRule ARGS:obcatid|ARGS:comid "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#eggblog "q" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "search\.php" chain
-SecRule ARGS:q "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-# SyntaxCMS XSS vuln.
-SecRule REQUEST_URI "/search/\?search_query=*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#SPIP Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "spip_(login|pass)\.php3" chain
-SecRule ARGS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#SiteSage "norelay_highlight_words" Cross-Site Scripting Vulnerability
-SecRule ARGS:norelay_highlight_words "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#OpenEdit Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "results\.html" chain
-SecRule ARGS:oe-action|ARGS:page "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#Portfolio NetPublish "template" Disclosure of Sensitive Information
-SecRule REQUEST_URI "server\.np\?base&site=\[.*\]&catalog=.*&template=*\.\./"
-
-#Papoo SQL Injection Vulnerabilities
-SecRule REQUEST_URI "(index|guestbook)\.php" chain
-SecRule ARGS:menuid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "print\.php" chain
-SecRule ARGS:forumid|ARGS:reporeid_print "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#phpSlash "story_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "article\.php" chain
-SecRule ARGS:story_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PhpGedView File Inclusion and PHP Code Injection Vulnerabilities
-SecRule REQUEST_URI "authenticate\.php" chain
-SecRule ARGS:user_language|ARGS:user_email|ARGS:user_gedcomid "\<.*php"
-
-#Miraserver SQL Injection Vulnerabilities
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:page "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "newsitem\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "article\.php" chain
-SecRule ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Information Call Center "CallCenterData.mdb" Exposure of User Credentials
-SecRule REQUEST_URI "CallCenterData\.mdb"
-
-#phpBB <= 2.0.17 remote command execution exploit
-SecRule REQUEST_URI "profile\.php\?GLOBALS\[signature_bbcode_uid\]=\(\.\x2B\)/e\x00"
-SecRule REQUEST_URI|REQUEST_BODY "r57phpBB2017xpl"
-SecRule REQUEST_BODY "_bill_gates@microsoft\.com"
-
-#phpDocumentor File Inclusion Vulnerabilities
-SecRule REQUEST_URI "Documentation/tests/bug-559668\.php" chain
-SecRule ARGS:FORUM\[LIB\] "(http|https|ftp)\:/"
-SecRule REQUEST_URI "docbuilder/file_dialog\.php" chain
-SecRule ARGS:root_dir "(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "/tiki-index\.php\?page=(\||/|\.)"
-SecRule REQUEST_URI "/tech_o\.php\?absolute_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "moblog_lib\.php\?basedir=(cmd|(http|https|ftp)\:/)"
-
-#FlatCMS <=1.01 Remote Command Execution Exploit
-SecRule REQUEST_URI "/admin/cijfer\.php\?cij="
-SecRule REQUEST_URI "/admin/file_editor\.php" chain
-SecRule REQUEST_URI "\?save_file=cijfer\.php&f_content="
-SecRule REQUEST_URI "/admin/file_editor\.php" chain
-SecRule REQUEST_URI "\x3C\x3F\x24"
-#the specific payload, if you prefer
-#SecRule REQUEST_URI "\x3C\x3F\x24handle\x3Dpopen\x5C\x28\x24_GET\x5Bcij\x5D\x2C\x22r\x22\x29\x3Bwhile\x28\x21feof\x28\x24handle\x29\x29\x7B\x24line\x3Dfgets\x28\x24handle\x29\x3Bif\x28strlen\x28\x24line\x29\x3E\x3D1\x29\x7Becho\x22\x24line\x22\x3B\x7D\x7Dpclose\x28\x24handle\x29\x3B\x3F\x3E"
-
-#Valdersoft Shopping Cart <=3.0 Remote Command Execution Exploit
-SecRule REQUEST_URI "/include/templates/categories/default\.php\?.*\;echo"
-SecRule REQUEST_URI "/include/templates/categories/default\.php\?.*<\?passthru\(\$_GET\[cmd\]\)\;\?>"
-SecRule ARGS:catalogDocumentRoot "(https|http|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "index\.php\?p=(http|https|ftp)\:/"
-
-#Phgstats "phgdir" File Inclusion Vulnerability
-SecRule REQUEST_URI "phgstats\.inc\.php" chain
-SecRule ARGS:phgdir "(http|https|ftp)\:/"
-
-#VenomBoard SQL Injection Vulnerabilities
-SecRule REQUEST_URI "post\.php3" chain
-SecRule ARGS:topic_id|ARGS:root|ARGS:parent "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-# PHPNuke EV 7.7 'search' module 'query' variable SQL injection
-SecRule REQUEST_URI "/modules\.php\?name=Search" chain
-SecRule REQUEST_URI "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#honeypot
-SecRule REQUEST_URI "/admin\.php\?op=AddAuthor&add_aid=.*&add_name=.*&add_pwd=.*&add_email=r00t_System@hush\.com"
-
-#Etomite "cij" shell command backdoor
-SecRule REQUEST_URI "manager/includes/todo\.inc\.php"
-
-#openSRS exploit
-SecRule REQUEST_URI "mod_opensrs/mod_config\.php\?this_mod_opensrs_config.*=.*&DIR=(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:lp "(http|https|ftp)\:/"
-SecRule REQUEST_URI "\.php\?forum=.*union.*select.*password,password,null,null"
-SecRule REQUEST_URI "/wwForum\.mdb"
-
-#ImpExData.php?systempath=
-SecRule REQUEST_URI "/ImpExData\.php" chain
-SecRule ARGS:systempath "(http|https|ftp)\:/"
-
-#SQuery <= 4.5 Remote File Inclusion Exploit
-SecRule REQUEST_URI "lib/(armygame|ase|devi|doom3|et|flashpoint.php|gameSpy|gameSpy2|gore|gsvari|halo|hlife|hlife2|igi2|main.lib|netpanzer|old_hlife|pkill|q[23]a|qworlp|rene|rvbshld|savage|simracer|sof1|sof2|unreal|ut2004|vietcong)\.php" chain
-SecRule ARGS:libpath "(http|https|ftp)\:/"
-
-#MonAlbum Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:pc "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "image_agrandir.php" chain
-SecRule ARGS:pnom|ARGS:pcourriel "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PHPNuke-Clan "vwar_root" File Inclusion Vulnerability
-#VWar <= 1.5.0 R12 Remote File Inclusion Exploit
-SecRule REQUEST_URI "(/includes/functions_(common|install)|/includes/get_header)\.php" "chain,id:390039,rev:2,severity:2,msg:'JITP: vwar_root remote/local file inclusion'"
-SecRule ARGS:vwar_root "((http|https|ftp)\:/|\.\./\.\.)"
-
-#gtd-php Cross-Site Scripting and Script Insertion Vulnerabilities
-SecRule REQUEST_URI "new(Project|List|WaitingOn|ChecklistContext|Category.php|Goal)\.php" chain
-SecRule ARGS "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "listReport\.php" chain
-SecRule ARGS:listTitle "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "projectReport\.php" chain
-SecRule ARGS:projectName "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "checklistReport\.php" chain
-SecRule ARGS:checklistTitle "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#aWebBB Multiple Vulnerabilities
-SecRule REQUEST_URI "post\.php" "chain,id:390001,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on post.php'"
-SecRule ARGS:tname|ARGS:fpost "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "editac\.php" "chain,id:390002,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on editac.php'"
-SecRule ARGS:fullname|ARGS:emailadd|ARGS:country|ARGS:sig|ARGS:otherav "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "register\.php" "chain,id:390003,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on register.php'"
-SecRule ARGS:fullname|ARGS:emailadd|ARGS:country "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "(accounts|changep|editac|feedback|fpass|login|post|reply|reply_log)\.php" "chain,id:390004,rev:1,severity:2,msg:'JITP: aWebBB XSS attack'"
-SecRule ARGS:Username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "dpost\.php" "chain,id:390004,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
-SecRule ARGS:p "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "(ndis|list)\.php" "chain,id:390005,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
-SecRule ARGS:c "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "search\.php" "chain,id:390005,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
-SecRule ARGS:q "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#phpBB "cur_password" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "profile\.php" "chain,id:390006,rev:1,severity:2,msg:'JITP: phpBB cur_password XSS attack'"
-SecRule ARGS:cur_password "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit
-SecRule REQUEST_URI "modules/vWar_Account/includes/functions_(common|front)\.php" "chain,id:390007,rev:2,severity:2,msg:'JITP: PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit'"
-SecRule ARGS:vwar_root2 "(http|https|ftp)\:/"
-
-#Claroline <= 1.7.4 scormExport.inc.php remote command vuln
-SecRule REQUEST_URI "scormExport\.inc\.php" "chain,id:390008,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4 scormExport.inc.php remote command vuln'"
-SecRule ARGS:includePath "((http|https|ftp)\:/|\.\./\.\.)"
-SecRule REQUEST_URI "scormExport\.inc\.php\?cmd=" "id:390009,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4 scormExport.inc.php remote command vuln'"
-
-#Claroline <= 1.7.4 XSS and recursion attack
-SecRule REQUEST_URI "rqmkhtml\.php" "chain,id:390010,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4 XSS attack'"
-SecRule ARGS:cmd "(rqEdit|rwEditHtml)" chain
-SecRule ARGS:file "(><|\.\./\.\.)"
-
-#aWebNews Multiple Vulnerabilities
-SecRule REQUEST_URI "visview\.php" "chain,id:390011,rev:1,severity:2,msg:'JITP: aWebNews XSS attack'"
-SecRule ARGS:yname|ARGS:emailadd|ARGS:subject|ARGS:comment "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "(login|fpass)\.php" "chain,id:390012,rev:1,severity:2,msg:'JITP: aWebBBNewsSQL attack'"
-SecRule ARGS:user123 "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "visview\.php" "chain,id:390013,rev:1,severity:2,msg:'JITP: aWebBBNewsSQL attack'"
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#WebAPP Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "index\.cgi" "chain,id:390014,rev:1,severity:2,msg:'JITP: aWebAPP XSS attack'"
-SecRule ARGS:action|ARGS:id|ARGS:num|ARGS:board|ARGS:cat|ARGS:writer|ARGS:viewcat|ARGS:img|ARGS:curcatname|ARGS:vsSD "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#qliteNews "loginprocess.php" SQL Injection Vulnerability
-SecRule REQUEST_URI "loginprocess\.php" "chain,id:390015,rev:1,severity:2,msg:'JITP: qliteNEws SQL injection attack'"
-SecRule ARGS:username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#RedCMS SQL Injection and Script Insertion Vulnerabilities
-SecRule REQUEST_URI "login\.php" "chain,id:390016,rev:1,severity:2,msg:'JITP: RedCMS SQL Injection'"
-SecRule ARGS:username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "profile\.php" "chain,id:390017,rev:1,severity:2,msg:'JITP: RedCMS SQL Injection'"
-SecRule ARGS:u "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "register\.php" "chain,id:390018,rev:1,severity:2,msg:'JITP: RedCMS XSS attack'"
-SecRule ARGS:Email|ARGS:Location|ARGS:Website "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#Oxygen "fid" SQL Injection Vulnerability
-SecRule REQUEST_URI "post\.php" "chain,id:390019,rev:1,severity:2,msg:'JITP: Oxygen SQL Injection'"
-SecRule ARGS:fid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Mantis Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "view_set_all\.php" "chain,id:390020,rev:1,severity:2,msg:'JITP: Mantis XSS attack'"
-SecRule ARGS:start_day|ARGS:start_year|ARGS:start_month "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#vCounter "url" SQL Injection Vulnerability
-SecRule REQUEST_URI "vCounter\.php" "chain,id:390021,rev:1,severity:2,msg:'JITP: Oxygen SQL Injection'"
-SecRule ARGS:url "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PHP Classifieds "searchword" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "search\.php" "chain,id:390022,rev:1,severity:2,msg:'JITP: Mantis XSS attack'"
-SecRule ARGS:searchword "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection
-SecRule REQUEST_URI "/sendpassword\.php\?action=send" "chain,id:390023,rev:1,severity:2,msg:'JITP: PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection'"
-SecRule REQUEST_BODY "UNION SELECT.*concat.*password.*admin\.php"
-
-#Sourceworkshop newsletter "email" SQL Injection Vulnerability
-SecRule REQUEST_URI "/newsletter\.php" "chain,id:390024,rev:1,severity:2,msg:'JITP: Sourceworkshop newsletter SQL Injection Vulnerability'"
-SecRule ARGS:newsletteremail "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#X-Changer SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" "chain,id:390025,rev:1,severity:2,msg:'JITP: X-Changer SQL Injection Vulnerability'"
-SecRule ARGS:from|ARGS:into|ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Cholod Mysql based message board Script Insertion and SQL Injection
-SecRule REQUEST_URI "/mb\.cgi" "chain,id:390025,rev:1,severity:2,msg:'JITP: X-Changer SQL Injection Vulnerability'"
-SecRule ARGS:topicnumber|ARGS:threadnumber "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/mb\.cgi" "chain,id:390026,rev:1,severity:2,msg:'JITP: X-Changer XSS Vulnerability'"
-SecRule ARGS:Name|ARGS:Subject|ARGS:Message "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#Null news Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(sub|unsub)\.php" "chain,id:390027,rev:1,severity:2,msg:'JITP: Null news Multiple SQL Injection Vulnerabilities'"
-SecRule ARGS:user_username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/lostpass\.php" "chain,id:390028,rev:1,severity:2,msg:'JITP: Null news Multiple SQL Injection Vulnerabilities'"
-SecRule ARGS:user_email "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#VSNS Lemon SQL injection Vulnerabilities
-SecRule REQUEST_URI "/functions/final_functions\.php" "chain,id:390029,rev:1,severity:2,msg:'JITP: Null news Multiple SQL Injection Vulnerabilities'"
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PHPLiveHelper 1.8 remote command execution Xploit
-SecRule REQUEST_URI "initiate\.php" "chain,id:390030,rev:1,severity:2,msg:'JITP: PHPLiveHelper 1.8 remote command execution Xploit'"
-SecRule ARGS:abs_path "(http|https|ftp)\:/"
-
-#Pixel Motion Blog SQL Injection Vulnerabilities
-SecRule REQUEST_URI "admin/index\.php" "chain,id:390031,rev:1,severity:2,msg:'JITP: Pixel Motion Blog SQL Injection Vulnerabilities'"
-SecRule ARGS:user|ARGS:pass "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "index\.php" "chain,id:390032,rev:1,severity:2,msg:'JITP: Pixel Motion Blog SQL Injection Vulnerabilities'"
-SecRule ARGS:date "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Nuked-Klan "m" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" "chain,id:390033,rev:1,severity:2,msg:'JITP: Nuked-Klan SQL Injection Vulnerability'"
-SecRule ARGS:m "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#TFT Gallery "passwd" Exposure of User Credentials
-SecRule REQUEST_URI "admin/passwd$" "id:390035,rev:1,severity:2,msg:'JITP: TFT Gallery passwd Exposure of User Credentials'"
-
-#PHP Ticket "frm_search_in" SQL Injection Vulnerability
-SecRule REQUEST_URI "search\.php" "chain,id:390036,rev:1,severity:2,msg:'JITP: Nuked-Klan SQL Injection Vulnerability'"
-SecRule ARGS:frm_search_in "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#WEBalbum Local File Inclusion Vulnerability
-SecRule REQUEST_COOKIES:skin2 "\.\." "id:390037,rev:1,severity:2,msg:'JITP: WEBalbum Local File Inclusion Vulnerability'"
-
-#G-Book "g_message" Script Insertion Vulnerability
-SecRule REQUEST_URI "/guestbook\.php" "chain,id:390038,rev:1,severity:2,msg:'JITP: G-Book g_message Script Insertion Vulnerability'"
-SecRule ARGS:g_message "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#PHPMyChat exploit
-SecRule REQUEST_URI "messagesL\.php.?\?L=.*R=.*N=.*&T=.*cmd=" "id:390039,rev:1,severity:2,msg:'JITP: PHPMyChat exploit'"
-
-#Horde Help Module Remote Execution
-SecRule REQUEST_URI "/services/help/\?show=.*&module=;\"" "id:390040,rev:1,severity:2,msg:'JITP: Horde Help Module Remote Execution'"
-
-#Internet PhotoShow Remote File Inclusion Exploit
-SecRule REQUEST_URI "index\.php?page=(ht|f)tps?:/.*\?&[a-z]+=[a-z]" "id:390041,rev:1,severity:2,msg:'JITP: Internet PhotoShow Remote File Inclusion Exploit'"
-
-#Censtore.cgi exploit
-SecRule REQUEST_URI "/censtore\.cgi\?page=\|" "id:390042,rev:1,severity:2,msg:'JITP: Censtore.cgi exploit'"
-
-#quizz.pl exploit
-SecRule REQUEST_URI "quizz\.pl/ask/\;" "id:390043,rev:1,severity:2,msg:'JITP: quizz.pl exploit'"
-
-#phpinfo.cgi command execution
-SecRule REQUEST_URI "/phpinfo\.php\?cmd=" "id:390044,rev:1,severity:2,msg:'JITP: phpinfo.cgi command execution'"
-
-#phpRaid "phpbb_root_path" File Inclusion Vulnerability
-SecRule REQUEST_URI "auth/auth_phpbb\.php" "chain,id:390045,rev:1,severity:2,msg:'JITP: phpRaid phpbb_root_path File Inclusion Vulnerability'"
-SecRule ARGS:phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#openEngine "template" Parameter Local File Inclusion Vulnerability
-SecRule REQUEST_URI "website\.php" "chain,id:390046,rev:1,severity:2,msg:'JITP: openEngine template Parameter Local File Inclusion Vulnerability'"
-SecRule ARGS:template "\.\./\.\."
