/
etc
/
apache2
/
conf.d
/
modsec2
/
File Upload :
llllll
Current File: //etc/apache2/conf.d/modsec2/10_asl_rules.conf
# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Application Security Rules for modsec 2.x # # Created by Prometheus Global (http://www.prometheus-group.com) # Copyright 2005-2013 by Prometheus Global, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # Distribution of this work or derivative of this work in any form is # prohibited unless prior written permission is obtained from the # copyright holder. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # #---ASL-CONFIG-FILE--- # # Do not edit this file! # This file is generated and changes will be overwritten. # # If you need to make changes to the rules, please follow the procedure here: # http://www.atomicorp.com/wiki/index.php/Mod_security #SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}" SecDefaultAction "log,deny,auditlog,phase:2,status:403" #Enforce proper requests per HTTP RFC SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ "chain,deny,status:403,t:none,t:lowercase,capture,phase:2,rev:2,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Invalid HTTP Request Line in violation of RFC (if you do not wish to follow HTTP RFCs, disable this rule)',id:'330700',severity:'4',logdata:'%{TX.0}'" #Java 1.6 doesnt seem to follow the RFC correctly SecRule REQUEST_HEADERS:User-Agent "^java/1\.6" #Block compressed encoding SecRule REQUEST_HEADERS:Content-Encoding "^Identity$" \ "capture,phase:1,t:none,deny,status:501,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: ModSecurity does not support content encodings and can not detect attacks using it, therefore it must be blocked.',id:'340362',rev:1,severity:'3',logdata:'%{TX.0}'" #check methods SecRule REQUEST_METHOD "@pm TRACE TRACK CONNECT" \ "phase:1,id:'333793',t:none,pass,nolog,skip:1" SecAction phase:1,id:334358,t:none,pass,nolog,skipAfter:END_METHOD_CHECKS # Rule 340002: deny TRACE method SecRule REQUEST_METHOD "@pm TRACE TRACK" \ "phase:1,deny,status:403,t:none,id:340002,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: TRACE/TRACK method denied'" # Rule 340361: deny CONNECT method SecRule REQUEST_METHOD "CONNECT" \ "deny,status:403,t:none,capture,phase:1,id:340361,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: CONNECT method denied',logdata:'%{TX.0}'" SecMarker END_METHOD_CHECKS #protocol violation SecRule REQUEST_METHOD "POST" "deny,status:403,t:none,chain,rev:2,id:'390616',rev:2,phase:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: POST request must have a Content-Length header',severity:'4'" SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none # Check for the expect header w/ HTTP/1.1 protocol # SecRule REQUEST_HEADERS:Expect "100-continue" \ "deny,status:403,t:none,chain,phase:2,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Expect Header Not Allowed for HTTP 1.0. This is an HTTP 1.1 feature.',severity:'5',id:'390706',rev:1" SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" # Check the pragma Header for the Cache-Control Header #SecRule &REQUEST_HEADERS:Pragma "@eq 1" \ #"deny,status:403,chain,phase:2,t:none,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'390705',rev:1" #SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain" #SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" # Rule 340012: #Proxy Protection with our added MATCHED_VAR enhancement SecRule REQUEST_URI_RAW "^\w+:/" \ "chain,phase:2,t:none,t:lowercase,capture,deny,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Unauthorized Proxy access attempt',severity:'2',id:'340012',rev:3,logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@rx ://%{SERVER_NAME}/" #Apache Range DOS attack protection rules SecRule REQUEST_HEADERS:Range "(\d+)\-(\d+)\," "chain,capture,phase:2,rev:2,t:none,deny,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Range: Invalid Last Byte Value. This may be a DOS attack',logdata:'%{matched_var}',severity:'5',id:343012" SecRule TX:2 "!@ge %{tx.1}" SecRule REQUEST_FILENAME "\.pdf$" phase:2,id:334359,pass,t:none,t:lowercase,nolog,skipAfter:END_RANGE_DOS SecRule REQUEST_HEADERS:Range "^bytes=(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\," \ "phase:2,capture,rev:2,t:none,t:lowercase,deny,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Range: Too many fields, this may be a DOS attack',logdata:'%{matched_var}',severity:'5',id:343013" SecMarker END_RANGE_DOS #Webdav doesnt always include Content-Length SecRule REQUEST_METHOD "^(?:CHECKOUT|PUT)" \ phase:2,id:364359,pass,t:none,nolog,ctl:forceRequestBodyVariable=On,skipAfter:END_TYPE_CHECK_1 #Request Body must define Content-Type per RFC, so application knows how to parse #Prevents impedence mismatch attacks SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ "chain,phase:2,rev:5,t:none,deny,status:403,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Request Containing Content, but Missing Content-Type header',id:'392301',severity:'5'" SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,ctl:forceRequestBodyVariable=On" SecMarker END_TYPE_CHECK_1 #DOS protection #SecRule REQUEST_URI_RAW "a cat is fine too" \ #"phase:2,t:none,t:lowercase,deny,status:403,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Apache DOS attempt',severity:'2',id:'330555',rev:1,logdata:'%{TX.0}'" # This one has limited utility as a fixed rule, this probably needs to be generated by the customer # Restrict the maximum number of arguments in a request SecRule &ARGS "@gt 1000" \ "chain,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Too many arguments in request (max set to 1000, increase as necessary for your system)',id:'390707',severity:'4',rev:6" SecRule REQUEST_FILENAME "!((?:/(?:imaclean|massdelete)/)|^/cgi-bin/dada/mail\.cgi$|^/index\.php/mageworx/customoptions_options|^/za/)" SecRule &REQUEST_COOKIES_NAMES "@gt 1000" "phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Too many cookies in request (max set to 1000, increase as necessary for your system)',id:'330707',severity:'4',rev:2" #block nulls and invalid characters SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!ARGS:templateCode|!ARGS:areas|!ARGS:/password/|!ARGS:FoxyData|!ARGS:sent_mail_folder \ "@validateByteRange 1-255" \ "deny,status:403,phase:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Invalid character in request or headers',rev:10,id:'390613',severity:'2',t:none,t:urlDecodeUni" SecRule ARGS|ARGS_NAMES|!ARGS:templatecode|!ARGS:areas|!ARGS:/illegalusernames/|!ARGS:/image/|!ARGS:resolution|!ARGS:depth|!ARGS:email|!ARGS:/comment/|!ARGS:mailbox|!ARGS:/description/|!ARGS:/txt/|!ARGS:/text/|!ARGS:body|!ARGS:/message/|!ARGS:/content/|!ARGS:/password/|!ARGS:FoxyData|!ARGS:sent_mail_folder "@validateByteRange 1-255" \ "deny,status:403,phase:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Invalid character in ARGS',rev:10,id:'390614',severity:'2',t:none,t:urlDecodeUni" #SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \ # "chain,phase:2,t:none,status:400,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible URL Encoding Attack Attempt',rev:3,id:'390615',severity:'4'" #SecRule REQUEST_URI "@validateUrlEncoding" #conflicting connections SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" \ "deny,status:403,capture,phase:2,t:none,log,auditlog,status:400,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Multiple/Conflicting Connection Header Data Found.',id:'390702',severity:'5',rev:3,logdata:'%{TX.0}'" #Check for digits in content length header SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,status:403,capture,phase:2,t:none,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Content-Length HTTP header is not numeric', severity:'2',rev:1,id:'390618',logdata:'%{TX.0}'" #SecRule REQUEST_HEADERS|REQUEST_FILENAME|ARGS_NAMES|XML:/*|REQUEST_BODY "@pm http/0.9 http/1.0 http/1.1 meta html content-type content-length" \ # "phase:2,t:none,t:lowercase,pass,nolog,skip:1" #SecAction phase:2,pass,nolog,skipAfter:END_SPLIT_CHECKS #HTTP smuggling attack SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "deny,status:403,capture,phase:2,t:none,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: HTTP Smuggling Attack.',id:'390619',rev:1,severity:'1',logdata:'%{TX.0}'" #Response splitting attacks SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|XML:/*|REQUEST_URI "(?:\bhttp\/(?:0\.9|1\.[01])|< ?(?:html|meta)\b)" \ "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: HTTP Response Splitting Attack',id:'390712',logdata:'%{TX.0}',severity:'1',rev:4" #SecMarker END_SPLIT_CHECKS # Rule 340000: Enforce proper HTTP requests # GET /robots.txt HTTP/1.0 # modsecurity does not seem to handle this correctly, its treating spaces # as delimiters and assumes the first space indicates the protocol field start. #SecRule REQUEST_PROTOCOL "!(?:^|\n|\r)http/(0\.9|1\.[01])$" \ # "t:none,t:lowercase,t:compressWhitespace,id:340000,rev:8,severity:1,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bad HTTP Protocol <%{TX.0}>'" #Vpatching add on #Prevent Impedence mismatches on ARG names #SecRule ARGS_NAMES "!^[\^\$0-9a-zA-Z\#_-\.@\{\}\[\]\(\)]+$" \ #SecRule REQUEST_URI "\.php" \ #"capture,t:none,t:lowercase,phase:2,log,deny,id:390720,rev:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Impedence Mismatch attack on PHP appliction using space to start argument name',logdata:'%{TX.0}',severity:'2'" #SecRule ARGS_NAMES "^ " #"t:none,capture,phase:2,log,deny,id:390720,rev:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Impedence Mismatch attack by using space in argument name',logdata:'%{TX.0}',severity:'2'" #"capture,t:none,t:urlDecodeUni,phase:2,log,deny,id:390720,rev:1,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Impedence Mismatch attack on ARGUMENT NAME by using invalid character in argument name',logdata:'%{TX.0}',severity:'2'" ###############FILE PROTECTION RULES#################### #Rule 340007: generic recursion signatures SecRule ARGS|!ARGS:elm1|!ARGS:/EditorZone/|!ARGS:file_private_path|!ARGS:code|!ARGS:/^resp/|!ARGS:rpath|!ARGS:backpath|!ARGS:data|!ARGS:/body/|!ARGS:editor1|!ARGS:/sidebar/|!ARGS:/template/|!ARGS:/desc/|!ARGS:resolution|!ARGS:/problem/|!ARGS:/solution/|!ARGS:/^style_options/|!ARGS:/CACHE_PATH/|!ARGS:connector|!ARGS:/comment/|!ARGS:obrazek|!ARGS:/txt/|!ARGS:keywords|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:css_data|!ARGS:/text/|!ARGS:/message/|!ARGS:body|!ARGS:pagecontent|!ARGS:/html/|!ARGS:filecontent|!ARGS:content|!ARGS:filename|!ARGS:fck_body|!ARGS:text|!ARGS:/content/ "(?i)(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\.){2}(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))" \ "phase:2,deny,status:403,chain,t:none,capture,id:340007,rev:42,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(/products/index\.php\?gallery=|connector=\.\./\.\./connectors|/admin/(?:structure/views/|[a-z]+/(?:edit|add))|/phpthumb\.php\?((?:w|h)=[0-9]+&)?((?:w|h)=[0-9]+&)?src=\.\./.*(?:pics|uploads|images)|/site-(?:builder|content)/|/node/(?:[0-9]+/(?:edit|add)|add/))" SecRule REQUEST_URI_RAW|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|REQUEST_FILENAME|!ARGS:templatecode|!ARGS:area "@pm ../.. ... /etc /proc /var/tmp /usr /opt /sbin /bin /dev /tmp /kern /root /boot /sys /windows /winnt inetpub localstart.asp boot.ini ~root ~ftp ~bin ~nobody ~named ~guest ~logs ~sshd ~admin ~mysql ~postgres ~oracle ////////" \ "id:334399,rev:2,phase:2,t:none,t:urlDecodeUni,t:cmdLine,t:replaceNulls,pass,nolog,skip:1" SecAction phase:2,id:334361,t:none,pass,nolog,skipAfter:END_FILE_PROTECTION_1 # Rule 340072: apache directory disclosure attempt #SecRule REQUEST_URI "////////" \ # "t:none,t:urlDecodeUni,id:340072,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Directory disclosure'" # Rule 340098: Bogus .... request #SecRule REQUEST_URI "\.\.\.\./" \ # "id:340098,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bogus ..../ request'" #Facebook does this odd HEAD or GET ../.. image queries from these net spaces #66.220.144.0 - 66.220.159.255 #66.220.144.0/20 ##173.252.64.0 - 173.252.127.255 SecRule REQUEST_METHOD "^(?:HEAD|GET)$" \ phase:2,id:335361,rev:2,t:none,chain,pass,nolog,skipAfter:END_FACEBOOK SecRule REMOTE_ADDR "@ipmatch 66.220.144.0/20,173.252.64.0/18" #SecRule REMOTE_ADDR "^(?:66\.220\.1(?:4[4-9]|5[0-9])\.|173\.252\.(?:[6-9][0-9]|1[0-2][0-7])\.)" # Rule 340006: generic recursion signatures SecRule REQUEST_FILENAME|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|ARGS|!ARGS:elm1|!ARGS:/EditorZone/|!ARGS:file_private_path|!ARGS:code|!ARGS:/^wpm_o_plugin/|!ARGS:/^jform/|!ARGS:/^resp/|!ARGS:rpath|!ARGS:data|!ARGS:/template/|!ARGS:/content/|!ARGS:/sidebar/|!ARGS:editor1|!ARGS:resolution|!ARGS:/^style_options/|!ARGS:manager_image_path|!ARGS:prefix|!ARGS:suffix|!ARGS:/CACHE_PATH/|!ARGS:connector|!ARGS:/comment/|!ARGS:/desc/|!ARGS:videoplayer|!ARGS:css_data|!ARGS:/txt/|!ARGS:/body/|!ARGS:wysiwyg_input|!ARGS:backPath|!ARGS:/text/|!ARGS:/message/|!ARGS:/^fck_/|!ARGS:htmlSource|!ARGS:path_to_lzx|!ARGS:trk "\.\./\.\./" \ "deny,status:403,t:none,t:urlDecodeUni,t:cmdline,capture,id:340006,rev:57,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied in URI/ARGS', chain,logdata:'%{TX.0}'" SecRule REQUEST_URI "!(alt_mod_frameset.php|checkout_shipping.php|^/components/com_zoom/etc/|/admin\.swf\?nick=|/editor/filemanager/browser/default/browser\.html\?(type=image&)?connector=\.\./\.\./connectors|/phpthumb\.php\?((?:w|h)=[0-9]+&)?((?:w|h)=[0-9]+&)?src=\.\./.*(?:pics|uploads|images)|/admin/(?:structure/views/|[a-z]+/(?:edit|add))|^/site-(?:builder|content)/|/node/(?:[0-9]+/(?:edit|add)|add/)|^/([a-z0-9]+/)?site-(?:builder|content/))" SecMarker END_FACEBOOK #potentially malicious recursion #../../../../.. SecRule REQUEST_URI_RAW|REQUEST_FILENAME|ARGS|!ARGS:/text/|!ARGS:/txt/|!ARGS:/body/|!ARGS:/message/|!ARGS:data|!ARGS:/content/|!ARGS:/resolution/|!ARGS:/post/|!ARGS:/comment/|!ARGS:/desc/|!ARGS:/subject/|!ARGS:/content/|!ARGS:/keywords/|!ARGS:/note/|!ARGS:/title/ "\.\./\.\./\.\./\.\./\.\." \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,id:347008,rev:13,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious deep path recursion denied'" SecRule REQUEST_URI "!(?:/site-builder/|/node/(?:[0-9]+/(?:edit|add)|add/))" "t:none,t:lowercase" # Rule 340008: generic bogus path sigs SecRule REQUEST_URI_RAW|REQUEST_FILENAME|REQUEST_HEADERS|ARGS|!ARGS:/^currentValue/|!ARGS:/message/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/summary/|!ARGS:resolution|!ARGS:prefix|!ARGS:/post/|!ARGS:/comment/|!ARGS:/description/|!ARGS:/subject/|!ARGS:/content/|!ARGS:/keywords/|!ARGS:/note/|!ARGS:/title/|!ARGS:/msg/|!ARGS:suffix "/\.{3,}/" \ "chain,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdline,t:replaceNulls,id:340008,rev:8,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bogus Path denied'" SecRule REQUEST_URI "!(^/node/(?:[0-9]+/(?:edit|add)|add)/)" "t:none,t:lowercase" # Rule 340009: generic recursion signatures SecRule REQUEST_HEADERS|!REQUEST_HEADERS:X-PageView|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:REFERER|ARGS|!ARGS:/^SystemProperties/|!ARGS:/bin_path/|!ARGS:/IMConfig/|!ARGS:imagemagick_path|!ARGS:/referer/|!ARGS:/referrer/|!ARGS:response|!ARGS:data|!ARGS:cte_cmd|!ARGS:/content/|!ARGS:/sidebar/|!ARGS:/^p_process/|!ARGS:prefix|!ARGS:suffix|!ARGS:resolution|!ARGS:/^w2Pcfg/|!ARGS:returnto|!ARGS:/url/|!ARGS:/redirect/|!ARGS:name|!ARGS:/redirect/|!ARGS:/path_to_file_cmd/|!ARGS:timezone|!ARGS:ZM_EXTRA_DEBUG_LOG|!ARGS:/ZM_PATH/|!ARGS:/device/|!ARGS:/sendmail/|!ARGS:/txt/|!ARGS:/summary/|!ARGS:/text/|!ARGS:/^config/|!ARGS:/^dPcfg/|!ARGS:g2_prefix|!ARGS:g2_form[path]|!ARGS:/keyword/|!ARGS:field_id_29|!ARGS:/highlight/|!ARGS:/search/|!ARGS:/msg/|!ARGS:/comment/|!ARGS:/hilit/|!ARGS:/uri/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:product[media_gallery][images]|!ARGS:/subject/|!ARGS:/comment/|!ARGS:/data/|!ARGS:/txt/|!ARGS:csum|!ARGS:/post/|!ARGS:LiveURLSegment|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:/desc/|!ARGS:note_title|!ARGS:/^xjxargs/|!ARGS:backPath|!ARGS:/message/|!ARGS:/^fck_/|!ARGS:htmlSource|!ARGS:path_to_lzx|!ARGS:/body/ "(?:(\.\.|^| )/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|tmp|kern|[br]oot|sys|windows|winnt)/|(?:\/|\\\\)+inetpub|localstart\.asp|boot\.ini)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdLine,t:replaceNulls,capture,id:340009,rev:61,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Protected Path Access denied in URI/ARGS', chain,logdata:'%{TX.0}',multimatch" SecRule REQUEST_URI "!(alt_mod_frameset.php|checkout_shipping.php|^/components/com_zoom/etc/|/admin\.swf\?nick=|/editor/filemanager/browser/default/browser\.html\?(type=image&)?Connector=\.\./\.\./connectors|/phpthumb\.php\?((?:w|h)=[0-9]+&)?((?:w|h)=[0-9]+&)?src=\.\./\.\./(?:uploads|images)|^/etc/[a-z0-9-_]+\.(css|html?|jpe?g|gif|png|te?xt)$|^/\?cx=|^/wizard/edit/html$|/mancgi/cronrun\?command|^/index\.php\?module=asl&event=)" "t:none,t:urlDecodeUni,t:lowercase" # Rule 340142: Special account protection SecRule REQUEST_URI "~(?:root|ftp|bin|admin|nobody|shutdown|named|guest|logs|sshd|mysql|postgres|mysql|oracle|tortix|atomic)/" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdLine,t:replaceNulls,t:normalisePath,id:340142,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Special account protection'" SecMarker END_FILE_PROTECTION_1 SecRule SERVER_PORT "@streq 30000" phase:2,id:323710,pass,t:none,nolog,skipAfter:END_ASL_3 #Protected file upload protection SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!ARGS:templatecode|!ARGS:areas "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl .history .bash_history" \ "phase:2,id:'333796',t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,skip:1" SecAction phase:2,id:334362,t:none,pass,nolog,skipAfter:END_FILE_PROTECTION_2 SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!ARGS:/hilit/|!ARGS:/hilight/|!ARGS:/highlight/|!ARGS:/body/|!ARGS:/post/|!ARGS:/txt|!ARGS:resolution|!ARGS:tiny_vals|!ARGS:/description/|!ARGS:/content/|!ARGS:/title/|!ARGS:parent_name|!ARGS:/^config_setting/|!ARGS:name|!ARGS:v_zZ_ConfDir|!ARGS:/keyword/|!ARGS:/desc/|!ARGS:/summary/|!ARGS:csum|!ARGS:suffix|!ARGS:prefix|!ARGS:/note/|!ARGS:/solution/|!ARGS:/msg/|!ARGS:/highlight/|!ARGS:/text/|!ARGS:/search/|!ARGS:/subject/|!ARGS:/message/|!ARGS:/post/|!ARGS:/resolution/|!ARGS:/problem/|!ARGS:/data/ "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|( |^|\.\.)/etc/|/\.(?:history|bash_history|sh_history)$)" \ "phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:cmdLine,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Attempt to access protected file remotely',id:'390709',rev:25,logdata:'%{TX.0}',severity:'2'" SecRule REQUEST_URI "!(^/file\?file=/etc/cccam\.cfg$|event=update_asl_config|^/etc/js/|^/index\.php\?module=asl&event=)" "t:none,t:urlDecodeUni,t:lowercase" SecMarker END_ASL_3 SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/|/\.(?:history|bash_history|sh_history)$)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:cmdLine,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Attempt to access protected file remotely',id:'390719',rev:6,logdata:'%{TX.0}',severity:'2'" # SecMarker END_FILE_PROTECTION_2 ################ SQL injection rules ######################### #Always SQL injection cases w/ antievasion SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|flv|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|xls|doc|od(?:t|s)|ppt|wbk)$" phase:2,pass,id:'333797',t:none,t:lowercase,nolog,skipAfter:END_SQL_CHECKS SecRule REQUEST_URI "(^/node/add/|/admin/content/|/todo\?action=edit$)" \ phase:2,pass,id:'333798',t:none,t:lowercase,nolog,skipAfter:END_SQL_CHECKS SecRule ARGS:module "(^modulebuilder$)" \ phase:2,pass,id:'353799',t:none,t:lowercase,nolog,skipAfter:END_SQL_CHECKS SecRule ARGS|!ARGS:pagetext|!ARGS:/database/|!ARGS:/^vpinfo/|!ARGS:website|!ARGS:suffix|!ARGS:Body|!ARGS:wikitext|!ARGS:type|!ARGS:content|!ARGS:areas|!ARGS:templatecode|!ARGS:website|!ARGS:/insertstring/|!ARGS:signature|!ARGS:/description/|!ARGS:Db_submit|!ARGS:text|!ARGS:code|!ARGS:comment|!ARGS:/sql/|!ARGS:/message/|!ARGS:query|ARGS_NAMES|!ARGS_NAMES:table_name|!ARGS:/sql/|!ARGS:resolution|!ARGS_NAMES:/conf_varchar/|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES_NAMES:/utm/ "@pmFromFile sql.txt" \ "phase:2,deny,status:403,capture,id:340155,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,rev:23,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL Injection protection',logdata:'%{TX.0}'" #Always SQL injection cases w/ antievasion #SecRule ARGS|!ARGS:/installcode/|!ARGS:/sql/|!ARGS:s_manifest|!ARGS:/database/|!ARGS:content|!ARGS:newcontent|!ARGS:query|!ARGS:/description/|!ARGS:/text/|!ARGS:Db_submit|!ARGS:/table/|!ARGS:EXPORTTABLE|!ARGS:/message/|!ARGS:previous_field|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:X-PageView|!ARGS_NAMES:/varchar/|!ARGS_NAMES:cfg_xsp_password|!ARGS:/body/|!ARGS:runQuery|!ARGS:field_type[]|!ARGS:/^field_type/|!ARGS:/^fieldtype_/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/subject/ "@pmFromFile sql.txt" \ # "phase:2,deny,status:403,capture,id:340160,t:none,t:hexDecode,t:replaceComments,t:compressWhiteSpace,rev:30,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL Injection protection',logdata:'%{TX.0}',chain" #SecRule ARGS:module "!(^modulebuilder$)" "t:none,t:lowercase" #SecRule REQUEST_URI "/index\.php\?module=administration" #Always SQL injection cases w/ antievasion SecRule ARGS|!ARGS:pagetext|!ARGS:/database/|!ARGS:/installcode/|!ARGS:areas|!ARGS:templatecode|!ARGS:s_manifest|!ARGS:Db_submit|!ARGS:/database/|!ARGS:/sql/|!ARGS:query|ARGS_NAMES|!ARGS:/description/|!ARGS:/insertstring/|!ARGS_NAMES:/conf_varchar/|!ARGS_NAMES:table_name|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/sql/ "@pmFromFile sql.txt" \ "phase:2,deny,status:403,capture,id:380023,t:none,t:base64Decode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,rev:8,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL Injection protection',logdata:'%{TX.0}'" #Always SQL injection cases w/ antievasion SecRule ARGS|!ARGS:pagetext|!ARGS:message|!ARGS:/database/|!ARGS:Db_submit|!ARGS:areas|!ARGS:templatecode|!ARGS:/description/|!ARGS:/sql/|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:query|ARGS_NAMES|!ARGS_NAMES:table_name|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES:/utm/ "@pmFromFile sql.txt" \ "phase:2,deny,status:403,capture,id:380024,t:none,t:hexDecode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL Injection protection',logdata:'%{TX.0}'" SecMarker END_SQL_CHECKS #################################### #First major set SecRule REQUEST_URI|REQUEST_COOKIES|!REQUEST_COOKIES:/utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|REQUEST_HEADERS|ARGS|!ARGS:/database/|!ARGS:templatecode|!ARGS:/insertstring/|!ARGS:areas|XML:/* "@pm select having grant delete insert drop alter replace truncate update create rename describe table database dba index into from convert bulk column procedure update set union or = ' -- procedure declare exec passthru outfile =1 null =2 =3 <=> <> != eval system exec" \ "phase:2,id:'333799',t:none,t:urlDecodeUni,t:removeComments,pass,nolog,skip:1" SecAction phase:2,id:334363,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_1 #SQL stored procedure injection SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES:/utm/|XML:/*|ARGS|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:/database/|!ARGS:comment|!ARGS:templatecode|!ARGS:areas|!ARGS:content|!ARGS:/sql/|!ARGS:query|!ARGS:/text/|!ARGS:/message/|!ARGS:/body/ "(?:procedure\s+analyse\s*\(|create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-|declare[^\w]+[@#]\s*\w+|exec\s*\(\s*@)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: MySQL and PostgreSQL stored procedure/function injections',id:380122,rev:4,logdata:'%{TX.0}',severity:'2'" #PHP shell code SQL injection SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES:/utm/|XML:/*|ARGS|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:templatecode|!ARGS:areas|!ARGS:/database/|!ARGS:comment|!ARGS:/sql/|!ARGS:query|!ARGS:/prefix/|!ARGS:/suffix/|!ARGS:definition "(?:\bunion\b.{1,100}?\bselect\b.{1,100}?php.{1,100}?(?:passthru|system|eval|preg_\w+|exec|shell_exec ?(?:\(|\: ?'?))|select.{1,100}?(?:php|perl).{1,100}?into outfile)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: SQL injection with PHP/PERL payload',id:380025,rev:6,logdata:'%{TX.0}',severity:'2'" # Rule 340013: #Prevent SQL injection in cookies SecRule REQUEST_COOKIES|REQUEST_HEADERS:User-Agent|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES:/temp_widdit/ "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\bunion\b.{1,100}?\bselect\b.[a-z0-9]|select (?:load_file|char\()|(?:insert|remark)test;)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,id:340013,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection in cookie or UA',logdata:'%{TX.0}'" # Rule 340015: #Prevent SQL injection in UA #SecRule REQUEST_HEADERS:User-Agent "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union select [a-z0-9])"\ # "t:replaceComments,t:compressWhiteSpace,id:340015,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection in User Agent header'" # SecRule REQUEST_URI "(?:(?:/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(?:downloads|submit_news)|/admin\.php\?module=ns\-addStory\&op=|/index\.php\?name=pnphpbb2&file=posting&mode=reply|/phpmyadmin/|/pnphpbb2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/node/[0-9]+/edit|/editcode/)" "t:none,t:lowercase,pass,nolog,id:340015,skipAfter:END_RULE_340016" # Rule 340016: SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|!REQUEST_COOKIES:/temp_widdit/|!REQUEST_COOKIES:/utm/|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|ARGS|XML:/*|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:/brief/|!ARGS:templatecode|!ARGS:area|!ARGS:/changelog/|!ARGS:permissions|!ARGS:/^p_posts/|!ARGS:data|!ARGS:contenido|!ARGS:content|!ARGS:/^info/|!ARGS:/narrative/|!ARGS:/FCKeditor/|!ARGS:/txt/|!ARGS:inc|!ARGS:/^label_/|!ARGS:/teaser/|!ARGS:bio|!ARGS:/installcode/|!ARGS:UserData|!ARGS:code|!ARGS:/report/|!ARGS:/^gcaption/|!ARGS:/^p_process_chats/|!ARGS:/database/|!ARGS:/^para/|!ARGS:/comment/|!ARGS:/keywords/|!ARGS:cf85|!ARGS:/sql/|!ARGS:query|!ARGS:/desc/|!ARGS:movie_brief|!ARGS:/text/|!ARGS:/message/|!ARGS:ncontent|!ARGS:/body/|!ARGS:/content/|!ARGS:searchword|!ARGS:contactMessage|!ARGS:cts|!ARGS:meta_descr|!ARGS:edited|!ARGS:content|!ARGS:Post|!ARGS:body|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:response[14]|!ARGS:/article/ "(?:(?:select|grant|delete|drop|alter|replace|truncate|create|rename|describe)[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\bunion\b.{1,256}?select.{1,256}[a-z0-9].{1,256}(?:from|#|, ?[0-9a-z])|\bselect\b.{1,256}?(?:load_file|char\()|(?:insert|remark)test ?;|insert[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+\(|update [a-z0-9]+set )" \ "phase:2,deny,status:403,capture,multimatch,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:replacecomments,t:compressWhiteSpace,id:340016,rev:32,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible SQL injection attempt detected',logdata:'%{TX.0}'" SecMarker END_RULE_340016 #bypass for these, no args SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" phase:2,id:'333800',pass,t:none,t:lowercase,nolog,skipAfter:END_SQL_CHECKS_2 # Rule 340017: SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES:/temp_widdit/|!REQUEST_COOKIES_NAMES:/utm/|ARGS|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:ncontent|!ARGS:/body/|!ARGS:/installcode/|!ARGS:code|!ARGS:/content/|!ARGS:/database/|!ARGS:searchword|!ARGS:add_keywords|!ARGS:comment|!ARGS:comments|!ARGS:text|!ARGS:/description/|!ARGS:contenido|!ARGS:/sql/|!ARGS:query|!ARGS:contactMessage|!ARGS:cts|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:introtext|!ARGS:Post|!ARGS:itembigtext|!ARGS:/article/|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:/message/|!ARGS:content_en|!ARGS:response[14]|!ARGS:article|!ARGS:wptextbox1|!ARGS:/narrative/|!ARGS:/FCKeditor/|!ARGS:data "(?:insert into values|select from [a-z|0-9]!( and)|bulk insert|union select|union all select|convert \(.{1,256}from|select (?:load_file|char\()|(?:insert|remark)test;)" \ "phase:2,deny,status:403,capture,t:none,t:lowercase,t:replaceComments,t:compressWhiteSpace,chain,id:340017,rev:48,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection in ARGS',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(?:^/edit_page$|/node/[0-9]+/edit|^/forum/posting\.php|^/admins/wnedit\.php|modules\.php\?name=morums&file=posting&mode=|^/joomla/administrator/index2\.php|^/wiki/index\.php?.*action=submit|^/imp/compose\.php|^/horde/imp/compose\.php|/sql.php|/tbl_(?:change|s(?:ql|tructure))\.php|/admincp/template\.php\?do=(?:insert|update)template|admin/area/save-page\.php$|^/cgi-bin/cookmail\.exe$|^/catalog/secure_admin/categories\.php\?cpath=)" "t:none,t:lowercase" # Rule 340144: Generic SQL sigs SecRule REQUEST_URI "!(?:(?:/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(?:Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=pnphpbb2&file=posting&mode=reply|/phpmyadmin/|/pnphpbb2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/node/[0-9]+/edit|/joomla/administrator/index2\.php|module=admin&act=dispLayoutAdminEdit&layout_srl=|upgrade.php?step=|^/ubbthreads/install/|^/projects/csb/milestone$)" \ "phase:2,deny,status:403,capture,t:none,t:lowercase,id:340144,rev:35,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection 2',chain,logdata:'%{TX.0}'" SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES:/temp_widdit/|!REQUEST_COOKIES_NAMES:/utm/|ARGS|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:templatecode|!ARGS:areas|!ARGS:body|!ARGS:/teaser/|!ARGS:/content/|!ARGS:wpSummary|!ARGS:ncontent|!ARGS:/installcode/|!ARGS:/database/|!ARGS:code|!ARGS:/report/|!ARGS:/database/|!ARGS:/text/|!ARGS:comment|!ARGS:/txt/|!ARGS:blogText|!ARGS:sendDescription|!ARGS:exec[text]|!ARGS:keywords|!ARGS:tiny_vals|!ARGS:postpagetext|!ARGS:display_query|!ARGS:Db_submit|!ARGS:Post|!ARGS:text|!ARGS:action|!ARGS:op|!ARGS:setup_db|!ARGS:wptextbox1|!ARGS:/message/|!ARGS:contenido|!ARGS:/sql/|!ARGS:query|!ARGS:query_string|!ARGS:query|!ARGS:description|!ARGS:/^para/|!ARGS:/narrative/|!ARGS:/FCKeditor/|!ARGS:/^info/|!ARGS:content|!ARGS:data|!ARGS:/^p_posts/ "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table) |delete[[:space:]] .{1,100}+ update [a-z0-9]+ set .{1,100}+=|union all select |\bunion\b.{1,100}?\bselect\b.*[a-z0-9]+ from |select (?:load_file|char ?\()|(?:insert|remark)test;)" "t:none,t:urlDecodeUni,t:lowercase,t:replaceComments,t:compressWhiteSpace" SecMarker END_SQL_CHECKS_2 # Rule 340145: Generic SQL sigs SecRule REQUEST_URI|ARGS|XML:/*|ARGS|!ARGS:product[name]|!ARGS:cookie|!ARGS:/^field\[6\]$/|!ARGS:UserData|!ARGS:serData|!ARGS:/^autoDS/|!ARGS:/^pages/|!ARGS:prefix|!ARGS:suffix|!ARGS:qa_answer|!ARGS:areas|!ARGS:templatecode|!ARGS:featured_ids|!ARGS:/teksti/|!ARGS:/^jform/|!ARGS:callforprice|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:condition|!ARGS:/^chronofield/|!ARGS:resolution|!ARGS:description|!ARGS:/^cforms/|!ARGS:special|!ARGS:/email|!ARGS:/body/|!ARGS:/installcode/|!ARGS:contenido|!ARGS:/sql/|!ARGS:query|!ARGS:/comment/|!ARGS:/content/|!ARGS:/descr/|!ARGS:newcontent|!ARGS:/text/|!ARGS:/txt/|!ARGS:khxc_incphp--filename|!ARGS:/file_content/|!ARGS:filecontent|!ARGS:/message/|!ARGS:defaultParamList|!ARGS:body|!ARGS:gbu0_proddetdisp--incdisp|!ARGS:gbu0_prodcatdisp--incdisp "(?:or.{1,100}1[[:space:]].{1,100}=[[:space:]]1|or [0-9] ?= ?[0-9]|admin'(?: --| #)|or (?:'|\")? ?(?:0|1|2|3|a|b) ?(?:'|\")? ?= ?(?:'|\")? ?(/:0|1|2|3|a|b) ?(?:'|\")?|having 1 ?= ?1 ?--|null is null ?--| \b(\d+) ?(?:=|<>|<=>|\!=) ?[0-3]\b)" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:replaceComments,t:replaceNulls,t:compressWhitespace,t:lowercase,capture,id:340145,rev:42,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible SQL injection probe',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(?:/index\.php/admin/catalog_category/save|(?:/admin/stats|/css/gallery-css)\.php\?1=1|/admin\.php\?tile=mail$|/catalog_category/save/key/|/\?op=admin_settings|^/\?openpage=|/^admin/extra)" "t:none,t:lowercase" # Rule 390572: Generic SQL sigs SecRule ARGS|XML:/*|ARGS:!serData|!ARGS:cookie|!ARGS:/^field\[6\]$/|!ARGS:/^autoDS/|!ARGS:pagetext|!ARGS:featured_ids|!ARGS:/^pages/|!ARGS:qa_answer|!ARGS:/teksti/|!ARGS:areas|!ARGS:templatecode|!ARGS:/^jform/|!ARGS:callforprice|!ARGS:condition|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:prefix|!ARGS:pagetext|!ARGS:suffix|!ARGS:special|!ARGS:description|!ARGS:resolution|!ARGS:/^chronofield/|!ARGS:memo|!ARGS:/^cforms/|!ARGS:/email|!ARGS:/body/|!ARGS:contenido|!ARGS:/sql/|!ARGS:query|!ARGS:/comment/|!ARGS:content|!ARGS:/descr/|!ARGS:newcontent|!ARGS:/text/|!ARGS:/txt/|!ARGS:/installcode/|!ARGS:/database/|!ARGS:khxc_incphp--filename|!ARGS:/file_content/|!ARGS:filecontent|!ARGS:/message/|!ARGS:defaultParamList|!ARGS:body|!ARGS:/^gbu0/ "(?:or.{1,100}1[[:space:]].{,100}=[[:space:]]1|or 1=[0-9]|admin'(?: --| #)| or '1'='1--|having 1 ?= ?1 --|or\+1=[0-9]|null is null ?--|(?:and|or) ?(\d+) ?(?:=|<>|<=>|!=) ?[1-3]\b)" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceComments,t:compressWhitespace,capture,id:390572,rev:22,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible SQL injection probe',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(?:/(?:catalog_category|featured)/save|(?:/admin/stats|/css/gallery-css)\.php\?1=1|/admin\.php\?tile=mail$|/\?op=admin_settings|^/\?openpage=|^/node/[0-9]+/(?:edit|webform/))" "t:none,t:lowercase" # Rule 340146: Meta character SQL injection SecRule REQUEST_URI "(?:insert[[:space:]]+into.+values|select (\*|[a-z0-9]+) from.+[a-z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|select (?:load_file|char\()|convert ?\(from|and.{1,256}char\(|(?:insert|remark)test ?;)" \ "phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:lowercase,id:340146,rev:8,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL metacharacter URI injection protection',logdata:'%{TX.0}'" SecRule ARGS:boattype "!(^select)" "t:none,t:lowercase" SecMarker END_SQL_INJECTION_RULE_1 ####################### Second Set # SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" phase:2,id:333801,pass,t:none,t:lowercase,nolog,skipAfter:END_SQL_CHECKS_3 SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:contenido|!ARGS:/sql/|!ARGS:/database/|!ARGS:pagetext|!ARGS:query|REQUEST_HEADERS|!ARGS:/FCKeditor/|!ARGS:/narrative/|!ARGS:/insertstring/|!ARGS:templatecode|!ARGS:areas "@pm select outfile exec passthru preg_ eval union concat" \ "phase:2,id:333802,t:none,t:urlDecodeUni,t:base64Decode,t:replaceComments,t:compressWhiteSpace,multimatch,pass,nolog,skip:1" SecAction phase:2,id:333701,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_2 #PHP shell code SQL injection SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:/sql/|!ARGS:contenido|!ARGS:query|!ARGS:/message/|!ARGS:templatecode|!ARGS:areas|!ARGS:pagetext|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!ARGS:/narrative/|!ARGS:templatecode|!ARGS:areas "(?:(?:\bunion\b.{1,100}?\bselect\b.{1,100}?php.{1,100}?(?:system|eval ?\(|shell_exec|passthru|preg_\w+|exec).{1,100}?into)|select.{1,100}?(?:php|perl).{1,100}?into outfile|union select all|concat ?\(user_)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:replaceComments,t:compressWhiteSpace,t:lowercase,multimatch,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: SQL injection with payload - base64 encoded',id:381025,rev:3,logdata:'%{TX.0}',severity:'2'" SecMarker END_SQL_INJECTION_RULE_2 SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:contenido|!ARGS:/sql/|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:query|!ARGS:/message/|!ARGS:/narrative/|!ARGS:areas|!ARGS:templatecode "@pm select outfile exec passthru" \ "phase:2,id:333803,t:none,t:urlDecodeUni,t:hexDecode,t:removeComments,pass,nolog,skip:1" SecAction phase:2,id:334364,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_3 #PHP shell code SQL injection SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:/insertstring/|!ARGS:contenido|!ARGS:/sql/|!ARGS:query|!ARGS:/narrative/|!ARGS:templatecode|!ARGS:pagetext|!ARGS:/database/|!ARGS:areas "(?:(?:\bunion\b.{1,100}?\bselect\b.{1,100}?php.{1,100}?(?:system|eval ?\(|shell_exec|preg_\w+|passthru|exec).{1,100}?into)|select.{1,100}?(?:php|perl).{1,100}?into outfile)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: SQL injection with PHP/PERL payload - hex encoded',id:381026,rev:2,logdata:'%{TX.0}',severity:'2'" SecMarker END_SQL_INJECTION_RULE_3 #SQL inline command attack with more AE cases SecRule ARGS|XML:/*|!ARGS:areas|!ARGS:templatecode|!ARGS:/txt/|!ARGS:/text/|!ARGS:/teaser/|!ARGS:wpSummary|!ARGS:/narrative/|!ARGS:templatecode|!ARGS:/insertstring/|!ARGS:areas|!ARGS:contenido|!ARGS:/sql/|!ARGS:content|!ARGS:file_content|!ARGS:query|!ARGS:/descr/|!ARGS:/body/|!ARGS:/text/|!ARGS:fck_tw_body|!ARGS:sub|!ARGS:msg_body|!ARGS:saved_data|!ARGS:fck_body|!ARGS:text|!ARGS:form[pagina_text]|!ARGS:description|!ARGS:/message/|!ARGS:content|!ARGS:/report/ "@pm char execute convert delete insert select drop create table declare null accesslevel user_name concat( union case xecresultset ;set @ cast" \ "phase:2,id:333804,t:none,t:base64Decode,t:hexDecode,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:replaceComments,t:compressWhiteSpace,multiMatch,pass,nolog,skip:1" SecAction phase:2,id:334365,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_4 SecRule ARGS|XML:/*|!ARGS:/replaceAll/|!ARGS:areas|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:templatecode|!ARGS:/insertBefore/|!ARGS:/insertAfter/|!ARGS:data|!ARGS:resolution|!ARGS:/prependTo/|!ARGS:/appendTo/|!ARGS:/prevObject/|!ARGS:json|!ARGS:/php/|!ARGS:wpSummary|!ARGS:/teaser/|!ARGS:fdata|!ARGS:file_content|!ARGS:/narrative/|!ARGS:data|!ARGS:/database/|!ARGS:/sql/|!ARGS:contenido|!ARGS:query|!ARGS:/descr/|!ARGS:/body/|!ARGS:/text/|!ARGS:/txt/|!ARGS:fck_tw_body|!ARGS:sub|!ARGS:msg_body|!ARGS:saved_data|!ARGS:fck_body|!ARGS:description|!ARGS:/message/|!ARGS:/content/|!ARGS:comment|!ARGS:p_action|!ARGS:/report/|!ARGS:/narrative/|!ARGS:/FCKeditor/ "(?:(\w+)(?:user|and)(\w+)char\([0-9]+\)|(?:execute|convert)\(|; ?\bdelete\b.{1,100}?;(?:insert|declare ?\@|varchar) ?|and .{1,100} \( ?select .{1,100} from |(?:drop|create)(\w+)table |(?:declare|convert) .{1,200} varchar\(|null ?, ?(?:null ?, ?(?:null|accesslevel|user_name)) ?,|concat\(|union select |union all select|\bcast\b .{1,50}\( as |xecresultset|' ?; ?declare\b @|; ?set @|select (?:load_file|char\()|(?:insert|remark)test;)" \ "chain,phase:2,deny,status:403,capture,id:340159,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:36,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection (MM)',logdata:'%{TX.0}',multiMatch" SecRule REQUEST_URI "!(/install/index\.php|/admin/fetch_data_af\.php\?action=create_txt_file_from_af_table$|/admin/structure/feeds/edit|^/([a-z]+/)?wp-admin/(?:admin|options-general)\.php\?page=wpsc-settings)" "t:none,t:lowercase" SecMarker END_SQL_INJECTION_RULE_4 SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:areas|!ARGS:templatecode|!ARGS:/narrative/|!ARGS:wpSummary|!ARGS:/database/|!ARGS:/text/|!ARGS:pass|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:description|!ARGS:introtext|!ARGS:Post|!ARGS:/sql/|!ARGS:query|!ARGS:itembigtext|!ARGS:article_content|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:general[description]|!ARGS:response[14]|!ARGS:article|!ARGS:wptextbox1 "@pm cast xecresults declare" \ "phase:2,id:333805,t:none,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1" SecAction phase:2,id:334366,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_5 #SQL Injection cases SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:code|!ARGS:wpSummary|!ARGS:areas|!ARGS:templatecode|!ARGS:comment|!ARGS:/database/|!ARGS:/text/|!ARGS:pass|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:description|!ARGS:introtext|!ARGS:Post|!ARGS:/sql/|!ARGS:query|!ARGS:itembigtext|!ARGS:article_content|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:/message/|!ARGS:content_en|!ARGS:general[description]|!ARGS:response[14]|!ARGS:article|!ARGS:wptextbox1 "(?:\bcast\b .{1.100} ?\(.{1,100} as |xecresultset|; ?declare\b ?\@)" \ "phase:2,deny,status:403,capture,id:340164,t:none,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:11,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: SQL Injection Attack',logdata:'%{TX.0}'" SecMarker END_SQL_INJECTION_RULE_5 SecRule ARGS|REQUEST_URI|XML:/*|REQUEST_HEADERS|ARGS_NAMES|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:contenido|!ARGS:/report/|!ARGS:wpSummary|!ARGS:/teaser/|!ARGS:/txt/|!ARGS:/narrative/|!ARGS:/text/|!ARGS:areas|!ARGS:templatecode "@pm = char( varchar execute convert delete insert declare select drop create table convert( null accesslevel user_name concat( union cast xecresultset" \ "phase:2,id:333806,t:none,t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1" SecAction phase:2,id:334367,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_6 #Always bad SQL injection case w/ antievasion #SecRule ARGS|!ARGS:/^fulltext/|!ARGS:message|ARGS_NAMES|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!ARGS:topicseen|!ARGS_NAMES:posted_data[product_substring]|!REQUEST_HEADERS:X-PageView "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \ SecRule ARGS|!ARGS:Db_submit|!ARGS:/installcode/|!ARGS:/^fulltext/|!ARGS:contenido|!ARGS:/sql/|!ARGS:wpSummary|!ARGS:query|!ARGS:message|ARGS_NAMES|!ARGS:/narrative/|REQUEST_HEADERS|!ARGS:areas|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:templatecode|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!ARGS:comment|!ARGS:topicseen|!ARGS_NAMES:posted_data[product_substring]|!REQUEST_HEADERS:X-PageView "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \ "phase:2,deny,status:403,capture,id:340156,capture,t:none,t:htmlEntityDecode,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:14,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection',logdata:'%{TX.0}',logdata:'%{TX.0}'" #SQL inline command attac? SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_COOKIES|XML:/*|ARGS|!ARGS:/replaceAll/|!ARGS:/insertBefore/|!ARGS:/insertAfter/|!ARGS:/prependTo/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:/appendTo/|!ARGS:json|!ARGS:data|!ARGS:areas|!ARGS:templatecode|!ARGS:contenido|!ARGS:/txt/|!ARGS:/text/|!ARGS:/teaser/|!ARGS:wpSummary|!ARGS:/narrative/|!ARGS:/installcode/|!ARGS:/php/|!ARGS:content|!ARGS:file_content|!ARGS:faqs_answer|!ARGS:/^para/|!ARGS:keywords|!ARGS:code|!ARGS:/sql/|!ARGS:data|!ARGS:/database/|!ARGS:/description/|!ARGS:alternate1|!ARGS:comment|!ARGS:body|!ARGS:fulldescr|!ARGS:article_content|!ARGS:query|!ARGS:/text/|!ARGS:txt|!ARGS:action|!ARGS:Db_submit|!ARGS:saved_data|!ARGS:form[pagina_text]|!ARGS:/message/|!ARGS:steps|!ARGS:fck_body|!ARGS:p_action|!ARGS:newcontent|!ARGS:/report/|!ARGS:/narrative/|!ARGS:/FCKeditor/ "(?:(\w+)(?:user|and)(\w+)char ?\([0-9]+\)|(?:execute|convert) ?\(|; ?\bdelete\b.{1,100}?; ?(?:insert|declare @|varchar) ?|and .{1,100} \(select |(?:drop|create)(\w+)table |(?:declare|convert) .{1,100} varchar\(|null ?, ?null ?, ?(accesslevel|user_?name) ?,|concat\(|union select |union all select|xecresultset|' ?; ?declare\b ?@|; ?set @|select (?:load_file|char ?\()|(?:insert|remark)test;)" \ "phase:2,deny,status:403,capture,id:340157,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:36,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection',chain,logdata:'%{TX.0}'" SecRule REQUEST_URI "!(?:/install/index\.php|/index\.php\?mode=install&sub=create_table$|^/admin/test/examples/txtsqladmin/index\.php|^/store/images/|^/([a-z]+/)?wp-admin/(?:admin|options-general)\.php\?page=wpsc-settings)" "t:none,t:lowercase" #additional SQL injection checks on cookies SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/utm/ "(?:(\w+)(?:user|and)(\w+)char\([0-9]+\)|(?:execute|convert)\(|; ?\bdelete\b.{1,100}?; ?(?:insert|declare @|varchar) ?|and .{1,100} \(select |(?:drop|create)(\w+)table |(?:declare|convert) .{1,100} varchar\(|null ?, ?null ?, ?(?:accesslevel|user_?name) ?,|concat\(|union select |union all select|\bcast\b ?\(.{1,100} as |xecresultset|' ?; ?declare\b ?