# http://www.gotroot.com/mod_security+rules # Gotroot.com ModSecurity rules # Blacklist of rootkit sites, owned machines and other bad players for modsec 2.x # # Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/blacklist2.conf # # Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # modsecurity is a trademark of Thinking Stone, Ltd. # # Version: N-20061022-01 # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. 
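# URL/argument blacklist (part 1).
#
# Each rule fires when the request URI or any request argument contains the
# given host name, path or IP address. No rule carries an action list, so the
# disposition (deny/log/status) and any transformations come entirely from the
# SecDefaultAction in effect where this file is included.
#
# Review notes for operators:
#  - Patterns are unanchored substrings. A bare address such as "69\.25\.64\.78"
#    also matches inside a longer digit run, and a host pattern without a
#    leading "(\.|/)" also matches any longer host name that ends with it.
#  - Matching is case-sensitive unless the inherited default action applies
#    t:lowercase; host names are case-insensitive, so confirm that setting.
#  - Several entries name whole shared-hosting or portal domains (for example
#    geocities.com, ifrance.com, uol.com.br, altervista.org, awardspace.com).
#    They fire on any request that merely mentions the domain, so expect false
#    positives from forms, search queries and link parameters.
#  - The file header dates this list to 2006 (version N-20061022-01). Hosts and
#    addresses may have been reassigned since; revalidate before enforcing.
#  - The rules have no "id" action. ModSecurity 2.7 and later refuse to load
#    rules without a unique id, so ids must be assigned before use there.
#  - Some entries are exact duplicates (e.g. flinttalk.com, 81.174.26.111,
#    agaman.net) or are subsumed by a broader entry (the per-user geocities
#    paths versus "geocities\.com/"). They are kept as published.
SecRule REQUEST_URI|ARGS "\.frauenfinanzzentrum\.at"
SecRule REQUEST_URI|ARGS "von-der-igelhoehe\.de"
SecRule REQUEST_URI|ARGS "danger-soft\.com"
SecRule REQUEST_URI|ARGS "(\.|/)altunerhost\.com"
SecRule REQUEST_URI|ARGS "\.netfast\.org"
SecRule REQUEST_URI|ARGS "\.redcrew\.de"
SecRule REQUEST_URI|ARGS "(\.|/)elektroteh\.com/"
SecRule REQUEST_URI|ARGS "(\.|/)see-my-ip\.info/"
SecRule REQUEST_URI|ARGS "kanalia\.bimber\.pl"
SecRule REQUEST_URI|ARGS "(\.|/)flinttalk\.com"
# This rule inspects REQUEST_URI only (not ARGS) and requires an http(s) scheme.
SecRule REQUEST_URI "https?:.*(\.|/)myspace\.si/"
SecRule REQUEST_URI|ARGS "uarg\.unpa\.edu\.ar"
SecRule REQUEST_URI|ARGS "(\.|/)wileyc\.edu/"
SecRule REQUEST_URI|ARGS "(\.|/)eks-darmstadt\.de"
SecRule REQUEST_URI|ARGS "(\.|/)flinttalk\.com"
SecRule REQUEST_URI|ARGS "\.albacrew\.us/"
SecRule REQUEST_URI|ARGS "\.tebel-gmbh\.de/"
SecRule REQUEST_URI|ARGS "(/|\.)defensacivil\.gov\.ec/"
SecRule REQUEST_URI|ARGS "(/|\.)wwop\.org"
SecRule REQUEST_URI|ARGS "\.kalin\.ru/"
SecRule REQUEST_URI|ARGS "destructive\.by\.ru/"
SecRule REQUEST_URI|ARGS "gulfchamber\.org/"
SecRule REQUEST_URI|ARGS "tckct\.co\.uk"
SecRule REQUEST_URI|ARGS "crimsonaddict\.com/"
SecRule REQUEST_URI|ARGS "(\.|/)webstorch\.com"
SecRule REQUEST_URI|ARGS "/213\.133\.108\.122/"
SecRule REQUEST_URI|ARGS "freewebtown\.com/"
SecRule REQUEST_URI|ARGS "(\.|/)tinypath\.com/"
SecRule REQUEST_URI|ARGS "rve\.cjb\.hu/"
SecRule REQUEST_URI|ARGS "69\.25\.64\.78"
SecRule REQUEST_URI|ARGS "(\.|/)xgamers\.com\.tw/"
SecRule REQUEST_URI|ARGS "(\.|/)balikesir\.edu\.tr/"
SecRule REQUEST_URI|ARGS "(\.|/)ocprojects\.com/"
SecRule REQUEST_URI|ARGS "(\.|/)casadejoaodebarro\.com\.br/"
SecRule REQUEST_URI|ARGS "\.extremus\.info/"
SecRule REQUEST_URI|ARGS "\.parit\.org/"
SecRule REQUEST_URI|ARGS "\.awardspace\.com"
SecRule REQUEST_URI|ARGS "(/|\.)haztek-software\.com"
SecRule REQUEST_URI|ARGS "(/|\.)geocities\.com/nirkan2k3/"
SecRule REQUEST_URI|ARGS "(/|\.)libracomm\.co\.uk/"
SecRule REQUEST_URI|ARGS "(/|\.)kloeckner-web\.de"
SecRule REQUEST_URI|ARGS "(/|\.)mirckurdu\.net/"
SecRule REQUEST_URI|ARGS "(/|\.)apk\.pt/"
SecRule REQUEST_URI|ARGS "(/|\.)asksevda\.net"
SecRule REQUEST_URI|ARGS "(/|\.)kacaktc\.com"
SecRule REQUEST_URI|ARGS "(/|\.)3-bius\.com"
SecRule REQUEST_URI|ARGS "(/|\.)injek-gw\.com"
SecRule REQUEST_URI|ARGS "(/|\.)brtdata\.com\.br/"
SecRule REQUEST_URI|ARGS "(/|\.)uaivip\.com\.br/"
SecRule REQUEST_URI|ARGS "(/|\.)boardtr\.com/"
SecRule REQUEST_URI|ARGS "(/|\.)radiouniversity\.net/"
SecRule REQUEST_URI|ARGS "(/|\.)velvet\.jp/"
SecRule REQUEST_URI|ARGS "(/|\.)loved\.com/"
SecRule REQUEST_URI|ARGS "(/|\.)kit\.net/"
SecRule REQUEST_URI|ARGS "(/|\.)warezworld\.cx/"
SecRule REQUEST_URI|ARGS "(/|\.)void\.ru/"
SecRule REQUEST_URI|ARGS "(/|\.)itabaiana\.se\.gov\.br"
SecRule REQUEST_URI|ARGS "(/|\.)ajadp\.net/"
SecRule REQUEST_URI|ARGS "(/|\.)perian-a\.biz"
SecRule REQUEST_URI|ARGS "(/|\.)rootshell\.be"
SecRule REQUEST_URI|ARGS "(/|\.)tododescargas\.com\.ve/"
SecRule REQUEST_URI|ARGS "(/|\.)caucasus\.net/"
SecRule REQUEST_URI|ARGS "(/|\.)iespana\.es/"
SecRule REQUEST_URI|ARGS "(/|\.)the-tronix\.net/"
SecRule REQUEST_URI|ARGS "(/|\.)classi-find\.net/"
SecRule REQUEST_URI|ARGS "(/|\.)albanet\.biz\.tc/"
SecRule REQUEST_URI|ARGS "(/|\.)wendyscountrycloset\.biz/"
SecRule REQUEST_URI|ARGS "(/|\.)meiemees\.pri\.ee"
SecRule REQUEST_URI|ARGS "(/|\.)geirinn\.is"
SecRule REQUEST_URI|ARGS "(/|\.)skullbocks\.org/"
SecRule REQUEST_URI|ARGS "(/|\.)byethost9\.com/"
SecRule REQUEST_URI|ARGS "(/|\.)hackermail2010\.ifrance\.com"
SecRule REQUEST_URI|ARGS "(/|\.)ifrance\.com/hackermail2010"
SecRule REQUEST_URI|ARGS "(/|\.)paul\.net\.pl/"
SecRule REQUEST_URI|ARGS "(/|\.)interfree\.it/"
SecRule REQUEST_URI|ARGS "\.albados\.com"
SecRule REQUEST_URI|ARGS "\.perqafohu\.com"
SecRule REQUEST_URI|ARGS "\.cside21\.com/"
SecRule REQUEST_URI|ARGS "200\.24\.117\.125"
SecRule REQUEST_URI|ARGS "elitemorgan\.com/"
# Fixed: was "\acesso\.t35\.com". In PCRE "\a" is the BEL control character, so
# the published pattern could never match this host name. The stray backslash
# is dropped; the rule now matches the host with or without a subdomain prefix.
SecRule REQUEST_URI|ARGS "acesso\.t35\.com"
SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/"
SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/jefferyladun/"
SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/junhendra/"
SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/xpl_gibson/"
SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/kelvinkappa1/"
SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/damon_shaft/"
SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/gettoprince4u/"
SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/brennanventures/"
SecRule REQUEST_URI|ARGS "(\.|/)geocities\.com/solohackerlinks/"
SecRule REQUEST_URI|ARGS "(\.|/)albahost\.host\.sk/"
SecRule REQUEST_URI|ARGS "uarg\.unpa\.edu\.ar/"
SecRule REQUEST_URI|ARGS "\.manhattanservice\.com"
SecRule REQUEST_URI|ARGS "\.kurddomain\.net"
SecRule REQUEST_URI|ARGS "elmorgan\.com\.ar"
SecRule REQUEST_URI|ARGS "61\.1\.197\.244"
SecRule REQUEST_URI|ARGS "home\.arcor\.de"
SecRule REQUEST_URI|ARGS "\.turx\.nl"
SecRule REQUEST_URI|ARGS "\.members\.lycos\.co\.uk/albacr3w/"
SecRule REQUEST_URI|ARGS "\.ifrance\.com"
SecRule REQUEST_URI|ARGS "pivadesign\.com\.br"
SecRule REQUEST_URI|ARGS "\.pc-phasechange\.it"
SecRule REQUEST_URI|ARGS "ciberia\.ya\.com"
SecRule REQUEST_URI|ARGS "\.starhack\.org"
SecRule REQUEST_URI|ARGS "sweet-serenity\.org"
SecRule REQUEST_URI|ARGS "\.uol\.com\.br"
SecRule REQUEST_URI|ARGS "aviozone\.com"
SecRule REQUEST_URI|ARGS "mptechno\.cz"
SecRule REQUEST_URI|ARGS "\.piranho\.de"
SecRule REQUEST_URI|ARGS "\.lilspage\.de"
SecRule REQUEST_URI|ARGS "209\.136\.48\.69"
SecRule REQUEST_URI|ARGS "216\.12\.103\.29"
SecRule REQUEST_URI|ARGS "209\.232\.227\.224"
SecRule REQUEST_URI|ARGS "200\.72\.130\.29"
SecRule REQUEST_URI|ARGS "209\.123\.16\.34"
SecRule REQUEST_URI|ARGS "\.mitchellwhite\.com"
SecRule REQUEST_URI|ARGS "full-comandos\.com"
SecRule REQUEST_URI|ARGS "members\.lycos\.co\.uk/tiara"
SecRule REQUEST_URI|ARGS "sharonfamilyandtravel\.com"
SecRule REQUEST_URI|ARGS "72\.18\.195\.161"
SecRule REQUEST_URI|ARGS "geocities\.com/hitam_putih_dalnet/"
SecRule REQUEST_URI|ARGS "cyberspiderwebdesign\.com"
SecRule REQUEST_URI|ARGS "\.softcarein\.com"
SecRule REQUEST_URI|ARGS "\.netmisphere2\.com"
SecRule REQUEST_URI|ARGS "juniorenkammer\.be"
SecRule REQUEST_URI|ARGS "\.itunisie\.com"
SecRule REQUEST_URI|ARGS "mitchellgeo\.com"
SecRule REQUEST_URI|ARGS "hackexpert\.net"
SecRule REQUEST_URI|ARGS "agi-zagi\.co\.kr"
SecRule REQUEST_URI|ARGS "\.f1-kingpin\.de"
SecRule REQUEST_URI|ARGS "(http|https|ftp)\:/.*\.free\.fr"
SecRule REQUEST_URI|ARGS "www\.designerwear\.co\.uk"
SecRule REQUEST_URI|ARGS "(http|https|ftp)\:/.*\.i8\.com"
SecRule REQUEST_URI|ARGS "danzarte\.cl"
SecRule REQUEST_URI|ARGS "\.ripway\.com"
SecRule REQUEST_URI|ARGS "81\.174\.26\.111"
SecRule REQUEST_URI|ARGS "128\.173\.40\.113"
SecRule REQUEST_URI|ARGS "\.lycos\.co\.uk/metlak/"
SecRule REQUEST_URI|ARGS "\.xcop\.biz/"
SecRule REQUEST_URI|ARGS "sca\.postech\.ac\.kr"
SecRule REQUEST_URI|ARGS "www\.aauto\.no"
SecRule REQUEST_URI|ARGS "dsoulzin\.net"
SecRule REQUEST_URI|ARGS "\.altervista\.org"
SecRule REQUEST_URI|ARGS "\.yatas\.com"
SecRule REQUEST_URI|ARGS "bocor-team\.org"
SecRule REQUEST_URI|ARGS "s0l4r1sr0x\.com"
SecRule REQUEST_URI|ARGS "209\.16\.85\.15"
SecRule REQUEST_URI|ARGS "217\.160\.242\.90"
SecRule REQUEST_URI|ARGS "81\.174\.26\.111"
SecRule REQUEST_URI|ARGS "216\.15\.209\.12"
SecRule REQUEST_URI|ARGS "216\.103\.82\.214"
SecRule REQUEST_URI|ARGS "usuarios\.lycos\.es/angienuka"
SecRule REQUEST_URI|ARGS "usuarios\.lycos\.es/saxalt/"
SecRule REQUEST_URI|ARGS "\.members\.lycos\.co\.uk/hackersclup"
SecRule REQUEST_URI|ARGS "spykids\.info"
SecRule REQUEST_URI|ARGS "smellthecoffee\.com"
SecRule REQUEST_URI|ARGS "\.nana\.co\.il"
SecRule REQUEST_URI|ARGS "yavnek12\.co\.il"
SecRule REQUEST_URI|ARGS "billing\.veloxinternet\.com/"
SecRule REQUEST_URI|ARGS "usuarios\.lycos\.es"
SecRule REQUEST_URI|ARGS "217\.114\.109\.11"
SecRule REQUEST_URI|ARGS "217\.160\.255\.44"
SecRule REQUEST_URI|ARGS "217\.160\.242\.90"
SecRule REQUEST_URI|ARGS "148\.81\.141\.12"
SecRule REQUEST_URI|ARGS "131\.155\.98\.128"
SecRule REQUEST_URI|ARGS "212\.114\.84\.18"
SecRule REQUEST_URI|ARGS "81\.174\.26\.111"
SecRule REQUEST_URI|ARGS "192\.112\.220\.37"
SecRule REQUEST_URI|ARGS "pc-clinic\.fr"
SecRule REQUEST_URI|ARGS "clientes\.netvisao\.pt"
SecRule REQUEST_URI|ARGS "\.sanicentrum\.be"
SecRule REQUEST_URI|ARGS "www\.brain\.net\.pk"
SecRule REQUEST_URI|ARGS "web\.un1xtech\.com"
SecRule REQUEST_URI|ARGS "\.schost\.com\.br/"
SecRule REQUEST_URI|ARGS "neto5a\.iitalia\.com"
SecRule REQUEST_URI|ARGS "mesahigh\.com"
SecRule REQUEST_URI|ARGS "216\.111\.31\.2"
SecRule REQUEST_URI|ARGS "24\.224\.174\.18"
# Fixed: was "\.mcarthur.\org" - the backslash sat after the dot instead of
# before it, leaving an unescaped "." and a "\o" escape (a plain "o" or a
# compile error, depending on the PCRE version).
SecRule REQUEST_URI|ARGS "\.mcarthur\.org"
SecRule REQUEST_URI|ARGS "\.v10\.com\.br/"
SecRule REQUEST_URI|ARGS "agaman\.net"
SecRule REQUEST_URI|ARGS "\.what-a-pair\.com"
SecRule REQUEST_URI|ARGS "62\.101\.193\.244"
SecRule REQUEST_URI|ARGS "\.tutoworld\.org"
SecRule REQUEST_URI|ARGS "jupiterhost\.net/"
SecRule REQUEST_URI|ARGS "\.iyscrew\.com"
SecRule REQUEST_URI|ARGS "\.server4free\.de"
SecRule REQUEST_URI|ARGS "\.tikla\.org"
SecRule REQUEST_URI|ARGS "\.dps-ct\.com/"
SecRule REQUEST_URI|ARGS "66\.235\.216\.137"
SecRule REQUEST_URI|ARGS "labserver\.veter\.ucv\.ve"
SecRule REQUEST_URI|ARGS "\.eformidler\.dk"
SecRule REQUEST_URI|ARGS "febronio\.org"
SecRule REQUEST_URI|ARGS "zavisnici\.com"
SecRule REQUEST_URI|ARGS "\.2x4\.ru"
SecRule REQUEST_URI|ARGS "\.k4boom\.biz"
SecRule REQUEST_URI|ARGS "theperfecttitle\.com"
SecRule REQUEST_URI|ARGS "\.yhrhosting\.com"
SecRule REQUEST_URI|ARGS "\.nitrofx\.com"
SecRule REQUEST_URI|ARGS "(/|\.)ownsalldomains\.org"
SecRule REQUEST_URI|ARGS "(/|\.)ocktober\.com"
SecRule REQUEST_URI|ARGS "\.s5\.com"
SecRule REQUEST_URI|ARGS "\.systemcrew\.net"
SecRule REQUEST_URI|ARGS "www\.tutoworld\.org"
SecRule REQUEST_URI|ARGS "\.supereva\.it/"
SecRule REQUEST_URI|ARGS "\.frsirt\.com"
SecRule REQUEST_URI|ARGS "(www\.|/)geocities\.com/anangkd"
SecRule REQUEST_URI|ARGS "geocities\.com/anugerahnet"
SecRule REQUEST_URI|ARGS "(www\.|/)geocities\.com/bacardi_marv"
SecRule REQUEST_URI|ARGS "\.geocities\.com/"
SecRule REQUEST_URI|ARGS "/geocities\.com/"
SecRule REQUEST_URI|ARGS "\.freshmaker\.us"
SecRule REQUEST_URI|ARGS "packetx\.org"
SecRule REQUEST_URI|ARGS "\.de-soc-mac\.de"
SecRule REQUEST_URI|ARGS "\.leohissa\.oi\.com\.br"
SecRule REQUEST_URI|ARGS "\.fig0\.com"
SecRule REQUEST_URI|ARGS "\.brasilhoster\.net"
SecRule REQUEST_URI|ARGS "\.riteweld\.com"
SecRule REQUEST_URI|ARGS "216\.111\.31\.2"
SecRule REQUEST_URI|ARGS "\.fineca\.net"
SecRule REQUEST_URI|ARGS "r00nin\.vila\.bol\.com\.br"
SecRule REQUEST_URI|ARGS "\.bol\.com\.br"
SecRule REQUEST_URI|ARGS "freewebbe\.supereva\.it"
SecRule REQUEST_URI|ARGS "asianfiles\.deluxepass\.com"
SecRule REQUEST_URI|ARGS "sei26\.tripod\.com"
SecRule REQUEST_URI|ARGS "gigachat\.net"
SecRule REQUEST_URI|ARGS "www\.sos-deces\.be"
SecRule REQUEST_URI|ARGS "\.sosha\.it/"
SecRule REQUEST_URI|ARGS "\.pbholland\.com"
SecRule REQUEST_URI|ARGS "\.newtontidy\.com"
SecRule REQUEST_URI|ARGS "\.barretttree\.com"
SecRule REQUEST_URI|ARGS "agaman\.net"
SecRule REQUEST_URI|ARGS "anti-clones\.com"
SecRule REQUEST_URI|ARGS "www\.members\.lycos\.nl/sesli"
SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/toolsandcmd/"
SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/"
SecRule REQUEST_URI|ARGS "chancom\.webpal\.info"
SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/h4x0r_club/"
SecRule REQUEST_URI|ARGS "\.argaio\.net"
SecRule REQUEST_URI|ARGS "baixinhoo\.hpgvip\.com\.br"
SecRule REQUEST_URI|ARGS "\.zeldalegacies\.com"
SecRule REQUEST_URI|ARGS "simbafriends\.com/"
SecRule REQUEST_URI|ARGS "webshells\.org"
SecRule REQUEST_URI|ARGS "groupiys\.net"
SecRule REQUEST_URI|ARGS "megahostbr\.com"
SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/slash_slink"
SecRule REQUEST_URI|ARGS "\.357is\.com"
SecRule REQUEST_URI|ARGS "northfox\.uw\.hu"
SecRule REQUEST_URI|ARGS "\.dynalith\.com"
SecRule REQUEST_URI|ARGS "\.xplmanager\.com"
SecRule REQUEST_URI|ARGS "\.members\.lycos\.co\.uk/thoronnn/"
SecRule REQUEST_URI|ARGS "\.terra\.com\.br/"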
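# URL/argument blacklist (continued). Each rule fires when the request URI or
# any request argument contains the given host name or path as a substring.
# With no action list on the rules, the outcome is whatever the enclosing
# SecDefaultAction specifies.
# Fixed: was "f58\.aaacafe\.ne.\jp/" - the backslash sat after the dot instead
# of before it, so the dot before "jp" was an unescaped wildcard.
SecRule REQUEST_URI|ARGS "f58\.aaacafe\.ne\.jp/"
SecRule REQUEST_URI|ARGS "www\.derf\.hpgvip\.ig\.com\.br/"
SecRule REQUEST_URI|ARGS "rodrigo\.hcerto\.com/"
SecRule REQUEST_URI|ARGS "\.terror\.as\.ro/"
SecRule REQUEST_URI|ARGS "\.tntt\.org/meu/"
SecRule REQUEST_URI|ARGS "\.syscore\.hpgvip\.com\.br/"
SecRule REQUEST_URI|ARGS "\.hpgvip\.com\.br/"
SecRule REQUEST_URI|ARGS "ijoo\.homelinux\.com/"
SecRule REQUEST_URI|ARGS "\.derf\.hpgvip\.ig\.com\.br/"
SecRule REQUEST_URI|ARGS "\.100free\.com/"
SecRule REQUEST_URI|ARGS "\.lorenzo4ever\.de/"
SecRule REQUEST_URI|ARGS "visualcoders\.net/"
SecRule REQUEST_URI|ARGS "\.fendora\.net"
SecRule REQUEST_URI|ARGS "gigashell\.org/"
SecRule REQUEST_URI|ARGS "\.prir0x\.com/"
SecRule REQUEST_URI|ARGS "geocities\.com/madb0ss/"
SecRule REQUEST_URI|ARGS "geocities\.com/sapulinux/"
SecRule REQUEST_URI|ARGS "geocities\.yahoo\.com\.br/dh4x0r/"
# The leading and trailing ".*" add nothing to an unanchored match; this rule
# already covers the "mi." host in the rule that follows it.
SecRule REQUEST_URI|ARGS ".*\.verizon\.net\.do/carlos.*"
SecRule REQUEST_URI|ARGS "mi\.verizon\.net\.do/carlos.*"
SecRule REQUEST_URI|ARGS "\.stanlley\.ubbi\.com\.br/"
SecRule REQUEST_URI|ARGS "xthost\.info/"
SecRule REQUEST_URI|ARGS "yaoibr\.vila\.bol\.com\.br/"
SecRule REQUEST_URI|ARGS "geocities\.com/catalin1713/"
SecRule REQUEST_URI|ARGS "visualcoders\.net/spy\."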
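# URL/argument blacklist (continued), followed by proxy-header blacklists.
#
# None of these rules carries an action list or an "id"; the outcome comes from
# the SecDefaultAction in effect, and ModSecurity 2.7 and later will not load
# rules without a unique id. All patterns are unanchored substring matches.
# Broad entries such as "freewebs\.com", "winscp\.net" or "\.ubbi\.com\.br"
# fire on any request that merely mentions the domain; review them for false
# positives before enforcing.
SecRule REQUEST_URI|ARGS "\.digitalmedia\.org\.mk"
SecRule REQUEST_URI|ARGS "pharoeste\.net"
SecRule REQUEST_URI|ARGS "userbr\.info"
SecRule REQUEST_URI|ARGS "\.foxcf\.hpgvip\.ig\.com\.br"
SecRule REQUEST_URI|ARGS "medicine\.bjmu\.edu\.cn"
SecRule REQUEST_URI|ARGS "\.blueconnection\.com\.br"
SecRule REQUEST_URI|ARGS "\.ph4nt4sm4\.hpgvip\.ig\.com\.br"
SecRule REQUEST_URI|ARGS "\.mvhosted\.com"
SecRule REQUEST_URI|ARGS "\.0catch\.com"
SecRule REQUEST_URI|ARGS "newton\.100free\.com"
SecRule REQUEST_URI|ARGS "\.forplay\.com\.br"
SecRule REQUEST_URI|ARGS "\.geocities\.com/my_lusy"
SecRule REQUEST_URI|ARGS "lol\.freecoolsite\.com"
SecRule REQUEST_URI|ARGS "winscp\.net"
SecRule REQUEST_URI|ARGS "\.karpit\.net"
SecRule REQUEST_URI|ARGS "www\.partyradio\.ca"
SecRule REQUEST_URI|ARGS "\.triple-hhh\.de"
SecRule REQUEST_URI|ARGS "\.gottablaze\.com"
SecRule REQUEST_URI|ARGS "xanutz\.3x\.ro"
SecRule REQUEST_URI|ARGS "geocities\.com/anak_indekost"
SecRule REQUEST_URI|ARGS "themis\.geocities\.yahoo\.com"
SecRule REQUEST_URI|ARGS "\.geocities\.com/my_sweet_cute/"
SecRule REQUEST_URI|ARGS "\.angelfire\.com/zine2/"
# Matches the whole 72.20.34.x range (and, being unanchored, longer digit runs).
SecRule REQUEST_URI|ARGS "72\.20\.34\.[0-9]+"
SecRule REQUEST_URI|ARGS "animehost\.de"
SecRule REQUEST_URI|ARGS "home\.online\.no/~p-shahr"
SecRule REQUEST_URI|ARGS "indragostit\.net"
SecRule REQUEST_URI|ARGS "hdr\.atspace\.com"
SecRule REQUEST_URI|ARGS "\.thecurse\.pop\.com\.br"
SecRule REQUEST_URI|ARGS "www\.w3zone\.com"
SecRule REQUEST_URI|ARGS "freecoolsite\.com"
SecRule REQUEST_URI|ARGS "freewebs\.com"
SecRule REQUEST_URI|ARGS "\.geocities\.com/chnsekip"
SecRule REQUEST_URI|ARGS "webcindario\.com"
SecRule REQUEST_URI|ARGS "ripdisk\.ma\.cx"
SecRule REQUEST_URI|ARGS "sinanreklam\.net"
SecRule REQUEST_URI|ARGS "members\.cox\.net/xjasonx"
SecRule REQUEST_URI|ARGS "\.bh-net\.dk"
SecRule REQUEST_URI|ARGS "\.mediaserve\.net"
SecRule REQUEST_URI|ARGS "\.inchon\.ne\.kr"
# Fixed: was "\.noti-auto.\com\.ar". In PCRE "\c" followed by a character is a
# control-character escape, so "\co" did not match the letters "co" and the
# rule could not match this host name.
SecRule REQUEST_URI|ARGS "\.noti-auto\.com\.ar"
SecRule REQUEST_URI|ARGS "go0gler\.com"
SecRule REQUEST_URI|ARGS "hackbox\.t35\.com"
SecRule REQUEST_URI|ARGS ".*\.hpgvip\.ig\.com\.br"
SecRule REQUEST_URI|ARGS "honestgame\.net"
SecRule REQUEST_URI|ARGS "\.ecobook\.or\.kr"
SecRule REQUEST_URI|ARGS "\.fasecolda\.com"
SecRule REQUEST_URI|ARGS "212\.50\.30\.60"
SecRule REQUEST_URI|ARGS "\.nbail\.com"
SecRule REQUEST_URI|ARGS "\.kit\.net/"
SecRule REQUEST_URI|ARGS "\.ubbi\.com\.br"
SecRule REQUEST_URI|ARGS "\.k4boom\.biz/"
SecRule REQUEST_URI|ARGS "00freehost\.com"

#Sites that host remote shells, etc.
SecRule REQUEST_URI|ARGS "security-protocols\.com"

#Known sources that leak thru proxies
# These rules match addresses disclosed in the Forwarded / X-Forwarded-For
# request headers. Those headers are set by the client or an intermediary and
# can be omitted or forged, so a match is a useful signal but a non-match says
# nothing about the real origin of a request.
# NOTE(review): HTTP_FORWARDED, HTTP_X_FORWARDED_FOR and HTTP_VIA are
# ModSecurity 1.x-style header variable names; presumably the 2.x engine maps
# them to REQUEST_HEADERS - confirm the deployed version still accepts them.
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.26\.46\.168"
# The next patterns marked "quoted" were unquoted in the published file; quotes
# are added for consistency only, the pattern text is unchanged.
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "69\.50\.182\.154"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.81\.60\.58"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "66\.246\.252\.91"
# quoted (see above)
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "211\.185\.59\.124"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "209\.165\.131\.23"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "66\.246\.246\.22"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.89\.50\.28"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.38\.208\.48"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "159\.148\.29\.158"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.59\.188\.73"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "200\.168\.0\.246"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "193\.95\.90\.52"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "193\.95\.27\.2"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "195\.55\.222\.19"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "196\.203\.32\.81"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.150\.163\.82"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.237\.226\.70"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.96\.125\.38"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.97\.97\.168"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.98\.122\.111"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "217\.8\.64\.21"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.191\.119\.122"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.33\.104\.158"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.38\.171\.131"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "81\.109\.180\.3"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "81\.37\.184\.196"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "83\.57\.132\.206"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "84\.94\.13\.249"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "85\.129\.229\.111"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "86\.60\.16\.81"
# NOTE(review): 172.168.0.1 lies outside the RFC 1918 range 172.16.0.0/12, so
# this is a public address - confirm it is not a mistyped private address.
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "172\.168\.0\.1"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "196\.203\.4\.62"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.123\.250\.184"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "212\.116\.209\.234"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "217\.127\.56\.24"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.26\.46\.168"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.36\.245\.100"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "84\.94\.78\.98"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.59\.91\.33"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "unsecure-services"
SecRule HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "205\.177\.122\.162"

#bad proxies
# The Via rules match proxy identifiers as the proxy reports them. Many are
# generic host labels ("1\.1 DNS4", "1\.1 JUNIOR") that an unrelated proxy
# could share. Patterns containing upper-case letters can never match if the
# inherited default action applies t:lowercase - check that setting.
SecRule HTTP_FORWARDED "mangostino\.ut\.edu\.co"
SecRule HTTP_FORWARDED ".*\.cnh\.com"
SecRule HTTP_FORWARDED "phenix-prog-phr"
SecRule HTTP_FORWARDED "alfred\.nssi\.telus\.com"
SecRule HTTP_FORWARDED "wadsworth\.nssi\.telus\.com"
SecRule HTTP_VIA "\.ownsalldomains\.org"
SecRule HTTP_VIA "cache\.topflash\.co\.kr"
SecRule HTTP_VIA "\.quasar\.net\.id:8080"
SecRule HTTP_VIA "\.serverpronto\.com"
SecRule HTTP_VIA "\.fetish-expert\.org"
SecRule HTTP_VIA "proxy\.hwai\.edu\.tw"
SecRule HTTP_VIA "interno-1-1\.edn\.org\.br"
SecRule HTTP_VIA "\.pt-server1\.bt\.com"
SecRule HTTP_VIA "1\.1 cache-test-dtv-kno"
SecRule HTTP_VIA "kdnproxy\.kdn\.gov\.my"
SecRule HTTP_VIA "\.wisdomchina\.com"
SecRule HTTP_VIA "1\.1 PALACIOISA"
SecRule HTTP_VIA "1\.1 cache7\:80 \(squid"
SecRule HTTP_VIA "1\.1 www\.pt-server1\.bt\.com"
SecRule HTTP_VIA "revProxy\.foredu\.com\.cn"
SecRule HTTP_VIA "\.salmanetwork\.com"
SecRule HTTP_VIA "\.warnet\.com"
SecRule HTTP_VIA "moses\.frc\.org"
SecRule HTTP_VIA "1\.0 SQCNT3"
SecRule HTTP_VIA "phenix-prog-phr"
SecRule HTTP_VIA "1\.0 TIETONG"
SecRule HTTP_VIA "webshield\.beitberl\.ac\.il"
SecRule HTTP_VIA "1\.1 www\.any\.com"
SecRule HTTP_VIA "intra\.ckus\.rmutp\.ac\.th"
SecRule HTTP_VIA "poczta\.prochowa12\.waw\.pl"
SecRule HTTP_VIA "1\.1 ICACHE1"
SecRule HTTP_VIA "1\.1 New-Proxy2"
SecRule HTTP_VIA "1\.1 SERVEUR2000"
SecRule HTTP_VIA "intra\.ckus\.rmutp\.ac\.th"
SecRule HTTP_VIA "1\.1 PROXY, 1\.0 NC2100"
SecRule HTTP_VIA "1\.1 www\.rolnas\.com\.pl"
SecRule HTTP_VIA "1\.1 revproxy2"
SecRule HTTP_VIA "1\.1 webmail\.siamcom\.co\.th"
SecRule HTTP_VIA "1\.1 SMS2000\.tutsys\.com"
SecRule HTTP_VIA "1\.1 CAE-SERVER"
SecRule HTTP_VIA "1\.1 WORKGROU-OYOU4X"
SecRule HTTP_VIA "1\.1 INKABANPINPROXY"
SecRule HTTP_VIA "1\.1 DNS4"
SecRule HTTP_VIA "1\.1 www\.rolnas\.com\.pl"
SecRule HTTP_VIA "1\.1 DBSV1008"
SecRule HTTP_VIA "1\.1 NEWISA"
SecRule HTTP_VIA "1\.1 CPGATEWAY02"
SecRule HTTP_VIA "1\.1 router\:3128 \(KEN\!\)"
SecRule HTTP_VIA "1\.1 PROXYSRV\, 1\.0 supercache5"
SecRule HTTP_VIA "1\.1 ATIPLS1"
SecRule HTTP_VIA "1\.0 SMART\, 1\.0 LOIER2800\:"
SecRule HTTP_VIA "1\.1 62\.93\.34\.160"
SecRule HTTP_VIA "1\.1 fwall\.belcomct\.net"
SecRule HTTP_VIA "1\.1 ZERT-EWDGNMVXUF"
SecRule HTTP_VIA "1\.1 su\.tkp\.edu\.hk"
#SecRule HTTP_VIA "HTTP/1\.1 proxy\[AC1.*"
SecRule HTTP_VIA "HTTP/1\.1 proxy\[AC1E0247"
SecRule HTTP_VIA "1\.1 compujuan\.com\.es"
SecRule HTTP_VIA "1\.1 FEDERATION"
#SecRule HTTP_VIA "1\.1 SERVER-ISA"
SecRule HTTP_VIA "1\.1 EXACTWAPPROXY"
SecRule HTTP_VIA "1\.1 GRNSERVER"
SecRule HTTP_VIA "1\.1 www\.satem\.gob\.ve"
SecRule HTTP_VIA "1\.1 nilcombi\.nilcom\.fr"
SecRule HTTP_VIA "1\.1 cellulant\.lifeismobile\.com"
SecRule HTTP_VIA "1\.1 SR2300-SE7501-H"
SecRule HTTP_VIA "1\.1 www\.dmi\.es"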
# Proxy blacklist keyed on the Via request header, followed by one URI rule.
#
# Each active rule fires when the Via value contains the given pattern as an
# unanchored substring; lines starting with "#SecRule" are disabled entries
# kept as published. The rules have no action list or "id", so the outcome
# comes from the SecDefaultAction in effect (ModSecurity 2.7 and later will
# not load rules without a unique id).
#
# Review notes for operators:
#  - Via is written by the proxy (or by the client), so it can be omitted or
#    forged; treat a match as a signal, not as proof of origin.
#  - Many identifiers are generic host labels ("1\.1 JUNIOR", "1\.1 trixie",
#    "1\.1 SERVER-ISA") that unrelated proxies may share.
#  - Patterns containing upper-case letters can never match if the inherited
#    default action applies t:lowercase - check that setting.
#  - NOTE(review): HTTP_VIA is a ModSecurity 1.x-style variable name;
#    presumably 2.x maps it to REQUEST_HEADERS:Via - confirm on the deployed
#    version.
#SecRule HTTP_VIA "1\.0 cache2\.jed"
SecRule HTTP_VIA "1\.1 BRHCYBER"
SecRule HTTP_VIA "1\.1 132\.110\.2\.12"
SecRule HTTP_VIA "1\.1 .*\.pivotoffice\.com"
SecRule HTTP_VIA "1\.1 .*\.mundo-r\.com"
SecRule HTTP_VIA "1\.1 FAMILYCAREREHAB"
SecRule HTTP_VIA "1\.1 INFORMASERVER"
SecRule HTTP_VIA "1\.1 ITISA"
#SecRule HTTP_VIA "1\.1 NetCache-CLNS-STACK-1"
SecRule HTTP_VIA "1\.1 .*\.as5587\.net"
SecRule HTTP_VIA "1\.1 Maua"
SecRule HTTP_VIA "1\.1 JUNIOR"
SecRule HTTP_VIA "1\.1 offsetinternet"
SecRule HTTP_VIA ".*codevasf\.gov\.br"
SecRule HTTP_VIA "1\.1 www\.aha\.at"
SecRule HTTP_VIA "1\.1 ucavilapruebas\.es"
SecRule HTTP_VIA "1\.1 .*\.insightfirst\.com"
SecRule HTTP_VIA "1\.1 if3\.insightfirst\.com"
SecRule HTTP_VIA "1\.1 SERV132"
SecRule HTTP_VIA "1\.1 CacheFORCE"
SecRule HTTP_VIA "1\.1 dgc-squid"
#SecRule HTTP_VIA "1\.1 CS6200C"
SecRule HTTP_VIA "1\.1 NTS-SERVER"
SecRule HTTP_VIA "1\.1 AJF-JTC-ISA01"
SecRule HTTP_VIA "1\.1 neptun\.ci\.uw\.edu\.pl"
SecRule HTTP_VIA "1\.1 2-net\.ro"
SecRule HTTP_VIA "1\.1 .*\.usscript\.com"
SecRule HTTP_VIA "1\.1 SSIP_SERVER3"
SecRule HTTP_VIA "1\.1 SYVKOV422GX"
SecRule HTTP_VIA "1\.1 .*\.arbuzowa\.net"
SecRule HTTP_VIA "1\.1 www\.kevsclub\.com"
SecRule HTTP_VIA "1\.0 KALIMBA"
SecRule HTTP_VIA "1\.0 NETOUT-SERVER"
SecRule HTTP_VIA "1\.0 NTMARVWALL01"
SecRule HTTP_VIA "1\.0 PROXYSES2"
SecRule HTTP_VIA "1\.0 ptcdb\.edu\.ps"
SecRule HTTP_VIA "1\.0 px1nr \(NetCache NetApp/5\.6\.1D25\)"
SecRule HTTP_VIA "1\.0 px8so \(NetCache NetApp/5\.6\.1D25\)"
SecRule HTTP_VIA "1\.0 SERV132, 1\.0 netcache1 \(NetCache NetApp/6\.0\.1\)"
SecRule HTTP_VIA "1\.0 TEKIYA02 \(NetCache NetApp/5\.6\.2\), TEKIYA03, 1\.0 TEKIYA02 \(NetCache NetApp/5\.6\.2\)"
# The two disabled entries below name a private and a loopback address.
#SecRule HTTP_VIA "1\.1 10\.0\.1\.20"
#SecRule HTTP_VIA "1\.1 127\.0\.0\.1"
SecRule HTTP_VIA "1\.1 146\.83\.216\.207"
SecRule HTTP_VIA "1\.1 202\.88\.250\.211"
SecRule HTTP_VIA "1\.1 213\.155\.209\.204"
SecRule HTTP_VIA "1\.1 accel10\.click21\.com\.br"
SecRule HTTP_VIA "1\.1 alcyonix\.dyndns\.ws"
SecRule HTTP_VIA "1\.1 athos\.chem\.demokritos\.gr"
SecRule HTTP_VIA "1\.1 ATIPLS1"
SecRule HTTP_VIA "1\.1 BBSM52"
#SecRule HTTP_VIA "1\.1 bnb-cache1 \(NetCache NetApp.*\), 1\.1 rba-cache1"
SecRule HTTP_VIA "1\.1 cacheB\.ipko\.net"
SecRule HTTP_VIA "1\.1 CAE-SERVER"
SecRule HTTP_VIA "1\.1 CATHODE"
#SecRule HTTP_VIA "1\.1 cha-cache1 \(NetCache NetApp.*"
SecRule HTTP_VIA "1\.1 CSB-NC2 \(NetCache NetApp.*"
SecRule HTTP_VIA "1\.1 cuchimilco\.huaral\.org"
SecRule HTTP_VIA "1\.1 DBSV1008"
SecRule HTTP_VIA "1\.1 dns2\.araxa\.com\.br"
SecRule HTTP_VIA "1\.1 EMERSON, 1\.0 C6100 \(NetCache NetApp.*"
SecRule HTTP_VIA "1\.1 EPPD_SERVER"
SecRule HTTP_VIA "1\.1 fox-server1\.foxschool\.lan"
SecRule HTTP_VIA "1\.1 http-istcf1"
SecRule HTTP_VIA "1\.1 JUNIOR"
#SecRule HTTP_VIA "1\.1 lnac2 \(NetCache NetApp.*"
SecRule HTTP_VIA "1\.1 LTSP03\.glenwood\.k12\.mo\.us"
#SecRule HTTP_VIA "1\.1 MAILSERVER"
SecRule HTTP_VIA "1\.1 natty\.intranet"
#SecRule HTTP_VIA "1\.1 netcache1-ctn \(NetCache NetApp.*"
#SecRule HTTP_VIA "1\.1 netcache1 \(NetCache NetApp.*"
#SecRule HTTP_VIA "1\.1 NetCache3 \(NetCache NetApp.*"
SecRule HTTP_VIA "1\.1 NetCache-CLNS-STACK-1 \(NetCache NetApp.*"
#SecRule HTTP_VIA "1\.1 nme-nxg-pr1\.tpg\.com\.au"
SecRule HTTP_VIA "1\.1 no-dns\.as5587\.net"
SecRule HTTP_VIA "1\.1 ns07\.contentex\.net"
SecRule HTTP_VIA "1\.1 NYNETSRV01"
SecRule HTTP_VIA "1\.1 OTXXSERV"
SecRule HTTP_VIA "1\.1 proxy\.marshall\.k12\.wi\.us"
SecRule HTTP_VIA "1\.1 SERV132, 1\.0 netcache1 \(NetCache NetApp.*"
SecRule HTTP_VIA "1\.1 SERVER-ISA"
SecRule HTTP_VIA "1\.1 SERVEUR-CYBER"
SecRule HTTP_VIA "1\.1 slave02\.terrarica\.net"
SecRule HTTP_VIA "1\.1 SMS2000\.tutsys\.com"
SecRule HTTP_VIA "1\.1 spacebears"
SecRule HTTP_VIA "1\.1 squid2-sydny\.eftel\.com"
SecRule HTTP_VIA "1\.1 SSIP_SERVER3"
SecRule HTTP_VIA "1\.1 SYVKOV422GX"
SecRule HTTP_VIA "1\.1 trixie"
SecRule HTTP_VIA "1\.1 wc-02 \(NetCache NetApp.*"
SecRule HTTP_VIA "1\.1 webmail\.siamcom\.co\.th"
SecRule HTTP_VIA "1\.1 www\.arbuzowa\.net"
SecRule HTTP_VIA "1\.1 www\.gkcabunoc\.com"
SecRule HTTP_VIA "1\.1 addyon\.webair\.com"
SecRule HTTP_VIA "1\.1 alcyonix\.dyndns\.ws"
SecRule HTTP_VIA "1\.1 proxy\.pcdl\.gov\.br"
SecRule HTTP_VIA "1\.1 ichigo\.icsmail\.net"
SecRule HTTP_VIA "1\.1 80\.177\.18\.74"
SecRule HTTP_VIA "1\.1 raptor[0-9][a-z]\.watchdog\.net\.nz"
SecRule HTTP_VIA "1\.0 proxy[0-9]\..*\.maxnet\.net\.nz"
SecRule HTTP_VIA "1\.0 proxy[0-9]\.akl[0-9]\.maxnet\.net\.nz"
SecRule HTTP_VIA "1\.1 POMGFIREWALL"
SecRule HTTP_VIA "1\.1 alfred\.nssi\.telus\.com"
SecRule HTTP_VIA "1\.1 .*\.acdi-cida\.gc\.ca"
SecRule HTTP_VIA "CIDA13\.acdi-cida\.gc\.ca"

#generic sig for a bad site
# Inspects REQUEST_URI only: a URL scheme, then a host ending in ".exs.cx",
# then a path that ends in "/nc4hk.swf".
SecRule REQUEST_URI "(http|https|ftp).*\.exs\.cx/.*/nc4hk\.swf"