-
-#ISPConfig "go_info[server][classes_root]" File Inclusion
-SecRule REQUEST_URI "lib/session\.inc\.php" "chain,id:390047,rev:1,severity:2,msg:'JITP: ISPConfig go_info[server][classes_root] File Inclusion'"
-SecRule REQUEST_URI "go_info\[server\]\[classes_root\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#ManageEngine OpManager "searchTerm" Cross-Site Scripting
-SecRule REQUEST_URI "search\.do" "chain,id:390048,rev:1,severity:2,msg:'JITP: ManageEngine OpManager searchTerm Cross-Site Scripting'"
-SecRule ARGS:searchTerm "(javascript|script|about|applet|activex|chrome)*\>"
-
-#AliPAGER "ubild" Cross-Site Scripting and SQL Injection
-SecRule REQUEST_URI "inc/elementz\.php" "chain,id:390049,rev:1,severity:2,msg:'JITP: AliPAGER ubild Cross-Site Scripting and SQL Injection'"
-SecRule ARGS:ubild "((javascript|script|about|applet|activex|chrome)*\>|((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM))"
-
-#MxBB Portal pafileDB Module "module_root_path" File Inclusion
-SecRule REQUEST_URI "includes/pafiledb_constants\.php" "chain,id:390050,rev:1,severity:2,msg:'JITP: MxBB Portal pafileDB Module module_root_path File Inclusion'"
-SecRule ARGS:module_root_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#Jadu CMS "register.php" Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "site/scripts/register\.php" "chain,id:390051,rev:1,severity:2,msg:'JITP: Jadu CMS register.php Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:forename|ARGS:surname|ARGS:reg_email|ARGS:email_conf|ARGS:company|ARGS:city|ARGS:postcode|ARGS:telephone "(javascript|script|about|applet|activex|chrome|php)*\>"
-
-#OpenFAQ "q" Parameter Script Insertion Vulnerability
-SecRule REQUEST_URI "search\.php" "chain,id:390052,rev:1,severity:2,msg:'JITP: OpenFAQ q Parameter Script Insertion Vulnerability'"
-SecRule ARGS:q "(javascript|script|about|applet|activex|chrome)*\>"
-
-#phpBB foing Module "phpbb_root_path" File Inclusion
-SecRule REQUEST_URI "(index|faq|song|list|gen_m3u|playlist)\.php" "chain,id:390053,rev:1,severity:2,msg:'JITP: phpBB foing Module phpbb_root_path File Inclusion'"
-SecRule ARGS:phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#Sugar Suite "sugarEntry" Parameter Security Bypass
-SecRule REQUEST_URI "/modules/.*/.*\.php\?GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)" "id:390054,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"
-SecRule REQUEST_URI "/modules/.*/.*\.php\?cmd=.*GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)" "id:390055,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"
-SecRule REQUEST_URI "/modules/.*/.*\.php" "chain,id:390056,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"
-SecRule REQUEST_BODY|REQUEST_URI "\?GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#Sugar Suite exploit
-SecRule REQUEST_URI "modules/Administration/RebuildAudit\.php\?cmd=" "id:390057,rev:1,severity:2,msg:'JITP: Sugar Suite exploit'"
-
-#TikiWiki Multiple Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "tiki-lastchanges\.php" "chain,id:390058,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:days|ARGS:offset "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-orphan_pages\.php" "chain,id:390059,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:find "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-listpages\.php" "chain,id:390060,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:offset|ARGS:initial "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-remind_password\.php" "chain,id:390061,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:username "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-(admin_(rssmodules|notifications|content_templates|chat)|syslog)\.php" "chain,id:390062,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:offset "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-adminusers\.php" "chain,id:390063,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:numrows "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-searchindex\.php" "chain,id:390095,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:highlist "(javascript|script|about|applet|activex|chrome)+.?\>"
-
-#Wordpress shell injection Vulnerability
-SecRule REQUEST_URI "/cache/user.*/.*\.php\?cmd=" "id:390064,rev:1,severity:2,msg:'JITP: Wordpress shell injection Vulnerability'"
-
-#Nucleus <= 3.22 arbitrary remote inclusion exploit
-SecRule REQUEST_URI "PLUGINADMIN\.php\?GLOBALS\[DIR_LIBS\]=((ht|f)tps?\:/|/tmp|/opt|/etc|/export|/var|/home|/usr|\.\.)" "id:390065,rev:1,severity:2,msg:'JITP: Nucleus arbitrary remote inclusion exploit'"
-
-#Horde passthru protection
-SecRule REQUEST_URI "/services/help(/)?\?(.*)?\&module=.*passthru\(.*\)" "id:390066,rev:1,severity:2,msg:'JITP: Horde passthru exploit'"
-
-#CMS-Bandits "spaw_root" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "dialogs/(img|td|table)\.php" "chain,id:390067,rev:2,severity:2,msg:'JITP: CMS-Bandits spaw_root File Inclusion Vulnerability'"
-SecRule ARGS:spaw_root "(ht|f)tps?\:/"
-
-#phpBB Blend Portal System Module "phpbb_root_path" File Inclusion
-SecRule REQUEST_URI "dialogs/(img|td)\.php" "chain,id:390068,rev:1,severity:2,msg:'JITP: phpBB Blend Portal System Module phpbb_root_path File Inclusion'"
-SecRule ARGS:phpbb_root_path "(ht|f)tps?\:/"
-
-#Admanager Pro exploit
-SecRule REQUEST_URI "common\.php" "chain,id:390069,rev:1,severity:2,msg:'JITP: Admanager Pro exploit'"
-SecRule ARGS:ipath "((ht|f)tps?\:/|\.\./)"
-
-#Bible Portal Project destination File Inclusion Vulnerability'
-SecRule REQUEST_URI "Admin/rtf_parser\.php" "chain,id:390071,rev:1,severity:2,msg:'JITP: Bible Portal Project destination File Inclusion Vulnerability'"
-SecRule ARGS:destination "((ht|f)tps?\:/|\.\./)"
-
-#Flipper Poll "root_path" File Inclusion Vulnerability
-SecRule REQUEST_URI "poll\.php" "chain,id:390072,rev:1,severity:2,msg:'JITP: Flipper Poll root_path File Inclusion Vulnerability'"
-SecRule ARGS:root_path "((ht|f)tps?\:/|\.\./)"
-
-#PictureDis Products "lang" Parameter File Inclusion Vulnerability
-SecRule REQUEST_URI "(thumstbl|wpfiles|wallpapr)\.php" "chain,id:390073,rev:1,severity:2,msg:'JITP: PictureDis Products lang Parameter File Inclusion Vulnerability'"
-SecRule ARGS:lang "((ht|f)tps?\:/|\.\./)"
-
-#Joomla and Mambo 'Weblinks' blind SQL injection / admin credentials EXPLOIT
-SecRule REQUEST_URI "index\.php" "chain,id:390074,rev:1,severity:2,msg:'JITP: Joomla/Mambo Weblinks blind SQL injection'"
-SecRule ARGS:title "(users[[:space:]]+WHERE[[:space:]]+usertype|UNION[[:space:]]+SELECT[[:space:]]+IF|insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" chain
-SecRule ARGS:task "save"
-
-#new pattern
-SecRule REQUEST_URI "index\.php\?mod=files&action=view&where=-1+UNION+SELECT+users_nick,0,users_pwd"
-
-#phpBB Mail2Forum Module "m2f_root_path" File Inclusion
-SecRule ARGS:m2f_root_path "((ht|f)tps?\:/|\.\./)" "id:390076,rev:1,severity:2,msg:'JITP: Generic m2f_root_path File Inclusion Vulnerability'"
-
-#
-SecRule REQUEST_URI "downloads\.php" "chain,id:390077,rev:1,severity:2,msg:'JITP: Generic PHP download incddir File Inclusion Vulnerability'"
-SecRule ARGS:incdir "((ht|f)tps?\:/|\.\./)"
-
-#SiteDepth CMS "SD_DIR" Parameter Handling Remote File Inclusion Vulnerability
-SecRule REQUEST_URI "constants\.php" "chain,id:390078,rev:1,severity:2,msg:'JITP: SiteDepth CMS SD_DIR Parameter Handling Remote File Inclusion Vulnerability'"
-SecRule ARGS:SD_DIR "((ht|f)tps?\:/|\.\./)"
-
-#PhpLinkExchange "page" Parameter Handling Remote File Inclusion Vulnerability
-SecRule REQUEST_URI "index\.php" "chain,id:390079,rev:1,severity:2,msg:'JITP: PhpLinkExchange page Parameter Handling Remote File Inclusion Vulnerability'"
-SecRule ARGS:page "((ht|f)tps?\:/|\.\./)"
-
-#test for valid X-forearded header
-SecRule HTTP_X_FORWARDED_FOR "!^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown),?(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown)?" "id:390080,rev:1,severity:2,msg:'Test: Checking for valid X-Forwarded header',log,pass"
-
-#authldap
-SecRule REQUEST_URI "authldap\.php" "chain,id:390081,rev:1,severity:2,msg:'JITP: authldap Remote File Inclusion Vulnerability'"
-SecRule ARGS:includePath "((ht|f)tps?\:/|\.\./)"
-
-#honeypot
-SecRule REQUEST_URI "global_header\.php" "chain,id:390082,rev:1,severity:2,msg:'JITP: globalheader domain variable Remote File Inclusion Vulnerability'"
-SecRule ARGS:domain "((ht|f)tps?\:/|\.\./)"
-
-#Generic phpbb_root_path inclusion
-SecRule ARGS:phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)" "id:390083,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path variable Remote File Inclusion Vulnerability'"
-
-#Generic BBCodeFile variable remote file include
-SecRule ARGS:BBCodeFile "((ht|f)tps?:/|\.\./\.\.)" "id:390084,rev:1,severity:2,msg:'JITP: Generic BBCodeFile variable Remote File Inclusion Vulnerability'"
-
-#Generic wb_class_dir variable remote file include
-SecRule ARGS:wb_class_dir "((ht|f)tps?:/|\.\./\.\.)" "id:390085,rev:1,severity:2,msg:'JITP: Generic wb_class_dir variable Remote File Inclusion Vulnerability'"
-
-#Generic component_dir variable remote file include
-SecRule ARGS:component_dir "((ht|f)tps?:/|\.\./\.\.)" "id:390086,rev:1,severity:2,msg:'JITP: Generic component_dir variable Remote File Inclusion Vulnerability'"
-
-#Generic da_path variable remote file include
-SecRule ARGS:da_path "((ht|f)tps?:/|\.\./\.\.)" "id:390087,rev:1,severity:2,msg:'JITP: Generic da_path variable Remote File Inclusion Vulnerability'"
-
-#Generic spaw_root variable remote file include
-SecRule ARGS:spaw_root "((ht|f)tps?:/|\.\./\.\.)" "id:390088,rev:1,severity:2,msg:'JITP: Generic spaw_root variable Remote File Inclusion Vulnerability'"
-
-#Generic sitee variable remote file include
-SecRule ARGS:sitee "((ht|f)tps?:/|\.\./\.\.)" "id:390089,rev:1,severity:2,msg:'JITP: Generic sitee variable Remote File Inclusion Vulnerability'"
-
-#Generic default_path variable remote file include
-SecRule REQUEST_URI "\.php" "chain,id:390092,rev:1,severity:2,msg:'JITP: PHP default_path variable Remote File Inclusion Vulnerability'"
-SecRule ARGS:default_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#file_upload sbp remote file inclusion vuln
-SecRule REQUEST_URI "file_upload\.php" "chain,id:390090,rev:1,severity:2,msg:'JITP: file_upload sbp variable Remote File Inclusion Vulnerability'"
-SecRule ARGS:sbp "((ht|f)tps?\:/|\.\./)"
-
-#viewtopic sid remote file inclusion vuln
-SecRule REQUEST_URI "viewtopic\.php" "chain,id:390091,rev:1,severity:2,msg:'JITP: viewtopic sid variable Remote File Inclusion Vulnerability'"
-SecRule ARGS:sid "((ht|f)tps?\:/|\.\./)"
-
-#get_infochannel root_path remote file inclusion vuln
-SecRule REQUEST_URI "get_infochannel\.inc\.php" "chain,id:390093,rev:1,severity:2,msg:'JITP: get_infochannel root_path variable Remote File Inclusion Vulnerability'"
-SecRule ARGS:root_path "((ht|f)tps?\:/|\.\./)"
-
-#Generic root_path variable remote file include
-SecRule ARGS:root_path "((ht|f)tps?:/|\.\./\.\.)" "id:390094,rev:1,severity:2,msg:'JITP: Generic root_path variable Remote File Inclusion Vulnerability'"
-
-#Generic default_path variable remote file include
-SecRule REQUEST_URI "\.php" "chain,id:390096,rev:1,severity:2,msg:'JITP: PHP glConf variable Remote File Inclusion Vulnerability'"
-SecRule REQUEST_URI "glConf\[path_library\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#MyNewsGroups :) "myng_root" File Inclusion Vulnerability
-SecRule REQUEST_URI "layersmenu\.inc\.php" "chain,id:390097,rev:1,severity:2,msg:'JITP: MyNewsGroups myng_root Remote File Inclusion Vulnerability'"
-SecRule ARGS:myng_root "((ht|f)tps?:/|\.\./\.\.)"