@|; ?set @|select (?:load_file|char\()|(?:insert|remark)test;)" \ "phase:2,deny,status:403,capture,id:340181,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection',logdata:'%{TX.0}'" SecMarker END_SQL_INJECTION_RULE_6 SecMarker END_SQL_CHECKS_3 ############ COMMAND INJECTION RULES ######################### SecRule REQUEST_URI|REQUEST_COOKIES|!REQUEST_COOKIES:/utm/|ARGS|!ARGS:title|!ARGS:templatecode|!ARGS:areas|!ARGS:/template/ "@pm cmd cd ls pwd perl echo uname curl kill sh cpp python chown rm ping rsync rdiff-backup scp wget links g++ chgrp chown passwd bash telnet wguest wsh rcmd ftp cmd32 nmap net nc \# \| \; \`" \ "phase:2,id:333807,rev:2,t:none,t:urlDecodeUni,t:cmdline,pass,nolog,skip:1" SecAction phase:2,id:334368,t:none,pass,nolog,skipAfter:END_CMD_INJECTION_RULE_1 # Rule 340014: #Prevent command injection through cookies SecRule REQUEST_URI|REQUEST_COOKIES|!REQUEST_COOKIES:/utm/|ARGS|!ARGS:areas|!ARGS:/template/|!ARGS:site_first|!ARGS:sendDescription|!ARGS:templatecode|!ARGS:areas|!ARGS:wpSummary|!ARGS:/keyword/ "(?:; ?curl |(?:&|;) ?(?:cmd|command) ?= ?(?:chdir|mkdir|rm) |cd /(?:tmp|/var/tmp|/etc/|/proc|\.\.) |\|id ?\; ?echo*\||\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\.exe\b|cmd(?:(?:32)?\.exe\b|\b\W*?\/c)))" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:cmdline,t:replaceNulls,t:compressWhitespace,multimatch,chain,id:340014,rev:10,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: CMD injection',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(?:/count\.cgi|^/magento/index\.php/admin/dashboard/|^/images/stories/|^/content/pdf/media/print)" "t:none,t:lowercase" # Rule 340018: #Generic command line attack filter #SecRule REQUEST_URI "\|.*;.*;.*\|" \ # "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,chain,id:340018,rev:10,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic command line attack filter',logdata:'%{TX.0}'" #SecRule REQUEST_URI "!(?:/count\.cgi|^/magento/index\.php/admin/dashboard/|^/images/stories/|^/content/pdf/media/print)" "t:none,t:lowercase" # Rule 340029: script, perl, etc. code SecRule REQUEST_URI|ARGS|!ARGS:/template/|!ARGS:prefix|!ARGS:suffix|!ARGS:info|!ARGS:payment_extrainfo|!ARGS:file|!ARGS:thecode|!ARGS:/^p_process_chat/|!ARGS:snippet|!ARGS:phpcode|!ARGS:intro|!ARGS:/title/|!ARGS:/^data_parent/|!ARGS:code|!ARGS:lajmi|!ARGS:newcontent|!ARGS:content|!ARGS:/desc/|!ARGS:/hilit/|!ARGS:/hilight/|!ARGS:/highlight/|!ARGS:/body/|!ARGS:/post/|!ARGS:/txt|!ARGS:/content/|!ARGS:/keyword/|!ARGS:/summary/|!ARGS:/note/|!ARGS:/solution/|!ARGS:/msg/|!ARGS:/highlight/|!ARGS:/text/|!ARGS:/subject/|!ARGS:/message/|!ARGS:/post/|!ARGS:/resolution/|!ARGS:/problem/ "; ?(?:cat|ls|perl|uname|pwd|cp|kill|echo|tclsh8?|cpp|python|chown|rm|kill|ping|rsync|rdiff-backup|scp|wget|curl|links|g\+\+|ch(?:grp|own)|passwd|bash|telnet) " \ "phase:2,deny,status:403,capture,id:340029,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhitespace,t:lowercase,rev:18,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible command in REQUEST_URI or Argument',logdata:'%{TX.0}'" # Rule 340030: generic command line attack SecRule REQUEST_URI "\|*(?:id|echo|uname|pwd) ?\;" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,chain,id:340030,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Pipe command line probe'" SecRule REQUEST_URI "(?:id|echo|uname) ?; ?\|" SecMarker END_CMD_INJECTION_RULE_1 #SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|w(?:mv|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x))$" phase:2,pass,t:none,t:lowercase,nolog,skipAfter:END_CMD_INJECTION_RULE_2 #Possible command injection attack #SecRule ARGS "`" \ #"phase:2,t:none,t:urlDecodeUni,t:base64Decode,t:htmlEntityDecode,multimatch,pass,nolog,skip:1" #SecAction phase:2,pass,nolog,skipAfter:END_CMD_INJECTION_RULE_2 # #SecRule ARGS "` ?`.*\+ ?\".*` ?`" \ # "capture,t:urlDecodeUni,t:base64Decode,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,multimatch,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Command Injection Attack',id:'380014',rev:1,severity:'2'" # #SecMarker END_CMD_INJECTION_RULE_2 #SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" phase:2,id:333949,pass,t:none,t:lowercase,nolog,skipAfter:END_CMD_INJECTION_RULE_3 # #SecRule ARGS|!ARGS:areas|!ARGS:/template/ "`" \ #"phase:2,id:333808,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,skip:1" #SecAction phase:2,id:334369,t:none,pass,nolog,skipAfter:END_CMD_INJECTION_RULE_3 # #SecRule ARGS "` ?`.*\+ ?\".*` ?`" \ # "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Command Injection Attack',id:'380015',rev:1,severity:'2'" #SecMarker END_CMD_INJECTION_RULE_3 ################# BAD FUNCTION RULES ######################### #types that do not have RFI at all SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m))|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cg(?:m|i)|svg|swf|og(?:m|v|x)|json|swf|jsf|pl|aspx?|cfml?|doc|xls|od(?:t|s)|ppt|wbk)$" phase:2,id:333810,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_ALL # Rule 340082: SMTP redirects SecRule REQUEST_URI_RAW "^(?:(?:ht|f)tps?|connect):/.+:(25|465|587)" \ "phase:2,deny,status:403,t:none,t:lowercase,id:340082,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: SMTP redirect over http attempt'" #RFI/injection rules SecRule ARGS|REQUEST_URI|!ARGS:templatecode|!ARGS:areas|!ARGS:/url/ "@pm http:// https:// ftp:// ftps:// ogg:// data:// php:// zlib:// gopher:// compress.zlib connect" \ "phase:2,id:333812,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,pass,nolog,skip:1" SecAction phase:2,id:334370,t:none,pass,nolog,skipAfter:END_INJECTION_RULES_ALL #pdf, which may have an arg as part of an XSS attack but no other RFI methods SecRule REQUEST_FILENAME "\.pdf$" phase:2,id:333813,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES #Bad function rules # Rule 340019: #Generic PHP bad functions protection #PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html SecRule ARGS "compress\.zlib ?:" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340019,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic PHP bad functions protection'" SecRule REQUEST_FILENAME "\.(?:xml|html?)$" phase:2,id:333811,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_1 # Rule 340162: Generic PHP code injection protection in URI w/ anti-evasion SecRule REQUEST_URI "(?:\/(?:(?:wp-admin\/(page|post|widgets|link|options)|admin\/(?:edittemplate|webpage_update)|(?:signup|cpinquiry|profile))\.php|p(?:(?:hpbb\/install\/install\.ph|l\/download\?file=htt)p|roxy\/cb_proxy\.\?a=http:\/\/)|i(?:ndex\.php\/admin\/system_config\/save\/section\/payment\/|mp\/compose\.php)|tiki-(?:objectpermissions|editpage|view_cache)|jomsocial\/[a-z]+\/(?:edit|add))|^(?:\/(?:(?:[a-z0-9\-]+\/events\?(?:utm_|trk_)|node\/[0-9]+\/(?:edit|add)|[a-z]+\/unsubscribe)|(?:mysqldumper\/dump|xmlrpc)\.php$|go\.php\?u=affilorama&t=http:\/\/|\.services\/sitelogout)|/(?:b/ss/mxmacromedia|horde/services/go|node/add|cas/))|(?:(?:jw_allvideos_player|mod_mp3player)\?(?:file|playlist)=htt|ubbthreads\/admin\/dofeatures\.ph)p|ad-?server\/adjs|\?mode=addshout|^/administrator/index\.php\?option=com_rsform|^/index\.php/profile/register/registerprofile|^/[a-z]+/edit|^/(?:elements|admin/media)/save/)" phase:2,id:333814,rev:4,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_1 #SecRule ARGS "!@pmFromFile trusted-domains.conf" chain SecRule ARGS|!ARGS:/^vfb-/|!ARGS:to|!ARGS:pu|!ARGS:sima|!ARGS:/movie/|!ARGS:dns|!ARGS:contact_info|!ARGS:source_code|!ARGS:/^ninja_forms/|!ARGS:listserv|!ARGS:p_zoho|!ARGS:sugarroot|!ARGS:cyswllt|!ARGS:/^attribute/|!ARGS:/^channel/|!ARGS:/^wdf_joodb/|!ARGS:/^replacer/|!ARGS:options[alter][path]|!ARGS:/css_frame/|!ARGS:ad_code|!ARGS:tickets|!ARGS:war|!ARGS:slug|!ARGS:/whereto/|!ARGS:_search|!ARGS:pack|!ARGS:origem|!ARGS:extra_info|!ARGS:str_sitio|!ARGS:post-id|!ARGS:xml|!ARGS:/from_add/|!ARGS:/metatags/|!ARGS:radio|!ARGS:shire|!ARGS:/^svc_id/|!ARGS:RelayState|!ARGS:txt|!ARGS:ds_source|!ARGS:/^si_contact_/|!ARGS:next|!ARGS:clip|!ARGS:kotisivu|!ARGS:mb|!ARGS:jibber|!ARGS:pattern_select|!ARGS:wordpress_extra|!ARGS:origin|!ARGS:fail|!ARGS:success|!ARGS:move_to|!ARGS:/^listingfields/|!ARGS:svc_id|!ARGS:/^constant_contact/|!ARGS:hq|!ARGS:/flsrv/|!ARGS:svc_id|!ARGS:junkWords|!ARGS:/foto/|!ARGS:/^attr_/|!ARGS:name_ip|!ARGS:/stream/|!ARGS:canonical|!ARGS:/addy/|!ARGS:rel_path|!ARGS:aim|!ARGS:api|!ARGS:details|!ARGS:/^field/|!ARGS:profile_id|!ARGS:/^complete_action/|!ARGS:/^option_value/|!ARGS:/buzz/|!ARGS:cc_list_id|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:^/xcpr_/|!ARGS:back|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:/search_code/|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/live$/|!ARGS:/tripadvisor/|!ARGS:/iTunes/|!ARGS:service|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/target/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:/^input_/|!ARGS:embed_code|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:dest|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:refsrc|!ARGS:hp|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:input_3|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:sfhome|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:loc|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/photo/|!ARGS:/media/|!ARGS:parent_name|!ARGS:back|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/linkedin/|!ARGS:/twitter/|!ARGS:/flickr/|!ARGS:/youtube/|!ARGS:/blog/|!ARGS:/vid/|!ARGS:_update_failure|!ARGS:_update_success|!ARGS:importremote|!ARGS:hdwok|!ARGS:hdwnook|!ARGS:OpenID|!ARGS:/^akID/|!ARGS:/^hilit/|!ARGS:/reciprocal/|!ARGS:/callback/|!ARGS:subject|!ARGS:/sponsors/|!ARGS:want2Read|!ARGS:search_string|!ARGS:direct|!ARGS:/thumb/|!ARGS:fflv|!ARGS:direct|!ARGS:source_location|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:wlp|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:go|!ARGS:/^utm/|!ARGS:resolution|!ARGS:/export/|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:/click/|!ARGS:rf|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:/^win/|!ARGS:lec_rm|!ARGS:n-state|!ARGS:CP_email|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:attribute29|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:/server/|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:/body/|!ARGS:/^product_long_/|!ARGS:/content/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:customer_footer|!ARGS:FAQTitle|!ARGS:/host/|!ARGS:/text/|!ARGS:whereto|!ARGS:pathToPiwik|!ARGS:admin_footer|!ARGS:email_sig|!ARGS:/^artsee_banner_/|!ARGS:pingback_service|!ARGS:showStr|!ARGS:/http/|!ARGS:bannercode|!ARGS:email_forward|!ARGS:fetch|!ARGS:/txt/|!ARGS:mesg|!ARGS:forward|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:footer_scripts|!ARGS:u|!ARGS:/header/|!ARGS:action|!ARGS:cptpl_dir|!ARGS:arg6|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:cat_sponsor|!ARGS:stretch|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:var_value[usps_labels_help_2]|!ARGS:short_story|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:soundname|!ARGS:/^bbcode_/|!ARGS:/link/|!ARGS:faqText|!ARGS:request_uri|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:Comentario|!ARGS:dynadata[_SIGNATURE]|!ARGS:paypal_ipn|!ARGS:title|!ARGS:/frame/|!ARGS:l1_bdy|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:uri|!ARGS:wp_home|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:base1|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:full_story|!ARGS:source|!ARGS:set_static_uri_to|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:/^PLUGIN_FEED/|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:sig|!ARGS:KT_Update1|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:option[home]|!ARGS:sm_b_style|!ARGS:success|!ARGS:/^css/|!ARGS:short_story|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:revnews_ad_120|!ARGS:/sponsor_banner/|!ARGS:newText|!ARGS:PageCopy|!ARGS:option[78]|!ARGS:agendWebPage|!ARGS:/icon/|!ARGS:/ftp/|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:note|!ARGS:c_msg|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:helpbox|!ARGS:redir|!ARGS:ret|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:notes|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:oldmsg|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:fb_ref|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:ret|!ARGS:area|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:dynafield[_SIGNATURE]|!ARGS:payment_extrainfo|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://(.*)$" \ "phase:2,deny,status:403,capture,id:340162,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain,rev:290,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{MATCHED_VAR}'" SecRule TX:1 "!@beginsWith %{request_headers.host}" "t:none,t:lowercase" #SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" "t:none,t:urlDecodeUni,t:lowercase" #if its not encoded (which is why we dont use the transform), skip it as its already been reviewed in 340162 SecRule REQUEST_URI "=(?:ht|f)tps?://" phase:2,id:333815,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_1 # Rule 340165: Generic PHP code injection protection in URI w/ anti-evasion for encoded cases where ARGS doesnt work SecRule REQUEST_URI "://%{SERVER_NAME}/" phase:2,id:333816,pass,t:none,t:urlDecodeUni,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_1 SecRule REQUEST_URI "(?:(?:site|ur(?:l|i)\]?|searchText|loc|link|war|vid|next|snip?pet|feeds|name_ip|profile_id|details|subject|utmctr|go|resource|binary|bvpage|dns|back|media|page|hostname|location|img|picture|path|ref|\&u|src|destination|img_select|pattern_select|repository|return|target|service|targetservice|web|refer|referr?er|field-1|image|video|redirect|to)=https?://|/\?(?:return|redirect|redirect_to)=http|=https?://localhost/|^/site-content/|^/[a-z0-9\/\-]+/(?:new|edit)/[0-9]+/(?:confirm|edit)$|^/staff/index\.php\?_m=ticket)" phase:2,id:333817,rev:9,pass,t:none,t:urlDecodeUni,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_1 SecRule REQUEST_URI "!(^/index.php\?cmd=hbchat)" \ "chain,phase:2,deny,status:403,capture,id:340165,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:279,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Uniencoded possible Remote File Injection attempt in URI (AE)',logdata:'%{MATCHED_VAR}'" SecRule REQUEST_URI "=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://" "t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecMarker END_INJECTION_RULES_1 #include injection attack ##include(http://bad) SecRule ARGS|!ARGS:filecontent|!ARGS:/gen_header/|!ARGS:/template/|!ARGS:/content/|!ARGS:/description/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/message/ "include ?\(['\" ]?['\" ]?['\" ]? ?(?:ogg|gopher|data|php|zlib|(ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:340855,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Include Remote File Injection attempt in argument',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!(https?://%{SERVER_NAME}/)" # Rule 340031: remote file inclusion generic attack signature SecRule REQUEST_URI "\.(?:dat|gif|jpe?g|png|bmp|txt|vir|dot)\?" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,chain,id:340031,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote file inclusion'" SecRule REQUEST_URI|ARGS "(?:(?:pm_path|pagina|path|include_location|root|page|open)=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)|(?:cmd|command|inc)=)" SecMarker END_INJECTION_RULES #PDF XSS attack SecRule REQUEST_HEADERS|XML:/*|!ARGS:/^products_description/|!ARGS:/introtext/|!ARGS:/^message/|!ARGS:fulldescr|!ARGS:/^data/ "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \ "phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PDF XSS attack',id:'380012',rev:5,severity:'2',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecMarker END_INJECTION_RULES_ALL #File types that may have args, but can not be injected SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|swf|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|pl|cgi|doc|xls|od(?:t|s)|ppt|wbk|html?|xml)$" phase:2,id:333818,rev:2,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_MULTI #RFI/injection rules SecRule ARGS|REQUEST_URI|!ARGS:templatecode|!ARGS:areas "@pm http:// https:// ftp:// ftps:// ogg:// zlib:// gopher:// compress.zlib" \ "phase:2,id:333819,t:none,t:replaceNulls,t:compressWhitespace,t:urlDecodeUni,t:base64Decode,t:hexDecode,multimatch,pass,nolog,skip:1" SecAction phase:2,id:334371,t:none,pass,nolog,skipAfter:END_INJECTION_RULES_MULTI # Rule 340163: Generic PHP code injection protection in URI w/ anti-evasion and multimatch SecRule REQUEST_URI "(?:\/(?:(?:wp-admin\/(page|post|widgets|link|options)|admin\/(?:edittemplate|webpage_update)|(?:signup|cpinquiry|profile))\.php|p(?:(?:hpbb\/install\/install\.ph|l\/download\?file=htt)p|roxy\/cb_proxy\.\?a=http:\/\/)|i(?:ndex\.php\/admin\/system_config\/save\/section\/payment\/|mp\/compose\.php)|tiki-(?:objectpermissions|editpage|view_cache)|jomsocial\/[a-z]+\/(?:edit|add))|^(?:\/(?:(?:[a-z0-9\-]+\/events\?(?:utm_|trk_)|node\/[0-9]+\/(?:edit|add)|[a-z]+\/unsubscribe)|(?:mysqldumper\/dump|xmlrpc)\.php$|go\.php\?u=affilorama&t=http:\/\/|\.services\/sitelogout)|/(?:b/ss/mxmacromedia|horde/services/go|node/add|cas/))|(?:(?:jw_allvideos_player|mod_mp3player)\?(?:file|playlist)=htt|ubbthreads\/admin\/dofeatures\.ph)p|ad-?server\/adjs|\?mode=addshout|^/administrator/index\.php\?option=com_rsform|^/index\.php/profile/register/registerprofile|^/[a-z]+/edit|^/(?:admin/media|elements)/save/|^/index\.php\?loginerror=incorrectpassword$)" phase:2,id:333702,rev:4,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_MULTI SecRule REQUEST_URI|ARGS|!ARGS:/^vfb-/|!ARGS:to|!ARGS:pu|!ARGS:/^meta/|!ARGS:sima|!ARGS:/movie/|!ARGS:dns|!ARGS:source_code|!ARGS:/^ninja_forms/|!ARGS:listserv|!ARGS:p_zoho|!ARGS:sugarroot|!ARGS:cyswllt|!ARGS:/^attribute/|!ARGS:/^channel/|!ARGS:/^wdf_joodb/|!ARGS:/^replacer/|!ARGS:options[alter][path]|!ARGS:/css_frame/|!ARGS:ad_code|!ARGS:tickets|!ARGS:war|!ARGS:slug|!ARGS:/whereto/|!ARGS:_search|!ARGS:pack|!ARGS:extra_info|!ARGS:origem|!ARGS:str_sitio|!ARGS:post-id|!ARGS:/from_add/|!ARGS:/metatags/|!ARGS:xml|!ARGS:radio|!ARGS:shire|!ARGS:/^svc_id/|!ARGS:/live$/|!ARGS:RelayState|!ARGS:ds_source|!ARGS:contact_info|!ARGS:/^si_contact_/|!ARGS:next|!ARGS:clip|!ARGS:txt|!ARGS:kotisivu|!ARGS:mb|!ARGS:jibber|!ARGS:wordpress_extra|!ARGS:origin|!ARGS:pattern_select|!ARGS:fail|!ARGS:success|!ARGS:move_to|!ARGS:/^listingfields/|!ARGS:svc_id|!ARGS:/^constant_contact/|!ARGS:hq|!ARGS:/flsrv/|!ARGS:svc_id|!ARGS:/foto/|!ARGS:junkWords|!ARGS:name_ip|!ARGS:/stream/|!ARGS:canonical|!ARGS:/addy/|!ARGS:rel_path|!ARGS:aim|!ARGS:/^field/|!ARGS:details|!ARGS:/^complete_action/|!ARGS:profile_id|!ARGS:api|!ARGS:/^option_value/|!ARGS:button_src|!ARGS:cc_list_id|!ARGS:/buzz/|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:back|!ARGS:^/xcpr_/|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:/export/|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/tripadvisor/|!ARGS:/iTunes/|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/target/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:embed_code|!ARGS:/^input_/|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:wlp|!ARGS:hp|!ARGS:refsrc|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:input_3|!ARGS:file|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:sfhome|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/^obj_/|!ARGS:/photo/|!ARGS:/media/|!ARGS:/icon/|!ARGS:back|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/twitter/|!ARGS:/flickr/|!ARGS:/youtube/|!ARGS:parent_name|!ARGS:/blog/|!ARGS:/vid/|!ARGS:_update_failure|!ARGS:_update_success|!ARGS:hdwok|!ARGS:hdwnook|!ARGS:OpenID|!ARGS:/^hilit/|!ARGS:/reciprocal/|!ARGS:importremote|!ARGS:/callback/|!ARGS:/sponsors/|!ARGS:/^akID/|!ARGS:service|!ARGS:want2Read|!ARGS:search_string|!ARGS:/thumb/|!ARGS:subject|!ARGS:direct|!ARGS:fflv|!ARGS:direct|!ARGS:source_location/|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:go|!ARGS:resolution|!ARGS:/search_code/|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:/^utm/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:clickTag1|!ARGS:rf|!ARGS:payment_home|!ARGS:/title/|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:lec_rm|!ARGS:n-state|!ARGS:CP_email|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:/^clickTagFrame/|!ARGS:/^attr/|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:/^GARS_existing/|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:loc|!ARGS:/body/|!ARGS:/^product_long/|!ARGS:/server/|!ARGS:/content/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:/footer/|!ARGS:FAQTitle|!ARGS:/host/|!ARGS:/text/|!ARGS:whereto|!ARGS:pathToPiwik|!ARGS:email_sig|!ARGS:/^artsee_banner_/|!ARGS:fetch|!ARGS:/pingback/|!ARGS:/http/|!ARGS:email_forward|!ARGS:bannercode|!ARGS:mesg|!ARGS:forward|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:u|!ARGS:/header/|!ARGS:action|!ARGS:cptpl_dir|!ARGS:arg6|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:stretch|!ARGS:cat_sponsor|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:var_value[usps_labels_help_2]|!ARGS:short_story|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:soundname|!ARGS:/^bbcode_/|!ARGS:faqText|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:Comentario|!ARGS:/^dynadata/|!ARGS:paypal_ipn|!ARGS:right_frame|!ARGS:l1_bdy|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:wp_home|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:base1|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:full_story|!ARGS:source|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:/^PLUGIN_FEED/|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:sig|!ARGS:KT_Update1|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:option[home]|!ARGS:sm_b_style|!ARGS:short_story|!ARGS:/^css/|!ARGS:introduction|!ARGS:register_at|!ARGS:revnews_ad_120|!ARGS:/sponsor_banner/|!ARGS:newText|!ARGS:PageCopy|!ARGS:option[78]|!ARGS:agendWebPage|!ARGS:/ftp/|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:c_msg|!ARGS:note|!ARGS:domain|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:clickTAG|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:/redir/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:helpbox|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:oldmsg|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:goto|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:msgpreview|!ARGS:fb_ref|!ARGS:notes|!ARGS:pn_domain|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:ret|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:area|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:map|!ARGS:dynafield[_SIGNATURE]|!ARGS:payment_extrainfo|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:code|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://(.*)$" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:lowercase,multimatch,id:340163,rev:290,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{MATCHED_VAR}',chain" SecRule TX:1 "!@beginsWith %{request_headers.host}" "t:none,t:lowercase" #SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" SecMarker END_INJECTION_RULES_MULTI #Remote command protection rules SecRule REQUEST_URI|ARGS|!ARGS:/msg/|!ARGS:/sql/|!ARGS:/body/|!ARGS:/message/|!ARGS:/text/|!ARGS:templatecode|!ARGS:areas|!ARGS:/illegalusernames/|!ARGS:/image/|!ARGS:resolution|!ARGS:depth|!ARGS:/email/|!ARGS:/comment/|!ARGS:mailbox|!ARGS:/descr/|!ARGS:/resolution/|!ARGS:/solution/|!ARGS:/txt/|!ARGS:body|!ARGS:/message/|!ARGS:/content/|!ARGS:/password/|!ARGS:FoxyData|!ARGS:/jform/|!ARGS:areas|!ARGS:templatecode|!ARGS:site_first|!ARGS:sendDescription|!ARGS:templatecode|!ARGS:areas|!ARGS:wpSummary|!ARGS:/keyword/ "@pm cd perl killall python rpm yum apt-get emerge lynx links mkdir elinks cmd pwd wget lwp- id uname cvs svn rcp scp ssh rsh sftp netstat netcat rexec smdclient ftp curl telnet cc g++ whoami kill rm rsync nasm" \ "phase:2,id:334820,t:none,t:urlDecodeUni,t:cmdline,pass,nolog,skip:1" # SecAction phase:2,id:354372,t:none,pass,nolog,skipAfter:END_CMD2_ATTACKS # Rule 340023: Generic remote comand attack signature SecRule REQUEST_URI|ARGS|!ARGS:/msg/|!ARGS:post|!ARGS:/sql/|!ARGS:/body/|!ARGS:/search/|!ARGS:/message/|!ARGS:/text/|!ARGS:templatecode|!ARGS:areas|!ARGS:/illegalusernames/|!ARGS:/image/|!ARGS:resolution|!ARGS:depth|!ARGS:/email/|!ARGS:/comment/|!ARGS:mailbox|!ARGS:/descr/|!ARGS:/resolution/|!ARGS:/solution/|!ARGS:/txt/|!ARGS:body|!ARGS:/message/|!ARGS:/content/|!ARGS:/password/|!ARGS:FoxyData|!ARGS:/jform/|!ARGS:areas|!ARGS:templatecode|!ARGS:site_first|!ARGS:sendDescription|!ARGS:templatecode|!ARGS:areas|!ARGS:wpSummary|!ARGS:/keyword/ "(?:\b(?:cd|perl|killall|traceroute|python|r(?:pm|sync)|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(?:download|request|mirror|rget)|id|uname|cvs|svn|(?:s|r)(?:cp|sh)|n(?:et(?:stat|cat)|asm)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|whoami)\b |\brm\b \-[a-z] |\bcat\b /)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdline,multimatch,capture,id:340023,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible remote command execution',logdata:'%{TX.0}'" SecMarker END_CMD2_ATTACKS ############ PHP URL ATTACKS #################### # #PHP applications SecRule REQUEST_FILENAME "\.php" \ "phase:2,id:333820,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1" SecAction phase:2,id:334372,t:none,pass,nolog,skipAfter:END_PHP_GENERIC_ATTACKS # Rule 340117: General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links) SecRule REQUEST_URI|ARGS|!ARGS:templatecode|!ARGS:areas "\[url ?= ?(?:script|javascript|applet|about|chrome|activex):/.*\].*\[ ?/ ?url ?\]" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340117,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: General [url] php forum protections'" # Rule 340039: generic php attack sigs SecRule REQUEST_FILENAME "!(/mod_cmd/index\.php)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,chain,id:340039,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP command injection attempt'" SecRule REQUEST_URI "(?:&(?:cmd|command)=(?:id|uname) |cmd\?(?:cmd|command)=|(?:spy|cmd|cmd_out|sh)\.(?:gif|jpg|png|bmp|txt)\?&(?:cmd|command)=|\.php\?&(?:cmd|command)=)" # Rule 340137: Generic PHP avatar upload exploits #SecRule REQUEST_BODY "content-disposition\: form-data\; name=\"avatar\"\;" \ # "phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,phase:2,id:340137,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHPBB avatar exploit',chain" #SecRule REQUEST_BODY "\<\? ?php" chain #SecRule REQUEST_BODY "\? ?>" # Rule 340021: PHP Injection Attack generic signature SecRule REQUEST_URI|ARGS|!ARGS:templatecode|!ARGS:areas|!ARGS:/description/|!ARGS:/resolution/|!ARGS:/problem/ "(?:\?(?:(?:local|include|pear|squizlib)_path|action|content|dir|name|menu|pm_path|pathtoroot|cat|pagina|path|include_location|root|page|gorumdir|site|topside|pun_root|open|seite)=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:cmd|command)=(?:cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(?:download|request|mirror|rget) |uname|cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z]))" \ "phase:2,deny,status:403,t:none,t:lowercase,t:replaceNulls,t:compressWhitespace,t:normalisePath,id:340021,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP Injection Attack 1'" #SecRule REQUEST_URI "!(/lightboxjs\.php\?path=http:/)" "t:none,t:lowercase" # Rule 340022: PHP Injection Attack generic signature #SecRule REQUEST_URI "\.php\?(?:(?:(?:local|include|pear|squizlib)_path|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|.*(?:cmd|command)=(?:cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(?:download|request|mirror|rget) |id|uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z]))" \ # "capture,chain,id:340022,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP Injection Attack 2',logdata:'%{TX.0}'" #SecRule REQUEST_URI "!(/lightboxjs\.php\?path=http://)" SecMarker END_PHP_GENERIC_ATTACKS ############## BAD FILE NAMES ######################### #ZenPhoto uses weird extensions when its using mod_rewite #zp_user_auth SecRule REQUEST_URI "@pm .gif.txt .gif.dat .jpeg.txt .jpeg.dat .jpg.txt .jpg.dat .png.txt .png.dat .bmp.txt .bmp.dat .php.jpg .jpg.pht .gif.pht .png.pht .php.jpeg .php.flv .php.gif .php.mp3 .php.mp4 .php.mpg .php.mpeg .php.png .php.bmp .php.tif .php.txt .php.dat .php.avi .php.wmv .php.mp3" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,id:340035,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bogus file extensions'" SecRule REQUEST_FILENAME "@pm .jpg.php .gif.php .png.php" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,id:341137,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially Bogus PHP file'" #SecMarker END_BAD_FILE_NAMES ############# GENERIC COMMAND ATTACK SIGS ############## #SecRule REQUEST_URI "@pm perl ; ' | nc telnet sh exec ogg gopher http ftp lynx wget links curl ogg:// gopher:// cp @ rsync ftp cvs svn traceroute" \ # "phase:2,pass,nolog,skip:1" #SecAction phase:2,pass,nolog,skipAfter:END_CMD_INJECTION_2 # # Rule 340037: generic attack sig #SecRule REQUEST_URI "(?:cd |\;|php |echo |perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |id|uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/bin/(xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail))" \ # "id:340037,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic command injection'" # Rule 3400XX: Generic argument protection rule against bad meta characters #SecRule "ARGS" "!^[a-z0-9.&/?@_%=:;, -]+$" # Rule 340059: traceroute command attempt #SecRule REQUEST_URI "traceroute" \ # "chain,id:340059,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Command attempt (traceroute)'" #SecRule REQUEST_URI " (?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" # Rule 340083: very experimental generic remote download sig # These are VERY experiemental, please report false positives/negatives, etc. # foo IP or FQDN, or foo http/https/ftp://whatever #SecRule REQUEST_URI "(?:(?:perl|t?ftp|links|elinks|lynx|ncftp|(?:s|r)(?:cp|sh)|wget|lwp-(?:download|request|mirror|rget)|curl|cvs|svn).* (?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[a-z|0-9]\.[a-z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|traceroute (?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" \ # "id:340083,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Command attempt'" # Rule 340084: Command inline detection #SecRule REQUEST_URI "(?: |\;|/|\'|,|\&|\=|\.)(?:(?:s|r)(?:sh|cp)) *(?:.*\@.*|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[a-z|0-9]\.[a-z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" \ # "chain,id:340084,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Command injection attempt'" #SecRule REQUEST_URI "!(?:/scp/tickets\.php|/cgi-bin/stats\.cgi)" # Rule 340085: very experimental connect command sig #SecRule REQUEST_URI "(?:(?:(?: |\;|/|\'|,|\&|\=|\.)(?:perl|nc|telnet|(?:r|s)sh|rexec) .*(?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[a-z|0-9]\.[a-z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|\;perl [a-z|0-9]+;|(?:lynx|curl|wget|links) -dump |links (?:-(?:dump-(?:charset|width)|source)|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/))|(?: |\;|/|\'|,|\&|\=|\.)(?:(?:s|r)(?:sh|cp)) *(?:.*\@.*|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[a-z|0-9]\.[a-z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(?:(?:perl|t?ftp|links|elinks|lynx|ncftp|(?:s|r)(?:cp|sh)|wget|lwp-(?:download|request|mirror|rget)|curl|cvs|svn).* (?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[a-z|0-9]\.[a-z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|traceroute (?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+))" \ # "capture,id:340085,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Command injection attempt',logdata:'%{TX.0}'" #SecMarker END_CMD_INJECTION_2 ########### SCANNER SIGS ####################### SecRule REQUEST_URI "@pm nessus w00tw00t hacked" \ "phase:2,id:333823,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,skip:1" SecAction phase:2,id:334374,t:none,pass,nolog,skipAfter:END_SCANNER_SIGS # Rule 340069: nessus 1.X 404 probe SecRule REQUEST_URI "(?:nessus(?:_is_probing_you_|test)|^/w00tw00t\.at\.)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340069,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Web vulnerability scanner'" # Rule 340150: Dfind signature # w00tw00t.at.ISC.SANS.DFind # not likely to catch this, as it usually happens via an invalid # HTTP/1.1 request without a hostname, which apache will reject therefore other rules # WEB_ERROR_LOG will catch this #SecRule REQUEST_URI "w00tw00t" \ # "phase:1,deny,status:403,t:none,t:lowercase,id:340150,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: DFind scanner attempt'" # Rule 340141: wormsign #SecRule REQUEST_URI "hacked ?by ?member ?of" \ # "id:340141,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: worm'" SecMarker END_SCANNER_SIGS ################ PHP DEFENSES ######################## # #SecRule ARGS:PHPSESSID ";www" \ # "phase:2,pass,nolog,skip:1" #SecAction phase:2,pass,nolog,skipAfter:END_PHP_PROT_1 # SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk|(?:ht|x)ml)$" phase:2,id:333824,pass,t:none,t:lowercase,nolog,skipAfter:END_PHP_PROT_1 # Rule 340076: PHP defenses SecRule ARGS:PHPSESSID "(?:!^[0-9a-z]*$|!^[0-9a-z]*;www)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340076,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP Session attack'" # Rule 340079: PHP defenses SecRule REQUEST_COOKIES:sessionid "![0-9a-z]*$" \ "phase:2,deny,status:403,t:none,t:lowercase,id:340079,rev:10,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP policy violation'" SecMarker END_PHP_PROT_1 ############# APACHE PROTECTIONS ##################### SecRule REQUEST_URI "@pm server-info/ server-status/ cwd= jsp desudesudesu" \ "id:333825,t:none,t:urlDecodeUni,phase:2,pass,nolog,skip:1" SecAction phase:2,id:334375,t:none,pass,nolog,skipAfter:END_APACHE_PROT # Rule 340114: Apache /server-info accessible SecRule REQUEST_URI "^server-(?:info|status)/?$" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,chain,id:340114,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Apache admin service access attempt'" SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "t:none" # Rule 340116: generic Common HTTP vulnerability SecRule REQUEST_URI "(?:/\?cwd=/|a cat is fine too\.)" \ "phase:2,deny,status:403,t:none,t:lowercase,t:compresswhitespace,id:340116,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Common HTTP vulnerability'" # Rule 340097: Tomcat view source attempt SecRule REQUEST_URI "\x252ejsp" \ "phase:2,deny,status:403,t:none,t:lowercase,id:340097,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Tomcat view source attempt'" SecMarker END_APACHE_PROT ################PHP CODE INJECTION ATTACKS ################### SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" phase:2,pass,t:none,t:lowercase,nolog,id:333826,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_4 SecRule REQUEST_FILENAME "\.(?:pl|asp|f?cgi|do|exe|s?html)$" phase:2,id:333828,pass,t:none,t:lowercase,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_NOT_PERL SecRule REQUEST_URI|REQUEST_BODY|ARGS|REQUEST_HEADERS|ARGS_NAMES|XML:/*|!ARGS:templatecode|!ARGS:areas "@pm chr system passthru include php_uname preg_ mysql_query exec eval phpinfo decode_base64 base64_decode base64_url_decode rot13" \ "phase:2,id:334827,t:none,t:base64Decode,t:replaceNulls,t:compressWhiteSpace,pass,nolog,skip:1" SecAction phase:2,id:334376,t:none,pass,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_B64 SecRule ARGS|!ARGS:templatecode|!ARGS:areas|!ARGS:/news/|!ARGS:rsargs|!ARGS:/note/|!ARGS:announcement|!ARGS:/content/|!ARGS:/wysiwyg/|!ARGS:/prefix/|!ARGS:/suffix/|!ARGS:/comment/|!ARGS:problem|!ARGS:resolution|!ARGS:subject|!ARGS:/body/|!ARGS:/^widget-section/|!ARGS:/template/|!ARGS:/^eip_/|!ARGS:/sql/|!ARGS:/keyword/|!ARGS:/msg/|!ARGS:metadata|!ARGS:post_content|!ARGS:parent_name|!ARGS:topic|!ARGS:file_content|!ARGS:/^serendipity/|!ARGS:comment|!ARGS:summary|!ARGS:configoptionname|!ARGS:Definition|!ARGS:/php/|!ARGS:/Metatags/|!ARGS:/footerfile/|!ARGS:/layout/|!ARGS:/message/|!ARGS:email|!ARGS:/desc/|!ARGS:body|!ARGS:content "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|\b(?:passthru|php_uname|phpinfo|shell_exec|preg_\w+|mysql_query|exec|include|eval|system|base64_decode|decode_base64|base64_url_decode|str_rot13)\b ?(?:\(|\:))" \ "phase:2,deny,status:403,chain,t:none,t:base64Decode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:340195,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Base64 Encoded PHP function in Argument - this may be an attack.',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(/wp-login\.php\?vaultpress=true|/site-content/|^/admin/editform)" "t:none,t:lowercase" SecMarker END_PHP_CODE_INJECTION_ATTACKS_B64 #non B64 rules SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|ARGS_NAMES|XML:/*|!ARGS:templatecode|!ARGS:areas "@pm php chr fopen fwrite globals system passthru include php_uname popen proc_open mysql_query exec eval proc_nice proc_terminate proc_get_status proc_close pfsockopen leak apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid phpinfo preg_ decode_base64 base64_decode base64_url_decode rot13 <? mfunc mclude dynamic-cached-content" \ "phase:2,id:333827,t:none,t:urlDecodeUni,pass,nolog,skip:1" SecAction phase:2,id:334377,t:none,t:urlDecodeUni,pass,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_1 SecRule ARGS|ARGS:templatecode|!ARGS:rsargs|!ARGS:areas|!ARGS:/note/|!ARGS:announcement|!ARGS:/content/|!ARGS:/wysiwyg/|!ARGS:pages|!ARGS:html|!ARGS:/prefix/|!ARGS:/suffix/|!ARGS:server_validation|!ARGS:/comment/|!ARGS:problem|!ARGS:resolution|!ARGS:subject|!ARGS:/body/|!ARGS:/^widget-section/|!ARGS:/template/|!ARGS:/^eip_/|!ARGS:/sql/|!ARGS:/keyword/|!ARGS:/msg/|!ARGS:metadata|!ARGS:post_content|!ARGS:parent_name|!ARGS:topic|!ARGS:file_content|!ARGS:/^serendipity/|!ARGS:comment|!ARGS:summary|!ARGS:configoptionname|!ARGS:Definition|!ARGS:/php/|!ARGS:/Metatags/|!ARGS:/footerfile/|!ARGS:/layout/|!ARGS:/message/|!ARGS:email|!ARGS:/desc/|!ARGS:body|!ARGS:/text/|!ARGS:/txt/|!ARGS:content "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|\b(?:passthru|php_uname|phpinfo|shell_exec|preg_\w+|mysql_query|exec|eval|system|base64_decode|decode_base64|rot13|base64_url_decode|include)\b ?(?:\(|\:) ?')" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:340095,rev:40,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible PHP function in Argument - this may be an attack.',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(/wp-login\.php\?vaultpress=true|/site-content/|^/admin/editform)" "t:none,t:lowercase" # Rule 340077: PHP defenses SecRule ARGS|!ARGS:operate|!ARGS:search_keywords|!ARGS:templatecode|!ARGS:areas "^(?:globals(?:$|\[)|php:/)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:removeWhiteSpace,t:lowercase,id:340077,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP policy violation'" SecMarker END_PHP_CODE_INJECTION_ATTACKS_NOT_PERL # Rule 340096: PHP policy violation SecRule ARGS_NAMES "^php:/" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,capture,id:340096,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP policy violation',logdata:'%{TX.0}'" # Rule 340027: Genenric PHP body attack #SecRule REQUEST_BODY "(?:chr|fwrite|fopen|system|echr|passthru|php_uname|include|popen|proc_open|shell_exec|mysql_query|exec|eval|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|preg_replace) ?\( ?'?" \ # "t:none,t:urlDecodeUni,t:lowercase,capture,chain,id:340027,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic php body attack attempt',logdata:'%{TX.0}'" #SecRule REQUEST_BODY "(?:(?:cd|mkdir)[[:space:]]+(?:/|[a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z])" # Rule 340128: Slightly tighter version of the above SecRule REQUEST_URI|ARGS|XML:/*|!ARGS:templatecode|!ARGS:areas "(?:< ?[?%] ?|\[ ?php|m(?:func|clude)|dynamic-cached-content)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,capture,chain,id:340128,rev:21,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote PHP command exection',logdata:'%{TX.0}'" SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:templatecode|!ARGS:areas|!ARGS:file|!ARGS:/script/|!ARGS:description|!ARGS:/prefix/|!ARGS:/suffix/|!ARGS:solution|!ARGS:problem|!ARGS:view|!ARGS:/^body/|!ARGS:payment_extrainfo|!ARGS:server_validation|!ARGS:solution|!ARGS:/suffix/|!ARGS:/prefix/|!ARGS:resolution|!ARGS:message|!ARGS:/template/|!ARGS:msg|!ARGS:/php/|!ARGS:gen_header|!ARGS:/layout/|!ARGS:post|!ARGS:/description/|!ARGS:/text/|!ARGS:/txt/|!ARGS:footerfile|!ARGS:/descr/|!ARGS:titleMetatags|!ARGS:/content/|!ARGS:/^eip_/|!ARGS:/jform/ "(?:(?:chr|fwrite|fopen|system|echr|passthru|include|php_uname|popen|proc_open|shell_exec|mysql_query|eval|str_rot13|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|preg_\w+|base64_decode|base64_url_decode|decode_base64) ?(?:\(|\: ?'?)|system\( ?getenv ?\( ?http_php|(?:fputs|fread) ?\(|chr ?\(.{1,255}\).chr ?\(.{1,255}\).chr\()" "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,chain" SecRule REQUEST_URI "!(?:/admin/structure|^/node/(?:add|[0-9]+)/(?:page|edit)|^/administrator/index\.php\?option=com_hikashop$)" "t:none,t:lowercase" # Rule 340129: Generic PHP attack sig #SecRule REQUEST_BODY|REQUEST_URI "system\( ?getenv ?\( ?http_php ?\) ?\)" \ # "id:340129,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic PHP attack sig'" # Rule 340131: Generic PHP payload command injection and upload vulnerabilities #SecRule REQUEST_BODY|REQUEST_URI|ARGS|!ARGS:suffix|!ARGS:prefix "(?:< ?[?%] ?|\[ ?php)" \ # "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340131,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic PHP payload command injection and upload vulnerabilities',chain" #SecRule REQUEST_BODY|REQUEST_URI|ARGS|!ARGS:suffix|!ARGS:prefix "(?:(?:fputs|fread) ?\(.*\)\;|fsockopen ?\( ?gethostbyname|chr ?\(.*\).chr ?\(.*\).chr\(|f(?:close|gets) ?\(|(?:system|passthru|exec|eval|rot13) ?\()" # Rule 340133: HTTP header PHP code injection attacks SecRule REQUEST_HEADERS:Client-Ip|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "(?:< ?[?%] ?|\[ ?php|m(?:func|clude)|dynamic-cached-content)" \ "phase:2,deny,status:403,,t:none,t:urlDecodeUni,t:lowercase,id:340133,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: HTTP header PHP code injection attack'" # Rule 340011: #slightly tighter rules with narrower focus SecRule REQUEST_HEADERS|!REQUEST_HEADERS:REFERER|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES:/utm/ "(?:chr|fwrite|rot13|fopen|system|passthru|php_uname|popen|proc_open|shell_exec|exec|eval|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|preg_\w+) \(" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,capture,id:340011,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic PHP exploit pattern denied',logdata:'%{TX.0}'" # Rule 340005: Code injection via Headers #SecRule REQUEST_HEADERS|!REQUEST_HEADERS:REFERER "(?:chr|fwrite|fopen|system|passthru|include|php_uname|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo) ?\(.*\) ?\;" \ # "capture,id:340005,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Code Injection in Content-Length header',logdata:'%{TX.0}'" # Rule 340010: #Generic PHP exploit signatures #SecRule REQUEST_BODY|REQUEST_URI "<\? ?php.*(?:chr|fwrite|fopen|system|echr|passthru|include|php_uname|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo) ?\(.*\)\;" \ # "id:340010,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic PHP exploit pattern denied'" SecMarker END_PHP_CODE_INJECTION_ATTACKS_1 SecRule ARGS_NAMES|ARGS|XML:/*|!ARGS:areas|!ARGS:templatecode "@pm ftp_ fget fput gets scanf write open read gzencode gzdecode gzinflate gzwrite compress read session_start scandir readfile readgzfile readdir move_uploaded_file proc_ call_user_function $_post $_get $_sessio str_rot13 mfunc mclude dynamic-cached-content" \ "phase:2,id:333829,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,pass,nolog,skip:1" SecAction phase:2,id:334378,t:none,pass,nolog,skipAfter:END_PHP_INJECTION_SPECIAL #PHP injection SecRule ARGS_NAMES|ARGS|!ARGS:areas|!ARGS:templatecode|XML:/*|!ARGS:filecontent|!ARGS:/forbidden/|!ARGS:/descripcion/|!ARGS:/text/|!ARGS:/description/|!ARGS:/resolution/|!ARGS:/message/|!ARGS:/msg/|!ARGS:content|!ARGS:file|!ARGS:/jform/|!ARGS:ticket[body]|!ARGS:parent_name|!ARGS:/data/|!ARGS:/keyword/|!ARGS:search|!ARGS:/metadata/|!ARGS:/snippet/ "\b(f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|(?:g|b)z(?:(?:encod|writ)e|compress|open|read)|scandir|read(?:(?:(?:g|b)z)?file|dir)|gzinflate|move_uploaded_file|str_rot13|(?:proc_|bz)open|call_user_func|$_(?:(?:pos|ge)t|session))\b ?