From 321ff4c05a4f50f4ec188eb49ea3ac9b38f4df74 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 21 Mar 2008 15:02:18 +0000
Subject: added mod_security-class, and a placeholder for mod_extract_forwarded_for
---
 files/mod_security/custom_rules/blacklist2.conf | 583 ++++++++++++++++++++++++
 1 file changed, 583 insertions(+)
 create mode 100644 files/mod_security/custom_rules/blacklist2.conf
(limited to 'files/mod_security/custom_rules/blacklist2.conf')
diff --git a/files/mod_security/custom_rules/blacklist2.conf b/files/mod_security/custom_rules/blacklist2.conf
new file mode 100644
index 0000000..e44e462
--- /dev/null
+++ b/files/mod_security/custom_rules/blacklist2.conf
@@ -0,0 +1,583 @@
+# http://www.gotroot.com/mod_security+rules
+# Gotroot.com ModSecurity rules
+# Blacklist of rootkit sites, owned machines and other bad players for modsec 2.x
+#
+# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/blacklist2.conf
+#
+# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
+# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
+# Redistribution is strictly prohibited in any form, including whole or in part.
+#
+# modsecurity is a trademark of Thinking Stone, Ltd.
+#
+# Version: N-20061022-01
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+# THE POSSIBILITY OF SUCH DAMAGE.
+
+
+SecRule REQUEST_URI|ARGS "\.frauenfinanzzentrum\.at"
+SecRule REQUEST_URI|ARGS "von-der-igelhoehe\.de"
+SecRule REQUEST_URI|ARGS "danger-soft\.com"
+SecRule REQUEST_URI|ARGS "(\.|/)altunerhost\.com"
+SecRule REQUEST_URI|ARGS "\.netfast\.org"
+SecRule REQUEST_URI|ARGS "\.redcrew\.de"
+SecRule REQUEST_URI|ARGS "(\.|/)elektroteh\.com/"
+SecRule REQUEST_URI|ARGS "(\.|/)see-my-ip\.info/"
+SecRule REQUEST_URI|ARGS "kanalia\.bimber\.pl"
+SecRule REQUEST_URI|ARGS "(\.|/)flinttalk\.com"
+SecRule REQUEST_URI "https?:.*(\.|/)myspace\.si/"
+SecRule REQUEST_URI|ARGS "uarg\.unpa\.edu\.ar"
+SecRule REQUEST_URI|ARGS "(\.|/)wileyc\.edu/"
+SecRule REQUEST_URI|ARGS "(\.|/)eks-darmstadt\.de"
+SecRule REQUEST_URI|ARGS "(\.|/)flinttalk\.com"
+SecRule REQUEST_URI|ARGS "\.albacrew\.us/"
+SecRule REQUEST_URI|ARGS "\.tebel-gmbh\.de/"
+SecRule REQUEST_URI|ARGS "(/|\.)defensacivil\.gov\.ec/"
+SecRule REQUEST_URI|ARGS "(/|\.)wwop\.org"
+SecRule REQUEST_URI|ARGS "\.kalin\.ru/"
+SecRule REQUEST_URI|ARGS "destructive\.by\.ru/"
+SecRule REQUEST_URI|ARGS "gulfchamber\.org/"
+SecRule REQUEST_URI|ARGS "tckct\.co\.uk"
+SecRule REQUEST_URI|ARGS "crimsonaddict\.com/"
+SecRule REQUEST_URI|ARGS "(\.|/)webstorch\.com"
+SecRule REQUEST_URI|ARGS "/213\.133\.108\.122/"
+SecRule REQUEST_URI|ARGS "freewebtown\.com/"
+SecRule REQUEST_URI|ARGS "(\.|/)tinypath\.com/"
+SecRule REQUEST_URI|ARGS "rve\.cjb\.hu/"
+SecRule REQUEST_URI|ARGS "69\.25\.64\.78"
+SecRule REQUEST_URI|ARGS "(\.|/)xgamers\.com\.tw/"
+SecRule REQUEST_URI|ARGS "(\.|/)balikesir\.edu\.tr/"
+SecRule REQUEST_URI|ARGS "(\.|/)ocprojects\.com/"
+SecRule REQUEST_URI|ARGS "(\.|/)casadejoaodebarro\.com\.br/"
+SecRule REQUEST_URI|ARGS "\.extremus\.info/"
+SecRule REQUEST_URI|ARGS "\.parit\.org/"
+SecRule REQUEST_URI|ARGS "\.awardspace\.com"
+SecRule REQUEST_URI|ARGS "(/|\.)haztek-software\.com"
+SecRule REQUEST_URI|ARGS "(/|\.)geocities\.com/nirkan2k3/"
+SecRule REQUEST_URI|ARGS "(/|\.)libracomm\.co\.uk/"
+SecRule REQUEST_URI|ARGS "(/|\.)kloeckner-web\.de"
+SecRule REQUEST_URI|ARGS "(/|\.)mirckurdu\.net/"
+SecRule REQUEST_URI|ARGS "(/|\.)apk\.pt/"
+SecRule REQUEST_URI|ARGS "(/|\.)asksevda\.net"
+SecRule REQUEST_URI|ARGS "(/|\.)kacaktc\.com"
+SecRule REQUEST_URI|ARGS "(/|\.)3-bius\.com"
+SecRule REQUEST_URI|ARGS "(/|\.)injek-gw\.com"
+SecRule REQUEST_URI|ARGS "(/|\.)brtdata\.com\.br/"
+SecRule REQUEST_URI|ARGS "(/|\.)uaivip\.com\.br/"
+SecRule REQUEST_URI|ARGS "(/|\.)boardtr\.com/"
+SecRule REQUEST_URI|ARGS "(/|\.)radiouniversity\.net/"
+SecRule REQUEST_URI|ARGS "(/|\.)velvet\.jp/"
+SecRule REQUEST_URI|ARGS "(/|\.)loved\.com/"
+SecRule REQUEST_URI|ARGS "(/|\.)kit\.net/"
+SecRule REQUEST_URI|ARGS "(/|\.)warezworld\.cx/"
+SecRule REQUEST_URI|ARGS "(/|\.)void\.ru/"
+SecRule REQUEST_URI|ARGS "(/|\.)itabaiana\.se\.gov\.br"
+SecRule REQUEST_URI|ARGS "(/|\.)ajadp\.net/"
+SecRule REQUEST_URI|ARGS "(/|\.)perian-a\.biz"
+SecRule REQUEST_URI|ARGS "(/|\.)rootshell\.be"
+SecRule REQUEST_URI|ARGS "(/|\.)tododescargas\.com\.ve/"
+SecRule REQUEST_URI|ARGS "(/|\.)caucasus\.net/"
+SecRule REQUEST_URI|ARGS "(/|\.)iespana\.es/"
+SecRule REQUEST_URI|ARGS "(/|\.)the-tronix\.net/"
+SecRule REQUEST_URI|ARGS "(/|\.)classi-find\.net/"
+SecRule REQUEST_URI|ARGS "(/|\.)albanet\.biz\.tc/"
+SecRule REQUEST_URI|ARGS "(/|\.)wendyscountrycloset\.biz/"
+SecRule REQUEST_URI|ARGS "(/|\.)meiemees\.pri\.ee"
+SecRule REQUEST_URI|ARGS "(/|\.)geirinn\.is"
+SecRule REQUEST_URI|ARGS "(/|\.)skullbocks\.org/"
+SecRule REQUEST_URI|ARGS "(/|\.)byethost9\.com/"
+SecRule REQUEST_URI|ARGS "(/|\.)hackermail2010\.ifrance\.com"
+SecRule REQUEST_URI|ARGS "(/|\.)ifrance\.com/hackermail2010"
+SecRule REQUEST_URI|ARGS "(/|\.)paul\.net\.pl/"
+SecRule REQUEST_URI|ARGS "(/|\.)interfree\.it/"
+SecRule REQUEST_URI|ARGS "\.albados\.com"
+SecRule REQUEST_URI|ARGS "\.perqafohu\.com"
+SecRule REQUEST_URI|ARGS "\.cside21\.com/"
+SecRule REQUEST_URI|ARGS "200\.24\.117\.125"
+SecRule REQUEST_URI|ARGS "elitemorgan\.com/"
+SecRule REQUEST_URI|ARGS "\acesso\.t35\.com"
+SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/"
+SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/jefferyladun/"
+SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/junhendra/"
+SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/xpl_gibson/"
+SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/kelvinkappa1/"
+SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/damon_shaft/"
+SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/gettoprince4u/"
+SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/brennanventures/"
+SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/solohackerlinks/"
+SecRule REQUEST_URI|ARGS "(\.|/)albahost\.host\.sk/"
+SecRule REQUEST_URI|ARGS "uarg\.unpa\.edu\.ar/"
+SecRule REQUEST_URI|ARGS "\.manhattanservice\.com"
+SecRule REQUEST_URI|ARGS "\.kurddomain\.net"
+SecRule REQUEST_URI|ARGS "elmorgan\.com\.ar"
+SecRule REQUEST_URI|ARGS "61\.1\.197\.244"
+SecRule REQUEST_URI|ARGS "home\.arcor\.de"
+SecRule REQUEST_URI|ARGS "\.turx\.nl"
+SecRule REQUEST_URI|ARGS "\.members\.lycos\.co\.uk/albacr3w/"
+SecRule REQUEST_URI|ARGS "\.ifrance\.com"
+SecRule REQUEST_URI|ARGS "pivadesign\.com\.br"
+SecRule REQUEST_URI|ARGS "\.pc-phasechange\.it"
+SecRule REQUEST_URI|ARGS "ciberia\.ya\.com"
+SecRule REQUEST_URI|ARGS "\.starhack\.org"
+SecRule REQUEST_URI|ARGS "sweet-serenity\.org"
+SecRule REQUEST_URI|ARGS "\.uol\.com\.br"
+SecRule REQUEST_URI|ARGS "aviozone\.com"
+SecRule REQUEST_URI|ARGS "mptechno\.cz"
+SecRule REQUEST_URI|ARGS "\.piranho\.de"
+SecRule REQUEST_URI|ARGS "\.lilspage\.de"
+SecRule REQUEST_URI|ARGS "209\.136\.48\.69"
+SecRule REQUEST_URI|ARGS "216\.12\.103\.29"
+SecRule REQUEST_URI|ARGS "209\.232\.227\.224"
+SecRule REQUEST_URI|ARGS "200\.72\.130\.29"
+SecRule REQUEST_URI|ARGS "209\.123\.16\.34"
+SecRule REQUEST_URI|ARGS "\.mitchellwhite\.com"
+SecRule REQUEST_URI|ARGS "full-comandos\.com"
+SecRule REQUEST_URI|ARGS "members\.lycos\.co\.uk/tiara"
+SecRule REQUEST_URI|ARGS "sharonfamilyandtravel\.com"
+SecRule REQUEST_URI|ARGS "72\.18\.195\.161"
+SecRule REQUEST_URI|ARGS "geocities\.com/hitam_putih_dalnet/"
+SecRule REQUEST_URI|ARGS "cyberspiderwebdesign\.com"
+SecRule REQUEST_URI|ARGS "\.softcarein\.com"
+SecRule REQUEST_URI|ARGS "\.netmisphere2\.com"
+SecRule REQUEST_URI|ARGS "juniorenkammer\.be"
+SecRule REQUEST_URI|ARGS "\.itunisie\.com"
+SecRule REQUEST_URI|ARGS "mitchellgeo\.com"
+SecRule REQUEST_URI|ARGS "hackexpert\.net"
+SecRule REQUEST_URI|ARGS "agi-zagi\.co\.kr"
+SecRule REQUEST_URI|ARGS "\.f1-kingpin\.de"
+SecRule REQUEST_URI|ARGS "(http|https|ftp)\:/.*\.free\.fr"
+SecRule REQUEST_URI|ARGS "www\.designerwear\.co\.uk"
+SecRule REQUEST_URI|ARGS "(http|https|ftp)\:/.*\.i8\.com"
+SecRule REQUEST_URI|ARGS "danzarte\.cl"
+SecRule REQUEST_URI|ARGS "\.ripway\.com"
+SecRule REQUEST_URI|ARGS "81\.174\.26\.111"
+SecRule REQUEST_URI|ARGS "128\.173\.40\.113"
+SecRule REQUEST_URI|ARGS "\.lycos\.co\.uk/metlak/"
+SecRule REQUEST_URI|ARGS "\.xcop\.biz/"
+SecRule REQUEST_URI|ARGS "sca\.postech\.ac\.kr"
+SecRule REQUEST_URI|ARGS "www\.aauto\.no"
+SecRule REQUEST_URI|ARGS "dsoulzin\.net"
+SecRule REQUEST_URI|ARGS "\.altervista\.org"
+SecRule REQUEST_URI|ARGS "\.yatas\.com"
+SecRule REQUEST_URI|ARGS "bocor-team\.org"
+SecRule REQUEST_URI|ARGS "s0l4r1sr0x\.com"
+SecRule REQUEST_URI|ARGS "209\.16\.85\.15"
+SecRule REQUEST_URI|ARGS "217\.160\.242\.90"
+SecRule REQUEST_URI|ARGS "81\.174\.26\.111"
+SecRule REQUEST_URI|ARGS "216\.15\.209\.12"
+SecRule REQUEST_URI|ARGS "216\.103\.82\.214"
+SecRule REQUEST_URI|ARGS "usuarios\.lycos\.es/angienuka"
+SecRule REQUEST_URI|ARGS "usuarios\.lycos\.es/saxalt/"
+SecRule REQUEST_URI|ARGS "\.members\.lycos\.co\.uk/hackersclup"
+SecRule REQUEST_URI|ARGS "spykids\.info"
+SecRule REQUEST_URI|ARGS "smellthecoffee\.com"
+SecRule REQUEST_URI|ARGS "\.nana\.co\.il"
+SecRule REQUEST_URI|ARGS "yavnek12\.co\.il"
+SecRule REQUEST_URI|ARGS "billing\.veloxinternet\.com/"
+SecRule REQUEST_URI|ARGS "usuarios\.lycos\.es"
+SecRule REQUEST_URI|ARGS "217\.114\.109\.11"
+SecRule REQUEST_URI|ARGS "217\.160\.255\.44"
+SecRule REQUEST_URI|ARGS "217\.160\.242\.90"
+SecRule REQUEST_URI|ARGS "148\.81\.141\.12"
+SecRule REQUEST_URI|ARGS "131\.155\.98\.128"
+SecRule REQUEST_URI|ARGS "212\.114\.84\.18"
+SecRule REQUEST_URI|ARGS "81\.174\.26\.111"
+SecRule REQUEST_URI|ARGS "192\.112\.220\.37"
+SecRule REQUEST_URI|ARGS "pc-clinic\.fr"
+SecRule REQUEST_URI|ARGS "clientes\.netvisao\.pt"
+SecRule REQUEST_URI|ARGS "\.sanicentrum\.be"
+SecRule REQUEST_URI|ARGS "www\.brain\.net\.pk"
+SecRule REQUEST_URI|ARGS "web\.un1xtech\.com"
+SecRule REQUEST_URI|ARGS "\.schost\.com\.br/"
+SecRule REQUEST_URI|ARGS "neto5a\.iitalia\.com"
+SecRule REQUEST_URI|ARGS "mesahigh\.com"
+SecRule REQUEST_URI|ARGS "216\.111\.31\.2"
+SecRule REQUEST_URI|ARGS "24\.224\.174\.18"
+SecRule REQUEST_URI|ARGS "\.mcarthur.\org"
+SecRule REQUEST_URI|ARGS "\.v10\.com\.br/"
+SecRule REQUEST_URI|ARGS "agaman\.net"
+SecRule REQUEST_URI|ARGS "\.what-a-pair\.com"
+SecRule REQUEST_URI|ARGS "62\.101\.193\.244"
+SecRule REQUEST_URI|ARGS "\.tutoworld\.org"
+SecRule REQUEST_URI|ARGS "jupiterhost\.net/"
+SecRule REQUEST_URI|ARGS "\.iyscrew\.com"
+SecRule REQUEST_URI|ARGS "\.server4free\.de"
+SecRule REQUEST_URI|ARGS "\.tikla\.org"
+SecRule REQUEST_URI|ARGS "\.dps-ct\.com/"
+SecRule REQUEST_URI|ARGS "66\.235\.216\.137"
+SecRule REQUEST_URI|ARGS "labserver\.veter\.ucv\.ve"
+SecRule REQUEST_URI|ARGS "\.eformidler\.dk"
+SecRule REQUEST_URI|ARGS "febronio\.org"
+SecRule REQUEST_URI|ARGS "zavisnici\.com"
+SecRule REQUEST_URI|ARGS "\.2x4\.ru"
+SecRule REQUEST_URI|ARGS "\.k4boom\.biz"
+SecRule REQUEST_URI|ARGS "theperfecttitle\.com"
+SecRule REQUEST_URI|ARGS "\.yhrhosting\.com"
+SecRule REQUEST_URI|ARGS "\.nitrofx\.com"
+SecRule REQUEST_URI|ARGS "(/|\.)ownsalldomains\.org"
+SecRule REQUEST_URI|ARGS "(/|\.)ocktober\.com"
+SecRule REQUEST_URI|ARGS "\.s5\.com"
+SecRule REQUEST_URI|ARGS "\.systemcrew\.net"
+SecRule REQUEST_URI|ARGS "www\.tutoworld\.org"
+SecRule REQUEST_URI|ARGS "\.supereva\.it/"
+SecRule REQUEST_URI|ARGS "\.frsirt\.com"
+SecRule REQUEST_URI|ARGS "(www\.|/)geocities\.com/anangkd"
+SecRule REQUEST_URI|ARGS "geocities\.com/anugerahnet"
+SecRule REQUEST_URI|ARGS "(www\.|/)geocities\.com/bacardi_marv"
+SecRule REQUEST_URI|ARGS "\.geocities\.com/"
+SecRule REQUEST_URI|ARGS "/geocities\.com/"
+SecRule REQUEST_URI|ARGS "\.freshmaker\.us"
+SecRule REQUEST_URI|ARGS "packetx\.org"
+SecRule REQUEST_URI|ARGS "\.de-soc-mac\.de"
+SecRule REQUEST_URI|ARGS "\.leohissa\.oi\.com\.br"
+SecRule REQUEST_URI|ARGS "\.fig0\.com"
+SecRule REQUEST_URI|ARGS "\.brasilhoster\.net"
+SecRule REQUEST_URI|ARGS "\.riteweld\.com"
+SecRule REQUEST_URI|ARGS "216\.111\.31\.2"
+SecRule REQUEST_URI|ARGS "\.fineca\.net"
+SecRule REQUEST_URI|ARGS "r00nin\.vila\.bol\.com\.br"
+SecRule REQUEST_URI|ARGS "\.bol\.com\.br"
+SecRule REQUEST_URI|ARGS "freewebbe\.supereva\.it"
+SecRule REQUEST_URI|ARGS "asianfiles\.deluxepass\.com"
+SecRule REQUEST_URI|ARGS "sei26\.tripod\.com"
+SecRule REQUEST_URI|ARGS "gigachat\.net"
+SecRule REQUEST_URI|ARGS "www\.sos-deces\.be"
+SecRule REQUEST_URI|ARGS "\.sosha\.it/"
+SecRule REQUEST_URI|ARGS "\.pbholland\.com"
+SecRule REQUEST_URI|ARGS "\.newtontidy\.com"
+SecRule REQUEST_URI|ARGS "\.barretttree\.com"
+SecRule REQUEST_URI|ARGS "agaman\.net"
+SecRule REQUEST_URI|ARGS "anti-clones\.com"
+SecRule REQUEST_URI|ARGS "www\.members\.lycos\.nl/sesli"
+SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/toolsandcmd/"
+SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/"
+SecRule REQUEST_URI|ARGS "chancom\.webpal\.info"
+SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/h4x0r_club/"
+SecRule REQUEST_URI|ARGS "\.argaio\.net"
+SecRule REQUEST_URI|ARGS "baixinhoo\.hpgvip\.com\.br"
+SecRule REQUEST_URI|ARGS "\.zeldalegacies\.com"
+SecRule REQUEST_URI|ARGS "simbafriends\.com/"
+SecRule REQUEST_URI|ARGS "webshells\.org"
+SecRule REQUEST_URI|ARGS "groupiys\.net"
+SecRule REQUEST_URI|ARGS "megahostbr\.com"
+SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/slash_slink"
+SecRule REQUEST_URI|ARGS "\.357is\.com"
+SecRule REQUEST_URI|ARGS "northfox\.uw\.hu"
+SecRule REQUEST_URI|ARGS "\.dynalith\.com"
+SecRule REQUEST_URI|ARGS "\.xplmanager\.com"
+SecRule REQUEST_URI|ARGS "\.members\.lycos\.co\.uk/thoronnn/"
+SecRule REQUEST_URI|ARGS "\.terra\.com\.br/"
+SecRule REQUEST_URI|ARGS "f58\.aaacafe\.ne.\jp/"
+SecRule REQUEST_URI|ARGS "www\.derf\.hpgvip\.ig\.com\.br/"
+SecRule REQUEST_URI|ARGS "rodrigo\.hcerto\.com/"
+SecRule REQUEST_URI|ARGS "\.terror\.as\.ro/"
+SecRule REQUEST_URI|ARGS "\.tntt\.org/meu/"
+SecRule REQUEST_URI|ARGS "\.syscore\.hpgvip\.com\.br/"
+SecRule REQUEST_URI|ARGS "\.hpgvip\.com\.br/"
+SecRule REQUEST_URI|ARGS "ijoo\.homelinux\.com/"
+SecRule REQUEST_URI|ARGS "\.derf\.hpgvip\.ig\.com\.br/"
+SecRule REQUEST_URI|ARGS "\.100free\.com/"
+SecRule REQUEST_URI|ARGS "\.lorenzo4ever\.de/"
+SecRule REQUEST_URI|ARGS "visualcoders\.net/"
+SecRule REQUEST_URI|ARGS "\.fendora\.net"
+SecRule REQUEST_URI|ARGS "gigashell\.org/"
+SecRule REQUEST_URI|ARGS "\.prir0x\.com/"
+SecRule REQUEST_URI|ARGS "geocities\.com/madb0ss/"
+SecRule REQUEST_URI|ARGS "geocities\.com/sapulinux/"
+SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/dh4x0r/"
+SecRule REQUEST_URI|ARGS ".*\.verizon\.net\.do/carlos.*"
+SecRule REQUEST_URI|ARGS "mi\.verizon\.net\.do/carlos.*"
+SecRule REQUEST_URI|ARGS "\.stanlley\.ubbi\.com\.br/"
+SecRule REQUEST_URI|ARGS "xthost\.info/"
+SecRule REQUEST_URI|ARGS "yaoibr\.vila\.bol\.com\.br/"
+SecRule REQUEST_URI|ARGS "geocities\.com/catalin1713/"
+SecRule REQUEST_URI|ARGS "visualcoders\.net/spy\."
+SecRule REQUEST_URI|ARGS "\.digitalmedia\.org\.mk"
+SecRule REQUEST_URI|ARGS "pharoeste\.net"
+SecRule REQUEST_URI|ARGS "userbr\.info"
+SecRule REQUEST_URI|ARGS "\.foxcf\.hpgvip\.ig\.com\.br"
+SecRule REQUEST_URI|ARGS "medicine\.bjmu\.edu\.cn"
+SecRule REQUEST_URI|ARGS "\.blueconnection\.com\.br"
+SecRule REQUEST_URI|ARGS "\.ph4nt4sm4\.hpgvip\.ig\.com\.br"
+SecRule REQUEST_URI|ARGS "\.mvhosted\.com"
+SecRule REQUEST_URI|ARGS "\.0catch\.com"
+SecRule REQUEST_URI|ARGS "newton\.100free\.com"
+SecRule REQUEST_URI|ARGS "\.forplay\.com\.br"
+SecRule REQUEST_URI|ARGS "\.geocities\.com/my_lusy"
+SecRule REQUEST_URI|ARGS "lol\.freecoolsite\.com"
+SecRule REQUEST_URI|ARGS "winscp\.net"
+SecRule REQUEST_URI|ARGS "\.karpit\.net"
+SecRule REQUEST_URI|ARGS "www\.partyradio\.ca"
+SecRule REQUEST_URI|ARGS "\.triple-hhh\.de"
+SecRule REQUEST_URI|ARGS "\.gottablaze\.com"
+SecRule REQUEST_URI|ARGS "xanutz\.3x\.ro"
+SecRule REQUEST_URI|ARGS "geocities\.com/anak_indekost"
+SecRule REQUEST_URI|ARGS "themis\.geocities\.yahoo\.com"
+SecRule REQUEST_URI|ARGS "\.geocities\.com/my_sweet_cute/"
+SecRule REQUEST_URI|ARGS "\.angelfire\.com/zine2/"
+SecRule REQUEST_URI|ARGS "72\.20\.34\.[0-9]+"
+SecRule REQUEST_URI|ARGS "animehost\.de"
+SecRule REQUEST_URI|ARGS "home\.online\.no/~p-shahr"
+SecRule REQUEST_URI|ARGS "indragostit\.net"
+SecRule REQUEST_URI|ARGS "hdr\.atspace\.com"
+SecRule REQUEST_URI|ARGS "\.thecurse\.pop\.com\.br"
+SecRule REQUEST_URI|ARGS "www\.w3zone\.com"
+SecRule REQUEST_URI|ARGS "freecoolsite\.com"
+SecRule REQUEST_URI|ARGS "freewebs\.com"
+SecRule REQUEST_URI|ARGS "\.geocities\.com/chnsekip"
+SecRule REQUEST_URI|ARGS "webcindario\.com"
+SecRule REQUEST_URI|ARGS "ripdisk\.ma\.cx"
+SecRule REQUEST_URI|ARGS "sinanreklam\.net"
+SecRule REQUEST_URI|ARGS "members\.cox\.net/xjasonx"
+SecRule REQUEST_URI|ARGS "\.bh-net\.dk"
+SecRule REQUEST_URI|ARGS "\.mediaserve\.net"
+SecRule REQUEST_URI|ARGS "\.inchon\.ne\.kr"
+SecRule REQUEST_URI|ARGS "\.noti-auto.\com\.ar"
+SecRule REQUEST_URI|ARGS "go0gler\.com"
+SecRule REQUEST_URI|ARGS "hackbox\.t35\.com"
+SecRule REQUEST_URI|ARGS ".*\.hpgvip\.ig\.com\.br"
+SecRule REQUEST_URI|ARGS "honestgame\.net"
+SecRule REQUEST_URI|ARGS "\.ecobook\.or\.kr"
+SecRule REQUEST_URI|ARGS "\.fasecolda\.com"
+SecRule REQUEST_URI|ARGS "212\.50\.30\.60"
+SecRule REQUEST_URI|ARGS "\.nbail\.com"
+SecRule REQUEST_URI|ARGS "\.kit\.net/"
+SecRule REQUEST_URI|ARGS "\.ubbi\.com\.br"
+SecRule REQUEST_URI|ARGS "\.k4boom\.biz/"
+SecRule REQUEST_URI|ARGS "00freehost\.com"
+
+#Sites that host remote shells, etc.
+SecRule REQUEST_URI|ARGS "security-protocols\.com"
+
+#Known sources that leak thru proxies
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.26\.46\.168"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 69\.50\.182\.154
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 202\.81\.60\.58
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "66\.246\.252\.91"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 211\.185\.59\.124
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "209\.165\.131\.23"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "66\.246\.246\.22"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.89\.50\.28"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.38\.208\.48"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "159\.148\.29\.158"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.59\.188\.73"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "200\.168\.0\.246"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "193\.95\.90\.52"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "193\.95\.27\.2"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "195\.55\.222\.19"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "196\.203\.32\.81"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.150\.163\.82"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.237\.226\.70"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.96\.125\.38"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.97\.97\.168"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.98\.122\.111"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "217\.8\.64\.21"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.191\.119\.122"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.33\.104\.158"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.38\.171\.131"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "81\.109\.180\.3"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "81\.37\.184\.196"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "83\.57\.132\.206"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "84\.94\.13\.249"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "85\.129\.229\.111"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "86\.60\.16\.81"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "172\.168\.0\.1"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "196\.203\.4\.62"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.123\.250\.184"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "212\.116\.209\.234"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "217\.127\.56\.24"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.26\.46\.168"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.36\.245\.100"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "84\.94\.78\.98"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.59\.91\.33"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "unsecure-services"
+SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "205\.177\.122\.162"
+
+
+
+#bad proxies
+SecRule HTTP_FORWARDED "mangostino\.ut\.edu\.co"
+SecRule HTTP_FORWARDED ".*\.cnh\.com"
+SecRule HTTP_FORWARDED "phenix-prog-phr"
+SecRule HTTP_FORWARDED "alfred\.nssi\.telus\.com"
+SecRule HTTP_FORWARDED "wadsworth\.nssi\.telus\.com"
+SecRule HTTP_VIA "\.ownsalldomains\.org"
+SecRule HTTP_VIA "cache\.topflash\.co\.kr"
+SecRule HTTP_VIA "\.quasar\.net\.id:8080"
+SecRule HTTP_VIA "\.serverpronto\.com"
+SecRule HTTP_VIA "\.fetish-expert\.org"
+SecRule HTTP_VIA "proxy\.hwai\.edu\.tw"
+SecRule HTTP_VIA "interno-1-1\.edn\.org\.br"
+SecRule HTTP_VIA "\.pt-server1\.bt\.com"
+SecRule HTTP_VIA "1\.1 cache-test-dtv-kno"
+SecRule HTTP_VIA "kdnproxy\.kdn\.gov\.my"
+SecRule HTTP_VIA "\.wisdomchina\.com"
+SecRule HTTP_VIA "1\.1 PALACIOISA"
+SecRule HTTP_VIA "1\.1 cache7\:80 \(squid"
+SecRule HTTP_VIA "1\.1 www\.pt-server1\.bt\.com"
+SecRule HTTP_VIA "revProxy\.foredu\.com\.cn"
+SecRule HTTP_VIA "\.salmanetwork\.com"
+SecRule HTTP_VIA "\.warnet\.com"
+SecRule HTTP_VIA "moses\.frc\.org"
+SecRule HTTP_VIA "1\.0 SQCNT3"
+SecRule HTTP_VIA "phenix-prog-phr"
+SecRule HTTP_VIA "1\.0 TIETONG"
+SecRule HTTP_VIA "webshield\.beitberl\.ac\.il"
+SecRule HTTP_VIA "1\.1 www\.any\.com"
+SecRule HTTP_VIA "intra\.ckus\.rmutp\.ac\.th"
+SecRule HTTP_VIA "poczta\.prochowa12\.waw\.pl"
+SecRule HTTP_VIA "1\.1 ICACHE1"
+SecRule HTTP_VIA "1\.1 New-Proxy2"
+SecRule HTTP_VIA "1\.1 SERVEUR2000"
+SecRule HTTP_VIA "intra\.ckus\.rmutp\.ac\.th"
+SecRule HTTP_VIA "1\.1 PROXY, 1\.0 NC2100"
+SecRule HTTP_VIA "1\.1 www\.rolnas\.com\.pl"
+SecRule HTTP_VIA "1\.1 revproxy2"
+SecRule HTTP_VIA "1\.1 webmail\.siamcom\.co\.th"
+SecRule HTTP_VIA "1\.1 SMS2000\.tutsys\.com"
+SecRule HTTP_VIA "1\.1 CAE-SERVER"
+SecRule HTTP_VIA "1\.1 WORKGROU-OYOU4X"
+SecRule HTTP_VIA "1\.1 INKABANPINPROXY"
+SecRule HTTP_VIA "1\.1 DNS4"
+SecRule HTTP_VIA "1\.1 www\.rolnas\.com\.pl"
+SecRule HTTP_VIA "1\.1 DBSV1008"
+SecRule HTTP_VIA "1\.1 NEWISA"
+SecRule HTTP_VIA "1\.1 CPGATEWAY02"
+SecRule HTTP_VIA "1\.1 router\:3128 \(KEN\!\)"
+SecRule HTTP_VIA "1\.1 PROXYSRV\, 1\.0 supercache5"
+SecRule HTTP_VIA "1\.1 ATIPLS1"
+SecRule HTTP_VIA "1\.0 SMART\, 1\.0 LOIER2800\:"
+SecRule HTTP_VIA "1\.1 62\.93\.34\.160"
+SecRule HTTP_VIA "1\.1 fwall\.belcomct\.net"
+SecRule HTTP_VIA "1\.1 ZERT-EWDGNMVXUF"
+SecRule HTTP_VIA "1\.1 su\.tkp\.edu\.hk"
+#SecRule HTTP_VIA "HTTP/1\.1 proxy\[AC1.*"
+SecRule HTTP_VIA "HTTP/1\.1 proxy\[AC1E0247"
+SecRule HTTP_VIA "1\.1 compujuan\.com\.es"
+SecRule HTTP_VIA "1\.1 FEDERATION"
+#SecRule HTTP_VIA "1\.1 SERVER-ISA"
+SecRule HTTP_VIA "1\.1 EXACTWAPPROXY"
+SecRule HTTP_VIA "1\.1 GRNSERVER"
+SecRule HTTP_VIA "1\.1 www\.satem\.gob\.ve"
+SecRule HTTP_VIA "1\.1 nilcombi\.nilcom\.fr"
+SecRule HTTP_VIA "1\.1 cellulant\.lifeismobile\.com"
+SecRule HTTP_VIA "1\.1 SR2300-SE7501-H"
+SecRule HTTP_VIA "1\.1 www\.dmi\.es"
+#SecRule HTTP_VIA "1\.0 cache2\.jed"
+SecRule HTTP_VIA "1\.1 BRHCYBER"
+SecRule HTTP_VIA "1\.1 132\.110\.2\.12"
+SecRule HTTP_VIA "1\.1 .*\.pivotoffice\.com"
+SecRule HTTP_VIA "1\.1 .*\.mundo-r\.com"
+SecRule HTTP_VIA "1\.1 FAMILYCAREREHAB"
+SecRule HTTP_VIA "1\.1 INFORMASERVER"
+SecRule HTTP_VIA "1\.1 ITISA"
+#SecRule HTTP_VIA "1\.1 NetCache-CLNS-STACK-1"
+SecRule HTTP_VIA "1\.1 .*\.as5587\.net"
+SecRule HTTP_VIA "1\.1 Maua"
+SecRule HTTP_VIA "1\.1 JUNIOR"
+SecRule HTTP_VIA "1\.1 offsetinternet"
+SecRule HTTP_VIA ".*codevasf\.gov\.br"
+SecRule HTTP_VIA "1\.1 www\.aha\.at"
+SecRule HTTP_VIA "1\.1 ucavilapruebas\.es"
+SecRule HTTP_VIA "1\.1 .*\.insightfirst\.com"
+SecRule HTTP_VIA "1\.1 if3\.insightfirst\.com"
+SecRule HTTP_VIA "1\.1 SERV132"
+SecRule HTTP_VIA "1\.1 CacheFORCE"
+SecRule HTTP_VIA "1\.1 dgc-squid"
+#SecRule HTTP_VIA "1\.1 CS6200C"
+SecRule HTTP_VIA "1\.1 NTS-SERVER"
+SecRule HTTP_VIA "1\.1 AJF-JTC-ISA01"
+SecRule HTTP_VIA "1\.1 neptun\.ci\.uw\.edu\.pl"
+SecRule HTTP_VIA "1\.1 2-net\.ro"
+SecRule HTTP_VIA "1\.1 .*\.usscript\.com"
+SecRule HTTP_VIA "1\.1 SSIP_SERVER3"
+SecRule HTTP_VIA "1\.1 SYVKOV422GX"
+SecRule HTTP_VIA "1\.1 .*\.arbuzowa\.net"
+SecRule HTTP_VIA "1\.1 www\.kevsclub\.com"
+SecRule HTTP_VIA "1\.0 KALIMBA"
+SecRule HTTP_VIA "1\.0 NETOUT-SERVER"
+SecRule HTTP_VIA "1\.0 NTMARVWALL01"
+SecRule HTTP_VIA "1\.0 PROXYSES2"
+SecRule HTTP_VIA "1\.0 ptcdb\.edu\.ps"
+SecRule HTTP_VIA "1\.0 px1nr \(NetCache NetApp/5\.6\.1D25\)"
+SecRule HTTP_VIA "1\.0 px8so \(NetCache NetApp/5\.6\.1D25\)"
+SecRule HTTP_VIA "1\.0 SERV132, 1\.0 netcache1 \(NetCache NetApp/6\.0\.1\)"
+SecRule HTTP_VIA "1\.0 TEKIYA02 \(NetCache NetApp/5\.6\.2\), TEKIYA03, 1\.0 TEKIYA02 \(NetCache NetApp/5\.6\.2\)"
+#SecRule HTTP_VIA "1\.1 10\.0\.1\.20"
+#SecRule HTTP_VIA "1\.1 127\.0\.0\.1"
+SecRule HTTP_VIA "1\.1 146\.83\.216\.207"
+SecRule HTTP_VIA "1\.1 202\.88\.250\.211"
+SecRule HTTP_VIA "1\.1 213\.155\.209\.204"
+SecRule HTTP_VIA "1\.1 accel10\.click21\.com\.br"
+SecRule HTTP_VIA "1\.1 alcyonix\.dyndns\.ws"
+SecRule HTTP_VIA "1\.1 athos\.chem\.demokritos\.gr"
+SecRule HTTP_VIA "1\.1 ATIPLS1"
+SecRule HTTP_VIA "1\.1 BBSM52"
+#SecRule HTTP_VIA "1\.1 bnb-cache1 \(NetCache NetApp.*\), 1\.1 rba-cache1"
+SecRule HTTP_VIA "1\.1 cacheB\.ipko\.net"
+SecRule HTTP_VIA "1\.1 CAE-SERVER"
+SecRule HTTP_VIA "1\.1 CATHODE"
+#SecRule HTTP_VIA "1\.1 cha-cache1 \(NetCache NetApp.*"
+SecRule HTTP_VIA "1\.1 CSB-NC2 \(NetCache NetApp.*"
+SecRule HTTP_VIA "1\.1 cuchimilco\.huaral\.org"
+SecRule HTTP_VIA "1\.1 DBSV1008"
+SecRule HTTP_VIA "1\.1 dns2\.araxa\.com\.br"
+SecRule HTTP_VIA "1\.1 EMERSON, 1\.0 C6100 \(NetCache NetApp.*"
+SecRule HTTP_VIA "1\.1 EPPD_SERVER"
+SecRule HTTP_VIA "1\.1 fox-server1\.foxschool\.lan"
+SecRule HTTP_VIA "1\.1 http-istcf1"
+SecRule HTTP_VIA "1\.1 JUNIOR"
+#SecRule HTTP_VIA "1\.1 lnac2 \(NetCache NetApp.*"
+SecRule HTTP_VIA "1\.1 LTSP03\.glenwood\.k12\.mo\.us"
+#SecRule HTTP_VIA "1\.1 MAILSERVER"
+SecRule HTTP_VIA "1\.1 natty\.intranet"
+#SecRule HTTP_VIA "1\.1 netcache1-ctn \(NetCache NetApp.*"
+#SecRule HTTP_VIA "1\.1 netcache1 \(NetCache NetApp.*"
+#SecRule HTTP_VIA "1\.1 NetCache3 \(NetCache NetApp.*"
+SecRule HTTP_VIA "1\.1 NetCache-CLNS-STACK-1 \(NetCache NetApp.*"
+#SecRule HTTP_VIA "1\.1 nme-nxg-pr1\.tpg\.com\.au"
+SecRule HTTP_VIA "1\.1 no-dns\.as5587\.net"
+SecRule HTTP_VIA "1\.1 ns07\.contentex\.net"
+SecRule HTTP_VIA "1\.1 NYNETSRV01"
+SecRule HTTP_VIA "1\.1 OTXXSERV"
+SecRule HTTP_VIA "1\.1 proxy\.marshall\.k12\.wi\.us"
+SecRule HTTP_VIA "1\.1 SERV132, 1\.0 netcache1 \(NetCache NetApp.*"
+SecRule HTTP_VIA "1\.1 SERVER-ISA"
+SecRule HTTP_VIA "1\.1 SERVEUR-CYBER"
+SecRule HTTP_VIA "1\.1 slave02\.terrarica\.net"
+SecRule HTTP_VIA "1\.1 SMS2000\.tutsys\.com"
+SecRule HTTP_VIA "1\.1 spacebears"
+SecRule HTTP_VIA "1\.1 squid2-sydny\.eftel\.com"
+SecRule HTTP_VIA "1\.1 SSIP_SERVER3"
+SecRule HTTP_VIA "1\.1 SYVKOV422GX"
+SecRule HTTP_VIA "1\.1 trixie"
+SecRule HTTP_VIA "1\.1 wc-02 \(NetCache NetApp.*"
+SecRule HTTP_VIA "1\.1 webmail\.siamcom\.co\.th"
+SecRule HTTP_VIA "1\.1 www\.arbuzowa\.net"
+SecRule HTTP_VIA "1\.1 www\.gkcabunoc\.com"
+SecRule HTTP_VIA "1\.1 addyon\.webair\.com"
+SecRule HTTP_VIA "1\.1 alcyonix\.dyndns\.ws"
+SecRule HTTP_VIA "1\.1 proxy\.pcdl\.gov\.br"
+SecRule HTTP_VIA "1\.1 ichigo\.icsmail\.net"
+SecRule HTTP_VIA "1\.1 80\.177\.18\.74"
+SecRule HTTP_VIA "1\.1 raptor[0-9][a-z]\.watchdog\.net\.nz"
+SecRule HTTP_VIA "1\.0 proxy[0-9]\..*\.maxnet\.net\.nz"
+SecRule HTTP_VIA "1\.0 proxy[0-9]\.akl[0-9]\.maxnet\.net\.nz"
+SecRule HTTP_VIA "1\.1 POMGFIREWALL"
+SecRule HTTP_VIA "1\.1 alfred\.nssi\.telus\.com"
+SecRule HTTP_VIA "1\.1 .*\.acdi-cida\.gc\.ca"
+SecRule HTTP_VIA "CIDA13\.acdi-cida\.gc\.ca"
+
+#generic sig for a bad site
+SecRule REQUEST_URI "(http|https|ftp).*\.exs\.cx/.*/nc4hk\.swf"
+
-- cgit v1.2.3
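Review bot: Four patterns in the REQUEST_URI|ARGS list carry a misplaced backslash: `"\acesso\.t35\.com"`, `"\.mcarthur.\org"`, `"f58\.aaacafe\.ne.\jp/"` and `"\.noti-auto.\com\.ar"`. In PCRE `\a` is the BEL character and `\c` followed by a character is a control-character escape, so the first and last can never match the host they name, while the other two leave the dot unescaped and depend on how the engine treats an unknown escape; the corrected lines are in the fence below. None of the rules carries an action list, so whether a match denies or only logs is decided by a SecDefaultAction outside this file, which is worth confirming before enabling entries as broad as `winscp\.net` or `freewebs\.com` against every argument. The header also states that redistribution is prohibited in any form, which should be checked before this file is kept in a shared repository.

```apache
# … unchanged: the other REQUEST_URI|ARGS rules between these entries …
SecRule REQUEST_URI|ARGS "acesso\.t35\.com"
SecRule REQUEST_URI|ARGS "\.mcarthur\.org"
SecRule REQUEST_URI|ARGS "f58\.aaacafe\.ne\.jp/"
SecRule REQUEST_URI|ARGS "\.noti-auto\.com\.ar"
```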