-
-#Joomla invalid arguments check
-#SecRule "joomla/" "chain,id:390098,rev:1,severity:2,msg:'JITP: Joomla invalid character Vulnerability'"
-#SecRule ARGS:from|ARGS:fromname|ARGS:subject "[\x00-\x1F\x7F]"
-
-#TikiWiki jhot.php upload exploit
-SecRule REQUEST_URI "img/wiki/" "chain,id:390099,rev:1,severity:2,msg:'JITP: TikiWiki non-image upload exploit'"
-SecRule REQUEST_URI "\.!(jpe?g|gif|png|bmp)"
-
-#pageheaderdefault sysSessionPath upload exploit
-SecRule REQUEST_URI "pageheaderdefault\.inc\.php\?" "chain,id:390100,rev:1,severity:2,msg:'JITP: pageheaderdefault sysSessionPath upload exploit'"
-SecRule REQUEST_URI "_sysSessionPath=((ht|f)tps?:/|\.\./\.\.)"
-
-#new pattern
-SecRule REQUEST_URI "\.php\?" "chain,id:390101,rev:1,severity:2,msg:'JITP: possible vulnscan6 exploit'"
-SecRule REQUEST_URI "(CONFIG_EXT\[LANGUAGES_DIR\]|dir\[inc\])=((ht|f)tps?:/|\.\./\.\.)"
-
-#Socketwiz Bookmarks "root_dir" File Inclusion Vulnerability
-SecRule REQUEST_URI "smarty_config\.php" "chain,id:390102,rev:1,severity:2,msg:'JITP: Socketwiz Bookmarks root_dir File Inclusion Vulnerability'"
-SecRule ARGS:root_dir "((ht|f)tps?:/|\.\./\.\.)"
-
-#MyABraCaDaWeb "base" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "(index|pop)\.php" "chain,id:390103,rev:1,severity:2,msg:'JITP: MyABraCaDaWeb base File Inclusion Vulnerabilities'"
-SecRule ARGS:base "((ht|f)tps?:/|\.\./\.\.)"
-
-#Vivvo Article Management CMS SQL Injection and File Inclusion
-SecRule REQUEST_URI "pdf_version\.php" "chain,id:390104,rev:1,severity:2,msg:'JITP: Vivvo Article Management CMS SQL Injection'"
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Vivvo Article Management classified_path file inclusion
-SecRule ARGS:classified_path "((ht|f)tps?:/|\.\./\.\.)" "id:390105,rev:1,severity:2,msg:'JITP: Vivvo Article Management CMS File Inclusion'"
-
-#RaidenHTTPD "SoftParserFileXml" File Inclusion Vulnerability
-SecRule REQUEST_URI "raidenhttpd-admin/slice/check\.php" "chain,id:390106,rev:1,severity:2,msg:'JITP: RaidenHTTPD SoftParserFileXml File Inclusion Vulnerability'"
-SecRule ARGS:SoftParserFileXml "((ht|f)tps?:/|\.\./\.\.)"
-
-#mcGalleryPRO "path_to_folder" File Inclusion Vulnerability
-SecRule REQUEST_URI "random2\.php" "chain,id:390107,rev:1,severity:2,msg:'JITP: mcGalleryPRO path_to_folder File Inclusion Vulnerability'"
-SecRule ARGS:path_to_folder "((ht|f)tps?:/|\.\./\.\.)"
-
-#Timesheet PHP "username" Parameter SQL Injection
-SecRule REQUEST_URI "username\.php" "chain,id:390108,rev:1,severity:2,msg:'JITP: Timesheet PHP username Parameter SQL Injection'"
-SecRule ARGS:username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#CCleague Pro "language" Parameter Local File Inclusion
-SecRule ARGS:language "((ht|f)tps?:/|\.\./\.\.)" "id:390109,rev:1,severity:2,msg:'JITP: CCleague Pro language Parameter Local File Inclusion'"
-
-#TWiki "filename" Parameter Disclosure of Sensitive Information
-SecRule REQUEST_URI "/TWiki/" "chain,id:390110,rev:1,severity:2,msg:'JITP: TWiki filename Parameter Disclosure of Sensitive Information'"
-SecRule ARGS:filename "\.\./\.\."
-
-#photokorn "dir_path" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "(includes/cart\.inc\.php|extras/ext_cat\.php)" "chain,id:390111,rev:1,severity:2,msg:'JITP: photokorn dir_path File Inclusion Vulnerabilities'"
-SecRule ARGS:dir_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#Somery "skindir" File Inclusion Vulnerability
-SecRule REQUEST_URI "admin/system/include\.php" "chain,id:390112,rev:1,severity:2,msg:'JITP: Somery skindir File Inclusion Vulnerability'"
-SecRule ARGS:skindir "((ht|f)tps?:/|\.\./\.\.)"
-
-#DokuWiki "TARGET_FN" Directory Traversal Vulnerability
-SecRule REQUEST_URI "bin/dwpage\.php" "chain,id:390113,rev:1,severity:2,msg:'JITP: DokuWiki TARGET_FN Directory Traversal Vulnerability'"
-SecRule ARGS:TARGET_FN "((ht|f)tps?:/|\.\./\.\.)"
-
-#Fantastic News "CONFIG[script_path]" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "(archive|headlines)\.php" "chain,id:390114,rev:1,severity:2,msg:'JITP: Fantastic News CONFIG[script_path] File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "CONFIG\[script_path\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#BP News "bnrep" File Inclusion Vulnerability
-SecRule REQUEST_URI "bp_ncom\.php" "chain,id:390115,rev:1,severity:2,msg:'JITP: BP News bnrep File Inclusion Vulnerability'"
-SecRule ARGS:bnrep "((ht|f)tps?:/|\.\./\.\.)"
-
-#Akarru Social BookMarking Engine "bm_content" File Inclusion
-SecRule REQUEST_URI "akarru\.gui/main_content\.php" "chain,id:390116,rev:1,severity:2,msg:'JITP: Akarru Social BookMarking Engine bm_content File Inclusion'"
-SecRule ARGS:bm_content "((ht|f)tps?:/|\.\./\.\.)"
-
-#Beautifier "BEAUT_PATH" Parameter File Inclusion Vulnerability
-#phpCodeGenie "BEAUT_PATH" File Inclusion Vulnerability
-SecRule REQUEST_URI "Beautifier/Core\.php" "chain,id:390117,rev:1,severity:2,msg:'JITP: Beautifier BEAUT_PATH Parameter File Inclusion Vulnerability'"
-SecRule ARGS:BEAUT_PATH "((ht|f)tps?:/|\.\./\.\.)"
-
-#phpFullAnnu "repmod" File Inclusion Vulnerability
-SecRule REQUEST_URI "modules/home\.module\.php" "chain,id:390118,rev:1,severity:2,msg:'JITP: phpFullAnnu repmod File Inclusion Vulnerability'"
-SecRule ARGS:repmod "((ht|f)tps?:/|\.\./\.\.)"
-
-#Sponge News "sndir" File Inclusion Vulnerability
-SecRule REQUEST_URI "news\.php" "chain,id:390119,rev:1,severity:2,msg:'JITP: Sponge News sndir File Inclusion Vulnerability'"
-SecRule ARGS:sndir "((ht|f)tps?:/|\.\./\.\.)"
-
-#ACGV News "PathNews" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "\.php\?" "chain,id:390120,rev:1,severity:2,msg:'JITP: ACGV News PathNews File Inclusion Vulnerabilities'"
-SecRule ARGS:PathNews "((ht|f)tps?:/|\.\./\.\.)"
-
-#MySpeach "my_ms[root]" Parameter File Inclusion Vulnerability
-SecRule REQUEST_URI "jscript\.php\?" "chain,id:390121,rev:1,severity:2,msg:'JITP: MySpeach my_ms[root] Parameter File Inclusion Vulnerability'"
-SecRule REQUEST_URI "my_ms\[root\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#annoncesV "page" Parameter File Inclusion Vulnerability
-SecRule REQUEST_URI "annonce\.php\?" "chain,id:390122,rev:1,severity:2,msg:'JITP: annoncesV page Parameter File Inclusion Vulnerability'"
-SecRule ARGS:page "((ht|f)tps?:/|\.\./\.\.)"
-
-#GrapAgenda "page" File Inclusion Vulnerability
-SecRule REQUEST_URI "index\.php\?" "chain,id:390123,rev:1,severity:2,msg:'JITP: GrapAgenda page File Inclusion Vulnerability'"
-SecRule ARGS:page "((ht|f)tps?:/|\.\./\.\.)"
-
-#C-News "path" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "/affichage/.*\.php\?" "chain,id:390124,rev:1,severity:2,msg:'JITP: C-News path File Inclusion Vulnerabilities'"
-SecRule ARGS:path "((ht|f)tps?:/|\.\./\.\.)"
-
-#PhpCommander "Directory" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "download\.php\?" "chain,id:390125,rev:1,severity:2,msg:'JITP: PhpCommander Directory Local File Inclusion Vulnerability'"
-SecRule ARGS:Directory "((ht|f)tps?:/|\.\./\.\.)"
-
-#dyncms "x_admindir" File Inclusion Vulnerability
-SecRule REQUEST_URI "0_admin/modules/Wochenkarte/frontend/index\.php" "chain,id:390126,rev:1,severity:2,msg:'JITP: dyncms x_admindir File Inclusion Vulnerability'"
-SecRule ARGS:x_admindir "((ht|f)tps?:/|\.\./\.\.)"
-
-#MyBace Light Skript File Inclusion Vulnerabilities
-SecRule REQUEST_URI "includes/login_check\.php" "chain,id:390127,rev:1,severity:2,msg:'JITP: MyBace Light Skript File Inclusion Vulnerabilities'"
-SecRule ARGS:hauptverzeichniss "((ht|f)tps?:/|\.\./\.\.)"
-SecRule REQUEST_URI "dmin/login/content/user_daten\.php" "chain,id:390128,rev:1,severity:2,msg:'JITP: MyBace Light Skript File Inclusion Vulnerabilities'"
-SecRule ARGS:template_back "((ht|f)tps?:/|\.\./\.\.)"
-
-#YACS "context[path_to_root]" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "\.php" "chain,id:390129,rev:1,severity:2,msg:'JITP: YACS context[path_to_root] File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "context\[path_to_root\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#Pheap "lpref" File Inclusion Vulnerability
-SecRule REQUEST_URI "lib/config\.php" "chain,id:390130,rev:1,severity:2,msg:'JITP: Pheap lpref File Inclusion Vulnerability'"
-SecRule ARGS:lpref "((ht|f)tps?:/|\.\./\.\.)"
-
-#phpECard "include_path" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "functions\.php" "chain,id:390131,rev:1,severity:2,msg:'JITP: phpECard include_path File Inclusion Vulnerabilities'"
-SecRule ARGS:include_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#MiniBill "config[include_dir]" Parameter File Inclusion
-SecRule REQUEST_URI "actions/ipn\.php" "chain,id:390132,rev:1,severity:2,msg:'JITP: MiniBill config[include_dir] File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "config\[include_dir\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#phpGroupWare Local File Inclusion Vulnerability
-SecRule REQUEST_URI "alendar/inc/class.holidaycalc\.inc\.php" "chain,id:390133,rev:1,severity:2,msg:'JITP: phpGroupWare Local File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "phpgw_info\[user\]\[preferences\]\[common\]\[country\]=\.\./\.\."
-
-#ExBB Italia "exbb[home_path]" File Inclusion Vulnerability
-SecRule REQUEST_URI "modules/userstop/userstop\.php" "chain,id:390134,rev:1,severity:2,msg:'JITP: ExBB Italia exbb[home_path] File Inclusion Vulnerability'"
-SecRule REQUEST_URI "exbb\[home_path\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#Web3news "PHPSECURITYADMIN_PATH" File Inclusion
-SecRule REQUEST_URI "security/include/_class\.security\.php" "chain,id:390135,rev:1,severity:2,msg:'JITP: Web3news PHPSECURITYADMIN_PATH File Inclusion Vulnerabilities'"
-SecRule ARGS:PHPSECURITYADMIN_PATH "((ht|f)tps?:/|\.\./\.\.)"
-
-#phpCOIN "_CCFG[_PKG_PATH_INCL]" File Inclusion
-SecRule REQUEST_URI "\.php\?" "chain,id:390136,rev:1,severity:2,msg:'JITP: phpCOIN _CCFG[_PKG_PATH_INCL] File Inclusion'"
-SecRule REQUEST_URI "_CCFG\[_PKG_PATH_INCL\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#Wikepage "lng" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "index\.php" "chain,id:390137,rev:1,severity:2,msg:'JITP: Wikepage lng Local File Inclusion Vulnerability'"
-SecRule ARGS:lng "((ht|f)tps?:/|\.\./\.\.)"
-
-#Empire CMS "check_path" File Inclusion Vulnerability
-SecRule REQUEST_URI "e/class/CheckLevel\.php" "chain,id:390138,rev:1,severity:2,msg:'JITP: Empire CMS check_path File Inclusion Vulnerability'"
-SecRule ARGS:check_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#Dolphin "dir[inc]" File Inclusion Vulnerability
-SecRule REQUEST_URI "templates/tmpl_dfl/scripts/index.php" "chain,id:390139,rev:1,severity:2,msg:'JITP: Dolphin dir[inc] File Inclusion Vulnerability'"
-SecRule REQUEST_URI "dir\[inc\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#SportsPHool "mainnav" File Inclusion Vulnerability
-SecRule REQUEST_URI "includes/layout/plain\.footer\.php" "chain,id:390140,rev:1,severity:2,msg:'JITP: SportsPHool mainnav File Inclusion Vulnerability'"
-SecRule ARGS:mainnav "((ht|f)tps?:/|\.\./\.\.)"
-
-#NES Game & NES System "phphtmllib" File Inclusion
-SecRule REQUEST_URI "\.php\?" "chain,id:390141,rev:1,severity:2,msg:'JITP: NES Game & NES System phphtmllib File Inclusion'"
-SecRule ARGS:phphtmllib "((ht|f)tps?:/|\.\./\.\.)"
-
-#PHlyMail Lite "_PM_[path][handler]" File Inclusion Vulnerability
-SecRule REQUEST_URI "handlers/email/mod.listmail.php" "chain,id:390142,rev:1,severity:2,msg:'JITP: PHlyMail Lite _PM_[path][handler] File Inclusion Vulnerability'"
-SecRule REQUEST_URI "_PM_\[path\]\[handler\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#Sonium Enterprise Adressbook "folder" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "/plugins/(1_Adressbuch/new|2_Branchen/edit|3_Typ/delete)\.php\?" "chain,id:390143,rev:1,severity:2,msg:'JITP: Sonium Enterprise Adressbook folder File Inclusion Vulnerabilities'"
-SecRule ARGS:folder "((ht|f)tps?:/|\.\./\.\.)"