\(" \ "phase:2,deny,status:403,rev:15,capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP Injection Attack',id:'390715',logdata:'%{TX.0}',severity:'2'" SecMarker END_PHP_INJECTION_SPECIAL #code injection attempt SecRule ARGS|REQUEST_URI|XML:/*|!ARGS:areas|!ARGS:templatecode "(?:< ?[?%] ?|\[ ?php|m(?:func|clude)|dynamic-cached-content)" \ "id:333830,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1" SecAction phase:2,id:334379,t:none,pass,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_2 SecRule ARGS|REQUEST_URI|XML:/*|!ARGS:pages|!ARGS:areas|!ARGS:templatecode|!ARGS:/script/|!ARGS:/prefix/|!ARGS:/suffix/|!ARGS:/^snippet/|!ARGS:server_validation|!ARGS:/template/|!ARGS:message|!ARGS:content|!ARGS:msg|!ARGS:/content/|!ARGS:description|!ARGS:solution|!ARGS:problem|!ARGS:resolution|!ARGS:query|!ARGS:/^body/|!ARGS:/php/|!ARGS:suffix|!ARGS:prefix|!ARGS:summary|!ARGS:footerfile|!ARGS:/header/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/descr/|!ARGS:message "(?:include ?\( ?(?:\"|\')? ?http|(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gze?en?code|gzinflate|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|base64_decode|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|parse_ini_file|shell_exec|mysql_query|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|php_uname|preg_\w+|execute)\s*(?:\"|\(|@|\: ?'?))" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,capture,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious PHP code injection attempt',id:380018,rev:22,logdata:'%{TX.0}',severity:'2'" SecRule REQUEST_URI "!(\?(?:q=node\/[0-9]+\/edit$|p=admin_cms&))" "t:none,t:lowercase" SecMarker END_PHP_CODE_INJECTION_ATTACKS_2 #code injection attempt base64encoded # :-) SecRule REQUEST_BODY|ARGS|REQUEST_URI|XML:/*|!ARGS:areas|!ARGS:templatecode "(?:< ?[?%] ?|\[ ?php|m(?:func|clude)|dynamic-cached-content)" \ "id:333831,phase:2,t:none,t:base64Decode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1" SecAction phase:2,id:334380,t:none,pass,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_3 SecRule REQUEST_BODY|ARGS|REQUEST_URI|XML:/*|!ARGS:areas|!ARGS:templatecode|!ARGS:pages|!ARGS:p_upload_value|!ARGS:server_validation|!ARGS:/script/ "(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gze?en?code|gzinflate|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|base64_decode|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|parse_ini_file|shell_exec|mysql_query|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|include|php_uname|preg_\w+|execute)\s*(?:\"|\(|@|\: ?'?)" \ "phase:2,deny,status:403,t:none,t:base64Decode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,capture,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious PHP code injection attempt - base64 encoded',id:380019,rev:7,logdata:'%{TX.0}',severity:'2'" SecMarker END_PHP_CODE_INJECTION_ATTACKS_3 #code injection attempt hexencoded SecRule ARGS|REQUEST_URI_RAW|XML:/*|!ARGS:areas|!ARGS:templatecode "(?:< ?[?%] ?|\[ ?php|m(?:func|clude)|dynamic-cached-content)" \ "id:333832,phase:2,t:none,t:urlDecodeUni,t:hexDecode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1" SecAction phase:2,id:334381,t:none,pass,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_4 SecRule ARGS|!ARGS:/text/|!ARGS:/txt/|!ARGS:/^snippet/|!ARGS:/template/|!ARGS:message|!ARGS:server_validation|!ARGS:pages|!ARGS:content|!ARGS:msg|!ARGS:/content/|!ARGS:description|!ARGS:solution|!ARGS:problem|!ARGS:prefix|!ARGS:suffix|!ARGS:resolution|!ARGS:file|!ARGS:/php/|!ARGS:suffix|!ARGS:prefix|!ARGS:summary|!ARGS:footerfile|!ARGS:/template/|!ARGS:/header/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/descr/|!ARGS:message|!ARGS:p_upload_value|REQUEST_URI_RAW|XML:/* "(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gzd?en?code|gzinflate|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompres|curl_multi_exec|curl_exec|eval|base64_decode|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|parse_ini_file|shell_exec|mysql_query|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|include|php_uname|preg_\w+|execute)\s*(?:\"|\(|@|\: ?'?)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,capture,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious PHP code injection attempt - hex encoded',id:380020,rev:10,logdata:'%{TX.0}',severity:'2'" SecMarker END_PHP_CODE_INJECTION_ATTACKS_4 #code injection attempt base64encoded impedence match #SecRule MODSEC_BUILD "!@ge 020513900" "t:none,pass,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_5" # #SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:< ?[?%] ?|\[ ?php)" \ # "phase:2,t:none,t:urlDecodeUni,t:decodeBase64Ext,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1" # SecAction phase:2,t:none,pass,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_5 #SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gzencode|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|base64_decode|str_rot13|php_uname|file_get_contents|include|require|require_once|parse_ini_file|set|shell_exec|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|include|php_uname|preg_\w+|execute)\s*[\"\(@]" \ #"t:none,t:urlDecodeUni,t:decodeBase64Ext,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,capture,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious PHP code injection attempt - base64 encoded',id:380018,rev:6,logdata:'%{TX.0}',severity:'2'" #SecMarker END_PHP_CODE_INJECTION_ATTACKS_5 #################### XML RPC ATTACKS #################### SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" id:333833,phase:2,pass,t:none,t:lowercase,nolog,skipAfter:END_XML_RPC_ATTACKS #SecRule REQUEST_HEADERS:Content-Type "^(?:text|application)/xml" \ # "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" #SecRule REQBODY_PROCESSOR "!^XML$" "phase:2,pass,nolog,skipAfter:END_XML_RPC_ATTACKS" SecRule XML:/* "@pm select grant delete drop do alter replace truncate update create rename describe table database index view union load_file inserttest remarktest convert execute insert varchar drop table declare char exit uname define fgets move_uploaded_file readfile ftp_put ftp_fget gzd?en?code gzinflate ftp_nb_put bzopen readdir gzread fopen ftp_nb_f(put|get) ftp_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress curl_multi_exec curl_exec eval base64_decode base64_url_decode decode_base64 str_rot13 uname file_get_contents include parse_ini_file shell_exec mysql_query popen ini_ safe_mode phpinfo preg_ system exec passthru file_get_contents '))" \ "id:333834,rev:2,phase:2,t:none,pass,nolog,skip:1" SecAction phase:2,id:334382,t:none,pass,nolog,skipAfter:END_XML_RPC_ATTACKS # Rule 340118: Experimental XML-RPC generic attack sigs # ','')); SecRule XML:/* "(?:',''\)\)\;|< ?param ?> ?< ?name ?>.*\'\)\;)" \ "log,auditlog,deny,status:403,t:none,t:lowercase,t:compressWhiteSpace,id:340118,rev:8,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XML-RPC attack'" SecRule XML:/* "(?:(\w+)and(\w+)char\([0-9]+\)|(?:execute|convert)\(|(?:\;delete.{1,100};(?:insert|declare @|varchar)|(?:and .{1,100} \(select |(?:drop|create)(\w+)table|declare .{1,100} varchar\())|convert\(varchar|null,(?:null,(?:null|accesslevel|user_name),|concat\()|union select |\bcast\b ?\({1,100} as|xecresultset|' ?; ?declare @|; ?set @)" \ "deny,status:403,log,auditlog,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390636,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XMLRPC SQL injection attack'" # Rule 340121: Specific XML-RPC attacks on xmlrpc.php SecRule XML:/* "(?:(?:(?:echo|uname) ?(?:\'|\")|; ?exit ?;)|(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gzd?en?code|gzinflate|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|base64_decode|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|include|parse_ini_file|shell_exec|mysql_query|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|php_uname|preg_\w+|execute) ?(?:\(|@|\: ?'?)|; ?(?:wget|curl|fetch|lwp-(?:download|request|mirror|rget)|ncftp|ftp) ?(?:h|f)ttps?:/)" \ "deny,status:403,log,auditlog,t:none,t:lowercase,t:replaceComments,t:compressWhiteSpace,id:340121,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XML-RPC attacks on xmlrpc.php'" # Rule 340122: XML-RPC SQL injection generic signature SecRule XML:/* "(?:(?:select|grant|delete|drop|alter|replace|truncate|create|rename|describe)[[:space:]]+[a-z|0-9|\*|,]+[[:space:]](?:from|into|table|database|index|view)|union select |union all select|select (?:load_file|char\()|(?:insert|remark)test;|insert[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+\(|update [a-z0-9]+ set)" \ "deny,status:403,log,auditlog,capture,t:none,t:lowercase,t:replaceComments,t:compressWhiteSpace,id:340122,rev:7,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XML-RPC SQL injection ',logdata:'%{TX.0}'" SecRule XML:/* "(?: ?eval\ ?\(|file_get_contents\ ?\(|\) ?;? exit ?;)" \ "log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390635,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XMLRPC encoded command injection attack'" SecMarker END_XML_RPC_ATTACKS SecRule XML:/* "@pm select grant delete drop do alter replace truncate update create rename describe table database index view union load_file inserttest remarktest convert execute insert varchar drop table declare char exit uname define fgets move_uploaded_file readfile ftp_put ftp_fget gzd?en?code gzinflate ftp_nb_put bzopen readdir gzread fopen ftp_nb_f(put|get) ftp_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress curl_multi_exec curl_exec eval base64_decode base64_url_decode decode_base64 str_rot13 uname file_get_contents include parse_ini_file shell_exec mysql_query popen ini_ safe_mode phpinfo preg_ system exec passthru file_get_contents " \ "id:333948,phase:2,t:none,t:base64Decode,pass,nolog,skip:1" SecAction phase:2,id:334383,t:none,pass,nolog,skipAfter:END_XML_RPC_ATTACKS_B64 SecRule XML:/* "(?: ?eval\ ?\(|file_get_contents\ ?\(|\) ?;? exit ?;)" \ "log,deny,status:403,auditlog,t:none,t:base64Decode,t:compressWhiteSpace,t:lowercase,id:393635,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XMLRPC base64 encoded command injection attack'" # Rule 340122: XML-RPC SQL injection generic signature SecRule XML:/* "(?:(?:select|grant|delete|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*|,]+[[:space:]](?:from|into|table|database|index|view)|union select |union all select|select (?:load_file|char\()|(?:insert|remark)test;|insert[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+\()" \ "deny,status:403,log,auditlog,capture,t:none,t:base64Decode,t:lowercase,t:replaceComments,t:compressWhiteSpace,id:340123,rev:7,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XML-RPC base64 encoded SQL injection ',logdata:'%{TX.0}'" # Rule 340120: XML-RPC generic attack sigs SecRule XML:/* "(?:(?:(?:echo|uname) ?(?:\'|\")|; ?exit ?;)|(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gzd?en?code|gzinflate|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|base64_decode|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|include|parse_ini_file|shell_exec|mysql_query|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|php_uname|preg_\w+|execute) ?(?:\(|@|\: ?'?)|; ?(?:wget|curl|fetch|lwp-(?:download|request|mirror|rget)|ncftp|ftp) ?(?:h|f)ttps?:/)" \ "deny,status:403,log,auditlog,t:none,t:base64Decode,t:lowercase,t:replaceComments,t:compressWhiteSpace,id:340120,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XML-RPC attack'" SecRule XML:/* "(?:(\w+)and(\w+)char\([0-9]+\)|(?:execute|convert)\(|(?:\;delete.{1,100};(?:insert|declare @|varchar)|(?:and .{1,100} \(select |(?:drop|create)(\w+)table|declare .{1,100} varchar\())|convert\(varchar|null,(?:null,(?:null|accesslevel|user_name),|concat\()|union select | \bcast\b\ ?\(.{1,100} as |xecresultset|' ?; ?declare\b @|; ?set @)" \ "deny,status:403,log,auditlog,t:none,t:base64Decode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:393636,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XMLRPC base64 encoded SQL injection attack'" SecMarker END_XML_RPC_ATTACKS_B64 ################ WORM SIGS ########################### # # Rule 340134: wormsign SecRule REQUEST_HEADERS "xxxxxx+\: \+\+\+\+\+\+\+\+\+\+\+\+\+" \ "log,auditlog,deny,status:403,t:none,t:lowercase,id:340134,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Worm signature'" SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" id:333835,phase:2,pass,t:none,t:lowercase,nolog,skipAfter:END_WORM_SIGS #SecRule REQUEST_URI|ARGS|XML:/* "@pm thmc _ghc/rst_ " \ # "id:333836,t:none,t:urlDecodeUni,phase:2,pass,nolog,skip:1" # SecAction phase:2,id:334384,t:none,pass,nolog,skipAfter:END_WORM_SIGS # Rule 340135: THMC worm #SecRule REQUEST_URI|ARGS|XML:/* "(?:thmc\.\$dbhost\.thmc\.\$dbname\.thmc\.\$dbuser\.thmc\.\$dbpasswd\.thmc|echo _ghc/rst_)" \ # "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340135,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: THMC or PHPBB worm'" #SecMarker END_WORM_SIGS ################# IMAGE FILE CHECKS ###################### SecRule REQUEST_HEADERS:Content-Type "image/" \ "id:333837,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:replaceNulls,t:lowercase,pass,nolog,skip:1" SecAction phase:2,id:334385,t:none,pass,nolog,skipAfter:END_IMAGE_CHECKS # Rule 340138: Fake image file shell attacvk SecRule REQUEST_BODY "(?:(?:chr|system|passthru|eval|exec) ?\(|< ?\? php)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340138,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake image file shell attack'" # Rule 340140: bogus graphics file SecRule REQUEST_HEADERS:Content-Disposition "\.(?:php|txt|asp|pl|exe)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340140,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bogus graphics file'" #SecRule REQUEST_HEADERS:Content-Type "(?:image/gif|image/jpg|image/png|image/bmp)" \ SecMarker END_IMAGE_CHECKS ##############XSS RULES################################ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|QUERY_STRING|!ARGS:areas|!ARGS:templatecode "@pm script expression html onmouse onselect onsubmit onfocus onabort onblur onchange ondragdrop onfocus onkey ?= img src onload onerror import asfunction: background-image: fromcharcode frame input lowsrc mocha onblur onchange onclick ondragdrop onkeydown onkeypress onkeyup resize select unload shell: settimeout addimport @import url window.location < > env about applet activex chrome getparentfolder getspecialfolder href object eval" \ "id:333838,phase:2,t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:jsDecode,t:compressWhiteSpace,pass,nolog,skip:1" SecAction phase:2,id:334386,t:none,pass,nolog,skipAfter:END_XSS_ATTACKS # Rule 340099: cross site scripting attempt IMG onerror or onload SecRule REQUEST_URI|REQUEST_HEADERS "\< ?img.*/\bonerror\b[\s]*=" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340099,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: cross site scripting attempt'" # Rule 340102: cross site scripting attempt STYLE + JSCRIPT SecRule REQUEST_URI|REQUEST_HEADERS "type\s*=\s*[\'\"]text\/(?:j|vb|x-vb|ecma|java|x-java)script" \ "chain,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340102,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: cross site scripting attempt'" SecRule REQUEST_URI "!(/(?:scripts|staff)/index\.php\?(?:action|_m)=)" # Rule 340106: cross site scripting attempt STYLE + EXPRESSION SecRule REQUEST_URI|REQUEST_HEADERS "(?:style[\s]*=[\s]*[^>]expression[\s]*\(|[\s]*expression[\s]*\([^}]}[\s]*<\/style>)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:jsDecode,t:lowercase,id:340106,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: cross site scripting attempt STYLE + EXPRESSION'" # Rule 340109: cross site scripting attempt using XML SecRule REQUEST_URI|REQUEST_HEADERS "<!\[cdata\[<\]\]> ?script" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340109,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: cross site scripting attempt using XML'" # Rule 340110: cross site scripting attempt executing hidden Javascript SecRule REQUEST_URI|REQUEST_HEADERS "(?:eval[\s]*\([\s]*[^\.]\.innerhtml[\s]*\)|window\.execscript[\s]*\()" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:jsDecode,t:compressWhiteSpace,t:lowercase,id:340110,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: cross site scripting attempt executing hidden Javascript'" # Rule 340112: cross site scripting attempt to execute Javascript code SecRule REQUEST_URI|REQUEST_HEADERS "(?:(?:(?:url|src|href|lowsrc)[\s]*=)|(?:url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340112,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: cross site scripting attempt to execute Javascript code'" # Rule 340003: XSS insertion into headers SecRule REQUEST_HEADERS "(?:<[[:space:]]*(?:script|about|applet|activex|chrome)|\bon(?:abort|blur|change|click|submit|dragdrop|focus|keydown|keypress|keyup|mouse(?:down|move|out|over|up))\b ?=|>( |\+)?<( |\+)?img( |\+)?src( |\+)?=( |\+)?(ht|f)tps?:/)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhitespace,t:lowercase,chain,id:340003,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XSS attack in request headers'" SecRule REQUEST_URI "!(modules/tinytinymce/tinymce/jscripts/tiny_mce/utils/validate\.js$)" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:Referer "!(clientscript/yui/connection/javascript\:false$)" "t:none,t:lowercase" # Rule 340211: stealth VBscript injection SecRule REQUEST_URI|ARGS "(?i:(((url|src|href|lowsrc)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,t:lowercase,chain,id:340211,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: cross site scripting stealth attempt to access shell',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(?:\/(?:index\.php\?(?:(?:module=blocks&type=admin&func=updat|eid=tx_cms_showpic&fil)e)|node\/[0-9]+\/(?:webform\/components\/|edit))|/(?:node/add/|admin/page/edit))" "t:none,t:lowercase" #Rule 341211 #Jsencoded window eval SecRule REQUEST_URI|ARGS "window ?\[ ?\' ?eval" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:lowercase,id:341211,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: potentially untrusted encoded javascript detected',logdata:'%{TX.0}'" # Rule 340210: cross site scripting stealth attempt to access shell SecRule REQUEST_URI|ARGS "(?i:(((url|src|href|lowsrc)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:])" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,t:lowercase,chain,id:340210,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: cross site scripting stealth attempt to access shell',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(?:\/(?:index\.php\?(?:(?:module=blocks&type=admin&func=updat|eid=tx_cms_showpic&fil)e))|/(?:node/add/|admin/page/edit)|node\/[0-9]+\/(?:webform\/components\/|edit|add))" "t:none,t:lowercase" SecRule SERVER_PORT "^844[3-5]$" \ "id:333839,phase:2,t:none,pass,nolog,skipAfter:END_PLESK1" # Rule 340113 341211: cross site scripting stealth attempt to execute Javascript code SecRule ARGS|!ARGS:areas|!ARGS:templatecode|!ARGS:/^jform/|!ARGS:/content/|!ARGS:/tpl/|!ARGS:/header/|!ARGS:/rawcode/|!ARGS:/footer/|!ARGS:livezillacode|!ARGS:/script/|!ARGS:p_posts_va|!ARGS:description_short_1|!ARGS:senddescription|!ARGS:widget_code|!ARGS:/fckeditor/|!ARGS:emailmessage|!ARGS:wrap|!ARGS:/template/|!ARGS:cid "(?i:(((url|src|href|lowsrc)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,t:lowercase,capture,chain,id:340113,rev:29,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: cross site scripting stealth attempt to inject javascript ',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(?:\/(?:index\.php\?(?:(?:module=blocks&type=admin&func=updat|eid=tx_cms_showpic&fil)e))|/(?:node/add/|admin/page/edit)|\?tab=admin|/admin_2s/|^/ndxz-?studio/|node\/[0-9]+\/(?:webform\/components\/|edit|add)|/mail/composemessage|/filemanager/filemanager\.php|/html/scripts/index\.php\?ukey)" "t:none,t:lowercase" SecMarker END_PLESK1 # Rule 340020: #XSS in referrer and UA headers SecRule REQUEST_HEADERS:REFERER|REQUEST_HEADERS:User-Agent "(?:<[[:space:]]*(?:script|about|applet|activex|chrome)|activexobject|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parent|special)folder|< ?iframe |\.innerhtml|\<input|lowsrc|mocha\:|\bon(?:abort|blur|change|click|submit|dragdrop|focus|key(?:down|press|up)|mouse(?:down|move|out|over|up)|resize|select|unload)\b ?=|settimeout|shell\:|\b(?:vb|java|j|live)script(?: ?>|\")|>(?: |\+)?<(?: |\+)?img(?: |\+)?src(?: |\+)?=(?: |\+)?(?:ht|f)tps?:/)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,capture,id:340020,rev:34,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XSS in referrer and UA headers',chain,logdata:'%{TX.0}'" SecRule REQUEST_HEADERS:REFERER "!(^http://%{SERVER_NAME}/|pagead[0-9]\.googlesyndication\.com/pagead/|/gills\.swf?txt=<a href= ?asfunction:_root\.launchurl|vbscript.*convert.*&hl=.*client=|convert.*vbscript.*search|\?_rw=http|/tinymce/jscripts/|/pageear_[a-z]\.swf|/search\?hl=.*q=.*(?:vb|java)script)" "chain,t:none,t:lowercase" SecRule REQUEST_HEADERS:REFERER|REQUEST_URI "!(/plugins/editors/tinymce/jscripts/|/modules/tinymce/tinymce/jscripts|/phpinfo_iframe\.php|/tinymce/jscripts/|swf/pageear_[a-z]\.swf\?|!(/vbscript/|power script))" "t:none,t:lowercase" #special case for drupal for 340147 above SecRule REQUEST_URI "node/[0-9]+/webform/components/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:320474,rev:13,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:areas|!ARGS:templatecode|!ARGS:optional_head|!ARGS:file|!ARGS:notice|!ARGS:/formcode/|!ARGS:/tracking/|!ARGS:/jscode/|!ARGS:video1|!ARGS:paragrafo|!ARGS:value[value]|!ARGS:sidebar|!ARGS:/statement/|!ARGS:text1|!ARGS:offertext|!ARGS:livezillacode|!ARGS:/embed/|!ARGS:/header/|!ARGS:/desc/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:eventDescription|!ARGS:match_report|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:diz|!ARGS:/custom_code/|!ARGS:project_company|!ARGS:antwoord|!ARGS:project_company|!ARGS:value|!ARGS:/^fck/|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:text|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "((?:<|/) ?(?:(?:java|vb)?script|about|applet|activex|chrome)|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<|> ?\"? ?(>|<)|< ?/?i?frame|\%env)" #XSS generic filter and suspicious web code detector SecRule REQUEST_URI "!(?:/(?:admin/(?:(?:build(?:/translate|language/edit|/edit)?|catalog_category)/|settings/site-information|catalog/edit)|(?:miadmin/catalog_product|sitebuilder)/|wizard/edit/html|node/add/|filter-xss)|\/(?:admin\/(?:surveys\/[0-9]+\/edit\/|\?page=spageedit)|node\/[0-9]+\/(?:webform\/components\/|edit|clone))|^(?:(/~[a-z0-9]+)?/\?q=node/[0-9]+/edit|\?(?:s|v))|c=myaccount&m=update_profile$|mt\.cgi|/nav\.php\?nav=addnews|/products\.php\?action=(?:edit|update)|/systemadmin/configproducts\.php|/admin/catalog_product/|/index\.php\?tab=admincatalog|/admin/settings/customerror|^/ndxz-?studio/\?a=|/editform\?|/wizard/edit/|\?tab=admin|\?content=admin|\?action=modif|\?exec=articles_edit$|/admin/preview\.php|/sysext/tstemplate/|/site-builder/|/(?:new|edit)/[0-9]+/(?:confirm|add)|/admin/editform|/cms/admin/editform|^/filemanager/filemanager\.php|^/([a-z]+/)?admin/structure/|^/support/agent/|^/content/item/edit/|^/index\.php/admin/system_config/)" \ "id:333840,phase:2,t:none,t:lowercase,t:urlDecodeUni,pass,nolog,skip:1,rev:5" SecAction phase:2,id:334387,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,skipAfter:END_XSS_ATTACKS_D1 # Rule 340147: Generic XSS filter SecRule ARGS|ARGS_NAMES|!ARGS:q|!ARGS:/^textarea-video/|!ARGS:leirro|!ARGS:lomake|!ARGS:vastaus|!ARGS:vraag|!ARGS:qti_data|!ARGS:tracklist|!ARGS:i_google|!ARGS:code_area_text|!ARGS:/log_code/|!ARGS:/^ADVERT_/|!ARGS:UserData|!ARGS:areas|!ARGS:templatecode|!ARGS:/prevObject/|!ARGS:/replaceAll/|!ARGS:/insertBefore/|!ARGS:/insertAfter/|!ARGS:/prependTo/|!ARGS:/appendTo/|!ARGS:/mapcode/|!ARGS:googleCode|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:/^recipient/|!ARGS:optional_head|!ARGS:/^form/|!ARGS:/^var_value/|!ARGS:variable_data|!ARGS:/^instance/|!ARGS:/customfield/|!ARGS:notice|!ARGS:/formcode/|!ARGS:/ajax/|!ARGS:all|!ARGS:allowedTags|!ARGS:/google_analytics/|!ARGS:/widget/|!ARGS:ad_code|!ARGS:/keycaptcha_code/|!ARGS:/jscode/|!ARGS:postcontents|!ARGS:/adsense/|!ARGS:video1|!ARGS:/updateAds/|!ARGS:map|!ARGS:gmapcode|!ARGS:/^Sidebar/|!ARGS:/^wpTextbox/|!ARGS:paragrafo|!ARGS:/question/|!ARGS:/style/|!ARGS:tracking_code|!ARGS:whats-new|!ARGS:analyticscode|!ARGS:top_news|!ARGS:data[config]|!ARGS:fulltext|!ARGS:introtext|!ARGS:offertext|!ARGS:block|!ARGS:livezillacode|!ARGS:/embed/|!ARGS:/desc/|!ARGS:/script/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/cms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:match_report|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:phpcode|!ARGS:intro|!ARGS:Snippet|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:input[Desarrollo]|!ARGS:move2|!ARGS:hoperation|!ARGS:login_form|!ARGS:/product_benefits/|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:bbcode_tpl|!ARGS:Right_photo_1|!ARGS:embedVideo|!ARGS:/^K2ExtraField/|!ARGS:mentorhelp|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/footer/|!ARGS:/link/|!ARGS:text|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?script|(?:<|< ?/)(?:(?:java|vb)script|about|applet|activex|chrome)|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:replaceNulls,t:compressWhitespace,t:lowercase,capture,id:340147,rev:133,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Cross Site Scripting Attack',logdata:'%{TX.0}'" # Rule 340149: XSS injection SecRule ARGS|!ARGS:q|!ARGS:/^textarea-video/|!ARGS:leirro|!ARGS:lomake|!ARGS:vastaus|!ARGS:vraag|!ARGS:qti_data|!ARGS:tracklist|!ARGS:i_google|!ARGS:code_area_text|!ARGS:/log_code/|!ARGS:/^ADVERT_/|!ARGS:payment_extrainfo|!ARGS:UserData|!ARGS:clone|!ARGS:areas|!ARGS:templatecode|!ARGS:/replaceAll/|!ARGS:/insertBefore/|!ARGS:/insertAfter/|!ARGS:/prependTo/|!ARGS:/appendTo/|!ARGS:/prevObject/|!ARGS:/mapcode/|!ARGS:googleCode|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:/^recipient/|!ARGS:optional_head|!ARGS:/^data\[News\]/|!ARGS:d|!ARGS:/^form/|!ARGS:/^var_value/|!ARGS:/^instance/|!ARGS:/customfield/|!ARGS:val333|!ARGS:notice|!ARGS:/formcode/|!ARGS:val333|!ARGS:all|!ARGS:allowedTags|!ARGS:/tracking/|!ARGS:/google_analytics/|!ARGS:/widget/|!ARGS:ad_code|!ARGS:/keycaptcha_code/|!ARGS:/jscode/|!ARGS:postcontents|!ARGS:/gadsense/|!ARGS:video1|!ARGS:/updateAds/|!ARGS:map|!ARGS:ide_text|!ARGS:gmapcode|!ARGS:/^Sidebar/|!ARGS:/^wpTextbox/|!ARGS:paragrafo|!ARGS:/question/|!ARGS:/style/|!ARGS:sidebar|!ARGS:text1|!ARGS:analyticscode|!ARGS:top_news|!ARGS:data[config]|!ARGS:fulltext|!ARGS:tracking_code|!ARGS:introtext|!ARGS:offertext|!ARGS:block|!ARGS:livezillacode|!ARGS:/desc/|!ARGS:/footer/|!ARGS:/embed/|!ARGS:/script/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:match_report|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:pay_inst_1|!ARGS:sml_prt_1|!ARGS:/form/|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:input[Desarrollo]|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:move2|!ARGS:hoperation|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:mes|!ARGS:signature|!ARGS:paepdc|!ARGS:/VB_announce/|!ARGS:/^autoDS/|!ARGS:newyddionc|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/header/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:text|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?i?frame ?src ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\.add|\@)import |asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s|lowsrc ?=|mocha\:|\bon(?:abort|blur|change|click|submit|select|dragdrop|focus|key(?:down|press|up)|mouse(?:down|move|out|over|up))\b ?=.|shell\:|window\.location|asfunction:_root\.launch|\%env)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:340149,rev:151,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule REQUEST_BODY "^< ?\??( |\+)?xml" \ phase:2,id:333704,pass,t:none,t:urlDecodeUni,t:lowercase,nolog,skipAfter:END_XSS_ATTACKS_D1 #suspicious code SecRule REQUEST_URI "!(?:/admin/(?:[a-z]+/save|publish|\?op=editlink|content/update)|/secure/roundcube/|/backend\.php/property/save|/edit/|/home/add|/\?act=edit|/site-content/|/project/update/|/index\.php\?option=com_?(?:easyblog|resource&controller=article|comprofiler&task=my_profile|aclassif)|/index\.php/datafeedmanager/adminhtml_datafeedmanager/save|/index\.php\?mode=(?:new|edit)story|^/filemanager/filemanager\.php|^/user_info/edit_profile/|/admin/editor/|^/user\.php\?op=edituser&htmltext=|^/admin/structure/|option=com_rsform&task=forms\.edit|^/ndxz-?studio/\?a=|^/support/agent|^/elements/save|^/settings/in_place_save/|^/ndxz2/|^/([a-z]+/)?index\.php/admin/s(?:ystem_config|ubject)/)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,capture,id:350147,rev:140,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially Untrusted Web Content Detected',chain,logdata:'%{TX.0}'" SecRule ARGS|ARGS_NAMES|!ARGS:/^ADVERT_/|!ARGS:tracklist|!ARGS:/promo/|!ARGS:/offer/|!ARGS:komentar|!ARGS:/fullnews/|!ARGS:vraag|!ARGS:/^textarea-video/|!ARGS:/_layout_/|!ARGS:/^FieldValue/|!ARGS:areacomum|!ARGS:lomake|!ARGS:vastaus|!ARGS:/^values/|!ARGS:target|!ARGS:areaprivativa|!ARGS:areas|!ARGS:qti_data|!ARGS:templatecode|!ARGS:i_google|!ARGS:code_area_text|!ARGS:/^help_/|!ARGS:quote|!ARGS:notice|!ARGS:userdata|!ARGS:source|!ARGS:/^book/|!ARGS:/leftcol/|!ARGS:mes|!ARGS:sisalto|!ARGS:reg_rules|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:json|!ARGS:wpreason|!ARGS:extended|!ARGS:/Kirjoitukset/|!ARGS:item_list|!ARGS:/x_line_item/|!ARGS:/^var_value/|!ARGS:valori|!ARGS:/rightcol/|!ARGS:/^instance/|!ARGS:/pimage/|!ARGS:/allowedTags/|!ARGS:/^zcck/|!ARGS:/includes/|!ARGS:/^button/|!ARGS:/accommodation/|!ARGS:/restaurant/|!ARGS:/^breves/|!ARGS:/testimonial/|!ARGS:feature|!ARGS:headstone|!ARGS:/formcode/|!ARGS:/log/|!ARGS:/metatags/|!ARGS:/^customfield/|!ARGS:/^fields/|!ARGS:/embed/|!ARGS:val333|!ARGS:/banner/|!ARGS:/synopsis/|!ARGS:cb_talks|!ARGS:log|!ARGS:/^bt_|!ARGS:/next/|!ARGS:changedept|!ARGS:receipt_address|!ARGS:narrative|!ARGS:/results/|!ARGS:/teaser/|!ARGS:EnTrar|!ARGS:cv|!ARGS:dati|!ARGS:/experience/|!ARGS:/plan/|!ARGS:/itinerary/|!ARGS:do|!ARGS:/para/|!ARGS:do|!ARGS:perex|!ARGS:/highlight/|!ARGS:/bio/|!ARGS:/short/|!ARGS:advanced|!ARGS:/contact/|!ARGS:/google_analytics/|!ARGS:review|!ARGS:rules|!ARGS:meta|!ARGS:/observacao/|!ARGS:/caption/|!ARGS:feed_product|!ARGS:/bbclosed/|!ARGS:logoutRequest|!ARGS:video1|!ARGS:/js_payload/|!ARGS:/abstract/|!ARGS:pc_main|!ARGS:/^property/|!ARGS:/notice/|!ARGS:/config/|!ARGS:/welcome/|!ARGS:des|!ARGS:pwd|!ARGS:structure|!ARGS:/tweet/|!ARGS:/table/|!ARGS:tag|!ARGS:ad_code|!ARGS:romancode|!ARGS:model|!ARGS:thecode|!ARGS:rqst|!ARGS:/^input_/|!ARGS:dhltrack|!ARGS:reflection|!ARGS:media|!ARGS:blurb|!ARGS:Thankyou|!ARGS:/OSDCS/|!ARGS:continue|!ARGS:do|!ARGS:waarde|!ARGS:img_alt|!ARGS:notes|!ARGS:intro|!ARGS:drugs|!ARGS:/writing/|!ARGS:terms|!ARGS:/announ/|!ARGS:highlights|!ARGS:/^eeta-/|!ARGS:profile|!ARGS:ARGS:prod_detalle|!ARGS:/^News/|!ARGS:request|!ARGS:copy|!ARGS:/MapField/|!ARGS:/email/|!ARGS:main|!ARGS:/admin/|!ARGS:/suffix/|!ARGS:/prefix/|!ARGS:validatepromo|!ARGS:payment_sel|!ARGS:/title/|!ARGS:/submit/|!ARGS:contenu|!ARGS:/xjxargs/|!ARGS:block|!ARGS:btnCheckout|!ARGS:nav|!ARGS:/instructions/|!ARGS:/info/|!ARGS:recompose|!ARGS:compose|!ARGS:/^bname/|!ARGS:groupWelcomeScreen|!ARGS:langbericht|!ARGS:next|!ARGS:xsym_sym_brief|!ARGS:creategallery|!ARGS:/^field_/|!ARGS:/^copyright/|!ARGS:lease|!ARGS:livezillacode|!ARGS:sighting|!ARGS:cleaning|!ARGS:/^gui/|!ARGS:/Import_Cell/|!ARGS:/reply/|!ARGS:/^bbcode/|!ARGS:subhead|!ARGS:subject|!ARGS:_cc|!ARGS:resume|!ARGS:addtoclass|!ARGS:/intro/|!ARGS:/answer/|!ARGS:registration_prices|!ARGS:registration_discounts|!ARGS:venue|!ARGS:/opportunit/|!ARGS:agenda|!ARGS:workshop|!ARGS:/^mainman/|!ARGS:features|!ARGS:/problem/|!ARGS:/signature/|!ARGS:/question/|!ARGS:/field_download/|!ARGS:entry|!ARGS:/form/|!ARGS:/desc/|!ARGS:/qualification/|!ARGS:/detail/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/cms/|!ARGS:eventDescription|!ARGS:/script/|!ARGS:/^product/|!ARGS:descr|!ARGS:/products_description/|!ARGS:/report/|!ARGS:/product_desc/|!ARGS:description_short_1|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:phpcode|!ARGS:intro|!ARGS:Snippet|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:/^site_/|!ARGS:/translation/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:input[Desarrollo]|!ARGS:move2|!ARGS:hoperation|!ARGS:login_form|!ARGS:/product_benefits/|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:bbcode_tpl|!ARGS:Right_photo_1|!ARGS:/embed/|!ARGS:/^K2ExtraField/|!ARGS:mentorhelp|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:/^_qf_/|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:/solution/|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/footer/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:> ?< ?(?:img ?src|a ?href) ?= ?(?:ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<|> ?\"? ?(?:>|<)|< ?/?i?frame|\%env|^\"\>)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain" SecRule MATCHED_VARS|!MATCHED_VARS:REQUEST_URI "!@rx ((?:submit(?:\+| )?(request)?(?:\+| )?>+|<<(?:\+| )remove|(?:sign ?in|log ?(?:in|out)|next|modifier|envoyer|add|continue|weiter|account|results|select)?(?:\+| )?>+)$|^< ?\??(?: |\+)?xml|^<samlp|^>> ?$)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace" SecMarker END_XSS_ATTACKS_D1 #XSS in referrer SecRule REQUEST_HEADERS:REFERER "(?:= ?\' ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|< ?(?:script|about|applet|activex|chrome)|activexobject|(?:\.add|\@)import|asfunction\:|background-image\:|\.fromcharcode|get(?:parentfolder|specialfolder)|< ?iframe ?|\.innerhtml|<input|\b(?:java|vb|live|j|e(?:cma|exec))script\b ?>|lowsrc ?=|mocha\:|<{1,200}.\bon(?:abort|blur|change|click|dragdrop|focus|keydown|move|resize|select|submit|unload|key(?:press|up)|load|mouse(?:down|move|out|over|up))\b|settimeout|shell:|< ?img ?src ?=( |\+)?(ht|f)tps?:/)" \ "phase:2,deny,status:403,capture,id:340158,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:18,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XSS in referrer',chain,logdata:'%{TX.0}'" SecRule REQUEST_HEADERS:REFERER|REQUEST_URI "!(?:/plugins/editors/tinymce/jscripts/|/modules/tinymce/tinymce/jscripts|/phpinfo_iframe\.php|^pagead[0-9]\.googlesyndication\.com/pagead/|&loc='https?://)" #special exclusion for drupal webforms SecRule REQUEST_URI "node/[0-9]+/webform/components/" \ "phase:2,deny,status:403,capture,chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:replaceNulls,t:compressWhiteSpace,t:lowercase,id:320476,rev:6,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|!ARGS:/desc/|!ARGS:areas|!ARGS:templatecode|!ARGS:value[value]|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:quote-form|!ARGS:value|!ARGS:paepdc|!ARGS:/VB_announce/|!ARGS:/^autoDS/|!ARGS:newyddionc|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|!ARGS:search_theme_form_keys|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:/desc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/header/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:text|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc ?=|mocha\:|\bon(?:abort|blur|change|click|select|dragdrop|focus|keydown|keypress|keyup|mouse(?:down|move|out|over|up))\b|shell\:|window\.location|asfunction:_root\.launch|\%env)" #Rule 340152: IE XSS attack #SecRule REQUEST_URI_RAW|REQUEST_BODY "(?:< ?object[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=|< ?applet[ /+\t].*?code[ /+\t]*=|< ?base[ /+\t].*?href[ /+\t]*=|)" "phase:2,t:none,t:lowercase,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack (IE variant)',id:340152,rev:23" SecMarker END_XSS_ATTACKS SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_BODY|ARGS|QUERY_STRING|!ARGS:areas|!ARGS:templatecode "@pm script expression html onmouse img src onload onerror import asfunction: background-image: fromcharcode frame input lowsrc mocha onblur onselect onchange onclick ondragdrop onkeydown onkeypress onkeyup resize select unload shell: settimeout addimport @import url window.location < > env about applet activex chrome getparentfolder getspecialfolder href object" \ "id:333841,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhitespace,multimatch,pass,nolog,skip:1" SecAction phase:2,id:334388,t:none,pass,nolog,skipAfter:END_XSS_ATTACKS_2 #special exclusion for drupal webforms SecRule REQUEST_URI "^/node/[0-9]+/webform/components/" \ "phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:320475,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|!ARGS:areas|!ARGS:templatecode|ARGS_NAMES|!ARGS:/desc/|!ARGS:value|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:/^value/|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(ht|f)tps?)\:/|(?:alert|document\.write) ?\(|<? (?:(?:java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<|> ?\"? ?>|< ?/?i?frame|\%env)" "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,multiMatch" # Rule 340148: XSS injection with multimatch checks #XSS generic filter and suspicious web code detector SecRule REQUEST_URI "!(?:/(?:admin/(?:(?:build(?:/translate|/language/edit|/edit)?|catalog_category)/|settings/site-information|catalog/edit)|(?:miadmin/catalog_product|sitebuilder)/|wizard/edit/html|node/add/|filter-xss)|\/(?:admin\/(?:surveys\/[0-9]+\/edit\/|\?page=spageedit)|node\/[0-9]+\/(?:webform\/components\/|edit|clone))|^(?:\/\?(?:q=node\/[0-9]+\/edit|(s|v))|\?(s|v))|c=myaccount&m=update_profile$|mt\.cgi|/nav\.php\?nav=addnews|/products\.php\?action=(?:edit|update)|/systemadmin/configproducts\.php|/admin/catalog_product/|/index\.php\?tab=admincatalog|/admin/settings/customerror|^/ndxz-?studio/\?a=|/editform\?|/wizard/edit/|\?tab=admin|\?content=admin|\?action=modif|\?exec=articles_edit$|/admin/preview\.php|/sysext/tstemplate/|/site-builder/|/(?:new|edit)/[0-9]+/(?:confirm|add)|/admin/editform|/cms/admin/editform|^/filemanager/filemanager\.php|^/([a-z]+/)?admin/structure/|^/index.php/admin/system_config/)" \ "id:333842,rev:2,phase:2,t:none,t:lowercase,t:urlDecodeUni,pass,nolog,skip:1" SecAction phase:2,id:334389,t:none,pass,nolog,skipAfter:END_XSS_ATTACKS_D2 # Rule 340148: XSS injection with multimatch checks SecRule ARGS|ARGS_NAMES|!ARGS:q|!ARGS:/^textarea-video/|!ARGS:leirro|!ARGS:lomake|!ARGS:vastaus|!ARGS:vraag|!ARGS:qti_data|!ARGS:tracklist|!ARGS:i_google|!ARGS:code_area_text|!ARGS:/log_code/|!ARGS:/^ADVERT_/|!ARGS:UserData|!ARGS:areas|!ARGS:templatecode|!ARGS:/prevObject/|!ARGS:/replaceAll/|!ARGS:/insertBefore/|!ARGS:/insertAfter/|!ARGS:/prependTo/|!ARGS:/appendTo/|!ARGS:/mapcode/|!ARGS:googleCode|!ARGS:/^recipient/|!ARGS:optional_head|!ARGS:/^form/|!ARGS:/^var_value/|!ARGS:variable_data|!ARGS:/customfield/|!ARGS:val333|!ARGS:notice|!ARGS:/formcode/|!ARGS:/ajax/|!ARGS:all|!ARGS:allowedTags|!ARGS:/tracking/|!ARGS:/google_analytics/|!ARGS:/widget/|!ARGS:ad_code|!ARGS:/jscode/|!ARGS:postcontents|!ARGS:/keycaptcha_code/|!ARGS:/gadsense/|!ARGS:video1|!ARGS:/updateAds/|!ARGS:map|!ARGS:gmapcode|!ARGS:/^Sidebar/|!ARGS:/^wpTextbox/|!ARGS:paragrafo|!ARGS:/question/|!ARGS:/style/|!ARGS:sidebar|!ARGS:analyticscode|!ARGS:top_news|!ARGS:tracking_code|!ARGS:data[config]|!ARGS:fulltext|!ARGS:introtext|!ARGS:offertext|!ARGS:block|!ARGS:livezillacode|!ARGS:whats-new|!ARGS:/embed/|!ARGS:/desc/|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:/footer/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:/script/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:/^field_/|!ARGS:match_report|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:/^instance/|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:eip_value|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:move2|!ARGS:input[Desarrollo]|!ARGS:hoperation|!ARGS:arg2|!ARGS:login_form|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:/submitcode/|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?script|< ?(?:i?frame ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(ht|f)tps?)\:/|(?:alert|document\.write) ?\(|(?:<|< ?/) ?(?:(?:java|vb)script|applet|activex|chrome)|< ?/?i?frame|\% ?env)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:replaceNulls,t:compressWhiteSpace,t:lowercase,multiMatch,id:340148,rev:146,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule REQUEST_BODY "^< ?\??( |\+)?xml" \ phase:2,id:333706,pass,t:none,t:urlDecodeUni,t:lowercase,nolog,skipAfter:END_XSS_ATTACKS_D2 # Rule 350148: potentially malicious web code with multimatch checks SecRule REQUEST_URI "!(?:/admin/(?:[a-z]+/save|publish|\?op=editlink|content/update)|/secure/roundcube/|/edit/|/backend\.php/property/save|/home/add|/\?act=edit|/site-content/|/project/update/|/index\.php\?option=com_(?:easyblog|resource&controller=article|comprofiler&task=my_profile|aclassif)|/index.php/datafeedmanager/adminhtml_datafeedmanager/save|/index\.php\?mode=(?:new|edit)story|^/filemanager/filemanager\.php|^/user_info/edit_profile/|/admin/editor/|^/user.php\?op=edituser&htmltext=|^/admin/structure/|option=com_rsform&task=forms\.edit|^/ndxz-?studio/\?a=|^/support/agent|^/elements/save|^/settings/in_place_save/|^/ndxz2/|^/([a-z]+/)?index\.php/admin/s(?:ystem_config|ubject)/)" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:lowercase,capture,id:350148,rev:140,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially Untrusted Web Content Detected ',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|!ARGS:/fullnews/|!ARGS:/^textarea-video/|!ARGS:komentar|!ARGS:/_layout_/|!ARGS:/^FieldValue/|!ARGS:/includes/|!ARGS:areacomum|!ARGS:lomake|!ARGS:vastaus|!ARGS:/^values/|!ARGS:target|!ARGS:vraag|!ARGS:areaprivativa|!ARGS:qti_data|!ARGS:tracklist|!ARGS:i_google|!ARGS:quote|!ARGS:/^help_/|!ARGS:/^ADVERT_/|!ARGS:userdata|!ARGS:source|!ARGS:sisalto|!ARGS:reg_rules|!ARGS:areas|!ARGS:code_area_text|!ARGS:templatecode|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:mes|!ARGS:json|!ARGS:wpreason|!ARGS:extended|!ARGS:/Kirjoitukset/|!ARGS:/x_line_item/|!ARGS:item_list|!ARGS:/^var_value/|!ARGS:valori|!ARGS:/pimage/|!ARGS:/^instance/|!ARGS:/allowedTags/|!ARGS:/^button/|!ARGS:/^zcck/|!ARGS:/accommodation/|!ARGS:/^breves/|!ARGS:/restaurant/|!ARGS:/testimonial/|!ARGS:headstone|!ARGS:/^book/|!ARGS:/log/|!ARGS:/metatags/|!ARGS:/^customfield/|!ARGS:/embed/|!ARGS:/leftcol/|!ARGS:/rightcol/|!ARGS:feature|!ARGS:/banner/|!ARGS:cb_talks|!ARGS:/synopsis/|!ARGS:/^fields/|!ARGS:notice|!ARGS:/formcode/|!ARGS:val333|!ARGS:receipt_address|!ARGS:changedept|!ARGS:/teaser/|!ARGS:EnTrar|!ARGS:cv|!ARGS:dati|!ARGS:/qualification/|!ARGS:/results/|!ARGS:/experience/|!ARGS:/plan/|!ARGS:/detail/|!ARGS:/itinerary/|!ARGS:log|!ARGS:do|!ARGS:narrative|!ARGS:/promo/|!ARGS:/offer/|ARGS_NAMES|!ARGS:do|!ARGS:/^bt_|!ARGS:/short/|!ARGS:perex|!ARGS:/contact/|!ARGS:advanced|!ARGS:/google_analytics/|!ARGS:/bio/|!ARGS:rules|!ARGS:meta|!ARGS:/next/|!ARGS:ad_code|!ARGS:review|!ARGS:feed_product|!ARGS:/bbclosed/|!ARGS:/observacao/|!ARGS:/caption/|!ARGS:logoutRequest|!ARGS:/js_payload/|!ARGS:video1|!ARGS:/abstract/|!ARGS:/para/|!ARGS:/highlight/|!ARGS:/config/|!ARGS:/welcome/|!ARGS:des|!ARGS:/notice/|!ARGS:structure|!ARGS:/table/|!ARGS:tag|!ARGS:romancode|!ARGS:model|!ARGS:pwd|!ARGS:thecode|!ARGS:/tweet/|!ARGS:do|!ARGS:/^input_/|!ARGS:dhltrack|!ARGS:reflection|!ARGS:media|!ARGS:rqst|!ARGS:blurb|!ARGS:/OSDCS/|!ARGS:Thankyou|!ARGS:img_alt|!ARGS:waarde|!ARGS:/statement/|!ARGS:continue|!ARGS:intro|!ARGS:/writing/|!ARGS:drugs|!ARGS:text1|!ARGS:terms|!ARGS:/announ/|!ARGS:/^eeta-/|!ARGS:/^News/|!ARGS:main|!ARGS:notes|!ARGS:validatepromo|!ARGS:prod_detalle|!ARGS:payment_sel|!ARGS:request|!ARGS:copy|!ARGS:/MapField/|!ARGS:/email/|!ARGS:/admin/|!ARGS:profile|!ARGS:contenu|!ARGS:/suffix/|!ARGS:/prefix/|!ARGS:pc_main|!ARGS:/instructions/|!ARGS:/submit/|!ARGS:/title/|!ARGS:/xjxargs/|!ARGS:/info/|!ARGS:nav|!ARGS:recompose|!ARGS:compose|!ARGS:/^bname/|!ARGS:/^property/|!ARGS:groupWelcomeScreen|!ARGS:block|!ARGS:xsym_sym_brief|!ARGS:langbericht|!ARGS:btnCheckout|!ARGS:/^field_/|!ARGS:lease|!ARGS:/^copyright/|!ARGS:creategallery|!ARGS:cleaning|!ARGS:/reply/|!ARGS:/^gui/|!ARGS:sighting|!ARGS:/Import_Cell/|!ARGS:livezillacode|!ARGS:/^bbcode/|!ARGS:subject|!ARGS:_cc|!ARGS:resume|!ARGS:next|!ARGS:addtoclass|!ARGS:/intro/|!ARGS:registration_discounts|!ARGS:/opportunit/|!ARGS:registration_prices|!ARGS:workshop|!ARGS:venue|!ARGS:/^mainman/|!ARGS:features|!ARGS:/problem/|!ARGS:subhead|!ARGS:agenda|!ARGS:/signature/|!ARGS:/question/|!ARGS:/answer/|!ARGS:/field_download/|!ARGS:entry|!ARGS:/form/|!ARGS:/footer/|!ARGS:/desc/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:/script/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:descr|!ARGS:/products_description/|!ARGS:/report/|!ARGS:/product_desc/|!ARGS:description_short_1|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:eip_value|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:/^_qf_/|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:layout|!ARGS:pageset|!ARGS:/^site_/|!ARGS:/translation/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:move2|!ARGS:input[Desarrollo]|!ARGS:hoperation|!ARGS:arg2|!ARGS:login_form|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:bbcode_tpl|!ARGS:/embed/|!ARGS:/submitcode/|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:/solution/|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/|(?:alert|document\.write) ?\(|<? (?:(?:java|vb)?script|applet|activex|chrome) ?>|\" ?> ?(?:<|>)|\" ?[a-z]+ ?<|> ?\"? ?>|< ?/?i?frame|\%env)" "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,multiMatch,chain" SecRule MATCHED_VARS|!MATCHED_VARS:REQUEST_URI "!@rx ((?:submit(?:\+| )?(request)?(?:\+| )?>+|<<(?:\+| )remove|(?:sign ?in|log ?(?:in|out)|next|add|envoyer|modifier|select|continue|weiter|account|results)?(?:\+| )?>+)$|^< ?\??(?: |\+)?xml|^<samlp|^>> ?$)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace" #SecRule MATCHED_VARS "!((submit(\+| )?(request)?(\+| )?>>$|<<(\+| )remove|(sign ?in|login|next|add|continue|weiter|account|results)?(\+| )?>>)$|^< ?\??( |\+)?xml|^<samlp)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace" SecMarker END_XSS_ATTACKS_D2 SecMarker END_XSS_ATTACKS_2 # Rule 380000: phpbb Session Cookie #SecRule REQUEST_COOKIES:sessionid|REQUEST_URI|ARGS|REQUEST_BODY "phpbb2mysql_data=a\x3A2\xaa\x7bs\x3A11\x3A\x22autologinid\x22\x3bb\x3A1\x3bs\x3A6\x3A\x22userid\x22\x3bs\x3A1\x3A\x222\x22\x3b\x7d" \ # "id:380000,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP session cookie attack'" SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:areas|!ARGS:templatecode "@pm 3A 3D 3C 3E 6F 4F x72 x52 x27"\ "id:333843,phase:2,t:none,pass,nolog,skip:1" SecAction phase:2,id:334390,t:none,pass,nolog,skipAfter:END_MISC_CHECKS # Rule 380002: schema overflow attempt SecRule REQUEST_URI|ARGS|!ARGS:areas|!ARGS:templatecode "\|3A\|///^[^\/]{14,}?\x3A\/\/" \ "phase:2,deny,status:403,t:none,id:380002,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP session cookie attack'" # Rule 380006: XSS generic sig SecRule REQUEST_URI|ARGS|!ARGS:slider|!ARGS:areas|!ARGS:templatecode|!ARGS:payment-details-data|!ARGS:/message/|!ARGS:/^widget-text/|!ARGS:message|!ARGS:text|!ARGS:filecontent|!ARGS:/descripcion/ "/(\x3D|=)[^\n]*(\x3C|<)[^\n]+(\x3E|>)" \ "phase:2,deny,status:403,chain,t:none,id:380006,rev:10,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XSS Generic attack'" SecRule REQUEST_URI "!(/admin/artwork/index/upload_file)" # Rule 380007: generic SQL injection sigs using PCRE SecRule REQUEST_URI "!(/immagini/)" \ "phase:2,deny,status:403,chain,t:none,t:lowercase,id:380007,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: SQL Inject Generic signature'" SecRule REQUEST_URI|ARGS|!ARGS:areas|!ARGS:templatecode "/\w*(\x27|\’)(\x6f|o|\x4f)(\x72|r|\x52).*!(\.(jpe?g|png|bmp|gif|mpe?g|avi|flv|wmv|ico)$)" \ SecMarker END_MISC_CHECKS ################### SSI injection ############################# # SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!ARGS:areas|!ARGS:/template/ "@pm echo exec printenv include cmd"\ "id:333844,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,skip:1" SecAction phase:2,id:334391,t:none,pass,nolog,skipAfter:END_SSI_ATTACKS SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!ARGS:areas|!ARGS:templatecode|!ARGS:/description/|!ARGS:/text/|!ARGS:/message/|!ARGS:/msg/|!ARGS:content "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: SSI injection Attack',id:'380016',rev:3,logdata:'%{TX.0}',severity:'2'" #SecRule REQUEST_HEADERS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \ # "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,status:501,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: SSI injection Attack',id:'380017',logdata:'%{TX.0}',severity:'2'" # SecMarker END_SSI_ATTACKS ################### PERL injection ############################# ## #SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" phase:2,id:333845,pass,t:none,t:lowercase,nolog,skipAfter:END_PERL_INJECTION_3 # #SecRule ARGS|REQUEST_URI|XML:/* "@pm .pl |( =* ))"\ # "id:333846,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1" # SecAction phase:2,id:334392,t:none,pass,nolog,skipAfter:END_PERL_INJECTION_1 # #SecRule ARGS|REQUEST_URI_RAW|XML:/*|!ARGS:/jform/ "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" \ #"phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Perl echo shellcode injection',id:380021,rev:2,logdata:'%{TX.0}',severity:'2'," #SecMarker END_PERL_INJECTION_1 # #SecRule ARGS|REQUEST_URI_RAW|XML:/* "@pm .pl |( =* ))"\ # "id:333847,phase:2,t:none,t:base64Decode,t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1" # SecAction phase:2,id:334393,t:none,pass,nolog,skipAfter:END_PERL_INJECTION_2 # #SecRule ARGS|REQUEST_URI_RAW|XML:/*|!ARGS:/jform/ "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" \ #"phase:2,deny,status:403,capture,t:none,t:base64Decode,t:replaceComments,t:compressWhiteSpace,t:lowercase,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Perl echo shellcode injection',id:380022,rev:2,logdata:'%{TX.0}',severity:'2'," #SecMarker END_PERL_INJECTION_2 # #SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "@pm .pl |( =* ))"\ # "id:333848,phase:2,t:none,t:hexDecode,pass,nolog,skip:1" # SecAction phase:2,id:334394,t:none,pass,nolog,skipAfter:END_PERL_INJECTION_3 # #SecRule ARGS|REQUEST_URI_RAW|XML:/*|!ARGS:/jform/ "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" \ #"phase:2,deny,status:403,capture,t:none,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Perl echo shellcode injection',id:380121,rev:2,logdata:'%{TX.0}',severity:'2'," #SecMarker END_PERL_INJECTION_3 #Simple PHP injection rules ##TODO: Add in more exclusions #code injection attempt #SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "< ?[?%] ?php ?.*[\"\(@]" \ #"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,capture,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP code injection attempt',id:340852,rev:1,logdata:'%{TX.0}',severity:'2'" # ##code injection attempt #SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "< ?[?%] ?php ?.*[\"\(@]" \ #"t:none,t:base64Decode,t:replaceComments,t:compressWhiteSpace,t:lowercase,capture,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP code injection attempt - base64 encoded',id:340853,rev:1,logdata:'%{TX.0}',severity:'2'" # ##code injection attempt #SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "< ?[?%] ?php ?.*[\"\(@]" \ #"t:none,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,capture,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP code injection attempt - hex encoded',id:340854,rev:1,logdata:'%{TX.0}',severity:'2'" #LDAP injection #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!ARGS:/description/|!ARGS:/resolution/|!ARGS:/text/|!ARGS:/message/|!ARGS:/msg/|!ARGS:/txt/ "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \ # "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: LDAP Injection Attack',id:'340212',rev:2,logdata:'%{TX.0}',severity:'2'" #SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \ # "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: LDAP Injection Attack',id:'340213',rev:1,logdata:'%{TX.0}',severity:'2'" # #Information LEakage rules SecRule REQUEST_FILENAME "@pm ~ .bak .old .orig .copy .backup .swp .mdb vi.recover vim.recover"\ "id:333849,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1" SecAction phase:2,id:334395,t:none,pass,nolog,skipAfter:END_LEAKAGE_1 SecRule REQUEST_FILENAME "[a-z0-9]~$" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,id:390581,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Data Leakage - attempt to access backup file (disable this rule if you require access to files that end with a tilde)'" SecRule REQUEST_FILENAME "\.bak$" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,id:390582,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .bak)'" SecRule REQUEST_FILENAME "\.old$" \ "t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,id:390583,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .old)'" SecRule REQUEST_FILENAME "\.orig$" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,id:390584,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .orig)'" SecRule REQUEST_FILENAME "\.copy$" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,id:390586,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .copy)'" SecRule REQUEST_FILENAME "\.swp$" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,id:390587,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .swp)'" SecRule REQUEST_FILENAME "\.backup$" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,id:390588,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .backup)'" SecRule REQUEST_FILENAME "\.mdb$" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,id:390589,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .mdb)'" SecRule REQUEST_FILENAME "vim?\.recover" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,id:350589,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Data leakage - attempt to access vi recovery file (disable this rule if you require access to files that end with .mdb)'" SecMarker END_LEAKAGE_1 SecRule RESPONSE_BODY "@pm ---ASL-CONFIG-FILE--- Horde:" \ "id:333850,phase:4,t:none,pass,nolog,skip:1" SecAction phase:4,id:334396,t:none,pass,nolog,skipAfter:END_LEAKAGE_2 #prevents exposure of ASL config files on customer machine SecRule RESPONSE_BODY "---ASL-CONFIG-FILE---" \ "deny,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: ASL Configuration Leak Prevented',id:'380013',severity:'2',rev:1" #prevents exposure of ASL config files on customer machine SecRule RESPONSE_BODY "<title>Horde: System Capabilities Test</title>" \ "deny,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Horde system configuration Leak Prevented',id:'360013',severity:'2',rev:1" SecMarker END_LEAKAGE_2 #Rules to catch attack tools #generic XSS test pattern #><script>alert(12345)</script> SecRule ARGS "< ?script ?> ?(?:alert|document\.write) ?\( ?[<>a-z0-9_]{1,} ?\) ?< ?/ ?script" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhitespace,t:lowercase,id:390585,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible XSS probe'" #special exclusions for this rule file <LocationMatch /modules.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/target/|!ARGS:/redirect/|!ARGS:cforms_action_page|!ARGS:storyext|!ARGS:/^config/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:message|!ARGS:/^config/|!ARGS:SitePath|!ARGS:PreviewImage|!ARGS:Exlink|!ARGS:story|!ARGS:/page/|!ARGS:user_website|!ARGS:configuration[MODULE_PAYMENT_GOOGLECHECKOUT_MODE]|!ARGS:configParams[api][configParamValue]|!ARGS:q|!ARGS:stories_topics|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:lowercase,t:replaceNulls,t:compressWhitespace,t:urlDecodeUni,t:lowercase,t:base64Decode,t:hexDecode,t:htmlEntityDecode,multimatch,id:340463,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (modules.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/target/|!ARGS:/redirect/|!ARGS:cforms_action_page|!ARGS:storyext|!ARGS:/^config/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:message|!ARGS:/^config/|!ARGS:SitePath|!ARGS:PreviewImage|!ARGS:Exlink|!ARGS:story|!ARGS:/page/|!ARGS:user_website|!ARGS:configuration[MODULE_PAYMENT_GOOGLECHECKOUT_MODE]|!ARGS:configParams[api][configParamValue]|!ARGS:q|!ARGS:stories_topics|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:lowercase,t:replaceNulls,t:compressWhitespace,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340462,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (modules.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin.php> SecRuleRemoveById 340009 340007 SecRuleRemoveById 390709 SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340162 340165 340155 340016 SecRuleRemoveById 340163 #Skips #/wp-admin/admin.php?page=w3tc_cdn SecRule REQUEST_URI "/wp-admin/admin\.php\?(?:page=(?:w3tc_cdn|settings)|frm_action=)" \ "phase:2,id:'336793',rev:4,t:none,pass,nolog,skipAfter:END_RFI" SecRule ARGS|!ARGS:wordpressbling_mail|!ARGS:/^item_meta/|!ARGS:/^cp_/|!ARGS:dribbble|!ARGS:sugarroot|!ARGS:minify.cache.files|!ARGS:name|!ARGS:/banner/|!ARGS:/form_action/|!ARGS:/option/|!ARGS:/stream/|!ARGS:/analytics_code/|!ARGS:/endpoint/|!ARGS:_local|!ARGS:lookup|!ARGS:/hostname/|!ARGS:/cdn/|!ARGS:/^ad/|!ARGS:/image/|!ARGS:/target/|!ARGS:shrbase|!ARGS:facebook|!ARGS:/twitter/|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:youtube|!ARGS:myspace|!ARGS:form|!ARGS:/logo/|!ARGS:/img/|!ARGS:unsubscribe|!ARGS:/^dest_to/|!ARGS:/rss/|!ARGS:/lm_slide/|!ARGS:/feed/|!ARGS:/footer/|!ARGS:/^jsfiles/|!ARGS:/include/|!ARGS:/pagination/|!ARGS:/link/|!ARGS:/image/|!ARGS:/path/|!ARGS:/page/|!ARGS:field_b|!ARGS:/refer/|!ARGS:/^gbu0_/|!ARGS:/site/|!ARGS:/button/|!ARGS:guestbookLink|!ARGS:xmlpath|!ARGS:/^update/|!ARGS:/^woo_ad/|!ARGS:act_filepath|!ARGS:/domain/|!ARGS:opphomepage|!ARGS:echi_google_analytics|!ARGS:/^echi_block_/|!ARGS:/^echi_ad/|!ARGS:/icon/|!ARGS:descripcion|!ARGS:xcont_priv|!ARGS:/comments/|!ARGS:email|!ARGS:/video/|!ARGS:hometext|!ARGS:/text/|!ARGS:web|!ARGS:/^config/|!ARGS:/^g2_manualpath/|!ARGS:/^sDescription/|!ARGS:hidepost_content_text|!ARGS:sText|!ARGS:sfhome|!ARGS:homepage|!ARGS:field_3_name|!ARGS:cforms_cmsg|!ARGS:bcontent|!ARGS:form_location|!ARGS:footer|!ARGS:field_4_name|!ARGS:cforms_redirect_page|!ARGS:cforms_action_page|!ARGS:ecards_more_pic_target|!ARGS:message|!ARGS:/^xfoot/|!ARGS:/^rss/|!ARGS:/rss$/|!ARGS:/^FCKeditor/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:content|!ARGS:/linkedin/|!ARGS:outbound|!ARGS:out|!ARGS:/twitter/|!ARGS:/^field/|!ARGS:/button/|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/youtube/|!ARGS:/affredir/|!ARGS:helpbox|!ARGS:return|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:thelink|!ARGS:params[altTag]|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:oldmsg|!ARGS:lk_url|!ARGS:config[latestNewsRRS]|!ARGS:sponsor|!ARGS:config[ftp_server]|!ARGS:listViewerCode|!ARGS:/element/|!ARGS:/google/|!ARGS:courier_tracking|!ARGS:/field_id/|!ARGS:/social_profile/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340464,rev:54,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (admin.php)',deny,status:403" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" SecRule ARGS|!ARGS:wordpressbling_mail|!ARGS:/^item_meta/|!ARGS:/^cp_/|!ARGS:dribbble|!ARGS:sugarroot|!ARGS:minify.cache.files|!ARGS:name|!ARGS:/banner/|!ARGS:/form_action/|!ARGS:/option/|!ARGS:/button/|!ARGS:/stream/|!ARGS:/analytics_code/|!ARGS:/endpoint/|!ARGS:_local|!ARGS:lookup|!ARGS:/hostname/|!ARGS:/cdn/|!ARGS:/^ad/|!ARGS:/image/|!ARGS:/target/|!ARGS:shrbase|!ARGS:/twitter/|!ARGS:/domain/|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:linkedin|!ARGS:youtube|!ARGS:myspace|!ARGS:form|!ARGS:/logo/|!ARGS:/img/|!ARGS:unsubscribe|!ARGS:/^dest_to/|!ARGS:/rss/|!ARGS:/lm_slide/|!ARGS:/feed/|!ARGS:/footer/|!ARGS:/^jsfiles/|!ARGS:/pagination/|!ARGS:/include/|!ARGS:/link/|!ARGS:/image/|!ARGS:/logo/|!ARGS:/path/|!ARGS:/page/|!ARGS:field_b|!ARGS:/refer/|!ARGS:/^gbu0_/|!ARGS:/site/|!ARGS:guestbookLink|!ARGS:xmlpath|!ARGS:/^update/|!ARGS:/^woo_ad/|!ARGS:act_filepath|!ARGS:act_link|!ARGS:opphomepage|!ARGS:event_link|!ARGS:echi_google_analytics|!ARGS:/^echi_block_/|!ARGS:/^echi_ad/|!ARGS:/^permalink/|!ARGS:/icon/|!ARGS:descripcion|!ARGS:xcont_priv|!ARGS:email|!ARGS:/video/|!ARGS:hometext|!ARGS:/text/|!ARGS:web|!ARGS:/^config/|!ARGS:/^g2_manualpath/|!ARGS:/^sDescription/|!ARGS:hidepost_content_text|!ARGS:sText|!ARGS:homepage|!ARGS:field_3_name|!ARGS:cforms_cmsg|!ARGS:bcontent|!ARGS:form_location|!ARGS:sslloginlink|!ARGS:footer|!ARGS:field_4_name|!ARGS:cforms_redirect_page|!ARGS:ecards_more_pic_target|!ARGS:cforms_action_page|!ARGS:message/|!ARGS:/^xfoot/|!ARGS:/^rss/|!ARGS:/rss$/|!ARGS:/^FCKeditor/|!ARGS:/page/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:content|!ARGS:q|!ARGS:/linkedin/|!ARGS:outbound|!ARGS:out|!ARGS:/twitter/|!ARGS:/^field/|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/youtube/|!ARGS:helpurl|!ARGS:helpbox|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:ajaxurl|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:install_url|!ARGS:/comments/|!ARGS:resource|!ARGS:thelink|!ARGS:/affredir/|!ARGS:params[altTag]|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:oldmsg|!ARGS:lk_url|!ARGS:config[latestNewsRRS]|!ARGS:sfhome|!ARGS:sponsor|!ARGS:config[ftp_server]|!ARGS:/element/|!ARGS:/google/|!ARGS:listViewerCode|!ARGS:/field_id/|!ARGS:/social_profile/|!ARGS:courier_tracking "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340465,rev:54,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (admin.php)',deny,status:403" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" SecMarker END_RFI </LocationMatch> <LocationMatch /cpinquiry.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:comments|!ARGS:content|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340466,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (cpinquiry.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:comments|!ARGS:content|!ARGS:q|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340467,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (cpinquiry.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/area/save-page.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:signature|!ARGS:website|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:page-content|!ARGS:comments|!ARGS:content|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340468,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (save-page.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:signature|!ARGS:website|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:page-content|!ARGS:comments|!ARGS:content|!ARGS:q|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340469,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (save-page.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cgi-bin/guestbook.pl> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:FOOTER|!ARGS:MESSAGE|!ARGS:header|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340470,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (guestbook.pl)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:FOOTER|!ARGS:MESSAGE|!ARGS:header|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340471,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (guestbook.pl)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /wysiwyg/save.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 340113 341211 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/^Dialog/|!ARGS:/^content/|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340472,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/modules/wysiwyg/save.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/^Dialog/|!ARGS:/^content/|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340473,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/modules/wysiwyg/save.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/index.php> SecRuleRemoveById 390613 380018 SecRuleRemoveById 340144 SecRule ARGS|!ARGS:keywords|!ARGS:tiny_vals|!ARGS:info|!ARGS:postpagetext|!ARGS:display_query|!ARGS:Db_submit|!ARGS:Post|!ARGS:text|!ARGS:pagetext|!ARGS:action|!ARGS:op|!ARGS:setup_db|!ARGS:wptextbox1|!ARGS:message|!ARGS:/sql/|!ARGS:query|!ARGS:query_string|!ARGS:query|!ARGS:description|!ARGS:/teaser/ "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table) |delete[[:space:]] .{,100} update.+set.+=|union all select |\bunion\b.{1,100}?\bselect\b.[a-z][0-9]+ |select (?:load_file|char\()|(?:insert|remark)test;|insert[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+\()" \ "capture,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:370144,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection 2',logdata:'%{TX.0}',deny,status:403" SecRuleRemoveById 340016 SecRule REQUEST_URI|ARGS|XML:/*|!ARGS:comment|!ARGS:keywords|!ARGS:info|!ARGS:/description/|!ARGS:/sql/|!ARGS:wysiwyg|!ARGS:query|!ARGS:/desc/|!ARGS:movie_brief|!ARGS:/text/|!ARGS:/message/|!ARGS:ncontent|!ARGS:/body/|!ARGS:/content/|!ARGS:searchword|!ARGS:add_keywords|!ARGS:comments|!ARGS:text|!ARGS:contactMessage|!ARGS:cts|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:introtext|!ARGS:Post|!ARGS:itembigtext|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:response[14]|!ARGS:/article/|!ARGS:/teaser/ "(?:(?:select|grant|delete|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\bunion\b.{1,100}?\bselect\b.*[a-z0-9].*into.*from|select (?:load_file|char\()|(?:insert|remark)test;|insert[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+\()" \ "capture,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:370016,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection',logdata:'%{TX.0}',deny,status:403" SecRuleRemoveById 340157 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340147 SecRuleRemoveById 340148 SecRuleRemoveById 340149 # Rule 340147: Generic XSS filter SecRule ARGS "!(^(submit\+>>|>>)$)" \ "t:none,t:urlDecodeUni,t:lowercase,capture,id:340247,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Cross Site Scripting Attack',chain,logdata:'%{TX.0}',deny,status:403" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:notice|!ARGS:/google/|!ARGS:/^information_description/|!ARGS:/category_description/|!ARGS:/formcode/|!ARGS:val333|!ARGS:/module/|!ARGS:stylesheet|!ARGS:wysiwyg|!ARGS:/embed/|!ARGS:udesc|!ARGS:description|!ARGS:ldesc|!ARGS:xdescription|!ARGS:desc|!ARGS:design_description|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/cms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:descr|!ARGS:/products_description/|!ARGS:match_report|!ARGS:/product_desc/|!ARGS:description_short_1|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:phpcode|!ARGS:intro|!ARGS:Snippet|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:input[Desarrollo]|!ARGS:move2|!ARGS:hoperation|!ARGS:login_form|!ARGS:/product_benefits/|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:bbcode_tpl|!ARGS:Right_photo_1|!ARGS:embedVideo|!ARGS:/^K2ExtraField/|!ARGS:mentorhelp|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/footer/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|< ?/?i?frame|\%env)" "t:none,t:urlDecodeUni,t:replaceComments,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace" SecRule ARGS "!(^(submit\+>>|>>)$)" \ "chain,t:none,t:urlDecodeUni,t:lowercase,capture,id:340248,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/module/|!ARGS:/google/|!ARGS:/embed/|!ARGS:/category_description/|!ARGS:notice|!ARGS:/formcode/|!ARGS:val333|!ARGS:wysiwyg|!ARGS:onlineusers|!ARGS:offlineusers|!ARGS:description|!ARGS:fdesc|!ARGS:ldesc|!ARGS:/footer/|!ARGS:xdescription|!ARGS:desc|!ARGS:design_description|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:descr|!ARGS:/products_description/|!ARGS:match_report|!ARGS:/product_desc/|!ARGS:description_short_1|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:eip_value|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:move2|!ARGS:input[Desarrollo]|!ARGS:hoperation|!ARGS:arg2|!ARGS:login_form|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:/submitcode/|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?(?:i?frame ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(ht|f)tps?)\:/|alert ?\(|<? (?:(?:java|vb)?script|applet|activex|chrome) ?>|< ?/?i?frame|\% ?env)" "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,multiMatch" # Rule 340249: XSS injection SecRule ARGS "!(^(submit\+>>|>>)$)" \ "chain,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,capture,id:340249,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Cross Site Scripting Attack',logdata:'%{TX.0}',deny,status:403" SecRule REQUEST_URI "!(^/admin/index\.php\?route=module/)" chain SecRule REQUEST_URI|ARGS|!ARGS:/welcome_module/|!ARGS:onlineusers|!ARGS:offlineusers|!ARGS:stylesheet|!ARGS:stylesheet|!ARGS:/category_description/|!ARGS:notice|!ARGS:wysiwyg|!ARGS:/formcode/|!ARGS:val333|!ARGS:ldesc|!ARGS:fdesc|!ARGS:/footer/|!ARGS:xdescription|!ARGS:description|!ARGS:/embed/|!ARGS:desc|!ARGS:design_description|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:descr|!ARGS:/products_description/|!ARGS:match_report|!ARGS:/product_desc/|!ARGS:description_short_1|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:pay_inst_1|!ARGS:sml_prt_1|!ARGS:/form/|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:input[Desarrollo]|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:move2|!ARGS:hoperation|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:mes|!ARGS:signature|!ARGS:paepdc|!ARGS:/VB_announce/|!ARGS:/^autoDS/|!ARGS:newyddionc|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/header/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:i?frame ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc ?=|mocha\:|!(i|t)on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|shell\:|window\.location|asfunction:_root\.launch|\%env)" "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase" SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:form[pagina_text]|!ARGS:descripcion|!ARGS:description|!ARGS:message|!ARGS:comments|!ARGS:content "(?:(\w+)and(\w+)char\([0-9]+\)|(?:execute|convert)\(|(?:\;delete.{1,100};(?:insert|declare @|varchar) ?|(?:and .{1,100} \(select |(?:drop|create)(\w+)table |declare .{1,100} varchar\())|convert\(varchar|null,(?:null,(?:null|accesslevel|user_name),|concat\()|union select |union all select)" \ "phase:2,id:340457,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,t:replaceComments,t:compressWhiteSpace,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection (/admin/index.php exclude)',deny,status:403" SecRule REQUEST_URI "!(pagemode=link_index|^/admin/index\.php\?fuse=admin)" \ "phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,id:340476,rev:32,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)',deny,status:403" SecRule ARGS|!ARGS:/^go/|!ARGS:/web/|!ARGS:/popup/|!ARGS:liketext|!ARGS:feed|!ARGS:/^field_/|!ARGS:/ping/|!ARGS:/service/|!ARGS:/img/|!ARGS:pp_path|!ARGS:vidid|!ARGS:/^field_id/|!ARGS:/^smeg_serv/|!ARGS:/website/|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/app_update/|!ARGS:/gplus/|!ARGS:/twitter/|!ARGS:/google/|!ARGS:bic|!ARGS:cubecart4_path|!ARGS:field_vals|!ARGS:osc_path|!ARGS:events_map|!ARGS:xmlpath|!ARGS:homepage|!ARGS:input|!ARGS:email_contents|!ARGS:/link/|!ARGS:page_content|!ARGS:feed_copyright|!ARGS:/image/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:comments|!ARGS:/^opts/|!ARGS:text|!ARGS:code|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:referrer|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url|!ARGS:SitePath|!ARGS:Exlink|!ARGS:contents|!ARGS:PreviewImage|!ARGS:pagelink|!ARGS:pagefeed|!ARGS:ShopPath|!ARGS:content|!ARGS:right|!ARGS:left|!ARGS:/^myDevEditControl_/|!ARGS:/link/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule REQUEST_URI "!(pagemode=link_index|^/admin/index\.php\?fuse=admin)" \ "phase:2,chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340477,rev:30,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)',deny,status:403" SecRule ARGS|!ARGS:/^go/|!ARGS:/web/|!ARGS:/popup/|!ARGS:feed|!ARGS:liketext|!ARGS:/img/|!ARGS:/^field_/|!ARGS:/ping/|!ARGS:/service/|!ARGS:pp_path|!ARGS:vidid|!ARGS:bic|!ARGS:/^field_id/|!ARGS:/^smeg_serv/|!ARGS:/twitter/|!ARGS:/gplus/|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/website/|!ARGS:/app_update/|!ARGS:/google/|!ARGS:cubecart4_path|!ARGS:osc_path|!ARGS:field_vals|!ARGS:events_map|!ARGS:xmlpath|!ARGS:homepage|!ARGS:input|!ARGS:email_contents|!ARGS:/link/|!ARGS:page_content|!ARGS:feed_copyright|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/image/|!ARGS:/page/|!ARGS:code|!ARGS:comments|!ARGS:/^opts/|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url|!ARGS:SitePath|!ARGS:Exlink|!ARGS:contents|!ARGS:PreviewImage|!ARGS:pagelink|!ARGS:pagefeed|!ARGS:ShopPath|!ARGS:content|!ARGS:right|!ARGS:left|!ARGS:/^myDevEditControl_/|!ARGS:/link/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" chain SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admincp/user.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340163 SecRuleRemoveById 340162 340165 SecRule ARGS|!ARGS:/homepage/|!ARGS:/^userfield/|!ARGS:olduser|!ARGS:user[signature]|!ARGS:userfield[field10]|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340478,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forums/admincp/user.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/homepage/|!ARGS:/^userfield/|!ARGS:olduser|!ARGS:user[signature]|!ARGS:userfield[field10]|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340479,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forums/admincp/user.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admincp/template.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340113 341211 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:searchstring|!ARGS:template|!ARGS:olduser|!ARGS:user[signature]|!ARGS:userfield[field10]|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340482,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forum/admincp/template.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:searchstring|!ARGS:template|!ARGS:olduser|!ARGS:user[signature]|!ARGS:userfield[field10]|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340483,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forum/admincp/template.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /contact.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/domain/|!ARGS:fm_comments|!ARGS:contact_message|!ARGS:homepage|!ARGS:field4|!ARGS:Page|!ARGS:msg|!ARGS:comments|!ARGS:yourmessage|!ARGS:howhear|!ARGS:information|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url|!ARGS:Message "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340484,rev:8,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (contact.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/domain/|!ARGS:fm_comments|!ARGS:contact_message|!ARGS:Page|!ARGS:msg|!ARGS:comments|!ARGS:yourmessage|!ARGS:howhear|!ARGS:information|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url|!ARGS:Message "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340485,rev:8,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (contact.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/conf.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/^opts/|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340486,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/conf.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/^opts/|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340487,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/conf.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/posted/edit_listing.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:my_description|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340488,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/posted/edit_listing.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:my_description|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340489,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/posted/edit_listing.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /forums/private.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:message|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340490,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forums/private.php)',deny,status:403" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:message|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340491,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forums/private.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /forums/newreply.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340144 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:weblink|!ARGS:weblink_title|!ARGS:message|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340492,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:weblink|!ARGS:weblink_title|!ARGS:message|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340493,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" # Rule 340444: Generic SQL sigs SecRule ARGS|!ARGS:message "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table) |delete[[:space:]]*update.+set.+=)" \ "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhitespace,t:lowercase,id:340444,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection (/forums/newreply.php)',deny,status:403,phase:2" </LocationMatch> <LocationMatch /admin/area/add-edit.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:descripcion|!ARGS:description|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340494,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:descripcion|!ARGS:description|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340495,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /links.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:S1|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:website|!ARGS:reciprocal \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340496,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/links.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:S1|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:website|!ARGS:reciprocal \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340497,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/links.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /forums/newreply.php> SecRuleRemoveById 340156 #Always bad SQL injection case w/ antievasion SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!ARGS:topicseen|!ARGS:message "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \ "id:340498,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:7,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection (/forums/newreply.php)',logdata:'%{TX.0}',deny,status:403,phase:2" </LocationMatch> <LocationMatch /wysiwyg-edit> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:PageCopy|!ARGS:S1 \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340499,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/wysiwyg-edit)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:PageCopy|!ARGS:S1 \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340500,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/wysiwyg-edit)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /mt-comments.cgi> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:static|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/ \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340503,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt4/mt-comments.cgi)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:static|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/ \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340504,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt4/mt-comments.cgi)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/dogen_display.php> SecRuleRemoveById 340147 350147 331025 350148 350149 340014 340029 340021 340027 SecRuleRemoveById 340011 SecRuleRemoveById 340029 SecRuleRemoveById 340131 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380018 380019 380020 SecRuleRemoveById 340852 SecRuleRemoveById 340853 SecRuleRemoveById 340854 SecRuleRemoveById 390715 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:/referrer/|!ARGS:headerfile|!ARGS:footerfile|!ARGS:insertfile|!ARGS:/file$/ \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340505,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/ubbthreads/admin/dogen_display.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:/referrer/|!ARGS:headerfile|!ARGS:footerfile|!ARGS:insertfile|!ARGS:/file$/ \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340506,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/ubbthreads/admin/dogen_display.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /mail.cgi> SecRuleRemoveById 340147 350147 331025 350148 350149 340113 341211 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /app-modernbill-admin/clients.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:emailBody \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340509,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/modernbill5/app-modernbill-admin/clients.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:emailBody \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340510,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/modernbill5/app-modernbill-admin/clients.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cgi-bin/database/dbpro.cgi> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:admin_email_text \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340511,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/database/dbpro.cgi)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:admin_email_text \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340512,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/database/dbpro.cgi)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> # <LocationMatch /admin/patch.php> SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 SecRuleRemoveById 340157 SecRule ARGS|!ARGS:patch_query "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table) |delete[[:space:]]*update.+set.+=)" \ "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,id:340515,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection (/admin/patch.php)'" SecRule REQUEST_URI|ARGS|!ARGS:patch_query "(?:(\w+)and(\w+)char\([0-9]+\)|(?:execute|convert)\(|(?:\;delete.*;(?:insert|declare|varchar)|(?:and .* \(select |(?:drop|create)(\w+)table|declare .* varchar\())|convert\(varchar|null,(?:null,(?:null|accesslevel|user_name),|concat\()|union select |union all select )" \ "id:344516,t:none,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,t:replaceComments,t:compressWhiteSpace,rev:11,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection (/admin/patch.php)',deny,status:403,phase:2" </LocationMatch> <LocationMatch /images/logdnet.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:a|!ARGS:u \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340517,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/images/logdnet.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:a|!ARGS:u \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340518,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/images/logdnet.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /contact_form.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:Comments|!ARGS:/^Explain_/ \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340519,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/contact_form.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:Comments|!ARGS:/^Explain_/ \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340520,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/contact_form.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /forum/register.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:s|!ARGS:/page/|!ARGS:/url/|!ARGS:/userfield/ \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340521,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forum/register.ph)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:s|!ARGS:/page/|!ARGS:/url/|!ARGS:/userfield/ \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340522,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/forum/register.ph)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /manager/index.php> SecRuleRemoveById 340128 340159 380020 340113 341211 SecRuleRemoveById 340131 SecRuleRemoveById 340095 SecRule REQUEST_URI|ARGS|!ARGS:post "< ?\?" \ "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,chain,id:360128,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote PHP command exection',deny,status:403,phase:2" SecRule REQUEST_URI|ARGS|!ARGS:/^layout/ "(?:(?:chr|fwrite|fopen|system|echr|passthru|include|php_uname|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|preg_\w+) ?(?:\(|@|\: ?'?)|system\( ?getenv ?\( ?http_php ?\) ?\))" SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/prefix/|!ARGS:text_2|!ARGS:description|!ARGS:suitability|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:ta|!ARGS:post \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340523,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/manager/index.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:text_2|!ARGS:/prefix/|!ARGS:description|!ARGS:suitability|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:ta|!ARGS:post \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340524,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/manager/index.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRuleRemoveById 340855 SecRuleRemoveById 390715 SecRuleRemoveById 340159 SecRuleRemoveById 340157 SecRuleRemoveById 340016 SecRuleRemoveById 340160 SecRuleRemoveById 340016 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRule ARGS|!ARGS:post|!ARGS:filecontent|!ARGS:/gen_header/|!ARGS:/template/|!ARGS:newcontent|!ARGS:/description/|!ARGS:/text/|!ARGS:/txt/ "include ?\(" \ "capture,id:350855,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Include File Injection attempt in argument',logdata:'%{TX.0}',deny,status:403,phase:2" SecRule MATCHED_VAR "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/.*\)" SecRule ARGS|!ARGS:post|!ARGS:/sql/|!ARGS:query|!ARGS:/description/|!ARGS:/text/|!ARGS:Db_submit|!ARGS:/table/|!ARGS:EXPORTTABLE|!ARGS:message|!ARGS:previous_field|ARGS_NAMES|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:X-PageView|!ARGS_NAMES:/varchar/|!ARGS_NAMES:cfg_xsp_password|!ARGS:/body/|!ARGS:runQuery|!ARGS:field_type[]|!ARGS:/^field_type/|!ARGS:/^fieldtype_/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/subject/ "@pmFromFile sql.txt" \ "capture,id:350160,t:none,t:base64Decode,t:hexDecode,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,multimatch,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL Injection protection',logdata:'%{TX.0}',deny,status:403,phase:2" SecRule ARGS|XML:/*|!ARGS:post|!ARGS:data|!ARGS:/sql/|!ARGS:query|!ARGS:/descr/|!ARGS:/body/|!ARGS:/text/|!ARGS:fck_tw_body|!ARGS:sub|!ARGS:msg_body|!ARGS:saved_data|!ARGS:fck_body|!ARGS:text|!ARGS:form[pagina_text]|!ARGS:description|!ARGS:message|!ARGS:content "(?:(\w+)(?:user|and)(\w+)char\([0-9]+\)|(?:execute|convert)\(|; ?delete.*;(?:insert|declare|varchar)|and .* \( ?select |(?:drop|create)(\w+)table|(?:declare|convert) .* varchar\(|null ?, ?(?:null ?, ?(?:null|accesslevel|user_name)) ?,|concat\(|union select |union all select|\b\W*?cast\b\W*?\(.* as |xecresultset|' ?; ?declare\b\W*?|; ?set @|select (?:load_file|char\()|(?:insert|remark)test;)" \ "capture,id:350159,t:none,t:base64Decode,t:hexDecode,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:replaceComments,t:lowercase,t:compressWhiteSpace,rev:28,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection (MM)',logdata:'%{TX.0}',multiMatch,deny,status:403,phase:2" SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:elements|!ARGS:post|!ARGS:keywords|!ARGS:/sql/|!ARGS:data|!ARGS:description|!ARGS:alternate1|!ARGS:comment|!ARGS:body|!ARGS:fulldescr|!ARGS:article_content|!ARGS:/sql/|!ARGS:query|!ARGS:/text/|!ARGS:txt|!ARGS:action|!ARGS:Db_submit|!ARGS:saved_data|!ARGS:form[pagina_text]|!ARGS:description|!ARGS:message|!ARGS:steps|!ARGS:fck_body "(?:(\w+)(?:user|and)(\w+)char\([0-9]+\)|(?:execute|convert)\(|; ?delete.*;(?:insert|declare|varchar)|and .* \(select |(?:drop|create)(\w+)table|(?:declare|convert) .* varchar\(|null ?, ?(?:null ?, ?(?:null|accesslevel|user_name)) ?,|concat\(|union select |union all select|\b\W*?cast\b\W*?\(.* as|xecresultset|' ?; ?declare\b\W*?