-
-#ff_compath remote file inclusion
-SecRule ARGS:ff_compath "((ht|f)tps?:/|\.\./\.\.)" "id:390150,rev:1,severity:2,msg:'JITP: ff_compath File Inclusion Vulnerabilities'"
-
-#phpBB "avatar_path" PHP Code Execution Vulnerability
-SecRule REQUEST_URI "/admin/admin_board\.php\?" "chain,id:390151,rev:1,severity:2,msg:'JITP: phpBB avatar_path PHP Code Execution Vulnerability'"
-SecRule ARGS:avatar_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#phpMyProfiler "pmp_rel_path" File Inclusion Vulnerability
-SecRule REQUEST_URI "/functions\.php\?" "chain,id:390152,rev:1,severity:2,msg:'JITP: phpMyProfiler pmp_rel_path File Inclusion Vulnerability'"
-SecRule ARGS:pmp_rel_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#Servlet auth attack
-SecRule REQUEST_URI "/servlet/admin\?category=server\&method=listAll\&Authorization" "id:390153,rev:1,severity:2,msg:'JITP: Servlet Auth exposure Vulnerability'"
-
-#Eazy Cart Multiple Vulnerabilities
-SecRule REQUEST_URI "easycart\.php" "chain,id:390154,rev:1,severity:2,msg:'JITP: Eazy Cart SQL injection'"
-SecRule ARGS:price "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "admin/config/customer\.dat" "id:390155,rev:1,severity:2,msg:'JITP: Eazy Cart Customer Data Access'"
-SecRule REQUEST_URI "easycart\.php" "chain,id:390156,rev:1,severity:2,msg:'JITP: Eazy Cart XSS ATTACK'"
-SecRule ARGS "<[[:space:]]*(script|about|applet|activex|chrome).*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#WebYep "webyep_sIncludePath" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "webyep-system/program/((lib|elements)/|webyep\.php)" "chain,id:390157,rev:1,severity:2,msg:'JITP: WebYep webyep_sIncludePath File Inclusion Vulnerabilities'"
-SecRule ARGS:webyep_sIncludePath "((ht|f)tps?:/|\.\./\.\.)"
-
-#Travelsized CMS "setup_folder" File Inclusion Vulnerability
-SecRule REQUEST_URI "frontpage\.php" "chain,id:390158,rev:1,severity:2,msg:'JITP: Travelsized CMS setup_folder File Inclusion Vulnerabilities'"
-SecRule ARGS:setup_folder "((ht|f)tps?:/|\.\./\.\.)"
-
-#VideoDB "config[pdf_module]" File Inclusion Vulnerability
-SecRule REQUEST_URI "core/pdf\.php" "chain,id:390159,rev:1,severity:2,msg:'JITP: VideoDB File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "config\[pdf_module\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#AllMyGuests "_AMGconfig[cfg_serverpath]" File Inclusion
-SecRule REQUEST_URI "signin\.php" "chain,id:390160,rev:1,severity:2,msg:'JITP: AllMyGuests File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "_AMGconfig\[cfg_serverpath\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#OpenBiblio Local File Inclusion and SQL Injection
-SecRule REQUEST_URI "shared/(header|help)\.php" "chain,id:390161,rev:1,severity:2,msg:'JITP: OpenBiblio File Inclusion Vulnerabilities'"
-SecRule ARGS "(((ht|f)tps?:/|\.\./\.\.)|((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM))"
-
-#BasiliX "BSX_LIBDIR" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "\.php" "chain,id:390162,rev:1,severity:2,msg:'JITP: BasiliX BSX_LIBDIR File Inclusion Vulnerabilities'"
-SecRule ARGS:BSX_LIBDIR "((ht|f)tps?:/|\.\./\.\.)"
-
-#PowerPortal "file_name[]" File Inclusion Vulnerability
-SecRule REQUEST_URI "index\.php" "chain,id:390163,rev:1,severity:2,msg:'JITP: Powerportal File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "file_name\[\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#DeluxeBB "templatefolder" File Inclusion Vulnerability
-SecRule REQUEST_URI "/templates/.*/.*/.*\.php" "chain,id:390164,rev:1,severity:2,msg:'JITP: DeluxeBB teplatefolder File Inclusion Vulnerabilities'"
-SecRule ARGS:templatefolder "((ht|f)tps?:/|\.\./\.\.)"
-
-#TagIt! Tagboard "page" File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" "chain,id:390165,rev:1,severity:2,msg:'JITP: Tagit page File Inclusion Vulnerabilities'"
-SecRule ARGS:page "(ht|f)tps?:/"
diff --git a/files/mod_security/custom_rules/recons.conf b/files/mod_security/custom_rules/recons.conf
deleted file mode 100644
index d0d113f..0000000
--- a/files/mod_security/custom_rules/recons.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Gotroot.com ModSecurity rules
-# Search Engine Recon/Google Hacks Security Rules for modsec 2.x
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/recons.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# Version: N-20061022-01
-#
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-# Note: For modsecurity 2.x and above only
-
-SecRule HTTP_Referer "Powered by Gravity Board" "id:350000,rev:1,severity:2,msg:'Gravity Board Google Recon attempt'"
-SecRule HTTP_Referer "Powered by SilverNews" "id:350001,rev:1,severity:2,msg:'SilverNews Google Recon attempt'"
-SecRule HTTP_Referer "Powered.*PHPBB.*2\.0\.\ inurl\:" "id:350002,rev:1,severity:2,msg:'PHPBB 2.0 Google Recon attempt'"
-SecRule HTTP_Referer "PHPFreeNews inurl\:Admin\.php" "id:350003,rev:1,severity:2,msg:'PHPFreeNews Google Recon attempt'"
-SecRule HTTP_Referer "inurl.*/cgi-bin/query" "id:350004,rev:1,severity:2,msg:'/cgi-bin/guery Google Recon attempt'"
-SecRule HTTP_Referer "inurl.*tiki-edit_submission\.php" "id:350005,rev:1,severity:2,msg:'tiki-edit Google Recon attempt'"
-SecRule HTTP_Referer "inurl.*wps_shop\.cgi" "id:350006,rev:1,severity:2,msg:'wps_shop.cgi Google Recon attempt'"
-SecRule HTTP_Referer "inurl.*edit_blog\.php.*filetype\:php" "id:350007,rev:1,severity:2,msg:'edit_blog.php Google Recon attempt'"
-SecRule HTTP_Referer "inurl.*passwd.txt.*wwwboard.*webadmin" "id:350008,rev:1,severity:2,msg:'passwd.txt Google Recon attempt'"
-SecRule HTTP_Referer "inurl.*admin\.mdb" "id:350008,rev:1,severity:2,msg:'admin.mdb Google Recon attempt'"
-SecRule HTTP_Referer "filetype:sql \x28\x22passwd values.*password values.*pass values"
-SecRule HTTP_Referer "filetype.*blt.*buddylist"
-SecRule HTTP_Referer "File Upload Manager v1\.3.*rename to"
-SecRule HTTP_Referer "filetype\x3Aphp HAXPLORER .*Server Files Browser"
-SecRule HTTP_Referer "inurl.*passlist\.txt"
-SecRule HTTP_Referer "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin"
-SecRule HTTP_Referer "Enter ip.*inurl\x3A\x22php-ping\.php\x22"
-SecRule HTTP_Referer "intitle\.*PHP Shell.*Enable stderr.*filetype\.php"
-SecRule HTTP_Referer "inurl\.*install.*install\.php"
-SecRule HTTP_Referer "Powered by PHPFM.*filetype\.php -username"
-SecRule HTTP_Referer "inurl\.*phpSysInfo.*created by phpsysinfo"
-SecRule HTTP_Referer "SquirrelMail version 1\.4\.4.*inurl:src ext\.php"
-SecRule HTTP_Referer "inurl\.*webutil\.pl"
diff --git a/files/mod_security/custom_rules/rootkits.conf b/files/mod_security/custom_rules/rootkits.conf
deleted file mode 100644
index 0fe477b..0000000
--- a/files/mod_security/custom_rules/rootkits.conf
+++ /dev/null
@@ -1,182 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Known rootkits, remote toolkits, etc. signatures for modsec 2.x
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/rootkits.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# modsecurity is a trademark of Thinking Stone, Ltd.
-#
-# Version: N-20061022-01
-#
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
-SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
-SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
-SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
-
-SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
-SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
-SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
-SecRule REQUEST_URI "/\.it/viewde"
-SecRule REQUEST_URI "/cmd\?&(command|cmd)="
-SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
-SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
-SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
-SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
-SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
-SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
-
-#Known rootkits
-SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
-SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
-SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
-SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
-
-#Generic remote perl execution with .pl extension
-SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
-SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
-
-#Known rootkit Defacing Tool 2.0
-SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-
-#other known tools
-SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
-SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
-
-#New kit
-SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
-SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
-
-#new kir
-SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
-
-#suntzu
-SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
-
-#proxysx.gif?
-SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
-
-#phpbackdoor
-SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
-
-#new unknown kit
-SecRule REQUEST_URI "/oops?&"
-
-# known PHP attack shells
-#value of these sigs, pretty low, but here to catch
-# any lose threads, honeypoting, etc.
-SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
-SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
-SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
-SecRule REQUEST_URI "/phpterm"
-
-#Frantastico worm
-SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
-
-#new unknown kits
-SecRule REQUEST_URI "/iblis\.htm\?"
-SecRule REQUEST_URI "/gif\.gif\?"
-SecRule REQUEST_URI "/go\.php\.txt\?"
-SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/zehir\.asp"
-SecRule REQUEST_URI "/aflast\.txt\?"
-SecRule REQUEST_URI "/sikat\.txt\?&cmd"
-SecRule REQUEST_URI "/t\.gif\?"
-SecRule REQUEST_URI "/phpbb_patch\?&"
-SecRule REQUEST_URI "/phpbb2_patch\?&"
-SecRule REQUEST_URI "/lukka\?&"
-
-#new kit
-SecRule REQUEST_URI "/c99shell\.txt"
-SecRule REQUEST_URI "/c99\.txt\?"
-
-#remote bash shell
-SecRule REQUEST_URI "/shell\.php\&cmd="
-SecRule ARGS "/shell\.php\&cmd="
-
-#zencart exploit
-SecRule REQUEST_URI "/ipn\.php\?cmd="
-
-#new pattern
-SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "dsoul/tool\?"
-
-#generic suntzu payload
-SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\("
-SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
-SecRule REQUEST_URI "help_text_vars\.php\?suntzu="
-
-#25dec new one
-SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"
-
-#26dec new kit
-SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/vsf\.vsf\?&"
-
-#27dec
-SecRule REQUEST_URI "/scan1\.0/scan/"
-SecRule REQUEST_URI "test\.txt\?&"
-
-#30dec
-SecRule REQUEST_URI "\.k4ka\.txt\?"
-#31dec
-SecRule REQUEST_URI "/php\.txt\?"
-
-#1 jan
-SecRule REQUEST_URI "/sql\.txt\?"
-SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"
-
-#22feb
-SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
-
-#24mar
-SecRule REQUEST_URI "/docLib/cmd\.asp"
-SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer"
-SecRule REQUEST_URI "\.asp\?.*showUpload&thePath="
-SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath="
-
-#some broken attack program
-SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
-SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
-
-SecRule REQUEST_URI "/r57en\.php"
-
-#c99 rootshell
-SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
-
-#generic shell
-SecRule REQUEST_URI "shell\.txt"
-
-#bad scanner
-SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
-
-#wormsign
-SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
-
-#New SEL attack seen
-SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
-
-#New SQL attack seen
-SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
diff --git a/files/mod_security/custom_rules/rules.conf b/files/mod_security/custom_rules/rules.conf
deleted file mode 100644
index b51ea89..0000000
--- a/files/mod_security/custom_rules/rules.conf
+++ /dev/null
@@ -1,546 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Gotroot.com ModSecurity rules
-# Application Security Rules for modsec 2.x
-#
-# Version: N-20061022-01
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/rules.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-#--------------------------------
-# notes
-#--------------------------------
-# Rules work with modsecurity 2.0 and above only
-
-#--------------------------------
-#start rules
-#--------------------------------
-
-#Configure for your site
-SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
-
-#Enforce proper HTTP requests
-SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
-
-#Generic rule for allowed characters, very broken at the moment, dont use it unless you can fix it
-#Then post your fix eh!
-#SecRule REQUEST_URI "!^[-a-zA-z0-9\.\+_/\-\?\=]+$" "chain,id:340002,rev:1,severity:2,msg:'Restricted HTTP character set'"
-
-
-# Don't accept transfer encodings we know we don't handle
-# (and you don't need it anyway)
-SecRule HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"
-
-#deny TRACE method
-SecRule REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"
-
-#XSS insertion into headers
-SecRule REQUEST_HEADERS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"
-
-
-#Don't accept chunked encodings
-#modsecurity can not look at these, so this is a hole
-#that can bypass your rules, the rule before this one
-#should cover this, but hey paranoia is cheap
-SecRule HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"
-
-#Code injection via content length
-SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"
-
-##generic recursion signatures
-SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
-SecRule REQUEST_URI "\.\./\.\./"
-#generic path recurision sig
-
-
-#generic recursion signatures
-SecRule REQUEST_URI "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'"
-
-#generic bogus path sigs
-SecRule REQUEST_URI "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
-
-#Generic PHP exploit signatures
-SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
-
-#Generic PHP exploit signatures
-SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
-
-#slightly tighter rules with narrower focus
-SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
-
-#generic XSS PHP attack types
-SecRule REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'"
-SecRule REQUEST_BODY|REQUEST_URI "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)"
-
-
-#Prevent SQL injection in cookies
-SecRule REQUEST_COOKIES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"
-
-#Prevent command injection through cookies
-SecRule REQUEST_COOKIES "\; cmd="
-
-#Prevent SQL injection in UA
-SecRule HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"
-
-# Generic filter to prevent SQL injection attacks
-# Understand that all SQL filters are very limited and are very difficult
-# to prevent false postives and negatives.
-# Pplease report false positives/negatives to mike@gotroot.com
-SecRule REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
-SecRule REQUEST_URI|REQUEST_BODY "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
-
-#Generic SQL sigs
-SecRule ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"
-
-#Generic SQL sigs
-SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
-
-#Generic SQL sigs
-SecRule REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:2,severity:2,msg:'Generic SQL injection protection'"
-SecRule ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)"
-
-#Meta character SQL injection
-SecRule REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)" "id:380015,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'"
-
-#Generic command line attack filter
-SecRule REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'"
-SecRule REQUEST_URI|REQUEST_BODY "\|+.*[\x20].*[\x20].*\|"
-
-#Generic PHP bad functions protection
-#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
-SecRule ARGS compress\.zlib:
-
-#Generic XSS filter
-#please report false positives
-SecRule REQUEST_URI "!/mt\.cgi" chain
-SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#XSS in referrer and UA headers
-SecRule HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#PHP Injection Attack generic signature
-SecRule REQUEST_URI "\.php" chain
-SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
-
-#PHP Injection Attack generic signature
-SecRule REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
-
-#Generic PHP remote file inclusion attack signature
-SecRule REQUEST_URI "\.php\?" chain
-SecRule REQUEST_URI "(http|https|ftp)\:/" chain
-SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
-
-#Generic PHP remote file inclusion attack signature with command
-SecRule REQUEST_URI "\.php\?" chain
-SecRule REQUEST_URI "(http|https|ftp)\:/" chain
-SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
-
-#really broad furl_fopen attack sig
-#tune this for your system
-SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
-SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
-SecRule ARGS "(ht|f)tps?:/"
-SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
-SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"
-
-
-#Genenric PHP body attack
-SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
-SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
-
-#Generic PHP remote file injection
-SecRule REQUEST_URI "!(/do_command)" chain
-SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
-
-#script, perl, etc. code in HTTP_Referer string
-SecRule HTTP_Referer "\#\!.*/"
-
-#generic command line attack
-SecRule REQUEST_URI|ARGS "\|*id\;echo*\|"
-
-#remote file inclusion generic attack signature
-SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
-SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
-
-#remote file inclusion generic attack signature
-SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
-SecRule ARGS "\?\&(cmd|inc|name)="
-
-#remote file inclusion generic attack signature
-SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
-
-#remote file inclusion generic attack signature
-SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
-
-#Bogus file extensions generic signature
-SecRule REQUEST_URI "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"
-
-#PHP remote path attach generic signature
-SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/"
-
-#generic attack sig
-SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
-
-# WEB-ATTACKS uname -a command attempt
-SecRule REQUEST_URI "uname" chain
-SecRule REQUEST_URI "\x20-a"
-
-#Generic argument protection rule against bad meta characters
-#SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"
-
-#generic php attack sigs
-SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
-
-# WEB-ATTACKS xterm command attempt
-SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
-
-# WEB-ATTACKS /etc/shadow access
-SecRule REQUEST_URI "/etc/shadow"
-
-# WEB-ATTACKS /bin/ps command attempt
-SecRule REQUEST_URI "/bin/ps"
-
-# WEB-ATTACKS /usr/bin/id command attempt
-SecRule REQUEST_URI "/usr/bin/id" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS echo command attempt
-SecRule REQUEST_URI "/bin/echo" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS kill command attempt
-SecRule REQUEST_URI "/bin/kill" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS chmod command attempt
-SecRule REQUEST_URI "/bin/chmod" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS chsh command attempt
-SecRule REQUEST_URI "/usr/bin/chsh"
-
-# WEB-ATTACKS gcc command attempt
-SecRule REQUEST_URI "gcc" chain
-SecRule REQUEST_URI "x20-o"
-
-# WEB-ATTACKS /usr/bin/cc command attempt
-SecRule REQUEST_URI "/usr/bin/cc" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS /usr/bin/cpp command attempt
-SecRule REQUEST_URI "/usr/bin/cpp" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS /usr/bin/g++ command attempt
-SecRule REQUEST_URI "/usr/bin/g\+\+" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS g++ command attempt
-SecRule REQUEST_URI "g\+\+\x20" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS bin/python access attempt
-SecRule REQUEST_URI "bin/python" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS python access attempt
-#SecRule "python\x20"
-
-# WEB-ATTACKS bin/tclsh execution attempt
-SecRule REQUEST_URI "bin/tclsh"
-
-# WEB-ATTACKS tclsh execution attempt
-SecRule REQUEST_URI "tclsh8\x20"
-
-# WEB-ATTACKS bin/nasm command attempt
-SecRule REQUEST_URI "bin/nasm"
-
-# WEB-ATTACKS nasm command attempt
-SecRule REQUEST_URI "nasm\x20"
-
-# WEB-ATTACKS /usr/bin/perl execution attempt
-SecRule REQUEST_URI "/usr/bin/perl"
-
-# WEB-ATTACKS traceroute command attempt
-SecRule REQUEST_URI "traceroute" chain
-SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
-
-# WEB-ATTACKS ping command attempt
-SecRule REQUEST_URI "/bin/ping" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS X application to remote host attempt
-SecRule REQUEST_URI "\x20-display\x20"
-
-# WEB-ATTACKS mail command attempt
-SecRule REQUEST_URI "/bin/mail" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS /bin/ls command attempt
-SecRule REQUEST_URI "/bin/ls" chain
-SecRule REQUEST_URI "\x20"
-
-# WEB-ATTACKS /etc/inetd.conf access
-SecRule REQUEST_URI "/etc/inetd\.conf"
-
-# WEB-ATTACKS /etc/motd access
-SecRule REQUEST_URI "/etc/motd"
-# WEB-ATTACKS conf/httpd.conf attempt
-SecRule REQUEST_URI "conf/httpd\.conf"
-
-# WEB-MISC .htpasswd access
-SecRule REQUEST_URI "\.htpasswd"
-
-# WEB-MISC /etc/passwd access
-SecRule REQUEST_URI "/etc/passwd"
-
-# WEB-MISC nessus 1.X 404 probe
-SecRule REQUEST_URI "/nessus_is_probing_you_"
-
-# WEB-MISC nessus 2.x 404 probe
-SecRule REQUEST_URI "/NessusTest"
-
-# WEB-MISC ls%20-l
-SecRule REQUEST_URI "ls" chain
-SecRule REQUEST_URI "\x20-l"
-
-# WEB-MISC apache directory disclosure attempt
-SecRule REQUEST_URI "////////"
-
-#musicat empower attempt
-SecRule REQUEST_URI "/empower\?DB="
-
-# WEB-MISC *%0a.pl access
-SecRule REQUEST_URI "/*\x0a\.pl"
-
-#PHPBB worm sigs
-SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain
-SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
-
-#PHP defenses
-SecRule ARGS:PHPSESSID "!^[0-9a-z]*$"
-
-#PHP defenses
-SecRule ARGS "^(globals($|\[)|php:/)"
-
-#PHP defenses
-SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$"
-
-#PHP defenses
-SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$"
-
-# Web-attacks chdir
-SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
-
-# TIKIWIKI
-SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./"
-
-#SMTP redirects
-SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25
-
-#These are VERY experiemental, please report false positives/negatives, etc.
-#very experimental generic remote download sig
-#foo IP or FQDN, or foo http/https/ftp://whatever
-SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
-
-#Command inline detection
-SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
-
-#very experimental connect command sig
-SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
-
-#Commands, also need a major rework, these also have issues
-SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;"
-#SecRule REQUEST_URI "echo\x20"
-SecRule REQUEST_URI "links -dump "
-SecRule REQUEST_URI "links -dump-(charset|width) "
-SecRule REQUEST_URI "links (http|https|ftp)\:/"
-SecRule REQUEST_URI "links -source "
-#SecRule REQUEST_URI "mkdir\x20"
-SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"
-
-SecRule REQUEST_URI "cd \.\."
-SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"
-
-#generic block for fwrite fopen uploads
-SecRule REQUEST_URI "fwrite" chain
-SecRule REQUEST_URI "fopen"
-
-#generic sig for more bad PHP functions
-SecRule REQUEST_URI "chr\(([0-9]{1,3})\)"
-SecRule ARGS_NAMES "^php:/"
-
-# WEB-MISC Tomcat view source attempt
-SecRule REQUEST_URI "\x252ejsp"
-
-# WEB-MISC whisker HEAD/./
-#SecRule "HEAD/./"
-
-# WEB-FRONTPAGE .... request
-SecRule REQUEST_URI "\.\.\.\./"
-
-#experimental CSS rule
-#SecRule REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)"
-
-#Generic attack rules pcre format
-#cross site scripting attempt IMG onerror or onload
-SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*="
-
-#cross site scripting attempt TYPE + JAVASCRIPT
-SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/javascript"
-
-#cross site scripting attempt STYLE + JAVASCRIPT
-SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-javascript"
-
-#cross site scripting attempt STYLE + JSCRIPT
-SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/jscript"
-
-# cross site scripting attempt STYLE + VBSCRIPT
-SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/vbscript"
-
-#cross site scripting attempt STYLE + VBSCRIPT
-SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-vbscript"
-
-#cross site scripting attempt STYLE + ECMACRIPT
-SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/ecmascript"
-
-# cross site scripting attempt STYLE + EXPRESSION
-SecRule REQUEST_URI "STYLE[\s]*=[\s]*[^>]expression[\s]*\("
-
-#cross site scripting attempt STYLE + EXPRESSION
-SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>"
-
-# cross site scripting attempt using XML
-SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT"
-
-#cross site scripting attempt executing hidden Javascript
-SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"
-
-#cross site scripting attempt executing hidden Javascript
-SecRule REQUEST_URI "window\.execScript[\s]*\("
-
-#cross site scripting attempt to execute Javascript code
-SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"
-
-#cross site scripting stealth attempt to execute Javascript code
-#may false alarm for some language sets
-SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
-SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
-
-#Apache /server-info accessible
-SecRule REQUEST_URI "/server-info" chain
-SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
-
-#Apache /server-status accessible
-#Modified so apache-protect can run
-SecRule REQUEST_URI "^/server-status/$" chain
-SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
-
-#generic Common HTTP vulnerability
-SecRule REQUEST_URI "/\?cwd=/"
-
-#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
-SecRule REQUEST_URI "\.php\?" chain
-SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
-
-#Experimental XML-RPC generic attack sigs
-SecRule REQUEST_BODY "\'\,\'\'\)\)\;"
-SecRule REQUEST_BODY "\<param\>\<name\>.*\'\)\;"
-
-#MTS
-#XML-RPC generic attack sigs
-SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
-SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
-SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
-SecRule REQUEST_BODY "methodCall\>"
-
-#Specific XML-RPC attacks on xmlrpc.php
-SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain
-SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
-SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
-
-#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
-#SecRule REQUEST_URI "/xmlrpc\.php" chain
-#SecRule "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
-
-#XML-RPC SQL injection generic signature
-SecRule REQUEST_URI "(xmlrpc|xmlrpc_.*)\.php" chain
-SecRule REQUEST_BODY "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"
-
-#generic remote file inclusion vulns
-SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
-SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"
-
-#catch smuggling attacks
-#SecRule "^(GET|POST).*Host:.*^(GET|POST)"
-
-#Drupal remote command execution vulnerability exploit signature
-#This is already covered in another generic signature, but just in case you leave it out, here it is
-#again with a slightly tigher regexp
-SecRule REQUEST_BODY "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
-#Slightly stronger version of the above
-SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
-
-#Generic PHP attack sig
-SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
-
-#Generic Nessus request filter
-SecRule REQUEST_URI "NessusTest*\.html"
-
-#Generic PHP payload command injection and upload vulnerabilities
-SecRule REQUEST_BODY "<\?php" chain
-SecRule REQUEST_BODY "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
-SecRule REQUEST_BODY "\<\?php"
-
-#Generic XML RPC attack sig
-SecRule REQUEST_BODY "\'(______BEGIN______|_____FIM_____)\'\;"
-
-#HTTP header PHP code injection attacks
-SecRule HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
-#wormsign
-SecRule REQUEST_HEADERS "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
-SecRule REQUEST_BODY "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"
-
-#phpbb wormsign
-SecRule REQUEST_URI|REQUEST_BODY "echo _GHC/RST_"
-
-#Generic PHP avatar upload exploits
-SecRule REQUEST_URI "\.php" chain
-SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
-SecRule REQUEST_BODY "\<\?php" chain
-SecRule REQUEST_BODY "\?>"
-
-#Fake image file shell attacvk
-SecRule REQUEST_HEADERS:Content-Type "image/.*"
-SecRule REQUEST_BODY "chr\("
-
-#bogus graphics file
-SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain
-SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
-
-#wormsign
-SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"
-
-#Special account protection
-SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
-
-#Generic PHP fopen sig
-SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("
diff --git a/files/mod_security/custom_rules/useragents.conf b/files/mod_security/custom_rules/useragents.conf
deleted file mode 100644
index d969960..0000000
--- a/files/mod_security/custom_rules/useragents.conf
+++ /dev/null
@@ -1,229 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Gotroot.com ModSecurity rules
-# User Agent Security Rules for modsec 2.x
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/useragents.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by the Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# Version: N-20061022-01
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-
-#Comment spam header line
-SecRule REQUEST_HEADERS "x-aaaaaa.*"
-SecRule REQUEST_BODY "X-AAAAAA.*"
-
-#check for bad meta characters in User-Agent field
-#SecRule HTTP_User-Agent ".*\'"
-
-#XSS in the UA field
-SecRule HTTP_User-Agent "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)"
-
-#PHP code injection attack
-SecRule HTTP_User-Agent "(<\?php|<[[:space:]]*\?[[:space:]]*php)"
-SecRule HTTP_User-Agent ".*HTTP_GET_VARS"
-
-#recursion attack in UA field
-SecRule HTTP_User-Agent "\.\./\.\."
-
-#May cause false positives with some software, comment out if it does
-#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'"
-#SecRule "HTTP_User-Agent|HTTP_HOST|HTTP_Accept" "^$"
-
-#Exploit agent
-SecRule HTTP_User-Agent "Mosiac 1\.*"
-
-#Bad agent
-SecRule HTTP_User-Agent "Brutus/AET"
-
-#CGI vuln scan tool
-SecRule HTTP_User-Agent cgichk
-SecRule HTTP_User-Agent "DataCha0s/2\.0"
-
-#Damn fine UA
-SecRule HTTP_User-Agent ".*THIS IS AN EXPLOIT*"
-SecRule HTTP_User-Agent "Morzilla"
-
-#CIRT.DK Webroot auditing tool
-SecRule HTTP_User-Agent ".*WebRoot "
-
-#Exploit UA
-SecRule HTTP_User-Agent ".*T H A T \' S G O T T A H U R T*"
-
-#XML RPC exploit tool
-SecRule HTTP_User-Agent "xmlrpc exploit*"
-
-#A friendly little exploit banner for a WP vuln
-SecRule HTTP_User-Agent "Wordpress Hash Grabber"
-
-#Blocks scripts
-SecRule HTTP_User-Agent lwp
-
-#Web leaches
-SecRule HTTP_User-Agent "Web Downloader"
-SecRule HTTP_User-Agent WebZIP
-SecRule HTTP_User-Agent WebCopier
-SecRule HTTP_User-Agent Webster
-SecRule HTTP_User-Agent WebZIP
-SecRule HTTP_User-Agent WebStripper
-SecRule HTTP_User-Agent "teleport pro"
-SecRule HTTP_User-Agent combine
-SecRule HTTP_User-Agent "Black Hole"
-SecRule HTTP_User-Agent "SiteSnagger"
-SecRule HTTP_User-Agent "ProWebWalker"
-SecRule HTTP_User-Agent "CheeseBot"
-
-#Bogus Mozilla UA lines
-SecRule HTTP_User-Agent "Mozilla/(4|5)\.0$"
-SecRule HTTP_User-Agent "Mozilla/3\.Mozilla/2\.01$"
-
-#Bogus IE UA line
-SecRule HTTP_User-Agent "Microsoft Internet Explorer/5\.0$"
-
-#Bogus UA
-SecRule HTTP_User-Agent "FooBar/42"
-
-#Nessus Vuln scanner UA
-SecRule HTTP_User-Agent "Mozilla.*Nessus"
-
-#Nikto vuln scanner UA
-SecRule HTTP_User-Agent ".*Nikto"
-
-#BAd/Bogus UAs
-SecRule HTTP_User-Agent "Indy Library"
-SecRule HTTP_User-Agent "Faxobot"
-SecRule HTTP_User-Agent ".*SAFEXPLORER TL"
-
-#Spam spinder UAs
-SecRule HTTP_User-Agent ".*fantomBrowser"
-SecRule HTTP_User-Agent ".*fantomCrew Browser"
-
-#VB development library used by many spammers, might block legite VBscripts
-#comment out if you have problems
-SecRule HTTP_User-Agent "Crescent Internet ToolPak"
-
-#Borland Delphi signature, as above, comment out if it gives you problems
-#spammers sometimes use these UAs
-SecRule HTTP_User-Agent "NEWT ActiveX\; Win32"
-SecRule HTTP_User-Agent "Mozilla.*NEWT"
-
-#Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if
-#it causes problems, comment out. If you are a member of the Microsoft Site
-#Builder Network, you probably do NOT want to block this ID.