|; ?set @|select (?:load_file|char\()|(?:insert|remark)test;)" \ "capture,id:350157,t:none,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:32,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection',logdata:'%{TX.0}',deny,status:403,phase:2" </LocationMatch> <LocationMatch /cgi-bin/class/class_add.pl > SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:description|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/ \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340525,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/class/class_add.pl)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:description|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/ \ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340526,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/class/class_add.pl)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /insert_image> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:DirName "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340527,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/insert_image)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:DirName "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340528,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/insert_uimage)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /administration/news.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:body2|!ARGS:/page/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340529,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS ( /administration/news.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:body2|!ARGS:/page/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340530,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/administration/news.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/editor.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:/^Dialog/|!ARGS:/textarea/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340531,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/editor.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/page/|!ARGS:/^Dialog/|!ARGS:/textarea/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340532,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/editor.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cgi-sys/FormMail.cgi> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:Recommendations|!ARGS:Comments|!ARGS:background|!ARGS:redirect|!ARGS:/site/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340533,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-sys/FormMail.cgi)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:Recommendations|!ARGS:Comments|!ARGS:background|!ARGS:redirect|!ARGS:/site/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340544,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-sys/FormMail.cgi)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /frame.aspx> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:u "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340545,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/frame.aspx)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:u "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340546,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/frame.aspx)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /spaw/gethref.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:img "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340547,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/spaw/gethref.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:img "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340548,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/spaw/gethref.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cgi-bin/mt/mt.fcgi> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/text/|!ARGS:/description/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340549,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt/mt.fcgi)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/text/|!ARGS:/description/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340550,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt/mt.fcgi)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /modules/google_cse/google_cse.js> SecRuleRemoveById 340160 </LocationMatch> <LocationMatch /runmodule.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^item_number/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340551,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/runmodule.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^item_number/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340552,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/runmodule.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/frame.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:pagina "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340553,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/frame.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^item_number/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340554,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/frame.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /videos/install> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:sitefolder "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340555,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/videos/install)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:sitefolder "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340556,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/videos/install)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /support/staff/index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/contents/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340557,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/support/staff/index.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/contents/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340558,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/support/staff/index.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cgi-bin/procform.pl> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:banner|!ARGS:backlink|!ARGS:Requests/Comments "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340559,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/procform.pl)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:banner|!ARGS:backlink|!ARGS:Requests/Comments "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340560,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/procform.pl)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /editcontent.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^content_/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340561,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/editcontent.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^content_/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340562,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/admin/editcontent.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /html2rss/rss.aspx> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:U "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340563,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/html2rss/rss.aspx)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:U "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340564,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/html2rss/rss.aspx)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /winnder_step2.1.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:rules|!ARGS:terms "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340565,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS ( /winnder_step2.1.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:rules|!ARGS:terms "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340566,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS ( /winnder_step2.1.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /contact/website.php > SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:txtComments "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340567,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/contact/website.php )',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:txtComments "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340568,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/contact/website.php )',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /acp/template.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:template "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340569,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/wbb/acp/template.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:template "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340570,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/wbb/acp/template.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /sregister2-p.php> SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 SecRule ARGS|!ARGS:message|!ARGS:/^SQL/|!ARGS:query_string|!ARGS:query|!ARGS:description|!ARGS:skills "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table)|delete[[:space:]]*update.+set.+=)" \ "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:346144,rev:12,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection (/sregister2-p.php)',deny,status:403,phase:2" </LocationMatch> <LocationMatch /posting.php> SecRuleRemoveById 340156 340095 SecRule ARGS|ARGS_NAMES|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!ARGS:/message/|!ARGS:/post/|!ARGS:/body/|!ARGS:/msg/|!ARGS:/text/|!ARGS:/txt/|!ARGS:topicseen|!ARGS_NAMES:posted_data[product_substring] "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \ "id:344156,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection (/posting.php)',logdata:'%{TX.0}',deny,status:403,phase:2" SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /phpmysupport/trackerimage.php> SecRuleRemoveById 340026 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:base "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340571,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/phpmysupport/trackerimage.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:base "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340572,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/phpmysupport/trackerimage.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /chat.php> SecRuleRemoveById 340162 340165 350147 350148 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:dep "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340573,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/chat.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:dep "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340574,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/chat.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /wp-admin/edit.php> SecRuleRemoveById 340162 340165 390707 SecRuleRemoveById 340163 #SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:wpau-ftphost|!ARGS:adsensem-code|!ARGS:addresses|!ARGS:referredby|!ARGS:adrotate_bannercode "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ # "id:340575,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/wp-admin/edit.php)'" #SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" #SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:wpau-ftphost|!ARGS:adsensem-code|!ARGS:addresses|!ARGS:referredby|!ARGS:adrotate_bannercode "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ # "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340576,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/wp-admin/edit.php)'" #SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /egroupware/etemplate/process_exec.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:exec[text]|!ARGS:/link/|!ARGS:/referer/|!ARGS:/site/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340577,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/egroupware/etemplate/process_exec.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:exec[text]|!ARGS:/link/|!ARGS:/referer/|!ARGS:/site/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340578,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/egroupware/etemplate/process_exec.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /install.php> SecRuleRemoveById 340852 SecRuleRemoveById 340853 SecRuleRemoveById 340854 SecRuleRemoveById 341057 SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /acollab/install/install.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:upload_dir "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340581,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/acollab/install/install.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:upload_dir "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340582,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/acollab/install/install.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /includes/popup.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:z "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340583,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/includes/popup.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:z "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340584,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/includes/popup.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cgi-bin/cgiemail/testform.txt> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:success "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340585,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/cgiemail/testform.txt)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:success "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340586,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-bin/cgiemail/testform.txt)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/doeditboard.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:headerfile|!ARGS:intro_body "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340587,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/ubbthreads/admin/doeditboard.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:headerfile|!ARGS:intro_body "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340588,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/ubbthreads/admin/doeditboard.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/item_processor.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:pictureremote "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340589,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/anyinventory/admin/item_processor.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:pictureremote "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340590,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/anyinventory/admin/item_processor.php)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /modules/fckeditor/fckeditor/editor/filemanager/browser/default/browser.html> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:Connector "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340591,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/default/browser.html)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:Connector "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340592,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/default/browser.html)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /modules/mod_shoutbox.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:c|!ARGS:metodista "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:341592,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:c|!ARGS:metodista "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340593,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /wp-admin/options.php> SecRuleRemoveById 340147 350147 331025 350148 350149 340113 341211 </LocationMatch> <LocationMatch /wp-admin/options-general.php> SecRuleRemoveById 340147 350147 331025 350148 350149 340113 341211 340159 340157 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340113 341211 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/rss/|!ARGS:/aboutme/|!ARGS:site|!ARGS:src|!ARGS:/icsFile/|!ARGS:/jpgfile/|!ARGS:/^player-config/|!ARGS:/appid/|!ARGS:theme|!ARGS:/^aiosp_/|!ARGS:/icon/|!ARGS:/logo/|!ARGS:/button/|!ARGS:fb_id|!ARGS:/refer/|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/twitter/|!ARGS:/^cforms/|!ARGS:/uri/|!ARGS:/gravatar/|!ARGS:/link/|!ARGS:username|!ARGS:/page/|!ARGS:/address/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^sm_pages_ur/|!ARGS:/feed/|!ARGS:/^IMConfig/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:ddsg_xml_path|!ARGS:sm_b_style|!ARGS:regplus_login_redirect "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,id:340594,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:18,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/rss/|!ARGS:/aboutme/|!ARGS:site|!ARGS:src|!ARGS:/icsFile/|!ARGS:/jpgfile/|!ARGS:/^player-config/|!ARGS:/appid/|!ARGS:theme|!ARGS:/^aiosp_/|!ARGS:/icon/|!ARGS:/logo/|!ARGS:/button/|!ARGS:fb_id|!ARGS:/refer/|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/twitter/|!ARGS:/^cforms/|!ARGS:/uri/|!ARGS:/gravatar/|!ARGS:/link/|!ARGS:username|!ARGS:/page/|!ARGS:/address/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^sm_pages_ur/|!ARGS:/feed/|!ARGS:/^IMConfig/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:ddsg_xml_path|!ARGS:sm_b_style|!ARGS:regplus_login_redirect "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340595,rev:18,severity:4,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /app-modernbill-admin/configs.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^settings/|!ARGS:/^configParams/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340596,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^settings/|!ARGS:/^configParams/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340597,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cgi-bin/FormMail.pl> SecRuleRemoveById 340162 340163 340165 340147 340148 340149 </LocationMatch> <LocationMatch /cgi-bin/formmail.pl> SecRuleRemoveById 340162 340165 340147 340148 340149 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:Recommendations|!ARGS:Comments|!ARGS:background|!ARGS:redirect|!ARGS:/site/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340598,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-sys/FormMail.cgi)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:Recommendations|!ARGS:Comments|!ARGS:background|!ARGS:redirect|!ARGS:/site/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340599,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (/cgi-sys/FormMail.cgi)',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /mainsettings.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^settings/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340600,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^settings/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340601,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /site.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:dict "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340602,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:dict "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340603,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/ciadmin.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:securebase1|!ARGS:base1 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340604,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:securebase1|!ARGS:base1 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340605,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /category.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/page/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:desc|!ARGS:template "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340607,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/page/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:desc|!ARGS:template "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340608,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /modules/newbbex/post.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:hidden|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340609,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:hidden|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340610,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cgi-bin/mb/index2.cgi> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:index|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340611,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:index|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340612,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cerberus/parser.php> SecRuleRemoveById 350147 331025 350148 340009 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:xml|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340613,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:xml|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340614,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /imp/expand.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:field_value|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340615,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:field_value|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340616,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /livehelp/mastersettings.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:server|!ARGS:/url/|!ARGS:/redirect/|!ARGS:newwebpath|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340617,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:server|!ARGS:/url/|!ARGS:/redirect/|!ARGS:newwebpath|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340618,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /manager/edit_template.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:template|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340619,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:template|!ARGS:message|!ARGS:subject "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340620,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /clip/index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:route_to "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340621,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:route_to "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340622,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/moduleinterface.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/template/|!ARGS:/^m1/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340623,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/template/|!ARGS:/^m1/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340624,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cpanel/saveType.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:embed "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340625,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:embed "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340626,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/basic_settings.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:custom_promo_code "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340627,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:custom_promo_code "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340628,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/site_setup.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:site_path "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340629,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:site_path "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340630,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /shopadmin/core.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:offer_copyright|!ARGS:offerDomain|!ARGS:con|!ARGS:offer_contactus|!ARGS:content|!ARGS:mail_content|!ARGS:reply "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340631,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:offer_copyright|!ARGS:offerDomain|!ARGS:con|!ARGS:offer_contactus|!ARGS:content|!ARGS:mail_content|!ARGS:reply "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340632,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /system/index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^template/|!ARGS:/^field_id/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340633,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^template/|!ARGS:/^field_id/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340634,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /Mailer/TrueFM.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:forward|!ARGS:body_tag|!ARGS:http_referer|!ARGS:Address|!ARGS:Comment "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340635,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:forward|!ARGS:body_tag|!ARGS:http_referer|!ARGS:Address|!ARGS:Comment "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340636,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /ummmanager.cgi> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:login "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340637,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:login "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340638,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /install/step6.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^site_/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340639,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^site_/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340640,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /homeCounter.php> SecRuleRemoveById 340024 SecRuleRemoveById 340028 SecRuleRemoveById 340151 </LocationMatch> <LocationMatch /admincp/options.php> SecRuleRemoveById 340009 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:site_path|!ARGS:/^setting/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340641,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:site_path|!ARGS:/^setting/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340642,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /media/hochron.html> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:MemberSelectList "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340643,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:MemberSelectList "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340644,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/settings/index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^settings/|!ARGS:metaDescription "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340645,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^settings/|!ARGS:metaDescription "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340646,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cmspopouts/shortcuts.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:target_title "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340647,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:target_title "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340648,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /manufacturers_edit.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^edit/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340649,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^edit/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340650,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/contactmanage.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:response "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340651,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:response "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340652,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /giftcert.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:recipient_address "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340653,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:recipient_address "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340654,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /pages/news.htm> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:store "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340655,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:store "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340656,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /bb-login.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:re|!ARGS:_wp_http_referer "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340657,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:re|!ARGS:_wp_http_referer "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340658,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /adview.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:target1 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340659,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:target1 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340660,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /ajCart/cart.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:CARTDIR "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340661,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:CARTDIR "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340662,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /index.php/install/-/configure> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:DIR_REL "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340661,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:DIR_REL "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340662,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /store/zc_install/index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /admin_config.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:pagename "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340663,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:pagename "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340664,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cutenews/index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/http_script_dir/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:change_avatar|!ARGS:short_story "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340665,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/http_script_dir/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:change_avatar|!ARGS:short_story "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340666,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /data/nanoadmin.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^areaContent/|!ARGS:content "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340667,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^areaContent/|!ARGS:content "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340668,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /auctions/rsstml.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:XML "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340669,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:XML "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340670,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /install/util.php> SecRuleRemoveById 340157 </LocationMatch> <LocationMatch /egroupware/index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^newssettings/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340672,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^newssettings/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340673,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /lclaccounts/setup/config.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^newssettings/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340672,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^newssettings/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340673,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/post_property.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:map|!ARGS:photo "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340674,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:map|!ARGS:photo "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340675,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /filemanager/browser/default/browser.html> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:Connector "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340676,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:Connector "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340677,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin.mvc> SecRuleRemoveById 350147 331025 350148 340113 341211 340147 340148 340149 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/description/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/CFM_Fields/|!ARGS:Store_MvUPS_Server|!ARGS:/^Store_CustomerEmail_/|!ARGS:Store_OUI_GlobalHeader|!ARGS:Store_OUI_GlobalFooter|!ARGS:Store_OUI_InvoiceFooter "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340678,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/description/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/CFM_Fields/|!ARGS:Store_MvUPS_Server|!ARGS:/^Store_CustomerEmail_/|!ARGS:Store_OUI_GlobalHeader|!ARGS:Store_OUI_GlobalFooter|!ARGS:Store_OUI_InvoiceFooter "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340679,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /delivery/ck.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:oaparam__bannerid|!ARGS:oaparams "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340680,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:oaparam__bannerid|!ARGS:oaparams "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340681,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /proxy/index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:q "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340682,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:q "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340683,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch ^/imp/> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:DefaultZDM|!ARGS:/http/|!ARGS:/refer/|!ARGS:/redirect/|!ARGS:subject|!ARGS:imapuser|!ARGS:/url/|!ARGS:/redirect/|!ARGS:u|!ARGS:message|!ARGS:/msg/|!ARGS:formData|!ARGS:form_img "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340684,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:DefaultZDM|!ARGS:/http/|!ARGS:/refer/|!ARGS:/redirect/|!ARGS:subject|!ARGS:imapuser|!ARGS:/url/|!ARGS:/redirect/|!ARGS:u|!ARGS:message|!ARGS:/msg/|!ARGS:formData|!ARGS:form_img "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340685,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch modules/mod_wowstatus/wowserverstatus.php> SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /ucp.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:mode|!ARGS:message|!ARGS:remotelink|!ARGS:website|!ARGS:signature "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340686,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,deny,status:403,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:mode|!ARGS:message|!ARGS:remotelink|!ARGS:website|!ARGS:signature "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,deny,status:403,multimatch,id:340687,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /shopping/search.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:q "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340688,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:q "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340689,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /app-modernbill-admin/configs.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^configParams/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340690,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^configParams/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340691,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /sysadminarea.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^configParams/|!ARGS:/^update/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340692,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^configParams/|!ARGS:/^update/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340693,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /download.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/link/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:file|!ARGS:referer "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340694,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/link/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:file|!ARGS:referer "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340695,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /net2ftp_installer.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:package "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340696,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:package "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340697,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /mediaplayer.swf> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:file "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340698,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:file "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340699,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /adm-misc.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:3|!ARGS:body|!ARGS:/txt/|!ARGS:/text/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340700,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:3|!ARGS:body|!ARGS:/txt/|!ARGS:/text/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340701,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /piwik.php> SecRuleRemoveById 340162 340165 331025 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:action_name|!ARGS:q|!ARGS:/ref/|!ARGS:link|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:download "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340702,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:action_name|!ARGS:q|!ARGS:/ref/|!ARGS:link|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:download "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:urlDecodeUni,t:none,t:base64Decode,t:hexDecode,t:htmlEntityDecode,multimatch,id:340703,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/file_edit.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:download|!ARGS:filebody "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340704,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:download|!ARGS:filebody "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340705,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /wp-admin/plugin-editor.php> SecRuleRemoveById 380006 340095 331028 340155 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340029 SecRuleRemoveById 390715 SecRuleRemoveById 340157 SecRuleRemoveById 380018 380019 380020 SecRule ARGS "(?:(?:eval|passthru) ?\( ?(?:base64_decode|gz(?:inflate|decode|encode)) ?\(|str_rot13 ?\()" \ "t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,multimatch,id:344729,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious code injection via WP plugin-editor',deny,status:403,phase:2" SecRule ARGS "(?:(?:eval|passthru) ?\( ?(?:base64_decode|gz(?:inflate|decode|encode)) ?\(|str_rot13 ?\()" \ "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,id:344730,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious code injection via WP plugin-editor',deny,status:403,phase:2" SecRule ARGS "(?:(?:eval|passthru) ?\( ?(?:base64_decode|gz(?:inflate|decode|encode)) ?\(|str_rot13 ?\()" \ "t:none,t:base64Decode,t:compressWhitespace,id:344731,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious code injection via WP plugin-editor',deny,status:403,phase:2" </LocationMatch> <LocationMatch /fplayer.swf> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:config "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340706,chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:config "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340707,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /mailer/images.php> SecRuleRemoveById 340084 </LocationMatch> <LocationMatch /mailer/redir.php> SecRuleRemoveById 340084 </LocationMatch> <LocationMatch /sqlpatch.php> SecRuleRemoveById 350147 340159 SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /tbl_select.php> SecRuleRemoveById 350148 SecRuleRemoveById 340160 SecRuleRemoveById 340157 SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 SecRuleRemoveById 340155 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 390572 </LocationMatch> <LocationMatch /cgi-bin/cart.cgi> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/image/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340708,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/image/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340709,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /tce_file.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/file/|!ARGS:redirect "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340710,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/file/|!ARGS:redirect "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340711,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /writeToSFDC.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/file/|!ARGS:redirect|!ARGS:/write/|!ARGS:/Past/|!ARGS:Reference_1_Contact_Info__c "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340712,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/file/|!ARGS:redirect|!ARGS:/write/|!ARGS:/Past/|!ARGS:Reference_1_Contact_Info__c "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340713,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/nmanage.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/file/|!ARGS:redirect|!ARGS:news "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "id:340714,t:none,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/file/|!ARGS:redirect|!ARGS:news "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340715,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /login.php> SecRuleRemoveById 390709 SecRuleRemoveById 340009 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340148 SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!ARGS:pass "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \ "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Attempt to Access protect file Remotely',id:'320465',rev:1,logdata:'%{TX.0}',severity:'2',deny,status:403,phase:2" SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \ "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Attempt to Access protect file Remotely',id:'320466',rev:1,logdata:'%{TX.0}',severity:'2',deny,status:403,phase:2" SecRule REQUEST_HEADERS|!REQUEST_HEADERS:X-PageView|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:REFERER|ARGS|!ARGS:pass|!ARGS:returnto "(?:/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|kern|[br]oot|sys|windows|winnt)/|(?:\/|\\\\)+inetpub|localstart\.asp|boot\.ini)" \ "t:normalisePath,capture,id:320464,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Protected Path Access denied in URI/ARGS',logdata:'%{TX.0}',deny,status:403,phase:2" SecRule ARGS|!ARGS:server|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/return/|!ARGS:password|!ARGS:ref|!ARGS:location|!ARGS:takeback|!ARGS:return|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:referrer|!ARGS:/homepage/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/" \ "id:340716,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:6,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:server|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/return/|!ARGS:password|!ARGS:ref|!ARGS:location|!ARGS:takeback|!ARGS:return|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:referrer|!ARGS:/homepage/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340717,rev:6,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',deny,status:403,phase:2" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/[head]/|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:move2|!ARGS:input[Desarrollo]|!ARGS:hoperation|!ARGS:arg2|!ARGS:login_form|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:/submitcode/|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(ht|f)tps?)\:/|alert ?\(|<? (?:(?:java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|< ?/?i?frame|\%env)" \ "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,multiMatch,capture,id:360030,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}',deny,status:403,phase:2" </LocationMatch> <LocationMatch /amember/admin/email.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:vars "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340718,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:vars "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340719,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /webinstall.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:mirror|!ARGS:ftp_server "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340720,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:mirror|!ARGS:ftp_server "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340721,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /pap.swf> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:v1 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340722,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:v1 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340723,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /fckeditor.html> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:CustomConfigurationsPath "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,id:340724,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:CustomConfigurationsPath "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340725,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /timthumb.php> SecRuleRemoveById 340162 340165 340006 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:src "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "capture,phase:2,deny,status:403,id:340726,chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',logdata:'%{MATCHED_VAR}'" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:src "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "capture,phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340727,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',logdata:'%{MATCHED_VAR}'" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /phpthumb.php> SecRuleRemoveById 340162 340165 340006 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:src "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "capture,phase:2,deny,status:403,id:375726,chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',logdata:'%{MATCHED_VAR}'" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:src "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "capture,phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:375727,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',logdata:'%{MATCHED_VAR}'" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /upload.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /idevaffiliate/admin/setup.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:full_path "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,id:340730,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:full_path "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340731,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /install/index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340159 SecRuleRemoveById 340157 SecRuleRemoveById 340160 SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /tbl_create.php> SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /tbl_select.php> SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /tbl_addfield.php> SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /tbl_change.php> SecRuleRemoveById 350147 340155 SecRuleRemoveById 350148 SecRuleRemoveById 340016 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /phpmyadmin/> SecRuleRemoveById 340016 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /movieonline.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:list "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340732,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:list "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340733,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /listings/client.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:line3 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340734,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:line3 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340735,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /test_index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:rf "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340736,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:rf "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340737,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /recommend.cgi> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:name "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340738,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:name "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340739,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /goodsCounter.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340151 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:u|!ARGS:cof|!ARGS:ureferrer "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340740,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:u|!ARGS:cof|!ARGS:ureferrer "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340741,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /fla_video.swf> SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /admin/admin_board.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:sql|!ARGS:address_whois "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340742,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:sql|!ARGS:address_whois "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340743,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /search_results.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:server_protocol|!ARGS:databasehost|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:act "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:341744,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:server_protocol|!ARGS:databasehost|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:act "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:341745,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /wp-content/plugins/wordtube/lib/statistic.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:file "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340746,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:file "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340747,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /paadmin/categories.php> SecRuleRemoveById 380011 </LocationMatch> <LocationMatch /alt_clickmenu.php> SecRuleRemoveById 340007 340006 </LocationMatch> <LocationMatch /get.php> SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /admin-ajax.php> SecRuleRemoveById 340007 350147 331025 350148 340128 380121 390572 380020 390703 340165 340162 340163 380006 340748 340155 340145 SecRuleRemoveById 340018 SecRuleRemoveById 390708 SecRuleRemoveById 340113 341211 SecRule REQUEST_URI|ARGS|!ARGS:content|!ARGS:/^widget-my_requestquotewidget/ "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \ "deny,status:403,phase:2,t:none,t:lowercase,id:340748,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied'" </LocationMatch> <LocationMatch /administrator/index.php> SecRuleRemoveById 340162 340163 340165 SecRule REQUEST_URI "!(^/administrator/index\.php\?option=com_(?:ganalytics|install|config&tmpl))" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:lowercase,id:336142,rev:12,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{MATCHED_VAR}',chain" SecRule REQUEST_URI|ARGS|!ARGS:/source_code/|!ARGS:login|!ARGS:misc|!ARGS:gallerylist|!ARGS:pathubr_upload|!ARGS:custom_email|!ARGS:extra_info|!ARGS:/source_code/|!ARGS:junkWords|!ARGS:name_ip|!ARGS:marker|!ARGS:marker_select|!ARGS:conf_DOWNLOADROOT|!ARGS:/custom_field/|!ARGS:search_all|!ARGS:/^zcck/|!ARGS:/^tzfields/|!ARGS:contact_info|!ARGS:log_path|!ARGS:tmp_path|!ARGS:pathadmin|!ARGS:/stream/|!ARGS:canonical|!ARGS:/addy/|!ARGS:/video/|!ARGS:/biography/|!ARGS:/sermon/|!ARGS:notes|!ARGS:competitor|!ARGS:/^currentValue/|!ARGS:protocol_select|!ARGS:/constant_contact/|!ARGS:/^plugin/|!ARGS:/^params/|!ARGS:extern_file|!ARGS:rel_path|!ARGS:aim|!ARGS:/^field/|!ARGS:details|!ARGS:/^complete_action/|!ARGS:profile_id|!ARGS:api|!ARGS:/^option_value/|!ARGS:button_src|!ARGS:cc_list_id|!ARGS:/buzz/|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:back|!ARGS:^/xcpr_/|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:/export/|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/tripadvisor/|!ARGS:/iTunes/|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/target/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:embed_code|!ARGS:/^input_/|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:dest|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:wlp|!ARGS:hp|!ARGS:refsrc|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:textfetch|!ARGS:input_3|!ARGS:file|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:sfhome|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/^obj_/|!ARGS:/photo/|!ARGS:/media/|!ARGS:/icon/|!ARGS:back|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/linkedin/|!ARGS:/twitter/|!ARGS:/flickr/|!ARGS:/youtube/|!ARGS:parent_name|!ARGS:/blog/|!ARGS:/vid/|!ARGS:_update_failure|!ARGS:_update_success|!ARGS:hdwok|!ARGS:hdwnook|!ARGS:OpenID|!ARGS:/^hilit/|!ARGS:/reciprocal/|!ARGS:importremote|!ARGS:/callback/|!ARGS:/sponsors/|!ARGS:/^akID/|!ARGS:service|!ARGS:want2Read|!ARGS:search_string|!ARGS:/preview/|!ARGS:/thumb/|!ARGS:subject|!ARGS:direct|!ARGS:fflv|!ARGS:direct|!ARGS:source_location/|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:go|!ARGS:resolution|!ARGS:catalogue_search_code|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:/^utm/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:clickTag1|!ARGS:rf|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:lec_rm|!ARGS:n-state|!ARGS:Stream|!ARGS:CP_email|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:/^clickTagFrame/|!ARGS:/^attr/|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:/^V_feed/|!ARGS:itemIntro|!ARGS:photo|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:/^GARS_existing/|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:loc|!ARGS:/body/|!ARGS:/^product_long/|!ARGS:/server/|!ARGS:/content/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:address|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:/footer/|!ARGS:FAQTitle|!ARGS:host|!ARGS:/text/|!ARGS:whereto|!ARGS:pathToPiwik|!ARGS:email_sig|!ARGS:feed|!ARGS:/^artsee_banner_/|!ARGS:fetch|!ARGS:pingback_service|!ARGS:/hostname/|!ARGS:/http/|!ARGS:email_forward|!ARGS:bannercode|!ARGS:RTServerName|!ARGS:mesg|!ARGS:forward|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:advBannerMessage|!ARGS:thumb|!ARGS:u|!ARGS:header|!ARGS:action|!ARGS:cptpl_dir|!ARGS:Stream|!ARGS:arg6|!ARGS:dbhost|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:stretch|!ARGS:cat_sponsor|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:contactMessage|!ARGS:var_value[usps_labels_help_2]|!ARGS:short_story|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:headers-28|!ARGS:soundname|!ARGS:bbcode_tpl|!ARGS:faqText|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:from_href|!ARGS:Comentario|!ARGS:/^dynadata/|!ARGS:paypal_ipn|!ARGS:title|!ARGS:right_frame|!ARGS:l1_bdy|!ARGS:theMessage|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:wp_home|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:vars[DBhostname]|!ARGS:base1|!ARGS:cart_header|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:full_story|!ARGS:source|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:ret_address|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:/^PLUGIN_FEED/|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:sig|!ARGS:KT_Update1|!ARGS:flds[Message]|!ARGS:EditorHTML|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:option[home]|!ARGS:sm_b_style|!ARGS:success|!ARGS:short_story|!ARGS:/^css/|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:statusaddress|!ARGS:revnews_ad_120|!ARGS:/sponsor_banner/|!ARGS:newText|!ARGS:PageCopy|!ARGS:amp;loc|!ARGS:f_header|!ARGS:option[78]|!ARGS:agendWebPage|!ARGS:/ftp/|!ARGS:gen_header|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:href|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:c_msg|!ARGS:note|!ARGS:domain|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:clickTAG|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:helpbox|!ARGS:basehref|!ARGS:redir|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:oldmsg|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:bbcode_replace|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:goto|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:fb_ref|!ARGS:notes|!ARGS:pn_domain|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:ret|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:area|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:map|!ARGS:dynafield[_SIGNATURE]|!ARGS:payment_extrainfo|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:code|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:lowercase,multimatch,chain" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" SecRule REQUEST_URI "!(^/administrator/index\.php\?option=com_(?:ganalytics|install|config))" \ "phase:2,deny,status:403,capture,id:336141,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain,rev:12,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{MATCHED_VAR}'" SecRule ARGS|!ARGS:misc|!ARGS:/source_code/|!ARGS:login|!ARGS:pathubr_upload|!ARGS:gallerylist|!ARGS:junkWords|!ARGS:extra_info|!ARGS:custom_email|!ARGS:name_ip|!ARGS:/source_code/|!ARGS:search_all|!ARGS:/stream/|!ARGS:marker|!ARGS:marker_select|!ARGS:conf_DOWNLOADROOT|!ARGS:/custom_field/|!ARGS:/^zcck/|!ARGS:log_path|!ARGS:/^tzfields/|!ARGS:contact_info|!ARGS:tmp_path|!ARGS:pathadmin|!ARGS:canonical|!ARGS:/addy/|!ARGS:/sermon/|!ARGS:/video/|!ARGS:/biography/|!ARGS:notes|!ARGS:competitor|!ARGS:/^currentValue/|!ARGS:protocol_select|!ARGS:/constant_contact/|!ARGS:/^plugin/|!ARGS:/^params/|!ARGS:extern_file|!ARGS:rel_path|!ARGS:aim|!ARGS:/^field/|!ARGS:details|!ARGS:/^complete_action/|!ARGS:profile_id|!ARGS:api|!ARGS:/^option_value/|!ARGS:button_src|!ARGS:cc_list_id|!ARGS:/buzz/|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:back|!ARGS:^/xcpr_/|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:/export/|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/tripadvisor/|!ARGS:/iTunes/|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/target/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:embed_code|!ARGS:/^input_/|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:dest|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:wlp|!ARGS:hp|!ARGS:refsrc|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:textfetch|!ARGS:input_3|!ARGS:file|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:sfhome|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/^obj_/|!ARGS:/photo/|!ARGS:/media/|!ARGS:/icon/|!ARGS:back|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/linkedin/|!ARGS:/twitter/|!ARGS:/flickr/|!ARGS:/youtube/|!ARGS:parent_name|!ARGS:/blog/|!ARGS:/vid/|!ARGS:_update_failure|!ARGS:_update_success|!ARGS:hdwok|!ARGS:hdwnook|!ARGS:OpenID|!ARGS:/^hilit/|!ARGS:/reciprocal/|!ARGS:importremote|!ARGS:/callback/|!ARGS:/sponsors/|!ARGS:/^akID/|!ARGS:service|!ARGS:want2Read|!ARGS:search_string|!ARGS:/thumb/|!ARGS:/preview/|!ARGS:subject|!ARGS:direct|!ARGS:fflv|!ARGS:direct|!ARGS:source_location/|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:go|!ARGS:resolution|!ARGS:catalogue_search_code|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:/^utm/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:clickTag1|!ARGS:rf|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:lec_rm|!ARGS:n-state|!ARGS:Stream|!ARGS:CP_email|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:/^clickTagFrame/|!ARGS:/^attr/|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:/^V_feed/|!ARGS:itemIntro|!ARGS:photo|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:/^GARS_existing/|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:loc|!ARGS:/body/|!ARGS:/^product_long/|!ARGS:/server/|!ARGS:/content/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:address|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:/footer/|!ARGS:FAQTitle|!ARGS:host|!ARGS:/text/|!ARGS:whereto|!ARGS:pathToPiwik|!ARGS:email_sig|!ARGS:feed|!ARGS:/^artsee_banner_/|!ARGS:fetch|!ARGS:pingback_service|!ARGS:/hostname/|!ARGS:/http/|!ARGS:email_forward|!ARGS:bannercode|!ARGS:RTServerName|!ARGS:mesg|!ARGS:forward|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:advBannerMessage|!ARGS:thumb|!ARGS:u|!ARGS:header|!ARGS:action|!ARGS:cptpl_dir|!ARGS:Stream|!ARGS:arg6|!ARGS:dbhost|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:stretch|!ARGS:cat_sponsor|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:contactMessage|!ARGS:var_value[usps_labels_help_2]|!ARGS:short_story|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:headers-28|!ARGS:soundname|!ARGS:bbcode_tpl|!ARGS:faqText|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:from_href|!ARGS:Comentario|!ARGS:/^dynadata/|!ARGS:paypal_ipn|!ARGS:title|!ARGS:right_frame|!ARGS:l1_bdy|!ARGS:theMessage|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:wp_home|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:vars[DBhostname]|!ARGS:base1|!ARGS:cart_header|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:full_story|!ARGS:source|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:ret_address|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:/^PLUGIN_FEED/|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:sig|!ARGS:KT_Update1|!ARGS:flds[Message]|!ARGS:EditorHTML|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:option[home]|!ARGS:sm_b_style|!ARGS:success|!ARGS:short_story|!ARGS:/^css/|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:statusaddress|!ARGS:revnews_ad_120|!ARGS:/sponsor_banner/|!ARGS:newText|!ARGS:PageCopy|!ARGS:amp;loc|!ARGS:f_header|!ARGS:option[78]|!ARGS:agendWebPage|!ARGS:/ftp/|!ARGS:gen_header|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:href|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:c_msg|!ARGS:note|!ARGS:domain|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:clickTAG|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:helpbox|!ARGS:basehref|!ARGS:redir|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:oldmsg|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:bbcode_replace|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:goto|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:fb_ref|!ARGS:notes|!ARGS:pn_domain|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:ret|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:area|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:map|!ARGS:dynafield[_SIGNATURE]|!ARGS:payment_extrainfo|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:code|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" "t:none,t:urlDecodeUni,t:lowercase" SecRuleRemoveById 340147 350147 331025 350148 350149 340165 SecRuleRemoveById 340149 340148 SecRuleRemoveById 340029 340155 340027 SecRule ARGS|!ARGS:/jform/|!ARGS:/^element/|!ARGS:/text/ "(?:chr|fwrite|fopen|system|echr|passthru|php_uname|include|popen|proc_open|shell_exec|mysql_query|exec|eval|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|preg_\w+) ?\( ?'?" \ "t:none,t:urlDecodeUni,t:lowercase,capture,chain,id:387123,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic php body attack attempt',logdata:'%{TX.0}'" SecRule ARGS|!ARGS:/jform/|!ARGS:/text/ "(?:(?:cd|mkdir)[[:space:]]+(?:/|[a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z])" SecRuleRemoveById 340016 SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES:/utm/|ARGS|XML:/*|!ARGS:/^elements/|!ARGS:default|!ARGS:/php/|!ARGS:piece3code|!ARGS:/^jform/|!ARGS:/query/|!ARGS:/comment/|!ARGS:keywords|!ARGS:/description/|!ARGS:/sql/|!ARGS:query|!ARGS:/desc/|!ARGS:movie_brief|!ARGS:/text/|!ARGS:/message/|!ARGS:ncontent|!ARGS:/body/|!ARGS:/content/|!ARGS:searchword|!ARGS:add_keywords|!ARGS:/description/|!ARGS:/products_description/|!ARGS:contactMessage|!ARGS:cts|!ARGS:meta_descr|!ARGS:edited|!ARGS:content|!ARGS:description|!ARGS:Post|!ARGS:body|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:general[description]|!ARGS:response[14]|!ARGS:/article/ "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\bunion\b.{1,100}?\bselect\b.*[a-z0-9].*from|select (?:load_file|char\()|(?:insert|remark)test;)" \ "deny,status:403,phase:2,capture,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,id:350096,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection',logdata:'%{TX.0}',chain" SecRule REQUEST_URI "!(^/administrator/index\.php\?option=com_rsform)" SecRuleRemoveById 340017 SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES:/utm/|ARGS|!ARGS:ncontent|!ARGS:/php/|!ARGS:/^elements/|!ARGS:/body/|!ARGS:/content/|!ARGS:/query/|!ARGS:/^jform/|!ARGS:searchword|!ARGS:add_keywords|!ARGS:comment|!ARGS:comments|!ARGS:text|!ARGS:/description/|!ARGS:/sql/|!ARGS:query|!ARGS:contactMessage|!ARGS:cts|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:introtext|!ARGS:Post|!ARGS:itembigtext|!ARGS:/article/|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:general[description]|!ARGS:response[14]|!ARGS:article|!ARGS:wptextbox1 "(?:insert into values|select from [a-z|0-9]!( and)|bulk insert|union select|union all select|convert \(.*from|select (?:load_file|char\()|(?:insert|remark)test;)" \ "deny,status:403,phase:2,capture,t:none,t:replaceComments,t:compressWhiteSpace,id:350097,rev:47,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection in ARGS',logdata:'%{TX.0}'" SecRuleRemoveById 340095 # Rule 340095: generic sig for more bad PHP functions SecRule ARGS|!ARGS:/keywords/|!ARGS:/content/|!ARGS:product_desc|!ARGS:editor_body|!ARGS:/mail/|!ARGS:/longdesc/|!ARGS:/^layout/|!ARGS:/quote/|!ARGS:/^element/|!ARGS:message|!ARGS:/description/|!ARGS:/text/|!ARGS:/txt/|!ARGS:email "(?:\(chr ?\([0-9]{1,3}\)|= ?f(?:open|write) ?\(|\b(?:passthru|php_uname|phpinfo|preg_\w+|shell_exec|exec|system) ?(?:\( ?(?:'|\")|@|\: ?')\b)" \ "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,deny,status:403,phase:2,capture,id:350095,rev:11,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible PHP attack in Argument',logdata:'%{TX.0}'" # Rule 340149: XSS injection SecRule REQUEST_URI "!(/administrator/index\.php\?option=com_(?:rsform|modules|sobipro|nbill|plugins|employment|aclassif|redshop|cckjseblod|templates))" \ "chain,deny,status:403,phase:2,t:none,t:lowercase,t:compressWhitespace,capture,id:310716,rev:34,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule ARGS|!ARGS:/^lang\[/|!ARGS:/premiere/|!ARGS:metakey|!ARGS:tcode|!ARGS:/accolade/|!ARGS:/insertstring/|!ARGS:thecode|!ARGS:/^vertex/|!ARGS:tz_media_code|!ARGS:slider|!ARGS:/dialogue/|!ARGS:answer|!ARGS:location|!ARGS:fieldstyle|!ARGS:/confirmation/|!ARGS:/limitpage/|!ARGS:/button/|!ARGS:thirdparty|!ARGS:/synopsis/|!ARGS:/question/|!ARGS:/custom/|!ARGS:/profile/|!ARGS:addr|!ARGS:fulladdress|!ARGS:msc.restrict|!ARGS:/instrumentation/|!ARGS:/disallow/|!ARGS:php_out|!ARGS:rs_specs|!ARGS:dloadexp|!ARGS:passwd|!ARGS:/leftcol/|!ARGS:/rightcol/|!ARGS:/projects/|!ARGS:/discography/|!ARGS:/^button/|!ARGS:/remark/|!ARGS:order_sign|!ARGS:/^breves/|!ARGS:/^zcck/|!ARGS:/specification/|!ARGS:/^tpl_/|!ARGS:/biog/|!ARGS:/^attr/|!ARGS:/custfoot/|!ARGS:/custhead/|!ARGS:/display/|!ARGS:/sml_/|!ARGS:/^ctl_next/|!ARGS:/print/|!ARGS:/quote/|!ARGS:/instructions/|!ARGS:/priceFormat/|!ARGS:overview|!ARGS:js|!ARGS:/^arg/|!ARGS:/^rsmailConfig/|!ARGS:deal_coupon|!ARGS:/review/|!ARGS:/^cb_/|!ARGS:/^extraf/|!ARGS:/send/|!ARGS:/enquire/|!ARGS:/accesoires/|!ARGS:tip|!ARGS:/^dms/|!ARGS:/^cf/|!ARGS:/testimonial/|!ARGS:/server/|!ARGS:/sherpa/|!ARGS:/feature/|!ARGS:/^tips/|!ARGS:/thank/|!ARGS:/term/|!ARGS:/script/|!ARGS:/filter/|!ARGS:/^jform/|!ARGS:/booking/|!ARGS:ad_code|!ARGS:output|!ARGS:ll|!ARGS:/chronofield/|!ARGS:/config/|!ARGS:/^option_value/|!ARGS:parent_path|!ARGS:/popup/|!ARGS:/footer/|!ARGS:Right_photo_1|!ARGS:code|!ARGS:/^K2ExtraField/|!ARGS:/submitcode/|!ARGS:misc|!ARGS:/layout/|!ARGS:/^form/|!ARGS:payment_extrainfo|!ARGS:/^xjxargs/|!ARGS:/param/|!ARGS:oid|!ARGS:value|!ARGS:/video/|!ARGS:embedVideo|!ARGS:/vendor_/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:mes|!ARGS:signature|!ARGS:quote-form|!ARGS:paepdc|!ARGS:/VB_announce/|!ARGS:/^autoDS/|!ARGS:newyddionc|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/intro/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:/field_unit/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|!ARGS:/theme/|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS_NAMES:/^jform/|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:user[usertitle]|!ARGS:/^section/|!ARGS:/msg/|!ARGS:/notice/|!ARGS:/email/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:/desc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/|!ARGS:/pagecode/|!ARGS:parent_path|!ARGS:/header/|!ARGS:/footer/|!ARGS:awards|!ARGS:/canceledpage/|!ARGS:/email/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|(?:java|live|j|vb)script!s|lowsrc|mocha\:|!(i|t)on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|shell\:|window\.location|asfunction:_root\.launch|\%env)" "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace" # Rule 340148: XSS injection with multimatch checks SecRule REQUEST_URI "!(/administrator/index\.php\?option=com_(?:rsform|sobipro|modules|nbill|employment|aclassif|redshop|cckjseblod|templates))" \ "chain,deny,status:403,phase:2,t:none,t:lowercase,capture,id:310717,rev:214,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule ARGS|ARGS_NAMES|!ARGS:/^lang\[/|!ARGS:/accolade/|!ARGS:metakey|!ARGS:/insertstring/|!ARGS:tcode|!ARGS:thecode|!ARGS:/^vertex/|!ARGS:tz_media_code|!ARGS:/dialogue/|!ARGS:slider|!ARGS:location|!ARGS:/format/|!ARGS:answer|!ARGS:/confirmation/|!ARGS:fieldstyle|!ARGS:/premiere/|!ARGS:/performances/|!ARGS:values|!ARGS:media|!ARGS:/synopsis/|!ARGS:/button/|!ARGS:thirdparty|!ARGS:/question/|!ARGS:/limitpage/|!ARGS:/disallow/|!ARGS:addr|!ARGS:fulladdress|!ARGS:/instrumentation/|!ARGS:msc.restrict|!ARGS:/profile/|!ARGS:passwd|!ARGS:rs_specs|!ARGS:dloadexp|!ARGS:/suffix/|!ARGS:/leftcol/|!ARGS:/rightcol/|!ARGS:title|!ARGS:php_out|!ARGS:/projects/|!ARGS:/discography/|!ARGS:order_sign|!ARGS:/remark/|!ARGS:/^button/|!ARGS:/^breves/|!ARGS:/^zcck/|!ARGS:/custom/|!ARGS:/sml_/|!ARGS:/^tpl_/|!ARGS:/biog/|!ARGS:/^attr/|!ARGS:/custhead/|!ARGS:/custfoot/|!ARGS:/display/|!ARGS:/userlist/|!ARGS:/print/|!ARGS:/^ctl_next/|!ARGS:/quote/|!ARGS:/instructions/|!ARGS:/specification/|!ARGS:overview|!ARGS:/^arg/|!ARGS:js|!ARGS:deal_coupon|!ARGS:/^rsmailConfig/|!ARGS:/review/|!ARGS:/^extraf/|!ARGS:/^cb_/|!ARGS:/enquire/|!ARGS:/send/|!ARGS:/^dms/|!ARGS:/accesoires/|!ARGS:tip|!ARGS:/^cf/|!ARGS:/testimonial/|!ARGS:/navigation/|!ARGS:/server/|!ARGS:/feature/|!ARGS:/sherpa/|!ARGS:id|!ARGS:/term/|!ARGS:/thank/|!ARGS:/script/|!ARGS:/booking/|!ARGS:/^jform/|!ARGS:ad_code|!ARGS:/msg/|!ARGS:/notice/|!ARGS:/email/|!ARGS:/priceFormat/|!ARGS:/caption/|!ARGS:/^tips/|!ARGS:/chronofield/|!ARGS:/config/|!ARGS:output|!ARGS:parent_path|!ARGS:/popup/|!ARGS:ll|!ARGS:/^option_value/|!ARGS:sidebar|!ARGS:code|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:/info/|!ARGS:misc|!ARGS:thanksemail|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^form/|!ARGS:/layout/|!ARGS:/^xjxargs/|!ARGS:payment_extrainfo|!ARGS:/param/|!ARGS:/^language_strings/|!ARGS:misc|!ARGS:oid|!ARGS:layout|!ARGS:prefix|!ARGS:value|!ARGS:default_value|!ARGS:/video/|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/embedVideo/|!ARGS:/intro/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:/tekst/|!ARGS:/field_unit/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:/duties/|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:parent_path|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/pagecode/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:awards|!ARGS:/ajax/ "(?:< ?script|(?:<|< ?/)(?:(?:java|vb)script|about|applet|activex|chrome)|\%env|< ?i?frame ?src ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\.add|\@)import |asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s|lowsrc ?=|mocha\:|\bon(?:abort|blur|change|click|submit|select|dragdrop|focus|key(?:down|press|up)|mouse(?:down|move|out|over|up))\b ?=|shell\:|window\.location|asfunction:_root\.launch)" "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,multimatch" # Rule 340147: Generic XSS filter SecRule REQUEST_URI "!(/administrator/index\.php\?option=com_(?:rsform|sobipro|nbill|modules|employment|aclassif|redshop|cckjseblod|templates))" \ "chain,deny,status:403,phase:2,t:none,t:lowercase,capture,id:310718,rev:41,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/^lang\[/|!ARGS:metakey|!ARGS:tcode|!ARGS:thecode|!ARGS:/accolade/|!ARGS:/^vertex/|!ARGS:location|!ARGS:tz_media_code|!ARGS:slider|!ARGS:/format/|!ARGS:/confirmation/|!ARGS:answer|!ARGS:fieldstyle|!ARGS:/dialogue/|!ARGS:/performances/|!ARGS:values|!ARGS:media|!ARGS:/synopsis/|!ARGS:/button/|!ARGS:thirdparty|!ARGS:/question/|!ARGS:/premiere/|!ARGS:/disallow/|!ARGS:addr|!ARGS:/instrumentation/|!ARGS:fulladdress|!ARGS:msc.restrict|!ARGS:/profile/|!ARGS:/leftcol/|!ARGS:rs_specs|!ARGS:dloadexp|!ARGS:passwd|!ARGS:/rightcol/|!ARGS:title|!ARGS:/suffix/|!ARGS:php_out|!ARGS:/projects/|!ARGS:order_sign|!ARGS:/^button/|!ARGS:/remark/|!ARGS:/discography/|!ARGS:/^breves/|!ARGS:/custom/|!ARGS:/^zcck/|!ARGS:/limitpage/|!ARGS:/^tpl_/|!ARGS:/biog/|!ARGS:/^attr/|!ARGS:/custhead/|!ARGS:/custfoot/|!ARGS:/display/|!ARGS:/^arg/|!ARGS:/^ctl_next/|!ARGS:/print/|!ARGS:/quote/|!ARGS:/instructions/|!ARGS:deal_coupon|!ARGS:output|!ARGS:/^one/|!ARGS:ll|!ARGS:js|!ARGS:/^rsmailConfig/|!ARGS:/^extraf/|!ARGS:/send/|!ARGS:/^cb_/|!ARGS:/enquire/|!ARGS:/^dms/|!ARGS:/testimonial/|!ARGS:/accesoires/|!ARGS:tip|!ARGS:/feature/|!ARGS:/^cf/|!ARGS:/sherpa/|!ARGS:/review/|!ARGS:/server/|!ARGS:id|!ARGS:/term/|!ARGS:/thank/|!ARGS:/booking/|!ARGS:/msg/|!ARGS:/notice/|!ARGS:/email/|!ARGS:/caption/|!ARGS:ad_code|!ARGS:/pagecode/|!ARGS:/priceFormat/|!ARGS:/filter/|!ARGS:/^items/|!ARGS:/navigation/|!ARGS:/chronofield/|!ARGS:/script/|!ARGS:/specification/|!ARGS:/^code_/|!ARGS:/config/|!ARGS:/popup/|!ARGS:terms|!ARGS:parent_path|!ARGS:/^tips/|!ARGS:tag|!ARGS:/^form/|!ARGS:/^params/|!ARGS:/intro/|!ARGS:/info/|!ARGS:sidebar|!ARGS:code|!ARGS:/^option_value/|!ARGS:pay_inst_1|!ARGS:contact_info|!ARGS:thankyou|!ARGS:Right_photo_1|!ARGS:sml_prt_1|!ARGS:/layout/|!ARGS:thanksemail|!ARGS:/^jform/|!ARGS:/param/|!ARGS:/^xjxargs/|!ARGS:/^language_strings/|!ARGS:misc|!ARGS:layout|!ARGS:oid|!ARGS:prefix|!ARGS:/embedVideo/|!ARGS:value|!ARGS:default_value|!ARGS:/vendor_/|!ARGS:/^K2ExtraField/|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/field_unit/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/duties/|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:/duties/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:parent_path|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:awards|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?script|(?:<|< ?/)(?:(?:java|vb)script|about|applet|activex|chrome)|\%env|< ?i?frame ?src ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\.add|\@)import |asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s|lowsrc ?=|mocha\:|\bon(?:abort|blur|change|click|submit|select|dragdrop|focus|key(?:down|press|up)|mouse(?:down|move|out|over|up))\b ?=|shell\:|window\.location|asfunction:_root\.launch)" "t:none,t:urlDecodeUni,t:replaceComments,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace" SecRuleRemoveById 340009 SecRuleRemoveById 390620 SecRuleRemoveById 340077 SecRuleRemoveById 380011 SecRuleRemoveById 380012 SecRuleRemoveById 380018 380019 380020 SecRuleRemoveById 340157 SecRuleRemoveById 340007 SecRuleRemoveById 340113 341211 SecRuleRemoveById 340852 SecRuleRemoveById 340853 SecRuleRemoveById 340854 </LocationMatch> <LocationMatch /administrator/index2.php> SecRuleRemoveById 340147 350147 331025 350148 350149 340157 340095 380025 381025 340128 380018 340029 SecRule REQUEST_URI|ARGS|!ARGS:/onsubmitcode/|!ARGS:html|!ARGS:file|!ARGS:/^p_process_chat/|!ARGS:/template/|!ARGS:snippet|!ARGS:phpcode|!ARGS:intro|!ARGS:/title/|!ARGS:/^data_parent/|!ARGS:code|!ARGS:lajmi|!ARGS:newcontent|!ARGS:content|!ARGS:/desc/|!ARGS:/hilit/|!ARGS:/hilight/|!ARGS:/highlight/|!ARGS:/body/|!ARGS:/post/|!ARGS:/txt|!ARGS:/content/|!ARGS:/keyword/|!ARGS:/summary/|!ARGS:/note/|!ARGS:/solution/|!ARGS:/msg/|!ARGS:/highlight/|!ARGS:/text/|!ARGS:/subject/|!ARGS:/message/|!ARGS:/post/|!ARGS:/resolution/|!ARGS:/problem/ "; ?(?:cat|ls|perl|uname|pwd|cp|kill|echo|tclsh8?|cpp|python|chown|rm|kill|ping|rsync|rdiff-backup|scp|wget|curl|links|g\+\+|ch(?:grp|own)|passwd|bash|telnet) " \ "phase:2,deny,status:403,capture,id:343329,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhitespace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible command in REQUEST_URI or Argument',logdata:'%{TX.0}'" SecRuleRemoveById 340014 # Rule 340147: Generic XSS filter SecRule ARGS|ARGS_NAMES|!ARGS:/^cf/|!ARGS:/^OSDCS/|!ARGS:/^ARGS:booking_/|!ARGS:/^option_value/|!ARGS:/^one/|!ARGS:Right_photo_1|!ARGS:/term/|!ARGS:/^field/|!ARGS:/xargs/|!ARGS:/biography/|!ARGS:/review/|!ARGS:autogenerated|!ARGS:/^book/|!ARGS:/email/|!ARGS:/editor/|!ARGS:/listid/|!ARGS:/^_qf/|!ARGS:/select/|!ARGS:/filter/|!ARGS:/^tips/|!ARGS:/^items/|!ARGS:/navigation/|!ARGS:/chronofield/|!ARGS:/params/|!ARGS:tag|!ARGS:/^code_/|!ARGS:terms|!ARGS:/^form/|!ARGS:parent_path|!ARGS:/config/|!ARGS:/intro/|!ARGS:/info/|!ARGS:/^K2ExtraField/|!ARGS:/OSDCS/|!ARGS:info|!ARGS:server_validation|!ARGS:sidebar|!ARGS:pay_inst_1|!ARGS:/submitcode/|!ARGS:misc|!ARGS:/layout/|!ARGS:oid|!ARGS:layout|!ARGS:prefix|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame|\%env)" \ "deny,status:403,phase:2,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:310618,rev:92,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter',logdata:'%{TX.0}'" SecRuleRemoveById 390620 SecRuleRemoveById 340009 SecRuleRemoveById 380018 380019 380020 SecRuleRemoveById 340113 341211 SecRuleRemoveById 340016 SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 SecRule ARGS|!ARGS:task|!ARGS:q|!ARGS:submit2|!ARGS:/query/|!ARGS:/sql/ "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table)|delete[[:space:]]*update.+set.+=)" \ "deny,status:403,phase:2,id:341544,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection (/administrator/index2.php)'" SecRuleRemoveById 380006 SecRuleRemoveById 380011 SecRule ARGS|!ARGS:task|!ARGS:submit2|!ARGS:/query/|!ARGS:/sql/ "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table)|delete[[:space:]]*update.+set.+=)" \ "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,deny,status:403,phase:2,id:341545,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection (/administrator/index2.php)'" SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:message|!ARGS:text|!ARGS:/^form/| "/(\x3D|=)[^\n]*(\x3C|<)[^\n]+(\x3E|>)" \ "t:none,t:compressWhitespace,deny,status:403,phase:2,id:380006,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XSS Generic attack'" SecRule REQUEST_URI|ARGS|!ARGS:fcontent|!ARGS:videoplayer|!ARGS:/css/|!ARGS:/^wpm/|!ARGS:/message/|!ARGS:body|!ARGS:wysiwyg_input|!ARGS:pagecontent|!ARGS:/html/|!ARGS:filecontent|!ARGS:content|!ARGS:filename|!ARGS:fck_body|!ARGS:text|!ARGS:message "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \ "deny,status:403,phase:2,t:none,t:lowercase,id:340789,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied'" SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 380012 SecRuleRemoveById 340159 SecRuleRemoveById 340151 SecRule ARGS|!ARGS:/text/|!ARGS:fck_tw_body|!ARGS:/query/|!ARGS:/sql/|!ARGS:sub|!ARGS:msg_body|!ARGS:saved_data|!ARGS:fck_body|!ARGS:text|!ARGS:form[pagina_text]|!ARGS:description|!ARGS:message|!ARGS:content "(?:(\w+)and(\w+)char\([0-9]+\)|(?:execute|convert)\(|(?:\;delete.*;(?:insert|declare|varchar)|(?:and .* \(select |(?:drop|create)(\w+)table|declare .* varchar\())|convert\(varchar|null,(?:null,(?:null|accesslevel|user_name),|concat\()|union select |union all select |\b\W*?cast\b\W*?\(.* as |xecresultset|';declare\b\W*?|;set @)" \ "deny,status:403,phase:2,multiMatch,id:341808,t:none,t:base64Decode,t:hexDecode,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:lowercase,t:replaceComments,t:compressWhiteSpace,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection (MM)'" SecRule REQUEST_URI "!(/products/index\.php\?gallery=)" \ "deny,status:403,phase:2,chain,t:none,t:lowercase,id:340794,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied'" SecRule REQUEST_URI|ARGS|!ARGS:/message/|!ARGS:body|!ARGS:/css/|!ARGS:/^wpm/|!ARGS:wysiwyg_input|!ARGS:pagecontent|!ARGS:/html/|!ARGS:filecontent|!ARGS:content|!ARGS:filename|!ARGS:fck_body|!ARGS:text|!ARGS:message|!ARGS:videoplayer "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" SecRuleRemoveById 340007 SecRule REQUEST_URI|ARGS|!ARGS:fcontent|!ARGS:/message/|!ARGS:/css/|!ARGS:/^wpm/|!ARGS:body|!ARGS:wysiwyg_input|!ARGS:pagecontent|!ARGS:/html/|!ARGS:filecontent|!ARGS:content|!ARGS:filename|!ARGS:fck_body|!ARGS:text|!ARGS:message|!ARGS:videoplayer "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \ "deny,status:403,phase:2,t:none,t:lowercase,id:340796,rev:14,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied'" </LocationMatch> <LocationMatch /req.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340026 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:str2 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340744,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:str2 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340750,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cgi-bin/news/news.cgi> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340026 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:c "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:341746,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:c "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340752,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /wp-admin/themes.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 #SecRule ARGS|!ARGS:tz_feedburner_email|!ARGS:tz_feedburner|!ARGS:tz_selectedtab|!ARGS:/icon/|!ARGS:/logo/|!ARGS:/linkedin/|!ARGS:/youtube/|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/twitter/|!ARGS:/link/|!ARGS:/theme/|!ARGS:/logo/|!ARGS:flickr|!ARGS:/banner/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/banner/|!ARGS:/image/|!ARGS:revchurch_video|!ARGS:/^YBN_/|!ARGS:bfa_ata_logo "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ # "id:340753,chain,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:11,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" #SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" #SecRule ARGS|!ARGS:tz_feedburner_email|!ARGS:tz_feedburner=|!ARGS:tz_selectedtab|!ARGS:/icon/|!ARGS:/logo/|!ARGS:/linkedin/|!ARGS:/youtube/|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/twitter/|!ARGS:/link/|!ARGS:/theme/|!ARGS:/logo/|!ARGS:flickr|!ARGS:/banner/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/banner/|!ARGS:/image/|!ARGS:revchurch_video|!ARGS:/^YBN_/|!ARGS:bfa_ata_logo "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ # "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340754,rev:11,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" #SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /edit-item.php> SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /removed.php> SecRuleRemoveById 340084 </LocationMatch> <LocationMatch /ezGctrlpanel.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:defaultprodpg|!ARGS:/redirect/|!ARGS:/link/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/pthanks/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:350746,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:defaultprodpg|!ARGS:/redirect/|!ARGS:/link/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/pthanks/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:350756,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "deny,status:403,phase:2,!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /magazine/index.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/path/|!ARGS:/site/|!ARGS:return|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:q|!ARGS:/referer/|!ARGS:/refer/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:343745,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:6,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/path/|!ARGS:/site/|!ARGS:return|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:q|!ARGS:/referer/|!ARGS:/refer/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340758,rev:6,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /fckeditor/editor/filemanager/browser/default/browser.html> SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /track.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/referrer/|!ARGS:/^S/|!ARGS:ref|!ARGS:/referer/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340745,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:6,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/referrer/|!ARGS:/^S/|!ARGS:ref|!ARGS:/referer/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340760,rev:6,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /flashgallery.php> SecRuleRemoveById 340006 SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /req.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^S/|!ARGS:str2 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340761,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^S/|!ARGS:str2 "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340762,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/patch.php> SecRuleRemoveById 340157 SecRuleRemoveById 340160 </LocationMatch> <LocationMatch /etc/reality-info.css> SecRuleRemoveById 340009 </LocationMatch> <LocationMatch /alt_doc.php> SecRuleRemoveById 380011 340113 341211 340145 390572 SecRuleRemoveById 340147 340148 350147 331025 350148 340149 </LocationMatch> <LocationMatch /product_modify.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:distribution|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^efields/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,id:340763,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:distribution|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^efields/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340764,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /fix.swf> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:x "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340765,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:x "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340766,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /typo3/alt_mod_frameset.php> SecRuleRemoveById 340006 SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /cnf_config.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^val_/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340767,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^val_/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340768,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /classes/crop_image.php> SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /members/create_listing.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /livesupport/install/dbperform.php> SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 SecRuleRemoveById 340155 </LocationMatch> <LocationMatch /st/out.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:u "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340769,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:u "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340770,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /db_sql.php> SecRuleRemoveById 340016 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 SecRuleRemoveById 340155 </LocationMatch> <LocationMatch /catch.php > SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:ru "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340771,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:ru "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340772,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/languages.