-#SecRule HTTP_User-Agent "Microsoft URL Control"
-#SecRule HTTP_User-Agent "^Microsoft URL"
-
-#e-mail collectors and spammers
-SecRule HTTP_User-Agent "WebBandit"
-SecRule HTTP_User-Agent "WEBMOLE"
-SecRule HTTP_User-Agent "Telesoft*"
-SecRule HTTP_User-Agent "WebEMailExtractor"
-SecRule HTTP_User-Agent "CherryPicker*"
-SecRule HTTP_User-Agent NICErsPRO
-SecRule HTTP_User-Agent "Advanced Email Extractor*"
-SecRule HTTP_User-Agent EmailSiphon
-SecRule HTTP_User-Agent Extractorpro
-SecRule HTTP_User-Agent webbandit
-SecRule HTTP_User-Agent EmailCollector
-SecRule HTTP_User-Agent "WebEMailExtrac*"
-SecRule HTTP_User-Agent EmailWolf
-
-#Spiders that eat up bandwidth for their customers
-#Not a spammer, just a spider, comment out if you like
-SecRule HTTP_User-Agent "CopyRightCheck"
-SecRule HTTP_User-Agent "CopyGuard"
-SecRule HTTP_User-Agent "Digimarc WebReader"
-
-#MArketing spiders
-SecRule HTTP_User-Agent "Zeus .*Webster Pro*"
-
-#Poker spam
-SecRule HTTP_User-Agent "8484 Boston Project"
-
-#collectors
-SecRule HTTP_User-Agent "autoemailspider"
-SecRule HTTP_User-Agent "ecollector"
-SecRule HTTP_User-Agent "grub crawler"
-
-#referrer spam, not the real weblogs
-SecRule HTTP_User-Agent "^www\.weblogs\.com"
-
-#spam bots
-SecRule HTTP_User-Agent "DTS Agent"
-SecRule HTTP_User-Agent "POE-Component-Client"
-SecRule HTTP_User-Agent "WISEbot"
-SecRule HTTP_User-Agent "^Shockwave Flash"
-SecRule HTTP_User-Agent "Missigua"
-
-#comment spam sign
-SecRule HTTP_User-Agent "compatible \; MSIE"
-
-#Some regexps to catch silly bots
-SecRule REQUEST_URI "!/ps(zones\|comp).txt1" chain
-SecRule HTTP_User-Agent "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"
-SecRule HTTP_User-Agent "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$"
-SecRule HTTP_User-Agent "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$"
-SecRule HTTP_User-Agent "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$"
-SecRule HTTP_User-Agent "^Mozilla/.+[. ]+$"
-
-#spammer
-SecRule HTTP_User-Agent "Butch__2\.1\.1"
-SecRule HTTP_User-Agent "agdm79@mail\.ru"
-
-#Fake Gameboy UA
-SecRule HTTP_User-Agent "GameBoy\, Powered by Nintendo"
-
-#bogus amiga UA
-SecRule HTTP_User-Agent "Amiga-AWeb/3\.4"
-
-#exploit UA
-SecRule HTTP_User-Agent "Internet Ninja x\.0"
-
-#bogus googlebot UA
-SecRule HTTP_User-Agent "Nokia-WAPToolkit.* googlebot.*googlebot"
-
-#recently caught sending spam referrals, from their actual crawler IP
-SecRule HTTP_User-Agent "BecomeBot"
-
-#Suverybot
-#SecRule HTTP_User-Agent "SurveyBot"
-
-#exploit
-SecRule HTTP_User-Agent "S\.T\.A\.L\.K\.E\.R\."
-SecRule HTTP_User-Agent "NeuralBot/0\.2"
-SecRule HTTP_User-Agent "Kenjin Spider"
-
-#WebvulnScan
-SecRule HTTP_User-Agent "WebVulnScan"
-
-#broken spam tool
-SecRule HTTP_User-Agent "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$"
-
-#PHPBB worm UA
-SecRule HTTP_User-Agent "INTERNET EXPLOITER SUX"
-
-#fake UA
-SecRule HTTP_User-Agent "Windows-Update-Agent"
-
-#exploit
-SecRule HTTP_User-Agent "Internet-exprorer"
-
-# Bad Spider
-SecRule HTTP_User-Agent "hl_ftien_spider"
-
-# PMAFind
-SecRule HTTP_User-Agent "PMAFind"
diff --git a/files/php/apache2_php5_php.ini/php.ini b/files/php/apache2_php5_php.ini/php.ini
deleted file mode 100644
index bd30e3f..0000000
--- a/files/php/apache2_php5_php.ini/php.ini
+++ /dev/null
@@ -1,1287 +0,0 @@
-[PHP]
-
-;;;;;;;;;;;
-; WARNING ;
-;;;;;;;;;;;
-; This is the default settings file for new PHP installations.
-; By default, PHP installs itself with a configuration suitable for
-; development purposes, and *NOT* for production purposes.
-; For several security-oriented considerations that should be taken
-; before going online with your site, please consult php.ini-recommended
-; and http://php.net/manual/en/security.php.
-
-
-;;;;;;;;;;;;;;;;;;;
-; About php.ini ;
-;;;;;;;;;;;;;;;;;;;
-; This file controls many aspects of PHP's behavior. In order for PHP to
-; read it, it must be named 'php.ini'. PHP looks for it in the current
-; working directory, in the path designated by the environment variable
-; PHPRC, and in the path that was defined in compile time (in that order).
-; Under Windows, the compile-time path is the Windows directory. The
-; path in which the php.ini file is looked for can be overridden using
-; the -c argument in command line mode.
-;
-; The syntax of the file is extremely simple. Whitespace and Lines
-; beginning with a semicolon are silently ignored (as you probably guessed).
-; Section headers (e.g. [Foo]) are also silently ignored, even though
-; they might mean something in the future.
-;
-; Directives are specified using the following syntax:
-; directive = value
-; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
-;
-; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
-; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
-; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo").
-;
-; Expressions in the INI file are limited to bitwise operators and parentheses:
-; | bitwise OR
-; & bitwise AND
-; ~ bitwise NOT
-; ! boolean NOT
-;
-; Boolean flags can be turned on using the values 1, On, True or Yes.
-; They can be turned off using the values 0, Off, False or No.
-;
-; An empty string can be denoted by simply not writing anything after the equal
-; sign, or by using the None keyword:
-;
-; foo = ; sets foo to an empty string
-; foo = none ; sets foo to an empty string
-; foo = "none" ; sets foo to the string 'none'
-;
-; If you use constants in your value, and these constants belong to a
-; dynamically loaded extension (either a PHP extension or a Zend extension),
-; you may only use these constants *after* the line that loads the extension.
-;
-;
-;;;;;;;;;;;;;;;;;;;
-; About this file ;
-;;;;;;;;;;;;;;;;;;;
-; All the values in the php.ini-dist file correspond to the builtin
-; defaults (that is, if no php.ini is used, or if you delete these lines,
-; the builtin defaults will be identical).
-
-
-;;;;;;;;;;;;;;;;;;;;
-; Language Options ;
-;;;;;;;;;;;;;;;;;;;;
-
-; Enable the PHP scripting language engine under Apache.
-engine = On
-
-; Enable compatibility mode with Zend Engine 1 (PHP 4.x)
-zend.ze1_compatibility_mode = Off
-
-; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized.
-; NOTE: Using short tags should be avoided when developing applications or
-; libraries that are meant for redistribution, or deployment on PHP
-; servers which are not under your control, because short tags may not
-; be supported on the target server. For portable, redistributable code,
-; be sure not to use short tags.
-short_open_tag = On
-
-; Allow ASP-style <% %> tags.
-asp_tags = Off
-
-; The number of significant digits displayed in floating point numbers.
-precision = 12
-
-; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
-y2k_compliance = On
-
-; Output buffering allows you to send header lines (including cookies) even
-; after you send body content, at the price of slowing PHP's output layer a
-; bit. You can enable output buffering during runtime by calling the output
-; buffering functions. You can also enable output buffering for all files by
-; setting this directive to On. If you wish to limit the size of the buffer
-; to a certain size - you can use a maximum number of bytes instead of 'On', as
-; a value for this directive (e.g., output_buffering=4096).
-output_buffering = Off
-
-; You can redirect all of the output of your scripts to a function. For
-; example, if you set output_handler to "mb_output_handler", character
-; encoding will be transparently converted to the specified encoding.
-; Setting any output handler automatically turns on output buffering.
-; Note: People who wrote portable scripts should not depend on this ini
-; directive. Instead, explicitly set the output handler using ob_start().
-; Using this ini directive may cause problems unless you know what script
-; is doing.
-; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
-; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
-; Note: output_handler must be empty if this is set 'On' !!!!
-; Instead you must use zlib.output_handler.
-;output_handler =
-
-; Transparent output compression using the zlib library
-; Valid values for this option are 'off', 'on', or a specific buffer size
-; to be used for compression (default is 4KB)
-; Note: Resulting chunk size may vary due to nature of compression. PHP
-; outputs chunks that are few hundreds bytes each as a result of
-; compression. If you prefer a larger chunk size for better
-; performance, enable output_buffering in addition.
-; Note: You need to use zlib.output_handler instead of the standard
-; output_handler, or otherwise the output will be corrupted.
-zlib.output_compression = Off
-;zlib.output_compression_level = -1
-
-; You cannot specify additional output handlers if zlib.output_compression
-; is activated here. This setting does the same as output_handler but in
-; a different order.
-;zlib.output_handler =
-
-; Implicit flush tells PHP to tell the output layer to flush itself
-; automatically after every output block. This is equivalent to calling the
-; PHP function flush() after each and every call to print() or echo() and each
-; and every HTML block. Turning this option on has serious performance
-; implications and is generally recommended for debugging purposes only.
-implicit_flush = Off
-
-; The unserialize callback function will be called (with the undefined class'
-; name as parameter), if the unserializer finds an undefined class
-; which should be instantiated.
-; A warning appears if the specified function is not defined, or if the
-; function doesn't include/implement the missing class.
-; So only set this entry, if you really want to implement such a
-; callback-function.
-unserialize_callback_func=
-
-; When floats & doubles are serialized store serialize_precision significant
-; digits after the floating point. The default value ensures that when floats
-; are decoded with unserialize, the data will remain the same.
-serialize_precision = 100
-
-; Whether to enable the ability to force arguments to be passed by reference
-; at function call time. This method is deprecated and is likely to be
-; unsupported in future versions of PHP/Zend. The encouraged method of
-; specifying which arguments should be passed by reference is in the function
-; declaration. You're encouraged to try and turn this option Off and make
-; sure your scripts work properly with it in order to ensure they will work
-; with future versions of the language (you will receive a warning each time
-; you use this feature, and the argument will be passed by value instead of by
-; reference).
-allow_call_time_pass_reference = On
-
-;
-; Safe Mode
-;
-safe_mode = Off
-
-; By default, Safe Mode does a UID compare check when
-; opening files. If you want to relax this to a GID compare,
-; then turn on safe_mode_gid.
-safe_mode_gid = Off
-
-; When safe_mode is on, UID/GID checks are bypassed when
-; including files from this directory and its subdirectories.
-; (directory must also be in include_path or full path must
-; be used when including)
-safe_mode_include_dir =
-
-; When safe_mode is on, only executables located in the safe_mode_exec_dir
-; will be allowed to be executed via the exec family of functions.
-safe_mode_exec_dir =
-
-; Setting certain environment variables may be a potential security breach.
-; This directive contains a comma-delimited list of prefixes. In Safe Mode,
-; the user may only alter environment variables whose names begin with the
-; prefixes supplied here. By default, users will only be able to set
-; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
-;
-; Note: If this directive is empty, PHP will let the user modify ANY
-; environment variable!
-safe_mode_allowed_env_vars = PHP_
-
-; This directive contains a comma-delimited list of environment variables that
-; the end user won't be able to change using putenv(). These variables will be
-; protected even if safe_mode_allowed_env_vars is set to allow to change them.
-safe_mode_protected_env_vars = LD_LIBRARY_PATH
-
-; open_basedir, if set, limits all file operations to the defined directory
-; and below. This directive makes most sense if used in a per-directory
-; or per-virtualhost web server configuration file. This directive is
-; *NOT* affected by whether Safe Mode is turned On or Off.
-;open_basedir =
-
-; This directive allows you to disable certain functions for security reasons.
-; It receives a comma-delimited list of function names. This directive is
-; *NOT* affected by whether Safe Mode is turned On or Off.
-disable_functions =
-
-; This directive allows you to disable certain classes for security reasons.
-; It receives a comma-delimited list of class names. This directive is
-; *NOT* affected by whether Safe Mode is turned On or Off.
-disable_classes =
-
-; Colors for Syntax Highlighting mode. Anything that's acceptable in
-; <span style="color: ???????"> would work.
-;highlight.string = #DD0000
-;highlight.comment = #FF9900
-;highlight.keyword = #007700
-;highlight.bg = #FFFFFF
-;highlight.default = #0000BB
-;highlight.html = #000000
-
-; If enabled, the request will be allowed to complete even if the user aborts
-; the request. Consider enabling it if executing long request, which may end up
-; being interrupted by the user or a browser timing out.
-; ignore_user_abort = On
-
-; Determines the size of the realpath cache to be used by PHP. This value should
-; be increased on systems where PHP opens many files to reflect the quantity of
-; the file operations performed.
-; realpath_cache_size=16k
-
-; Duration of time, in seconds for which to cache realpath information for a given
-; file or directory. For systems with rarely changing files, consider increasing this
-; value.
-; realpath_cache_ttl=120
-
-;
-; Misc
-;
-; Decides whether PHP may expose the fact that it is installed on the server
-; (e.g. by adding its signature to the Web server header). It is no security
-; threat in any way, but it makes it possible to determine whether you use PHP
-; on your server or not.
-expose_php = On
-
-
-;;;;;;;;;;;;;;;;;;;
-; Resource Limits ;
-;;;;;;;;;;;;;;;;;;;
-
-max_execution_time = 30 ; Maximum execution time of each script, in seconds
-max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
-;max_input_nesting_level = 64 ; Maximum input variable nesting level
-memory_limit = 128M ; Maximum amount of memory a script may consume (128MB)
-
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-; Error handling and logging ;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-; error_reporting is a bit-field. Or each number up to get desired error
-; reporting level
-; E_ALL - All errors and warnings (doesn't include E_STRICT)
-; E_ERROR - fatal run-time errors
-; E_RECOVERABLE_ERROR - almost fatal run-time errors
-; E_WARNING - run-time warnings (non-fatal errors)
-; E_PARSE - compile-time parse errors
-; E_NOTICE - run-time notices (these are warnings which often result
-; from a bug in your code, but it's possible that it was
-; intentional (e.g., using an uninitialized variable and
-; relying on the fact it's automatically initialized to an
-; empty string)
-; E_STRICT - run-time notices, enable to have PHP suggest changes
-; to your code which will ensure the best interoperability
-; and forward compatibility of your code
-; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
-; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
-; initial startup
-; E_COMPILE_ERROR - fatal compile-time errors
-; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
-; E_USER_ERROR - user-generated error message
-; E_USER_WARNING - user-generated warning message
-; E_USER_NOTICE - user-generated notice message
-;
-; Examples:
-;
-; - Show all errors, except for notices and coding standards warnings
-;
-;error_reporting = E_ALL & ~E_NOTICE
-;
-; - Show all errors, except for notices
-;
-;error_reporting = E_ALL & ~E_NOTICE | E_STRICT
-;
-; - Show only errors
-;
-;error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
-;
-; - Show all errors except for notices and coding standards warnings
-;
-error_reporting = E_ALL & ~E_NOTICE
-
-; Print out errors (as a part of the output). For production web sites,
-; you're strongly encouraged to turn this feature off, and use error logging
-; instead (see below). Keeping display_errors enabled on a production web site
-; may reveal security information to end users, such as file paths on your Web
-; server, your database schema or other information.
-;
-; possible values for display_errors:
-;
-; Off - Do not display any errors
-; stderr - Display errors to STDERR (affects only CGI/CLI binaries!)