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^var_value/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340775,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^var_value/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340776,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /slideshow/admin/p.php> SecRuleRemoveById 340151 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:a "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,id:340776,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:a "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "deny,status:403,phase:2,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340778,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /wp-admin/theme-editor.php> SecRuleRemoveById 340855 340095 340155 340159 340157 380020 340011 SecRuleRemoveById 340029 SecRuleRemoveById 340113 341211 SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340128 SecRuleRemoveById 341045 SecRuleRemoveById 390715 SecRuleRemoveById 340006 SecRule REQUEST_URI "!(alt_mod_frameset.php|checkout_shipping.php|^/components/com_zoom/etc/|/admin\.swf\?nick=|/editor/filemanager/browser/default/browser\.html\?(Type=Image&)?Connector=\.\./\.\./connectors)" \ "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,deny,status:403,phase:2,chain,t:normalisePath,id:340671,rev:19,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied in URI/ARGS', chain" SecRule REQUEST_URI|ARGS|!ARGS:webpage[content]|!ARGS:article[content]|!ARGS:filecontent|!ARGS:/text/|!ARGS:/message/|!ARGS:/^fck_/|!ARGS:htmlSource|!ARGS:path_to_lzx|!ARGS:content|!ARGS:newcontent "(?:\.\./\.\./|\.\|\./\.\|\./\.\.)" #PHP injection SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!ARGS:/content/|!ARGS:/descripcion/|!ARGS:/text/|!ARGS:/description/|!ARGS:/resolution/|!ARGS:/message/|!ARGS:/msg/ "\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|(?:g|b)z(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:(?:g|b)z)?file|dir)|gzinflate|base64_decode|str_rot13|move_uploaded_file|(?:proc_|bz)open|call_user_func|$_(?:(?:pos|ge)t|session))\b" \ "phase:2,deny,status:403,rev:4,capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP Injection Attack',id:'390725',logdata:'%{TX.0}',severity:'2'" SecRule ARGS|!ARGS:newcontent|!ARGS:khxc_incphp--filename|!ARGS:file_contents|!ARGS:filecontent|!ARGS:message|!ARGS:defaultParamList|!ARGS:body|!ARGS:gbu0_proddetdisp--incdisp "(?:or.+1[[:space:]]*=[[:space:]][0-9]|(?:or 1=[0-9]|'.+)--'|null is null)" \ "t:urlDecodeUni,t:urlDecodeUni,t:compressWhitespace,t:lowercase,phase:2,deny,status:403,id:340777,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection'" SecRule ARGS "(?:(?:eval|passthru) ?\( ?(?:base64_decode|gz(?:inflate|decode|encode)) ?\(|str_rot13 ?\()" \ "t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:345729,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious code injection via WP theme-editor',deny,status:403,phase:2" SecRule ARGS "(?:(?:eval|passthru) ?\( ?(?:base64_decode|gz(?:inflate|decode|encode)) ?\(|str_rot13 ?\()" \ "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:345730,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious code injection via WP theme-editor',deny,status:403,phase:2" SecRule ARGS "(?:(?:eval|passthru) ?\( ?(?:base64_decode|gz(?:inflate|decode|encode)) ?\(|str_rot13 ?\()" \ "t:none,t:base64Decode,t:compressWhitespace,t:lowercase,id:345731,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious code injection via WP theme-editor',deny,status:403,phase:2" </LocationMatch> <LocationMatch /components/com_oziogallery/preview.swf> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:xmlPath "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340779,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:xmlPath "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340780,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /fla_music.swf> SecRuleRemoveById 340006 SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /mickadmincp/user.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfield/|!ARGS:user[homepage] "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340781,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfield/|!ARGS:user[homepage] "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340782,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /wp-admin/tools.php> SecRuleRemoveById 380006 390707 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /includes/c0ntaktu3.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:bad_template "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340785,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:bad_template "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340786,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /formmail.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:this_form "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340787,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:this_form "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340788,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /free.cgi> SecRuleRemoveById 340018 </LocationMatch> <LocationMatch /plugins/wp-postratings/postratings-admin-ajax.php> SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /search.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340026 SecRule ARGS|!ARGS:search_keywords|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:file "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340790,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:search_keywords|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:file "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340791,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /online/index.php > SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340792,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340793,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /contenido/main.php> SecRuleRemoveById 340144 340016 340029 390715 340145 390572 340128 380018 SecRule ARGS|!ARGS:display_query|!ARGS:Db_submit|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:Post|!ARGS:text|!ARGS:action|!ARGS:op|!ARGS:setup_db|!ARGS:wptextbox1|!ARGS:message|!ARGS:/^SQL/|!ARGS:query_string|!ARGS:query|!ARGS:description|!ARGS:output "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table)|delete[[:space:]]*update.+set.+=)" \ "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,phase:2,deny,status:403,id:340795,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection 2',chain" </LocationMatch> <LocationMatch /imageresize.php> SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /taguchitest.php> SecRuleRemoveById 340022 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:r "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340797,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:r "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340798,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /forums/modcp/moderate.php> SecRuleRemoveById 340144 SecRule ARGS|!ARGS:/text/|!ARGS:display_query|!ARGS:Db_submit|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:Post|!ARGS:text|!ARGS:action|!ARGS:op|!ARGS:setup_db|!ARGS:wptextbox1|!ARGS:message|!ARGS:/^SQL/|!ARGS:query_string|!ARGS:query|!ARGS:description "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table)|delete[[:space:]]*update.+set.+=)" \ "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,phase:2,deny,status:403,id:340799,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection 2',chain" </LocationMatch> <LocationMatch /odp/index.php> SecRuleRemoveById 380007 SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:c "/\w*(\x27|\’)(\x6F|o|\x4F)(\x72|r|\x52)" \ "t:none,t:compressWhitespace,t:lowercase,phase:2,deny,status:403,id:340800,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: SQL Inject Generic signature'" </LocationMatch> <LocationMatch /Yanner.php> SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /pluskernel/settings.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:r "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340801,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:r "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340802,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /sql_error.php> SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 390572 </LocationMatch> <LocationMatch /login-register.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:passwordlogin "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340803,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:passwordlogin "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340804,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /lecture.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:lec_rm|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:lec_doc "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340805,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:lec_rm|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:lec_doc "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340806,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /response.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:aardvark_page "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340807,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:aardvark_page "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340808,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /edit_css.ph> SecRuleRemoveById 340006 SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /modules/mod_oneononechat/phpfunctions.php> SecRuleRemoveById 340149 SecRuleRemoveById 340148 </LocationMatch> <LocationMatch /sql/fileman2.php> SecRuleRemoveById 340007 SecRule REQUEST_URI|ARGS|!ARGS:dir|!ARGS:/txt/|!ARGS:css_data|!ARGS:/text/|!ARGS:/message/|!ARGS:body|!ARGS:wysiwyg_input|!ARGS:pagecontent|!ARGS:/html/|!ARGS:filecontent|!ARGS:content|!ARGS:filename|!ARGS:fck_body|!ARGS:text|!ARGS:/content/ "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \ "phase:2,deny,status:403,t:none,t:lowercase,id:340810,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied'" </LocationMatch> <LocationMatch /wp-content/plugins/simple-popup-images/popup.php> SecRuleRemoveById 340026 </LocationMatch> <LocationMatch /design/swapimages_onmousemove.js> SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /edit_image> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:DirName|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:aardvark_page "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340811,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:DirName|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:aardvark_page "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340812,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /server.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/^p_/|!ARGS:rf|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:aardvark_page "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340813,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/^p_/|!ARGS:rf|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:aardvark_page "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340814,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /php/compress.php> SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /tbl_replace.php> SecRuleRemoveById 350147 331025 340029 340155 340113 341211 SecRuleRemoveById 350148 SecRuleRemoveById 340016 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch wp-content/themes/bobv2/dax.swf> SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /wp-admin/plugin-install.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:s|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:/web/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340815,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:s|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:/web/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340816,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" </LocationMatch> <LocationMatch /sitemap/index.php> SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule ARGS|!ARGS:errmsg "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|< ?iframe ?|\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|\bon(?:abort|blur|change|click|dragdrop|focus|keydown|keypress|keyup|mouse(?:down|move|out|over|up))\b|script |shell\:|window\.location)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340817,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" </LocationMatch> <LocationMatch /tbl_row_action.php> SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /www/delivery/lg.php> SecRuleRemoveById 340148 340162 340163 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /tiny_mce/themes/advanced/source_editor.htm> SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admincp/automediaembed_admin.php> SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /wp-comments-post.php> SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /compose.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 390711 SecRuleRemoveById 390620 SecRuleRemoveById 390613 390614 </LocationMatch> <LocationMatch /cgi-bin/database/admin.pl> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:process_login|!ARGS:message|!ARGS:oldmsg|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/note/|!ARGS:/summary/|!ARGS:section|!ARGS:/xml/|!ARGS:/^descr/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:comment|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)" \ "phase:2,deny,status:403,chain,t:none,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340818,rev:12,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter'" SecRule ARGS "!(^(submit\+>>|>>)$)" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:process_login|!ARGS:message|!ARGS:oldmsg|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:section|!ARGS:/note/|!ARGS:/summary/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:/^descr/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:comment|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?((img|i?frame) ?src|a ?href) ?= ?(ogg|gopher|zlib|(ht|f)tps?):/|alert ?\(|<? ((java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?>|< ?/?i?frame)" \ "phase:2,deny,status:403,chain,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340819,rev:22,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" SecRule ARGS "!(^(submit\+>>|>>)$)" "t:none,t:lowercase" # XSS injection SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:process_login|!ARGS:message|!ARGS:oldmsg|!ARGS:t_cont|!ARGS:footnote|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:/^descr/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:Submit|!ARGS:comment|!ARGS:/message/|!ARGS:formSubmit|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|iframe |\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|script |shell\:|window\.location)" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340820,rev:18,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" SecRule ARGS "!(^(submit\+>>|>>)$)" </LocationMatch> <LocationMatch /cynghrair/change.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /adm_noticies.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /plugins/ctrt/index.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:log|!ARGS:process_login|!ARGS:message|!ARGS:oldmsg|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:/^descr/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:comment|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)" \ "phase:2,deny,status:403,t:none,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340821,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:log|!ARGS:process_login|!ARGS:message|!ARGS:oldmsg|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:/^descr/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:comment|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?((img|i?frame) ?src|a ?href) ?= ?(ogg|gopher|zlib|(ht|f)tps?):/|alert ?\(|<? ((java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?>|< ?/?i?frame)" \ "phase:2,deny,status:403,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340822,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" # XSS injection SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:log|!ARGS:process_login|!ARGS:message|!ARGS:oldmsg|!ARGS:t_cont|!ARGS:footnote|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:/^descr/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:Submit|!ARGS:comment|!ARGS:/message/|!ARGS:formSubmit|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|iframe |\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|script |shell\:|window\.location)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340823,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" </LocationMatch> <LocationMatch /install.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /install1.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /wp-admin/themes.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admincp/> SecRuleRemoveById 340147 350147 331025 350148 350149 390707 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380018 380019 380020 SecRuleRemoveById 340852 SecRuleRemoveById 340853 SecRuleRemoveById 340854 </LocationMatch> <LocationMatch /admincp/css.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /modules/upl/wc/CSXML.php> SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /onmouseover.js> SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admincp/vbacmps_install.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /manage/bios/edit/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /manage/index.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 # Rule 340147: Generic XSS filter SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/description/|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:cache|!ARGS:_module|!ARGS:_op|!ARGS:title|!ARGS:desc|!ARGS:news|!ARGS:expiry|!ARGS:domain|!ARGS:email_id|!ARGS:obj_itop|!ARGS:route|!ARGS:token|!ARGS:/^mymodule/|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:phpcode|!ARGS:intro|!ARGS:Snippet|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:input[Desarrollo]|!ARGS:move2|!ARGS:hoperation|!ARGS:login_form|!ARGS:/product_benefits/|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:bbcode_tpl|!ARGS:Right_photo_1|!ARGS:embedVideo|!ARGS:/^K2ExtraField/|!ARGS:mentorhelp|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:/quote/|!ARGS:/print/|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:360678,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter',chain,logdata:'%{TX.0}'" SecRule ARGS "!(^(submit\+>>|>>)$)" # Rule 340148: XSS injection with multimatch checks SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/description/|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:cache|!ARGS:_module|!ARGS:_op|!ARGS:title|!ARGS:desc|!ARGS:news|!ARGS:expiry|!ARGS:domain|!ARGS:pay_inst_1|!ARGS:route|!ARGS:token|!ARGS:/^mymodule/|!ARGS:/^jform/|!ARGS:eip_value|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:move2|!ARGS:input[Desarrollo]|!ARGS:hoperation|!ARGS:arg2|!ARGS:login_form|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:/submitcode/|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:/quote/|!ARGS:/print/|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(ht|f)tps?)\:/|alert ?\(|<? (?:(?:java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?>|< ?/?i?frame|\%env)" \ "chain,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:360679,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}',multiMatch" SecRule ARGS "!(^(submit\+>>|>>)$)" "t:none,t:lowercase" # Rule 340149: XSS injection SecRule REQUEST_URI|ARGS|!ARGS:cache|!ARGS:_module|!ARGS:_op|!ARGS:title|!ARGS:desc|!ARGS:news|!ARGS:expiry|!ARGS:domain|!ARGS:/description/|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:pay_inst_1|!ARGS:sml_prt_1|!ARGS:/^jform/|!ARGS:route|!ARGS:token|!ARGS:/^mymodule/|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:input[Desarrollo]|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:login_form|!ARGS:create_tables|!ARGS:insertfile|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:move2|!ARGS:hoperation|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:mes|!ARGS:signature|!ARGS:/quote/|!ARGS:paepdc|!ARGS:/quote/|!ARGS:/print/|!ARGS:/VB_announce/|!ARGS:/^autoDS/|!ARGS:newyddionc|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|!ARGS:search_theme_form_keys|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|!(i|t)on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|shell\:|window\.location|asfunction:_root\.launch|\%env)" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:341149,rev:112,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule ARGS "!(^(submit(\+| )>>|>>)$)" "t:none,t:lowercase" </LocationMatch> <LocationMatch /cgi-bin/cp-admin.cgi> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /_admin/> SecRuleRemoveById 340006 SecRuleRemoveById 340007 SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /siteadmin/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /cmsadmin/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /forumadmin/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /management/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /manager/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /edit_product> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /rssadmin/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /order/input.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/page/|!ARGS:order|!ARGS:youtube|!ARGS:reply|!ARGS:/^B/|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/product_desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:/descr/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)" \ "phase:2,deny,status:403,t:none,t:htmlEntityDecode,t:replaceNulls,t:compressWhitespace,t:lowercase,id:341823,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/^B/|!ARGS:order|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/product_desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:/descr/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?((img|i?frame) ?src|a ?href) ?= ?(ogg|gopher|zlib|(ht|f)tps?):/|alert ?\(|<? ((java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?>|< ?/?i?frame)" \ "phase:2,deny,status:403,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340824,rev:33,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" </LocationMatch> <LocationMatch /ftp/index.php> SecRuleRemoveById 340144 SecRule ARGS|!ARGS:state|!ARGS:postpagetext|!ARGS:display_query|!ARGS:Db_submit|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:Post|!ARGS:text|!ARGS:action|!ARGS:op|!ARGS:setup_db|!ARGS:wptextbox1|!ARGS:message|!ARGS:/^SQL/|!ARGS:query_string|!ARGS:query|!ARGS:description "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table)|delete[[:space:]]*update.+set.+=)" \ "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,phase:2,deny,status:403,id:340825,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection 2',chain" </LocationMatch> <LocationMatch /editField.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin1/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /edit/index.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /ticketreply.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340144 SecRule ARGS|!ARGS:reply|!ARGS:postpagetext|!ARGS:display_query|!ARGS:Db_submit|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:Post|!ARGS:text|!ARGS:action|!ARGS:op|!ARGS:setup_db|!ARGS:wptextbox1|!ARGS:message|!ARGS:/^SQL/|!ARGS:query_string|!ARGS:query|!ARGS:description "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table)|delete[[:space:]]*update.+set.+=|union all select |union select [a-z][0-9]+ )" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:340852,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection 2',chain" </LocationMatch> <LocationMatch /tiny_mce/plugins/advlink/link.htm> SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /webadmin/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /front_content.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/main/> SecRuleRemoveById 340017 </LocationMatch> <LocationMatch /install/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /FormMail.conf> SecRuleRemoveById 340017 SecRule ARGS|!ARGS:CompanyType|!ARGS:ncontent|!ARGS:/body/|!ARGS:/content/|!ARGS:searchword|!ARGS:add_keywords|!ARGS:comments|!ARGS:text|!ARGS:/description/|!ARGS:/^sql/|!ARGS:/products_description/|!ARGS:contactMessage|!ARGS:cts|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:description|!ARGS:introtext|!ARGS:Post|!ARGS:sql_query|!ARGS:itembigtext|!ARGS:article_content|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:general[description]|!ARGS:response[14]|!ARGS:article|!ARGS:wptextbox1 "(?:insert into values|select from [a-z|0-9]|bulk insert|union select |union all select|convert \(.*from)" \ "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,phase:2,deny,status:403,id:340826,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection in ARGS'" </LocationMatch> <LocationMatch /Wizard/Pages> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/email.php> SecRuleRemoveById 340009 </LocationMatch> <LocationMatch /dict.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:request|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)" \ "phase:2,deny,status:403,t:none,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340827,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:request|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)" \ "phase:2,deny,status:403,t:none,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340828,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter'" </LocationMatch> <LocationMatch /webadmin.php> SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /admin/> SecRuleRemoveById 340007 SecRuleRemoveById 340009 SecRuleRemoveById 390709 </LocationMatch> <LocationMatch /ntunnel_mysql.ph> SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 </LocationMatch> <LocationMatch /planner.php> SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:title|!ARGS:request|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)" \ "phase:2,deny,status:403,t:none,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340829,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:title|!ARGS:request|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)" \ "phase:2,deny,status:403,t:none,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340830,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter'" </LocationMatch> <LocationMatch /facebook/> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /install2.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380018 380019 380020 SecRuleRemoveById 340852 SecRuleRemoveById 340853 SecRuleRemoveById 340854 </LocationMatch> <LocationMatch /install.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380018 380019 380020 SecRuleRemoveById 340852 SecRuleRemoveById 340853 SecRuleRemoveById 340854 </LocationMatch> <LocationMatch /stream/index.php> SecRuleRemoveById 340018 </LocationMatch> <LocationMatch /secure.php> SecRuleRemoveById 340007 SecRuleRemoveById 340009 SecRuleRemoveById 390709 </LocationMatch> <LocationMatch /uplay/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /mapas_admin_edit.php> SecRule ARGS|!ARGS:/titulo/|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:passwordlogin "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340831,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/titulo/|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:passwordlogin "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340832,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /projectpier/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/supportkb.php> SecRuleRemoveById 340147 350147 331025 350148 350149 340095 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /systemadmin/supportkb.php> SecRuleRemoveById 340147 350147 331025 350148 350149 340095 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /manage.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin_panel/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /inc/php/img.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/media/> SecRuleRemoveById 340164 </LocationMatch> <LocationMatch /wizard_forms.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/content/types/import> SecRuleRemoveById 340160 </LocationMatch> <LocationMatch /wp-admin/post.php> SecRuleRemoveById 340147 350147 331025 350148 350149 380020 340006 390707 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380006 SecRuleRemoveById 340095 SecRuleRemoveById 340113 341211 </LocationMatch> <LocationMatch /wp-admin/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 390620 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380018 SecRuleRemoveById 340852 SecRuleRemoveById 340853 SecRuleRemoveById 340854 </LocationMatch> <LocationMatch /tstemplate/ts/index.php> SecRuleRemoveById 340017 </LocationMatch> <LocationMatch /alta.php> SecRuleRemoveById 340006 SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /setup/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /install/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/settings.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /projects/csb/ticket/> SecRuleRemoveById 340144 </LocationMatch> <LocationMatch /contenido/main.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /orderform/processor.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /cgi-bin/soupermail.pl> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /read_dump.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin_center/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admincenter/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /HomeDeveloper.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /bevestiging.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /imagemanager/stream/index.php> SecRuleRemoveById 390614 SecRuleRemoveById 390615 SecRuleRemoveById 380006 </LocationMatch> <LocationMatch /export.php> SecRuleRemoveById 340160 340155 SecRuleRemoveById 340016 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /privado/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /webform/configure> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /portalcp/vbpoptions.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /thubservice.php > SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /user.php> SecRuleRemoveById 340162 340163 SecRule ARGS|!ARGS:homepage|!ARGS:return|!ARGS:/user/|!ARGS:/pass/|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:www|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:passwordlogin "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340833,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:homepage|!ARGS:return|!ARGS:/user/|!ARGS:/pass/|!ARGS:/icon/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:www|!ARGS:/text/|!ARGS:/redir/|!ARGS:/image/|!ARGS:/^userfile/|!ARGS:page|!ARGS:passwordlogin "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340834,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /survey/index.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/move/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,t:none,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340835,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/move/|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?((img|i?frame) ?src|a ?href) ?= ?(ogg|gopher|zlib|(ht|f)tps?):/|alert ?\(|<? ((java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?>|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340836,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" SecRule REQUEST_URI|ARGS|!ARGS:/move/|!ARGS:embeddump|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|!ARGS:search_theme_form_keys|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:user[usertitle]|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:/desc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|iframe |\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|!(i|t)on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|script |shell\:|window\.location|asfunction:_root\.launch|\%env)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340837,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" </LocationMatch> <LocationMatch /forum/post.php> SecRuleRemoveById 340009 </LocationMatch> <LocationMatch /crop_auto.php> SecRuleRemoveById 340007 SecRuleRemoveById 340008 </LocationMatch> <LocationMatch /admin/main.php> SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /thumb.php> SecRuleRemoveById 340161 340007 340006 340162 340163 340165 </LocationMatch> <LocationMatch /com_virtuemart/fetchscript.php> SecRuleRemoveById 340007 SecRuleRemoveById 340026 </LocationMatch> <LocationMatch /uploader.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /survey/preview.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule REQUEST_URI|ARGS|!ARGS:/survey/|ARGS_NAMES|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,t:none,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340840,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter'" # Rule 340148: XSS injection SecRule REQUEST_URI|ARGS|!ARGS:/survey/|ARGS_NAMES|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?((img|i?frame) ?src|a ?href) ?= ?(ogg|gopher|zlib|(ht|f)tps?):/|alert ?\(|<? ((java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?>|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340841,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" # Rule 340149: XSS injection SecRule REQUEST_URI|ARGS|!ARGS:/survey/|!ARGS:embeddump|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|!ARGS:search_theme_form_keys|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:user[usertitle]|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:/desc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|iframe |\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|!(i|t)on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|script |shell\:|window\.location|asfunction:_root\.launch|\%env)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340842,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" </LocationMatch> <LocationMatch /linkmachine.php> SecRuleRemoveById 340147 350147 331025 350148 350149 340162 340165 340163 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /productadd.php> SecRuleRemoveById 340144 SecRule ARGS|!ARGS:create|!ARGS:postpagetext|!ARGS:display_query|!ARGS:Db_submit|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:Post|!ARGS:text|!ARGS:action|!ARGS:op|!ARGS:setup_db|!ARGS:wptextbox1|!ARGS:message|!ARGS:/^SQL/|!ARGS:query_string|!ARGS:query|!ARGS:description "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table)|delete[[:space:]]*update.+set.+=)" \ "t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,phase:2,deny,status:403,id:340843,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection 2'" </LocationMatch> <LocationMatch /admint/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /setupCTCForm.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/db.php> SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 </LocationMatch> <LocationMatch /admin-translate/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /mailtemplate_outpay1_result.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /Admin/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /supportannouncements.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /socialware/popups/add_friend.php> SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /open.php> SecRule ARGS|!ARGS:/site/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:q "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:340844,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/site/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:q "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:340845,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /order/totals.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/token/|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,t:none,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340846,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:token/|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?((img|i?frame) ?src|a ?href) ?= ?(ogg|gopher|zlib|(ht|f)tps?):/|alert ?\(|<? ((java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?>|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340847,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" # Rule 340149: XSS injection SecRule REQUEST_URI|ARGS|!ARGS:/token/|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|!ARGS:search_theme_form_keys|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:user[usertitle]|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:/desc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|iframe |\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|!(i|t)on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|shell\:|window\.location|asfunction:_root\.launch|\%env)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340848,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack'" </LocationMatch> <LocationMatch /admin/write.php> SecRuleRemoveById 340016 340162 340165 340163 SecRule REQUEST_URI|ARGS|!ARGS:/text/|!ARGS:/movie/|!ARGS:/message/|!ARGS:ncontent|!ARGS:/body/|!ARGS:/content/|!ARGS:searchword|!ARGS:add_keywords|!ARGS:comments|!ARGS:text|!ARGS:/descr/|!ARGS:/^sql/|!ARGS:contactMessage|!ARGS:cts|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:introtext|!ARGS:Post|!ARGS:sql_query|!ARGS:itembigtext|!ARGS:article_content|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:response[14]|!ARGS:/article/ "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\bunion\b.{1,100}?\bselect\b.*[a-z0-9].*from)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:340849,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection'" </LocationMatch> <LocationMatch /admin/addvideo.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /installation/install3.php > SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380018 380019 380020 SecRuleRemoveById 340852 SecRuleRemoveById 340853 SecRuleRemoveById 340854 </LocationMatch> <LocationMatch /installation/install.php > SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380018 380019 380020 SecRuleRemoveById 340852 SecRuleRemoveById 340853 SecRuleRemoveById 340854 </LocationMatch> <LocationMatch /install/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380018 380019 380020 SecRuleRemoveById 340852 SecRuleRemoveById 340853 SecRuleRemoveById 340854 </LocationMatch> <LocationMatch /categorie.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/iframe/|!ARGS:/page/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:340850,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/iframe/|!ARGS:/page/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:340851,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" </LocationMatch> <LocationMatch /install.php> SecRuleRemoveById 340009 SecRuleRemoveById 390709 </LocationMatch> <LocationMatch /quick_reply.php> SecRuleRemoveById 340016 </LocationMatch> <LocationMatch /adm-misc.php> SecRuleRemoveById 340009 SecRuleRemoveById 390709 </LocationMatch> <LocationMatch /install/> SecRuleRemoveById 340009 SecRuleRemoveById 390709 </LocationMatch> <LocationMatch /Glossary.pl> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin-create-edit-page.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /question/question.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/> SecRuleRemoveById 390707 SecRuleRemoveById 390711 SecRuleRemoveById 340113 341211 </LocationMatch> <LocationMatch /administrator/> SecRuleRemoveById 390707 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /adm/> SecRuleRemoveById 390707 SecRuleRemoveById 340006 SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /typo3/> SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /setup/> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /portal/index.php> SecRuleRemoveById 340009 SecRule REQUEST_HEADERS|!REQUEST_HEADERS:X-PageView|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:REFERER|ARGS|!ARGS:/highlight/|!ARGS:name|!ARGS:/search/|!ARGS:/msg/|!ARGS:/comment/|!ARGS:/hilit/|!ARGS:/uri/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/description/|!ARGS:product[media_gallery][images]|!ARGS:/subject/|!ARGS:/comment/|!ARGS:/content/|!ARGS:/data/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/post/|!ARGS:LiveURLSegment|!ARGS:keywords|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:/description/|!ARGS:note_title|!ARGS:/^xjxargs/|!ARGS:backPath|!ARGS:webpage[content]|!ARGS:article[content]|!ARGS:filecontent|!ARGS:/message/|!ARGS:/^fck_/|!ARGS:htmlSource|!ARGS:path_to_lzx|!ARGS:content|!ARGS:/body/ "(?:/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|tmp|kern|[br]oot|sys|windows|winnt)/|(?:\/|\\\\)+inetpub|localstart\.asp|boot\.ini)" \ "phase:2,deny,status:403,t:none,t:normalisePath,t:lowercase,capture,id:340860,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Protected Path Access denied in URI/ARGS',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /components/com_zoom/etc/> SecRuleRemoveById 390709 </LocationMatch> <LocationMatch /admin_orders.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /Setup.jspa> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/pages.php> SecRuleRemoveById 340006 SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /sql.php3> SecRuleRemoveById 340009 SecRuleRemoveById 340160 SecRuleRemoveById 340016 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 </LocationMatch> <LocationMatch /sql.php> SecRuleRemoveById 340009 SecRuleRemoveById 340160 SecRuleRemoveById 340016 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 </LocationMatch> <LocationMatch /ipn_main_handler.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/^item_name/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340870,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/^item_name/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?((img|i?frame) ?src|a ?href) ?= ?(ogg|gopher|zlib|(ht|f)tps?):/|alert ?\(|<? ((java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?>|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340871,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|!ARGS:/^item_name/|!ARGS:newyddionc|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|!ARGS:search_theme_form_keys|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:user[usertitle]|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:/desc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|!(i|t)on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|shell\:|window\.location|asfunction:_root\.launch|\%env)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:340872,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /xcloner.php> SecRuleRemoveById 340009 </LocationMatch> <LocationMatch /cms/content.