-;
-;display_errors = "stderr"
-;
-; stdout (On) - Display errors to STDOUT
-;
-display_errors = On
-
-; Even when display_errors is on, errors that occur during PHP's startup
-; sequence are not displayed. It's strongly recommended to keep
-; display_startup_errors off, except for when debugging.
-display_startup_errors = Off
-
-; Log errors into a log file (server-specific log, stderr, or error_log (below))
-; As stated above, you're strongly advised to use error logging in place of
-; error displaying on production web sites.
-log_errors = Off
-
-; Set maximum length of log_errors. In error_log information about the source is
-; added. The default is 1024 and 0 allows to not apply any maximum length at all.
-log_errors_max_len = 1024
-
-; Do not log repeated messages. Repeated errors must occur in same file on same
-; line until ignore_repeated_source is set true.
-ignore_repeated_errors = Off
-
-; Ignore source of message when ignoring repeated messages. When this setting
-; is On you will not log errors with repeated messages from different files or
-; source lines.
-ignore_repeated_source = Off
-
-; If this parameter is set to Off, then memory leaks will not be shown (on
-; stdout or in the log). This has only effect in a debug compile, and if
-; error reporting includes E_WARNING in the allowed list
-report_memleaks = On
-
-;report_zend_debug = 0
-
-; Store the last error/warning message in $php_errormsg (boolean).
-track_errors = Off
-
-; Disable the inclusion of HTML tags in error messages.
-; Note: Never use this feature for production boxes.
-;html_errors = Off
-
-; If html_errors is set On PHP produces clickable error messages that direct
-; to a page describing the error or function causing the error in detail.
-; You can download a copy of the PHP manual from http://www.php.net/docs.php
-; and change docref_root to the base URL of your local copy including the
-; leading '/'. You must also specify the file extension being used including
-; the dot.
-; Note: Never use this feature for production boxes.
-;docref_root = "/phpmanual/"
-;docref_ext = .html
-
-; String to output before an error message.
-;error_prepend_string = "<font color=ff0000>"
-
-; String to output after an error message.
-;error_append_string = "</font>"
-
-; Log errors to specified file.
-;error_log = filename
-
-; Log errors to syslog (Event Log on NT, not valid in Windows 95).
-;error_log = syslog
-
-
-;;;;;;;;;;;;;;;;;
-; Data Handling ;
-;;;;;;;;;;;;;;;;;
-;
-; Note - track_vars is ALWAYS enabled as of PHP 4.0.3
-
-; The separator used in PHP generated URLs to separate arguments.
-; Default is "&".
-;arg_separator.output = "&amp;"
-
-; List of separator(s) used by PHP to parse input URLs into variables.
-; Default is "&".
-; NOTE: Every character in this directive is considered as separator!
-;arg_separator.input = ";&"
-
-; This directive describes the order in which PHP registers GET, POST, Cookie,
-; Environment and Built-in variables (G, P, C, E & S respectively, often
-; referred to as EGPCS or GPC). Registration is done from left to right, newer
-; values override older values.
-variables_order = "EGPCS"
-
-; Whether or not to register the EGPCS variables as global variables. You may
-; want to turn this off if you don't want to clutter your scripts' global scope
-; with user data. This makes most sense when coupled with track_vars - in which
-; case you can access all of the GPC variables through the $HTTP_*_VARS[],
-; variables.
-;
-; You should do your best to write your scripts so that they do not require
-; register_globals to be on; Using form variables as globals can easily lead
-; to possible security problems, if the code is not very well thought of.
-register_globals = Off
-
-; Whether or not to register the old-style input arrays, HTTP_GET_VARS
-; and friends. If you're not using them, it's recommended to turn them off,
-; for performance reasons.
-register_long_arrays = On
-
-; This directive tells PHP whether to declare the argv&argc variables (that
-; would contain the GET information). If you don't use these variables, you
-; should turn it off for increased performance.
-register_argc_argv = On
-
-; When enabled, the SERVER and ENV variables are created when they're first
-; used (Just In Time) instead of when the script starts. If these variables
-; are not used within a script, having this directive on will result in a
-; performance gain. The PHP directives register_globals, register_long_arrays,
-; and register_argc_argv must be disabled for this directive to have any affect.
-auto_globals_jit = On
-
-; Maximum size of POST data that PHP will accept.
-post_max_size = 8M
-
-; Magic quotes
-;
-
-; Magic quotes for incoming GET/POST/Cookie data.
-magic_quotes_gpc = On
-
-; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
-magic_quotes_runtime = Off
-
-; Use Sybase-style magic quotes (escape ' with '' instead of \').
-magic_quotes_sybase = Off
-
-; Automatically add files before or after any PHP document.
-auto_prepend_file =
-auto_append_file =
-
-; As of 4.0b4, PHP always outputs a character encoding by default in
-; the Content-type: header. To disable sending of the charset, simply
-; set it to be empty.
-;
-; PHP's built-in default is text/html
-default_mimetype = "text/html"
-;default_charset = "iso-8859-1"
-
-; Always populate the $HTTP_RAW_POST_DATA variable.
-;always_populate_raw_post_data = On
-
-
-;;;;;;;;;;;;;;;;;;;;;;;;;
-; Paths and Directories ;
-;;;;;;;;;;;;;;;;;;;;;;;;;
-
-; UNIX: "/path1:/path2"
-include_path = ".:/usr/share/php5:/usr/share/php"
-;
-; Windows: "\path1;\path2"
-;include_path = ".;c:\php\includes"
-
-; The root of the PHP pages, used only if nonempty.
-; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
-; if you are running php as a CGI under any web server (other than IIS)
-; see documentation for security issues. The alternate is to use the
-; cgi.force_redirect configuration below
-doc_root =
-
-; The directory under which PHP opens the script using /~username used only
-; if nonempty.
-user_dir =
-
-; Directory in which the loadable extensions (modules) reside.
-extension_dir = /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20060613
-
-; Whether or not to enable the dl() function. The dl() function does NOT work
-; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-; disabled on them.
-enable_dl = On
-
-; cgi.force_redirect is necessary to provide security running PHP as a CGI under
-; most web servers. Left undefined, PHP turns this on by default. You can
-; turn it off here AT YOUR OWN RISK
-; **You CAN safely turn this off for IIS, in fact, you MUST.**
-; cgi.force_redirect = 1
-
-; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
-; every request.
-; cgi.nph = 1
-
-; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
-; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
-; will look for to know it is OK to continue execution. Setting this variable MAY
-; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
-; cgi.redirect_status_env = ;
-
-; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
-; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
-; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
-; this to 1 will cause PHP CGI to fix it's paths to conform to the spec. A setting
-; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
-; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
-; cgi.fix_pathinfo=0
-
-; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
-; security tokens of the calling client. This allows IIS to define the
-; security context that the request runs under. mod_fastcgi under Apache
-; does not currently support this feature (03/17/2002)
-; Set to 1 if running under IIS. Default is zero.
-; fastcgi.impersonate = 1;
-
-; Disable logging through FastCGI connection
-; fastcgi.logging = 0
-
-; cgi.rfc2616_headers configuration option tells PHP what type of headers to
-; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
-; is supported by Apache. When this option is set to 1 PHP will send
-; RFC2616 compliant header.
-; Default is zero.
-;cgi.rfc2616_headers = 0
-
-
-;;;;;;;;;;;;;;;;
-; File Uploads ;
-;;;;;;;;;;;;;;;;
-
-; Whether to allow HTTP file uploads.
-file_uploads = On
-
-; Temporary directory for HTTP uploaded files (will use system default if not
-; specified).
-;upload_tmp_dir =
-
-; Maximum allowed size for uploaded files.
-upload_max_filesize = 2M
-
-
-;;;;;;;;;;;;;;;;;;
-; Fopen wrappers ;
-;;;;;;;;;;;;;;;;;;
-
-; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
-allow_url_fopen = Off
-
-; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
-allow_url_include = Off
-
-; Define the anonymous ftp password (your email address)
-;from="john@doe.com"
-
-; Define the User-Agent string
-; user_agent="PHP"
-
-; Default timeout for socket based streams (seconds)
-default_socket_timeout = 60
-
-; If your scripts have to deal with files from Macintosh systems,
-; or you are running on a Mac and need to deal with files from
-; unix or win32 systems, setting this flag will cause PHP to
-; automatically detect the EOL character in those files so that
-; fgets() and file() will work regardless of the source of the file.
-; auto_detect_line_endings = Off
-
-
-;;;;;;;;;;;;;;;;;;;;;;
-; Dynamic Extensions ;
-;;;;;;;;;;;;;;;;;;;;;;
-;
-; If you wish to have an extension loaded automatically, use the following
-; syntax:
-;
-; extension=modulename.extension
-;
-; For example, on Windows:
-;
-; extension=msql.dll
-;
-; ... or under UNIX:
-;
-; extension=msql.so
-;
-; Note that it should be the name of the module only; no directory information
-; needs to go here. Specify the location of the extension with the
-; extension_dir directive above.
-
-
-; Windows Extensions
-; Note that ODBC support is built in, so no dll is needed for it.
-; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
-; extension folders as well as the separate PECL DLL download (PHP 5).
-; Be sure to appropriately set the extension_dir directive.
-
-;extension=php_bz2.dll
-;extension=php_curl.dll
-;extension=php_dba.dll
-;extension=php_dbase.dll
-;extension=php_exif.dll
-;extension=php_fdf.dll
-;extension=php_gd2.dll
-;extension=php_gettext.dll
-;extension=php_gmp.dll
-;extension=php_ifx.dll
-;extension=php_imap.dll
-;extension=php_interbase.dll
-;extension=php_ldap.dll
-;extension=php_mbstring.dll
-;extension=php_mcrypt.dll
-;extension=php_mhash.dll
-;extension=php_mime_magic.dll
-;extension=php_ming.dll
-;extension=php_msql.dll
-;extension=php_mssql.dll
-;extension=php_mysql.dll
-;extension=php_mysqli.dll
-;extension=php_oci8.dll
-;extension=php_openssl.dll
-;extension=php_pdo.dll
-;extension=php_pdo_firebird.dll
-;extension=php_pdo_mssql.dll
-;extension=php_pdo_mysql.dll
-;extension=php_pdo_oci.dll
-;extension=php_pdo_oci8.dll
-;extension=php_pdo_odbc.dll
-;extension=php_pdo_pgsql.dll
-;extension=php_pdo_sqlite.dll
-;extension=php_pgsql.dll
-;extension=php_pspell.dll
-;extension=php_shmop.dll
-;extension=php_snmp.dll
-;extension=php_soap.dll
-;extension=php_sockets.dll
-;extension=php_sqlite.dll
-;extension=php_sybase_ct.dll
-;extension=php_tidy.dll
-;extension=php_xmlrpc.dll
-;extension=php_xsl.dll
-;extension=php_zip.dll
-
-;;;;;;;;;;;;;;;;;;;
-; Module Settings ;
-;;;;;;;;;;;;;;;;;;;
-
-[Date]
-; Defines the default timezone used by the date functions
-;date.timezone =
-
-;date.default_latitude = 31.7667
-;date.default_longitude = 35.2333
-
-;date.sunrise_zenith = 90.583333
-;date.sunset_zenith = 90.583333
-
-[filter]
-;filter.default = unsafe_raw
-;filter.default_flags =
-
-[iconv]
-;iconv.input_encoding = ISO-8859-1
-;iconv.internal_encoding = ISO-8859-1
-;iconv.output_encoding = ISO-8859-1
-
-[sqlite]
-;sqlite.assoc_case = 0
-
-[xmlrpc]
-;xmlrpc_error_number = 0
-;xmlrpc_errors = 0
-
-[Pcre]
-;PCRE library backtracking limit.
-;pcre.backtrack_limit=100000
-
-;PCRE library recursion limit.
-;Please note that if you set this value to a high number you may consume all
-;the available process stack and eventually crash PHP (due to reaching the
-;stack size limit imposed by the Operating System).
-;pcre.recursion_limit=100000
-
-[Syslog]
-; Whether or not to define the various syslog variables (e.g. $LOG_PID,
-; $LOG_CRON, etc.). Turning it off is a good idea performance-wise. In
-; runtime, you can define these variables by calling define_syslog_variables().
-define_syslog_variables = Off
-
-[mail function]
-; For Win32 only.
-SMTP = localhost
-smtp_port = 25
-
-; For Win32 only.
-;sendmail_from = me@example.com
-
-; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
-;sendmail_path =
-
-; Force the addition of the specified parameters to be passed as extra parameters
-; to the sendmail binary. These parameters will always replace the value of
-; the 5th parameter to mail(), even in safe mode.
-;mail.force_extra_parameters =
-
-[SQL]
-sql.safe_mode = Off
-
-[ODBC]
-;odbc.default_db = Not yet implemented
-;odbc.default_user = Not yet implemented
-;odbc.default_pw = Not yet implemented
-
-; Allow or prevent persistent links.
-odbc.allow_persistent = On
-
-; Check that a connection is still valid before reuse.
-odbc.check_persistent = On
-
-; Maximum number of persistent links. -1 means no limit.
-odbc.max_persistent = -1
-
-; Maximum number of links (persistent + non-persistent). -1 means no limit.
-odbc.max_links = -1
-
-; Handling of LONG fields. Returns number of bytes to variables. 0 means
-; passthru.
-odbc.defaultlrl = 4096
-
-; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
-; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
-; of uodbc.defaultlrl and uodbc.defaultbinmode
-odbc.defaultbinmode = 1
-
-[MySQL]
-; Allow or prevent persistent links.
-mysql.allow_persistent = On
-
-; Maximum number of persistent links. -1 means no limit.
-mysql.max_persistent = -1
-
-; Maximum number of links (persistent + non-persistent). -1 means no limit.
-mysql.max_links = -1
-
-; Default port number for mysql_connect(). If unset, mysql_connect() will use
-; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
-; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
-; at MYSQL_PORT.
-mysql.default_port =
-
-; Default socket name for local MySQL connects. If empty, uses the built-in
-; MySQL defaults.
-mysql.default_socket =
-
-; Default host for mysql_connect() (doesn't apply in safe mode).
-mysql.default_host =
-
-; Default user for mysql_connect() (doesn't apply in safe mode).
-mysql.default_user =
-
-; Default password for mysql_connect() (doesn't apply in safe mode).
-; Note that this is generally a *bad* idea to store passwords in this file.
-; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")
-; and reveal this password! And of course, any users with read access to this
-; file will be able to reveal the password as well.
-mysql.default_password =
-
-; Maximum time (in seconds) for connect timeout. -1 means no limit
-mysql.connect_timeout = 60
-
-; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
-; SQL-Errors will be displayed.
-mysql.trace_mode = Off
-
-[MySQLi]
-
-; Maximum number of links. -1 means no limit.
-mysqli.max_links = -1
-
-; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
-; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
-; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
-; at MYSQL_PORT.
-mysqli.default_port = 3306
-
-; Default socket name for local MySQL connects. If empty, uses the built-in
-; MySQL defaults.
-mysqli.default_socket =
-
-; Default host for mysql_connect() (doesn't apply in safe mode).
-mysqli.default_host =
-
-; Default user for mysql_connect() (doesn't apply in safe mode).
-mysqli.default_user =
-
-; Default password for mysqli_connect() (doesn't apply in safe mode).
-; Note that this is generally a *bad* idea to store passwords in this file.
-; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
-; and reveal this password! And of course, any users with read access to this
-; file will be able to reveal the password as well.
-mysqli.default_pw =
-
-; Allow or prevent reconnect
-mysqli.reconnect = Off
-
-[mSQL]
-; Allow or prevent persistent links.
-msql.allow_persistent = On
-
-; Maximum number of persistent links. -1 means no limit.
-msql.max_persistent = -1
-
-; Maximum number of links (persistent+non persistent). -1 means no limit.
-msql.max_links = -1
-
-[OCI8]
-; enables privileged connections using external credentials (OCI_SYSOPER, OCI_SYSDBA)
-;oci8.privileged_connect = Off
-
-; Connection: The maximum number of persistent OCI8 connections per
-; process. Using -1 means no limit.
-;oci8.max_persistent = -1
-
-; Connection: The maximum number of seconds a process is allowed to
-; maintain an idle persistent connection. Using -1 means idle
-; persistent connections will be maintained forever.
-;oci8.persistent_timeout = -1
-
-; Connection: The number of seconds that must pass before issuing a
-; ping during oci_pconnect() to check the connection validity. When
-; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
-; pings completely.
-;oci8.ping_interval = 60
-
-; Tuning: This option enables statement caching, and specifies how
-; many statements to cache. Using 0 disables statement caching.
-;oci8.statement_cache_size = 20
-
-; Tuning: Enables statement prefetching and sets the default number of
-; rows that will be fetched automatically after statement execution.
-;oci8.default_prefetch = 10
-
-; Compatibility. Using On means oci_close() will not close
-; oci_connect() and oci_new_connect() connections.
-;oci8.old_oci_close_semantics = Off
-
-[PostgresSQL]
-; Allow or prevent persistent links.
-pgsql.allow_persistent = On
-
-; Detect broken persistent links always with pg_pconnect().
-; Auto reset feature requires a little overheads.
-pgsql.auto_reset_persistent = Off
-
-; Maximum number of persistent links. -1 means no limit.
-pgsql.max_persistent = -1
-
-; Maximum number of links (persistent+non persistent). -1 means no limit.
-pgsql.max_links = -1
-
-; Ignore PostgreSQL backends Notice message or not.
-; Notice message logging require a little overheads.
-pgsql.ignore_notice = 0
-
-; Log PostgreSQL backends Noitce message or not.
-; Unless pgsql.ignore_notice=0, module cannot log notice message.
-pgsql.log_notice = 0
-
-[Sybase]
-; Allow or prevent persistent links.
-sybase.allow_persistent = On
-
-; Maximum number of persistent links. -1 means no limit.
-sybase.max_persistent = -1
-
-; Maximum number of links (persistent + non-persistent). -1 means no limit.
-sybase.max_links = -1
-
-;sybase.interface_file = "/usr/sybase/interfaces"
-
-; Minimum error severity to display.
-sybase.min_error_severity = 10
-
-; Minimum message severity to display.
-sybase.min_message_severity = 10
-
-; Compatibility mode with old versions of PHP 3.0.
-; If on, this will cause PHP to automatically assign types to results according
-; to their Sybase type, instead of treating them all as strings. This
-; compatibility mode will probably not stay around forever, so try applying
-; whatever necessary changes to your code, and turn it off.
-sybase.compatability_mode = Off
-
-[Sybase-CT]
-; Allow or prevent persistent links.
-sybct.allow_persistent = On
-
-; Maximum number of persistent links. -1 means no limit.
-sybct.max_persistent = -1
-
-; Maximum number of links (persistent + non-persistent). -1 means no limit.
-sybct.max_links = -1
-
-; Minimum server message severity to display.
-sybct.min_server_severity = 10
-
-; Minimum client message severity to display.
-sybct.min_client_severity = 10
-
-[bcmath]
-; Number of decimal digits for all bcmath functions.
-bcmath.scale = 0
-
-[browscap]
-;browscap = extra/browscap.ini
-
-[Informix]
-; Default host for ifx_connect() (doesn't apply in safe mode).
-ifx.default_host =
-
-; Default user for ifx_connect() (doesn't apply in safe mode).
-ifx.default_user =
-
-; Default password for ifx_connect() (doesn't apply in safe mode).
-ifx.default_password =
-
-; Allow or prevent persistent links.
-ifx.allow_persistent = On
-
-; Maximum number of persistent links. -1 means no limit.
-ifx.max_persistent = -1
-
-; Maximum number of links (persistent + non-persistent). -1 means no limit.
-ifx.max_links = -1
-
-; If on, select statements return the contents of a text blob instead of its id.
-ifx.textasvarchar = 0
-
-; If on, select statements return the contents of a byte blob instead of its id.
-ifx.byteasvarchar = 0
-
-; Trailing blanks are stripped from fixed-length char columns. May help the
-; life of Informix SE users.
-ifx.charasvarchar = 0
-
-; If on, the contents of text and byte blobs are dumped to a file instead of
-; keeping them in memory.
-ifx.blobinfile = 0
-
-; NULL's are returned as empty strings, unless this is set to 1. In that case,
-; NULL's are returned as string 'NULL'.
-ifx.nullformat = 0
-
-[Session]
-; Handler used to store/retrieve data.
-session.save_handler = files
-
-; Argument passed to save_handler. In the case of files, this is the path
-; where data files are stored. Note: Windows users have to change this
-; variable in order to use PHP's session functions.
-;
-; As of PHP 4.0.1, you can define the path as:
-;
-; session.save_path = "N;/path"
-;
-; where N is an integer. Instead of storing all the session files in
-; /path, what this will do is use subdirectories N-levels deep, and
-; store the session data in those directories. This is useful if you
-; or your OS have problems with lots of files in one directory, and is
-; a more efficient layout for servers that handle lots of sessions.
-;
-; NOTE 1: PHP will not create this directory structure automatically.
-; You can use the script in the ext/session dir for that purpose.
-; NOTE 2: See the section on garbage collection below if you choose to
-; use subdirectories for session storage
-;
-; The file storage module creates files using mode 600 by default.
-; You can change that by using
-;
-; session.save_path = "N;MODE;/path"
-;
-; where MODE is the octal representation of the mode. Note that this
-; does not overwrite the process's umask.
-;session.save_path = "/tmp"
-
-; Whether to use cookies.
-session.use_cookies = 1
-
-;session.cookie_secure =
-
-; This option enables administrators to make their users invulnerable to
-; attacks which involve passing session ids in URLs; defaults to 0.
-; session.use_only_cookies = 1
-
-; Name of the session (used as cookie name).
-session.name = PHPSESSID
-
-; Initialize session on request startup.
-session.auto_start = 0
-
-; Lifetime in seconds of cookie or, if 0, until browser is restarted.
-session.cookie_lifetime = 0
-
-; The path for which the cookie is valid.
-session.cookie_path = /
-
-; The domain for which the cookie is valid.
-session.cookie_domain =
-
-; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
-session.cookie_httponly =
-
-; Handler used to serialize data. php is the standard serializer of PHP.
-session.serialize_handler = php
-
-; Define the probability that the 'garbage collection' process is started
-; on every session initialization.
-; The probability is calculated by using gc_probability/gc_divisor,
-; e.g. 1/100 means there is a 1% chance that the GC process starts
-; on each request.
-
-session.gc_probability = 1
-session.gc_divisor = 100
-
-; After this number of seconds, stored data will be seen as 'garbage' and
-; cleaned up by the garbage collection process.
-session.gc_maxlifetime = 1440
-
-; NOTE: If you are using the subdirectory option for storing session files
-; (see session.save_path above), then garbage collection does *not*
-; happen automatically. You will need to do your own garbage
-; collection through a shell script, cron entry, or some other method.
-; For example, the following script would is the equivalent of
-; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
-; cd /path/to/sessions; find -cmin +24 | xargs rm
-
-; PHP 4.2 and less have an undocumented feature/bug that allows you to
-; to initialize a session variable in the global scope, albeit register_globals
-; is disabled. PHP 4.3 and later will warn you, if this feature is used.
-; You can disable the feature and the warning separately. At this time,
-; the warning is only displayed, if bug_compat_42 is enabled.
-
-session.bug_compat_42 = 1
-session.bug_compat_warn = 1
-
-; Check HTTP Referer to invalidate externally stored URLs containing ids.
-; HTTP_REFERER has to contain this substring for the session to be
-; considered as valid.
-session.referer_check =
-
-; How many bytes to read from the file.
-session.entropy_length = 0
-
-; Specified here to create the session id.
-session.entropy_file =
-
-;session.entropy_length = 16
-
-;session.entropy_file = /dev/urandom
-
-; Set to {nocache,private,public,} to determine HTTP caching aspects
-; or leave this empty to avoid sending anti-caching headers.
-session.cache_limiter = nocache
-
-; Document expires after n minutes.
-session.cache_expire = 180
-
-; trans sid support is disabled by default.
-; Use of trans sid may risk your users security.
-; Use this option with caution.
-; - User may send URL contains active session ID
-; to other person via. email/irc/etc.
-; - URL that contains active session ID may be stored
-; in publically accessible computer.
-; - User may access your site with the same session ID
-; always using URL stored in browser's history or bookmarks.
-session.use_trans_sid = 0
-
-; Select a hash function
-; 0: MD5 (128 bits)
-; 1: SHA-1 (160 bits)
-session.hash_function = 0
-
-; Define how many bits are stored in each character when converting
-; the binary hash data to something readable.
-;
-; 4 bits: 0-9, a-f
-; 5 bits: 0-9, a-v
-; 6 bits: 0-9, a-z, A-Z, "-", ","
-session.hash_bits_per_character = 4
-
-; The URL rewriter will look for URLs in a defined set of HTML tags.
-; form/fieldset are special; if you include them here, the rewriter will
-; add a hidden <input> field with the info which is otherwise appended
-; to URLs. If you want XHTML conformity, remove the form entry.
-; Note that all valid entries require a "=", even if no value follows.
-url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
-
-[MSSQL]
-; Allow or prevent persistent links.
-mssql.allow_persistent = On
-
-; Maximum number of persistent links. -1 means no limit.
-mssql.max_persistent = -1
-
-; Maximum number of links (persistent+non persistent). -1 means no limit.
-mssql.max_links = -1
-
-; Minimum error severity to display.
-mssql.min_error_severity = 10
-
-; Minimum message severity to display.
-mssql.min_message_severity = 10
-
-; Compatibility mode with old versions of PHP 3.0.
-mssql.compatability_mode = Off
-
-; Connect timeout
-;mssql.connect_timeout = 5
-
-; Query timeout
-;mssql.timeout = 60
-
-; Valid range 0 - 2147483647. Default = 4096.
-;mssql.textlimit = 4096
-
-; Valid range 0 - 2147483647. Default = 4096.
-;mssql.textsize = 4096
-
-; Limits the number of records in each batch. 0 = all records in one batch.
-;mssql.batchsize = 0
-
-; Specify how datetime and datetim4 columns are returned
-; On => Returns data converted to SQL server settings
-; Off => Returns values as YYYY-MM-DD hh:mm:ss
-;mssql.datetimeconvert = On
-
-; Use NT authentication when connecting to the server
-mssql.secure_connection = Off
-
-; Specify max number of processes. -1 = library default
-; msdlib defaults to 25
-; FreeTDS defaults to 4096
-;mssql.max_procs = -1
-
-; Specify client character set.
-; If empty or not set the client charset from freetds.comf is used
-; This is only used when compiled with FreeTDS
-;mssql.charset = "ISO-8859-1"
-
-[Assertion]
-; Assert(expr); active by default.
-;assert.active = On
-
-; Issue a PHP warning for each failed assertion.
-;assert.warning = On
-
-; Don't bail out by default.
-;assert.bail = Off
-
-; User-function to be called if an assertion fails.
-;assert.callback = 0
-
-; Eval the expression with current error_reporting(). Set to true if you want
-; error_reporting(0) around the eval().
-;assert.quiet_eval = 0
-
-[COM]
-; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
-;com.typelib_file =
-; allow Distributed-COM calls
-;com.allow_dcom = true
-; autoregister constants of a components typlib on com_load()
-;com.autoregister_typelib = true
-; register constants casesensitive
-;com.autoregister_casesensitive = false
-; show warnings on duplicate constant registrations
-;com.autoregister_verbose = true
-
-[mbstring]
-; language for internal character representation.
-;mbstring.language = Japanese
-
-; internal/script encoding.
-; Some encoding cannot work as internal encoding.
-; (e.g. SJIS, BIG5, ISO-2022-*)
-;mbstring.internal_encoding = EUC-JP
-
-; http input encoding.
-;mbstring.http_input = auto
-
-; http output encoding. mb_output_handler must be
-; registered as output buffer to function
-;mbstring.http_output = SJIS
-
-; enable automatic encoding translation according to
-; mbstring.internal_encoding setting. Input chars are
-; converted to internal encoding by setting this to On.
-; Note: Do _not_ use automatic encoding translation for
-; portable libs/applications.
-;mbstring.encoding_translation = Off
-
-; automatic encoding detection order.
-; auto means
-;mbstring.detect_order = auto
-
-; substitute_character used when character cannot be converted
-; one from another
-;mbstring.substitute_character = none;
-
-; overload(replace) single byte functions by mbstring functions.
-; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
-; etc. Possible values are 0,1,2,4 or combination of them.
-; For example, 7 for overload everything.
-; 0: No overload
-; 1: Overload mail() function
-; 2: Overload str*() functions
-; 4: Overload ereg*() functions
-;mbstring.func_overload = 0
-
-[FrontBase]
-;fbsql.allow_persistent = On
-;fbsql.autocommit = On
-;fbsql.show_timestamp_decimals = Off
-;fbsql.default_database =
-;fbsql.default_database_password =
-;fbsql.default_host =
-;fbsql.default_password =
-;fbsql.default_user = "_SYSTEM"
-;fbsql.generate_warnings = Off
-;fbsql.max_connections = 128
-;fbsql.max_links = 128
-;fbsql.max_persistent = -1
-;fbsql.max_results = 128
-
-[gd]
-; Tell the jpeg decode to libjpeg warnings and try to create
-; a gd image. The warning will then be displayed as notices
-; disabled by default
-;gd.jpeg_ignore_warning = 0
-
-[exif]
-; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
-; With mbstring support this will automatically be converted into the encoding
-; given by corresponding encode setting. When empty mbstring.internal_encoding
-; is used. For the decode settings you can distinguish between motorola and
-; intel byte order. A decode setting cannot be empty.
-;exif.encode_unicode = ISO-8859-15
-;exif.decode_unicode_motorola = UCS-2BE
-;exif.decode_unicode_intel = UCS-2LE
-;exif.encode_jis =
-;exif.decode_jis_motorola = JIS
-;exif.decode_jis_intel = JIS
-
-[Tidy]
-; The path to a default tidy configuration file to use when using tidy
-;tidy.default_config = /usr/local/lib/php/default.tcfg
-
-; Should tidy clean and repair output automatically?
-; WARNING: Do not use this option if you are generating non-html content
-; such as dynamic images
-tidy.clean_output = Off
-
-[soap]
-; Enables or disables WSDL caching feature.
-soap.wsdl_cache_enabled=1
-; Sets the directory name where SOAP extension will put cache files.
-soap.wsdl_cache_dir="/tmp"
-; (time to live) Sets the number of second while cached file will be used
-; instead of original one.
-soap.wsdl_cache_ttl=86400
-
-; Local Variables:
-; tab-width: 4
-; End:
-
-; MySQL extensions default connection charset settings
-;mysql.connect_charset = utf8
-;mysqli.connect_charset = utf8
-;pdo_mysql.connect_charset = utf8