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:short|!ARGS:keywords|!ARGS:/code/|!ARGS:plaatje|!ARGS:ranking_info|!ARGS:/callback/|!ARGS:subject|!ARGS:pic|!ARGS:/sponsors/|!ARGS:want2Read|!ARGS:/webcam/|!ARGS:search_string|!ARGS:direct|!ARGS:yt_thumb|!ARGS:fflv|!ARGS:direct|!ARGS:/site/|!ARGS:source_location|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:user_mail_register_no_approval_required_body|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:/webseite/|!ARGS:/^utm/|!ARGS:resolution|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:/message/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:/youtube/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:pic1|!ARGS:/click/|!ARGS:rf|!ARGS:/web/|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:/^win/|!ARGS:lec_rm|!ARGS:n-state|!ARGS:/img/|!ARGS:Stream|!ARGS:CP_email|!ARGS:flvsite|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:attribute29|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:/server/|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:V_feed_email|!ARGS:itemIntro|!ARGS:photo|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:loc|!ARGS:/^description/|!ARGS:notification_body|!ARGS:sitead|!ARGS:/^product_long_/|!ARGS:/^topic_content_/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:address|!ARGS:board_msg|!ARGS:logo_path|!ARGS:prehtml_root|!ARGS:revpro_video|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/html_content/|!ARGS:desc|!ARGS:descripcion|!ARGS:body_html|!ARGS:/^field_id_/|!ARGS:wpUploadDescription|!ARGS:customer_footer|!ARGS:FAQTitle|!ARGS:host|!ARGS:/text/|!ARGS:whereto|!ARGS:/description/|!ARGS:item[content]|!ARGS:pathToPiwik|!ARGS:admin_footer|!ARGS:email_sig|!ARGS:minicms_content|!ARGS:feed|!ARGS:/^artsee_banner_/|!ARGS:pingback_service|!ARGS:showStr|!ARGS:hostname|!ARGS:htmlSource|!ARGS:/virtual_http_path/|!ARGS:/virtual_https_path/|!ARGS:f_content|!ARGS:bannercode|!ARGS:email_forward|!ARGS:fetch|!ARGS:/txt/|!ARGS:blog|!ARGS:RTServerName|!ARGS:mesg|!ARGS:forward|!ARGS:atc_content|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/^commontemplate/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:footer_scripts|!ARGS:advBannerMessage|!ARGS:thumb|!ARGS:question_content|!ARGS:u|!ARGS:header|!ARGS:action|!ARGS:cptpl_dir|!ARGS:forum_desc|!ARGS:file_contents|!ARGS:newDesc|!ARGS:return_to|!ARGS:Stream|!ARGS:contents|!ARGS:arg6|!ARGS:dbhost|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:cat_sponsor|!ARGS:stretch|!ARGS:/^fields_prev/|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:contactMessage|!ARGS:var_value[usps_labels_help_2]|!ARGS:short_story|!ARGS:intro_content|!ARGS:vinculo|!ARGS:openid_return_to|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:headers-28|!ARGS:fulldescr|!ARGS:soundname|!ARGS:bbcode_tpl|!ARGS:/link/|!ARGS:faqText|!ARGS:request_uri|!ARGS:google|!ARGS:definition|!ARGS:openid.return_to|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:from_href|!ARGS:Comentario|!ARGS:dynadata[_SIGNATURE]|!ARGS:ppicture|!ARGS:paypal_ipn|!ARGS:defaultImage|!ARGS:title|!ARGS:html|!ARGS:dbody|!ARGS:right_frame|!ARGS:l1_bdy|!ARGS:theMessage|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:commontemplate[header]|!ARGS:uri|!ARGS:wp_home|!ARGS:/^blockbody/|!ARGS:field11|!ARGS:field_id_7|!ARGS:/^ViewState/|!ARGS:vars[DBhostname]|!ARGS:postvars|!ARGS:base1|!ARGS:cart_header|!ARGS:setting[description]|!ARGS:video_google|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:full_story|!ARGS:source|!ARGS:set_static_uri_to|!ARGS:livesite|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:ret_address|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:html_code|!ARGS:/http_script_dir/|!ARGS:cfgfilecontent|!ARGS:/^PLUGIN_FEED/|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:/Website/|!ARGS:sig|!ARGS:template_data|!ARGS:template|!ARGS:option[ping_sites]|!ARGS:KT_Update1|!ARGS:flds[Message]|!ARGS:EditorHTML|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:option[home]|!ARGS:vars[siteName]|!ARGS:replycontents|!ARGS:sitedisclaimer|!ARGS:sm_b_style|!ARGS:success|!ARGS:/^css/|!ARGS:short_story|!ARGS:ecards_more_pic_target|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:/^products_description/|!ARGS:terms_content|!ARGS:statusaddress|!ARGS:revnews_ad_120|!ARGS:revnews_video|!ARGS:/sponsor_banner/|!ARGS:videoPath|!ARGS:newText|!ARGS:PageCopy|!ARGS:amp;loc|!ARGS:f_header|!ARGS:option[78]|!ARGS:savecontent|!ARGS:agendWebPage|!ARGS:params[helpsite]|!ARGS:iconnew|!ARGS:wpau-ftphost|!ARGS:gen_header|!ARGS:button_dir|!ARGS:news_desc|!ARGS:x_organizational|!ARGS:href|!ARGS:form_element3|!ARGS:wptextbox1|!ARGS:edit[site_mission]|!ARGS:answer|!ARGS:intro|!ARGS:note|!ARGS:c_msg|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/^sql_/|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/^rss/|!ARGS:/rss$/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:team[logo]|!ARGS:helpbox|!ARGS:return|!ARGS:basehref|!ARGS:/^redirect/|!ARGS:redir|!ARGS:ret|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:portal_body|!ARGS:filecontent|!ARGS:inc|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:body|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:notes|!ARGS:missing_fields_redirect|!ARGS:templatePath|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:oldmsg|!ARGS:/redirect/|!ARGS:src|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:site_desc|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:bbcode_replace|!ARGS:jumpTo|!ARGS:site|!ARGS:memo|!ARGS:live_site|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:g2_return|!ARGS:goto|!ARGS:site_first|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:fb_ref|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:pp_bio_content|!ARGS:xajaxargs[]|!ARGS:backto|!ARGS:/^http/|!ARGS:/^rsargs/|!ARGS:op|!ARGS:BLK_block_content|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:hamechalets_desc|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:description|!ARGS:ret|!ARGS:newDescription|!ARGS:area|!ARGS:content|!ARGS:/^data\[tt_content\]/|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:newcontent|!ARGS:st_widget|!ARGS:video|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:in[http]|!ARGS:dynafield[_SIGNATURE]|!ARGS:payment_extrainfo|!ARGS:virtual_http_path|!ARGS:cta_content|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:/^virtual_http/|!ARGS:cta_content|!ARGS:map_description_1|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:field5|!ARGS:p_content|!ARGS:f_site|!ARGS:CANCEL_RETURN "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/" \ "phase:2,deny,status:403,capture,id:340873,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:keywords|!ARGS:short|!ARGS:plaatje|!ARGS:ranking_info|!ARGS:/code/|!ARGS:/callback/|!ARGS:pic|!ARGS:/sponsors/|!ARGS:want2Read|!ARGS:/webcam/|!ARGS:search_string|!ARGS:yt_thumb|!ARGS:subject|!ARGS:direct|!ARGS:user_mail_register_no_approval_required_body|!ARGS:fflv|!ARGS:direct|!ARGS:/site/|!ARGS:source_location/|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:/openid_identifier|!ARGS:/adres/|!ARGS:/logo/|!ARGS:/webseite/|!ARGS:resolution|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:/message/|!ARGS:/^utm/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:/youtube/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:pic1|!ARGS:clickTag1|!ARGS:rf|!ARGS:web|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:lec_rm|!ARGS:n-state|!ARGS:/img/|!ARGS:Stream|!ARGS:CP_email|!ARGS:flvsite|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:/^clickTagFrame/|!ARGS:attribute29|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:/^V_feed/|!ARGS:itemIntro|!ARGS:photo|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:/^GARS_existing/|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:loc|!ARGS:notification_body|!ARGS:sitead|!ARGS:/^product_long/|!ARGS:/server/|!ARGS:/^topic_content/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:address|!ARGS:board_msg|!ARGS:logo_path|!ARGS:prehtml_root|!ARGS:revpro_video|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/html_content/|!ARGS:desc|!ARGS:body_html|!ARGS:/^field_id_/|!ARGS:wpUploadDescription|!ARGS:/footer/|!ARGS:FAQTitle|!ARGS:host|!ARGS:webpath|!ARGS:/text/|!ARGS:whereto|!ARGS:/description/|!ARGS:item[content]|!ARGS:pathToPiwik|!ARGS:email_sig|!ARGS:minicms_content|!ARGS:feed|!ARGS:/^artsee_banner_/|!ARGS:fetch|!ARGS:pingback_service|!ARGS:hostname|!ARGS:htmlSource|!ARGS:/virtual_http_path/|!ARGS:/virtual_https_path/|!ARGS:f_content|!ARGS:email_forward|!ARGS:blog|!ARGS:RTServerName|!ARGS:mesg|!ARGS:forward|!ARGS:atc_content|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/^commontemplate/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:advBannerMessage|!ARGS:thumb|!ARGS:question_content|!ARGS:u|!ARGS:header|!ARGS:action|!ARGS:cptpl_dir|!ARGS:newDesc|!ARGS:forum_desc|!ARGS:file_contents|!ARGS:return_to|!ARGS:Stream|!ARGS:contents|!ARGS:arg6|!ARGS:dbhost|!ARGS:copyright|!ARGS:newwebpath|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:stretch|!ARGS:cat_sponsor|!ARGS:/^fields_prev/|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:contactMessage|!ARGS:var_value[usps_labels_help_2]|!ARGS:short_story|!ARGS:intro_content|!ARGS:vinculo|!ARGS:openid_return_to|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:headers-28|!ARGS:fulldescr|!ARGS:soundname|!ARGS:Direccionsitioweb|!ARGS:/link/|!ARGS:faqText|!ARGS:request_uri|!ARGS:google|!ARGS:ud_web|!ARGS:openid.return_to|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:from_href|!ARGS:Comentario|!ARGS:/^dynadata/|!ARGS:ppicture|!ARGS:paypal_ipn|!ARGS:defaultImage|!ARGS:title|!ARGS:html|!ARGS:dbody|!ARGS:right_frame|!ARGS:l1_bdy|!ARGS:theMessage|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:uri|!ARGS:commontemplate[header]|!ARGS:wp_home|!ARGS:/^blockbody/|!ARGS:field11|!ARGS:field_id_7|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:vars[DBhostname]|!ARGS:base1|!ARGS:cart_header|!ARGS:setting[description]|!ARGS:webcam|!ARGS:video_google|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:full_story|!ARGS:source|!ARGS:set_static_uri_to|!ARGS:livesite|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:ret_address|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:/webaddress/|!ARGS:/http_script_dir/|!ARGS:cfgfilecontent|!ARGS:/^PLUGIN_FEED/|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:/Website/|!ARGS:sig|!ARGS:template_data|!ARGS:template|!ARGS:option[ping_sites]|!ARGS:KT_Update1|!ARGS:flds[Message]|!ARGS:EditorHTML|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:option[home]|!ARGS:vars[siteName]|!ARGS:replycontents|!ARGS:sitedisclaimer|!ARGS:sm_b_style|!ARGS:success|!ARGS:short_story|!ARGS:/^css/|!ARGS:ecards_more_pic_target|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:/^products_description/|!ARGS:terms_content|!ARGS:statusaddress|!ARGS:revnews_ad_120|!ARGS:revnews_video|!ARGS:/sponsor_banner/|!ARGS:videoPath|!ARGS:web_site|!ARGS:newText|!ARGS:PageCopy|!ARGS:amp;loc|!ARGS:f_header|!ARGS:option[78]|!ARGS:savecontent|!ARGS:params[helpsite]|!ARGS:iconnew|!ARGS:agendWebPage|!ARGS:wpau-ftphost|!ARGS:gen_header|!ARGS:button_dir|!ARGS:news_desc|!ARGS:x_organizational|!ARGS:href|!ARGS:form_element3|!ARGS:wptextbox1|!ARGS:edit[site_mission]|!ARGS:answer|!ARGS:intro|!ARGS:c_msg|!ARGS:note|!ARGS:domain|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/^sql_/|!ARGS:clickTAG|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/^rss/|!ARGS:/rss$/|!ARGS:/url/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:team[logo]|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:basehref|!ARGS:/redirect/|!ARGS:redir|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:portal_body|!ARGS:filecontent|!ARGS:inc|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:body|!ARGS:Post|!ARGS:data[Label][website]|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:webeditor1|!ARGS:oldmsg|!ARGS:src|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:site_desc|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:jumpTo|!ARGS:site|!ARGS:memo|!ARGS:live_site|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:user_website|!ARGS:g2_return|!ARGS:goto|!ARGS:site_first|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:userDetails[web_address]|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:web_address|!ARGS:msgpreview|!ARGS:fb_ref|!ARGS:notes|!ARGS:pn_domain|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:value_190|!ARGS:pp_bio_content|!ARGS:xajaxargs[]|!ARGS:backto|!ARGS:/^http/|!ARGS:/^rsargs/|!ARGS:op|!ARGS:BLK_block_content|!ARGS:ret|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:hamechalets_desc|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:description|!ARGS:newDescription|!ARGS:area|!ARGS:content|!ARGS:/^data\[tt_content\]/|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:newcontent|!ARGS:st_widget|!ARGS:video|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:in[http]|!ARGS:map|!ARGS:dynafield[_SIGNATURE]|!ARGS:payment_extrainfo|!ARGS:virtual_http_path|!ARGS:cta_content|!ARGS:x_website|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:/^virtual_http/|!ARGS:cta_content|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:code|!ARGS:field5|!ARGS:p_content|!ARGS:f_site|!ARGS:CANCEL_RETURN "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/" \ "phase:2,deny,status:403,id:340874,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,capture,chain,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /mailordermanager5.mvc> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /content_pop.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /backend/noticias_abm.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /pncrtl/options.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin.cgi> SecRuleRemoveById 340147 350147 331025 350148 350149 380020 340029 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340855 SecRuleRemoveById 340128 SecRuleRemoveById 340131 SecRuleRemoveById 340113 341211 </LocationMatch> <LocationMatch /fim_thumb.php> SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /intaketemp.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /sqltoexcel/sql2excel.php> SecRuleRemoveById 340016 </LocationMatch> <LocationMatch /moodle/mod/glossary/edit.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /miespacio/adpaepdc.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch ext/ics_awstats/mod1/index.php> SecRuleRemoveById 340026 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340151 SecRule ARGS|!ARGS:config "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/" "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:320463,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (modules.php)'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:config "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/" "phase:2,deny,status:403,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:320462,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (modules.php)'" </LocationMatch> <LocationMatch /Wizard/Edit/Modules/Eshop/Product/Insert> SecRuleRemoveById 340009 SecRule REQUEST_HEADERS|!REQUEST_HEADERS:X-PageView|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:REFERER|ARGS|!ARGS:redirect_to|!ARGS:field_id_29|!ARGS:/highlight/|!ARGS:/search/|!ARGS:/msg/|!ARGS:/comment/|!ARGS:/hilit/|!ARGS:/uri/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/description/|!ARGS:product[media_gallery][images]|!ARGS:/subject/|!ARGS:/comment/|!ARGS:/content/|!ARGS:/data/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/post/|!ARGS:LiveURLSegment|!ARGS:keywords|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:/description/|!ARGS:note_title|!ARGS:/^xjxargs/|!ARGS:backPath|!ARGS:webpage[content]|!ARGS:article[content]|!ARGS:filecontent|!ARGS:/message/|!ARGS:/^fck_/|!ARGS:htmlSource|!ARGS:path_to_lzx|!ARGS:content|!ARGS:/body/ "(?:/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|kern|[br]oot|sys|windows|winnt)/|(?:\/|\\\\)+inetpub|localstart\.asp|boot\.ini)" \ "phase:2,deny,status:403,t:none,t:normalisePath,t:lowercase,capture,id:321463,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Protected Path Access denied in URI/ARGS',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /ucp.php> SecRuleRemoveById 340007 SecRule REQUEST_URI|ARGS|!ARGS:redirect|!ARGS:/resolution/|!ARGS:/description/|!ARGS:/comment/|!ARGS:/obrazek/|!ARGS:/txt/|!ARGS:/keywords/|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:css_data|!ARGS:/text/|!ARGS:/message/|!ARGS:/body/|!ARGS:/content/|!ARGS:/html/|!ARGS:filename "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \ "phase:2,deny,status:403,t:none,t:lowercase,capture,id:321464,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /response_3D.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340151 SecRule ARGS|!ARGS:config|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/domain/|!ARGS:ResponsePath "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/" "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:320468,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (modules.php)'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:config|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/domain/|!ARGS:ResponsePath "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/" "phase:2,deny,status:403,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:320469,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (modules.php)'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /GetClientPolicies.aspx> SecRuleRemoveById 340147 350147 331025 350148 350149 340162 340165 340163 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:xml|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:320470,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:xml|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(ht|f)tps?)\:/|alert ?\(|<? (?:(?:java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?>|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:320472,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}',multimatch" # Rule 340149: XSS injection SecRule REQUEST_URI|ARGS|!ARGS:paepdc|!ARGS:/VB_announce/|!ARGS:xml|!ARGS:/^autoDS/|!ARGS:newyddionc|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|!ARGS:search_theme_form_keys|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:user[usertitle]|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:/desc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|!(i|t)on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|shell\:|window\.location|asfunction:_root\.launch|\%env)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceNulls,t:compressWhitespace,id:320471,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /add_product.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:picture|!ARGS:/url/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:320572,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:179,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:picture|!ARGS:/url/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:320473,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,capture,chain,rev:179,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /wp-admin/page.php> SecRuleRemoveById 340113 341211 </LocationMatch> <LocationMatch /affiliate/scripts/server.ph> SecRuleRemoveById 340144 </LocationMatch> <LocationMatch /modules/resize.php$> SecRuleRemoveById 340009 SecRule REQUEST_HEADERS|!REQUEST_HEADERS:X-PageView|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:REFERER|ARGS|!ARGS:g2_prefix|!ARGS:g2_form[path]|!ARGS:/keyword/|!ARGS:field_id_29|!ARGS:/highlight/|!ARGS:/search/|!ARGS:/msg/|!ARGS:/comment/|!ARGS:/hilit/|!ARGS:/uri/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/description/|!ARGS:product[media_gallery][images]|!ARGS:/subject/|!ARGS:/comment/|!ARGS:/content/|!ARGS:/data/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/post/|!ARGS:LiveURLSegment|!ARGS:keywords|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:/description/|!ARGS:note_title|!ARGS:/^xjxargs/|!ARGS:backPath|!ARGS:webpage[content]|!ARGS:article[content]|!ARGS:filecontent|!ARGS:/message/|!ARGS:/^fck_/|!ARGS:htmlSource|!ARGS:path_to_lzx|!ARGS:content|!ARGS:/body/|!ARGS:imagefile "(?:/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|kern|[br]oot|sys|windows|winnt)/|(?:\/|\\\\)+inetpub|localstart\.asp|boot\.ini)" \ "phase:2,deny,status:403,t:none,t:normalisePath,t:lowercase,capture,id:321486,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Protected Path Access denied in URI/ARGS', logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /nota_abm.php$> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 </LocationMatch> <LocationMatch /admin/service/productToCategory.php> SecRuleRemoveById 340157 </LocationMatch> <LocationMatch /admin/moduleinterface.php> SecRuleRemoveById 340113 341211 </LocationMatch> <LocationMatch /ajax_file_upload.php> SecRuleRemoveById 340006 340007 347008 SecRule ARGS|!ARGS:folder|!ARGS:/description/|!ARGS:/comment/|!ARGS:obrazek|!ARGS:/txt/|!ARGS:keywords|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:css_data|!ARGS:/text/|!ARGS:/message/|!ARGS:body|!ARGS:pagecontent|!ARGS:/html/|!ARGS:filecontent|!ARGS:content|!ARGS:filename|!ARGS:fck_body|!ARGS:text|!ARGS:/content/ "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \ "phase:2,deny,status:403,t:none,t:lowercase,capture,id:320486,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied',logdata:'%{TX.0}'" SecRule ARGS "\.\./\.\./\.\./\.\./\.\./\.\./\.\./" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:normalisePath,id:359008,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious deep path recursion denied'" </LocationMatch> <LocationMatch /ajax_create_folder.php> SecRuleRemoveById 340006 340007 347008 SecRule ARGS|!ARGS:folder|!ARGS:/description/|!ARGS:/comment/|!ARGS:obrazek|!ARGS:/txt/|!ARGS:keywords|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:css_data|!ARGS:/text/|!ARGS:/message/|!ARGS:body|!ARGS:pagecontent|!ARGS:/html/|!ARGS:filecontent|!ARGS:content|!ARGS:filename|!ARGS:fck_body|!ARGS:text|!ARGS:/content/ "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \ "phase:2,deny,status:403,t:none,t:lowercase,capture,id:320487,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied',logdata:'%{TX.0}'" SecRule ARGS "\.\./\.\./\.\./\.\./\.\./\.\./\.\./" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:normalisePath,id:359008,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious deep path recursion denied'" </LocationMatch> <LocationMatch /test_templates.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /phpminiadmin.php> SecRuleRemoveById 340144 SecRuleRemoveById 340016 </LocationMatch> <LocationMatch /webacula/restorejob/> SecRuleRemoveById 340009 </LocationMatch> <LocationMatch /calendar/functions/popup.php> SecRuleRemoveById 390715 #PHP injection SecRule REQUEST_FILENAME|ARGS|XML:/*|!ARGS:/descripcion/|!ARGS:/text/|!ARGS:/description/|!ARGS:/resolution/|!ARGS:/message/|!ARGS:/msg/ "\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|(?:g|b)z(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:(?:g|b)z)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func|$_(?:(?:pos|ge)t|session))\b" \ "phase:2,deny,status:403,rev:4,capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP Injection Attack',id:'390726',logdata:'%{TX.0}',severity:'2'" </LocationMatch> <LocationMatch /cms/> SecRuleRemoveById 340113 341211 SecRule QUERY_STRING|ARGS|!ARGS:content|!ARGS:wrap|!ARGS:txtContent|!ARGS:/template/|!ARGS:text "(?i:(((url|src|href|lowsrc)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,id:390727,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: cross site scripting stealth attempt to inject javascript ',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /tbl_export.php> SecRuleRemoveById 350147 340155 SecRuleRemoveById 350148 SecRuleRemoveById 340016 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /import.php> SecRuleRemoveById 340095 340157 SecRuleRemoveById 380018 380019 380020 SecRuleRemoveById 340128 SecRuleRemoveById 340009 SecRule REQUEST_HEADERS|!REQUEST_HEADERS:X-PageView|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:REFERER|ARGS|!ARGS:/sql/|!ARGS:/txt/|!ARGS:/summary/|!ARGS:/text/|!ARGS:/^config/|!ARGS:/^dPcfg/|!ARGS:g2_prefix|!ARGS:g2_form[path]|!ARGS:/keyword/|!ARGS:field_id_29|!ARGS:/highlight/|!ARGS:/search/|!ARGS:/msg/|!ARGS:/comment/|!ARGS:/hilit/|!ARGS:/uri/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/description/|!ARGS:product[media_gallery][images]|!ARGS:/subject/|!ARGS:/comment/|!ARGS:/content/|!ARGS:/data/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/post/|!ARGS:LiveURLSegment|!ARGS:keywords|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:/description/|!ARGS:note_title|!ARGS:/^xjxargs/|!ARGS:backPath|!ARGS:webpage[content]|!ARGS:article[content]|!ARGS:filecontent|!ARGS:/message/|!ARGS:/^fck_/|!ARGS:htmlSource|!ARGS:path_to_lzx|!ARGS:content|!ARGS:/body/ "(?:/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|tmp|kern|[br]oot|sys|windows|winnt)/|(?:\/|\\\\)+inetpub|localstart\.asp|boot\.ini)" \ "phase:2,deny,status:403,t:none,t:normalisePath,capture,id:390728,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Protected Path Access denied in URI/ARGS', logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /civicrm/admin/> SecRuleRemoveById 340149 350147 350148 </LocationMatch> <LocationMatch /civicrm/report/contact/summary> SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /instellingen.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:IDEAL_EMAIL "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:390729,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:IDEAL_EMAIL "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:390730,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,multimatch,capture,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/listing_editresult.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> #below, ARGS:grossprofit case #3668 <LocationMatch /admin/items_price_result.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/configure_homepage.php> SecRuleRemoveById 380018 380019 380020 350147 350148 340147 340148 340149 </LocationMatch> <LocationMatch /newreply.php> SecRuleRemoveById 390621 </LocationMatch> <LocationMatch /editpost.php> SecRuleRemoveById 390621 380020 </LocationMatch> <LocationMatch /admin/file_manager.php> SecRuleRemoveById 340855 </LocationMatch> <LocationMatch /includes/conteudosActions.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /webim/button.php> SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /includes/multimediaActions.php> SecRuleRemoveById 340006 </LocationMatch> <LocationMatch /includes/lojaActions.php> SecRuleRemoveById 390703 </LocationMatch> <LocationMatch /config/index.php> SecRuleRemoveById 340007 SecRule REQUEST_URI|ARGS|!ARGS:/CACHE_PATH/|!ARGS:SQLiteDataDir|!ARGS:/description/|!ARGS:/comment/|!ARGS:obrazek|!ARGS:/txt/|!ARGS:keywords|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:css_data|!ARGS:/text/|!ARGS:/message/|!ARGS:body|!ARGS:pagecontent|!ARGS:/html/|!ARGS:filecontent|!ARGS:content|!ARGS:filename|!ARGS:fck_body|!ARGS:text|!ARGS:/content/ "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \ "phase:2,deny,status:403,t:none,t:lowercase,capture,id:390731,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /modedit.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/categories.php> SecRuleRemoveById 340147 350147 331025 350148 350149 340162 340165 340163 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /addClass.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /MediaLibrary.php> SecRuleRemoveById 390700 </LocationMatch> <LocationMatch /meta_admin.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340113 341211 </LocationMatch> <LocationMatch /admin/question_edit.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/processors/directory_addedit.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380006 </LocationMatch> <LocationMatch /wp-admin/widgets.php> SecRuleRemoveById 380006 </LocationMatch> <LocationMatch /admin/aprod.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380006 </LocationMatch> <LocationMatch /admin/ritem.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 380006 </LocationMatch> <LocationMatch /affiliate/scripts/server.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /sifr.swf> SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/smalladmin/index.php> SecRuleRemoveById 340016 </LocationMatch> <LocationMatch /content_manager.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /account/loginPost/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:video_credits|!ARGS:move2|!ARGS:hoperation|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:send|!ARGS:resumoDetalhe|!ARGS:bbcode_tpl|!ARGS:Right_photo_1|!ARGS:embedVideo|!ARGS:/^K2ExtraField/|!ARGS:mentorhelp|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:370147,rev:87,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic XSS filter',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:video_credits|!ARGS:move2|!ARGS:hoperation|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:send|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:/submitcode/|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(ht|f)tps?)\:/|alert ?\(|<? (?:(?:java|vb)?script|applet|activex|chrome) ?>|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?>|< ?/?i?frame|\%env)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,multimatch,capture,id:370148,rev:95,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /admin/package_edit.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /cgi-bin/setup.cgi> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /pncrtl/template.php> SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /novedades_abm.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /cgi-bin/PManage/pmanage.cgi> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /sage/download.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /VersionCheck.php> SecRuleRemoveById 330700 </LocationMatch> <LocationMatch /Kameleon.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340026 #SecRule ARGS "!@pmFromFile trusted-domains.conf" chain SecRule REQUEST_URI|ARGS|!ARGS:static|!ARGS:/url/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:370149,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:static|!ARGS:/url/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:370150,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,capture,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /click.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340026 SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:c "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:370151,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:c "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:370152,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,capture,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/cruise_co_process.php> SecRuleRemoveById 340152 </LocationMatch> <LocationMatch /supportcenter/> SecRuleRemoveById 340152 </LocationMatch> <LocationMatch /sendmail.php> SecRuleRemoveById 340113 341211 </LocationMatch> <LocationMatch /files_code.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/hidden/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:370153,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/hidden/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:370154,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,capture,chain,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /modify.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/direct/|!ARGS:/thumb/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:370155,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/direct/|!ARGS:/thumb/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:370156,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,capture,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/layout/edit/> SecRuleRemoveById 380018 380019 380020 SecRule ARGS|REQUEST_URI_RAW|XML:/*|!ARGS:filecontent|!ARGS:/template/|!ARGS:/header/|!ARGS:/^layout/ "(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gzd?en?code|gzinflate|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|base64_decode|decode_base64|str_rot13|php_uname|file_get_contents|include|require|require_once|parse_ini_file|shell_exec|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|include|php_uname|preg_\w+|execute)\s*[\"\(@]" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,capture,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potentially malicious PHP code injection attempt',id:370157,rev:1,logdata:'%{TX.0}',severity:'2'" </LocationMatch> <LocationMatch /edit_behaviour.php> SecRuleRemoveById 340016 SecRuleRemoveById 340146 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 390572 SecRuleRemoveById 340159 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 340156 SecRuleRemoveById 340155 SecRuleRemoveById 340157 SecRuleRemoveById 340160 SecRuleRemoveById 390711 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 </LocationMatch> <LocationMatch /otrs/index.pl> SecRuleRemoveById 390715 340009 390709 340007 340006 SecRuleRemoveById 340095 SecRuleRemoveById 340027 SecRuleRemoveById 340011 SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 340128 SecRuleRemoveById 340131 SecRuleRemoveById 380018 380019 380020 </LocationMatch> <LocationMatch /content/edit/> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /ISES/config.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^func_key/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:360663,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/^func_key/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:360664,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /cacti/data_input.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /cgi-bin/bmailerCP.cgi> SecRuleRemoveById 340009 </LocationMatch> <LocationMatch /wp-admin/admin.php> SecRuleRemoveById 390707 340095 340007 SecRuleRemoveById 390572 SecRuleRemoveById 340145 331025 331026 331027 331028 </LocationMatch> <LocationMatch /control_panel.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /apsona_svc.php> SecRuleRemoveById 340159 SecRule ARGS|XML:/*|!ARGS:data|!ARGS:/sql/|!ARGS:query|!ARGS:/descr/|!ARGS:/body/|!ARGS:/text/|!ARGS:fck_tw_body|!ARGS:sub|!ARGS:msg_body|!ARGS:saved_data|!ARGS:fck_body|!ARGS:text|!ARGS:form[pagina_text]|!ARGS:description|!ARGS:message|!ARGS:content "(?:(\w+)(?:user|and)(\w+)char\([0-9]+\)|(?:execute|convert)\(|; ?delete.*;(?:insert|declare|varchar)|and .* \( ?select |(?:drop|create)(\w+)table|(?:declare|convert) .* varchar\(|null ?, ?(?:null ?, ?(?:accesslevel|user_name)) ?,|concat\(|union select |union all select|\b\W*?cast\b\W*?\(.* as |xecresultset|' ?; ?declare\b\W*?|; ?set @|select (?:load_file|char\()|(?:insert|remark)test;)" \ "phase:2,deny,status:403,capture,id:360665,t:none,t:base64Decode,t:hexDecode,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,t:replaceComments,t:compressWhiteSpace,rev:28,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection (MM)',logdata:'%{TX.0}',multiMatch" </LocationMatch> <LocationMatch /css/gallery-css.php> SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 390572 </LocationMatch> <LocationMatch /rcv_paypal.php> SecRuleRemoveById 340095 SecRule ARGS|!ARGS:/item_name/|!ARGS:/Metatags/|!ARGS:/footerfile/|!ARGS:/layout/|!ARGS:message|!ARGS:email|!ARGS:/description/|!ARGS:body|!ARGS:/text/|!ARGS:/txt/|!ARGS:content "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|(?:passthru|php_uname|phpinfo|preg_\w+|shell_exec|exec|eval|system) ?\()" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:360666,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP attack in Argument',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /upload_crop.php> SecRuleRemoveById 340006 SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /admin/generic_edit.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340095 SecRuleRemoveById 340147 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/edit_workshops.php> SecRuleRemoveById 340095 SecRuleRemoveById 380025 381025 380126 SecRule ARGS|!ARGS:/Metatags/|!ARGS:/footerfile/|!ARGS:/layout/|!ARGS:message|!ARGS:email|!ARGS:/description/|!ARGS:body|!ARGS:/text/|!ARGS:/txt/|!ARGS:content "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|(?:passthru|php_uname|phpinfo|preg_\w+|shell_exec|exec|system) ?\()" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:360667,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP attack in Argument',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /collect_db.php> SecRuleRemoveById 390614 </LocationMatch> <LocationMatch /a__iIconCreateLive.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:contentfrom "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,id:360668,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:contentfrom "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:360669,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /etc/get_testimonial.php> SecRuleRemoveById 390709 </LocationMatch> <LocationMatch /_vti_bin/_vti_aut/author.exe> SecRuleRemoveById 390709 #Protected file upload protection SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup .wwwacl .history .bash_history" \ "id:333851,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,skip:1" SecAction phase:2,id:334397,t:none,pass,nolog,skipAfter:END_FILE_PROTECTION_SPEC_1 SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!ARGS:/hilit/|!ARGS:/hilight/|!ARGS:/highlight/|!ARGS:/body/|!ARGS:/post/|!ARGS:/txt|!ARGS:tiny_vals|!ARGS:/description/|!ARGS:content|!ARGS:/keyword/|!ARGS:/desc/|!ARGS:/summary/|!ARGS:/note/|!ARGS:/solution/|!ARGS:/msg/|!ARGS:/highlight/|!ARGS:/text/|!ARGS:/search/|!ARGS:/subject/|!ARGS:/message/|!ARGS:/post/|!ARGS:/resolution/|!ARGS:/problem/|!ARGS:/data/ "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|httpd\.conf|boot\.ini)\b|\/etc\/|/\.(?:history|bash_history|sh_history)$)" \ "phase:2,deny,status:403,capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Attempt to Access protect file Remotely',id:'360670',rev:14,logdata:'%{TX.0}',severity:'2'" SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|httpd\.conf|boot\.ini)\b|\/etc\/|/\.(?:history|bash_history|sh_history)$)" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Attempt to Access protect file Remotely',id:'360671',rev:6,logdata:'%{TX.0}',severity:'2'" # SecMarker END_FILE_PROTECTION_SPEC_1 </LocationMatch> <LocationMatch /admin/reclame.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /install/itron.php> SecRuleRemoveById 340157 SecRuleRemoveById 340855 SecRuleRemoveById 340159 SecRuleRemoveById 340157 SecRuleRemoveById 340016 SecRuleRemoveById 340160 </LocationMatch> <LocationMatch /editcode.php> SecRuleRemoveById 340016 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340147 SecRuleRemoveById 340148 SecRuleRemoveById 340149 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 350149 </LocationMatch> <LocationMatch /query_highlighted_block.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:theme|!ARGS:/url/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:360672,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:theme|!ARGS:/url/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,id:360673,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /query_block_highlight.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:theme|!ARGS:/url/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:360674,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:theme|!ARGS:/url/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,id:360675,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /query_block.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:theme|!ARGS:/url/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:360676,t:none,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:theme|!ARGS:/url/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,id:360677,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /shopadmin/index.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /cms/rss.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/cms-edit.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/manufacturers.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /EventAddAction.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin/settings/customerror> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /edit_design.php > SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /api.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /editresult_listing.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /products_product_process.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /admin_prod.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /editproperty_process.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /sections_process.php> SecRuleRemoveById 340147 350147 331025 350148 350149 SecRuleRemoveById 340148 SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /sg_saveentry.php> SecRuleRemoveById 350147 331025 350148 350149 </LocationMatch> <LocationMatch /admin_content_config.php> SecRuleRemoveById 350147 331025 350148 350149 340007 </LocationMatch> <LocationMatch /credit_log2.php> SecRuleRemoveById 350147 331025 350148 350149 </LocationMatch> <LocationMatch /folio-edit.php> SecRuleRemoveById 350147 331025 350148 350149 </LocationMatch> <LocationMatch /admin/prodedit.php> SecRuleRemoveById 350147 331025 350148 350149 </LocationMatch> <LocationMatch /livezilla/server.php> SecRuleRemoveById 350147 331025 350148 340113 341211 </LocationMatch> <LocationMatch /flvprovider.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /subscribe_user2group.php> SecRuleRemoveById 350147 331025 350148 350149 </LocationMatch> <LocationMatch /editcontent_process.php> SecRuleRemoveById 350147 331025 350148 350149 </LocationMatch> <LocationMatch /select_category.php> SecRuleRemoveById 350147 331025 350148 350149 </LocationMatch> <LocationMatch /acp/options.php> SecRuleRemoveById 350147 331025 350148 350149 </LocationMatch> <LocationMatch /editroster.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /process.php> SecRuleRemoveById 340162 340165 340163 SecRule REQUEST_URI|ARGS|!ARGS:fu|!ARGS:/text/|!ARGS:input_3|!ARGS:file|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cforms/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:theme|!ARGS:returnBond|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:sfhome|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/photo/|!ARGS:media|!ARGS:parent_name|!ARGS:back|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/twitter/|!ARGS:/flickr/|!ARGS:/youtube/|!ARGS:/blog/|!ARGS:/video/|!ARGS:/^field1/|!ARGS:_update_failure|!ARGS:_update_success|!ARGS:importremote|!ARGS:/callback/|!ARGS:hdwok|!ARGS:hdwnook|!ARGS:OpenID|!ARGS:akID[46][value]|!ARGS:setmedia|!ARGS:/^hilit/|!ARGS:/reciprocal/|!ARGS:/callback/|!ARGS:subject|!ARGS:pic|!ARGS:/sponsors/|!ARGS:want2Read|!ARGS:search_string|!ARGS:direct|!ARGS:yt_thumb|!ARGS:fflv|!ARGS:direct|!ARGS:source_location|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:user_mail_register_no_approval_required_body|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:/^utm/|!ARGS:resolution|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:/message/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:/youtube/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:pic1|!ARGS:/click/|!ARGS:rf|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:/^win/|!ARGS:lec_rm|!ARGS:n-state|!ARGS:Stream|!ARGS:CP_email|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:attribute29|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:/server/|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:itemIntro|!ARGS:photo|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:loc|!ARGS:notification_body|!ARGS:/^product_long_/|!ARGS:/^topic_content_/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:address|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:desc|!ARGS:descripcion|!ARGS:/^field_id_/|!ARGS:wpUploadDescription|!ARGS:customer_footer|!ARGS:FAQTitle|!ARGS:host|!ARGS:/txt/|!ARGS:whereto|!ARGS:/description/|!ARGS:item[content]|!ARGS:pathToPiwik|!ARGS:admin_footer|!ARGS:email_sig|!ARGS:minicms_content|!ARGS:/^artsee_banner_/|!ARGS:pingback_service|!ARGS:showStr|!ARGS:hostname|!ARGS:/virtual_http_path/|!ARGS:/virtual_https_path/|!ARGS:f_content|!ARGS:bannercode|!ARGS:email_forward|!ARGS:fetch|!ARGS:/txt/|!ARGS:RTServerName|!ARGS:mesg|!ARGS:forward|!ARGS:atc_content|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:footer_scripts|!ARGS:advBannerMessage|!ARGS:thumb|!ARGS:question_content|!ARGS:u|!ARGS:header|!ARGS:action|!ARGS:cptpl_dir|!ARGS:forum_desc|!ARGS:file_contents|!ARGS:newDesc|!ARGS:/return/|!ARGS:Stream|!ARGS:contents|!ARGS:arg6|!ARGS:dbhost|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:cat_sponsor|!ARGS:stretch|!ARGS:/^fields_prev/|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:contactMessage|!ARGS:/help/|!ARGS:short_story|!ARGS:intro_content|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:headers-28|!ARGS:fulldescr|!ARGS:soundname|!ARGS:bbcode_tpl|!ARGS:/link/|!ARGS:request_uri|!ARGS:google|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:from_href|!ARGS:Comentario|!ARGS:dynadata[_SIGNATURE]|!ARGS:ppicture|!ARGS:paypal_ipn|!ARGS:defaultImage|!ARGS:title|!ARGS:dbody|!ARGS:right_frame|!ARGS:l1_bdy|!ARGS:theMessage|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:uri|!ARGS:wp_home|!ARGS:/^blockbody/|!ARGS:field11|!ARGS:field_id_7|!ARGS:/^ViewState/|!ARGS:vars[DBhostname]|!ARGS:postvars|!ARGS:base1|!ARGS:cart_header|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:full_story|!ARGS:source|!ARGS:set_static_uri_to|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:ret_address|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:/http_script_dir/|!ARGS:cfgfilecontent|!ARGS:/^PLUGIN_FEED/|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:sig|!ARGS:KT_Update1|!ARGS:flds[Message]|!ARGS:EditorHTML|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:option[home]|!ARGS:replycontents|!ARGS:sm_b_style|!ARGS:success|!ARGS:/^css/|!ARGS:short_story|!ARGS:ecards_more_pic_target|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:terms_content|!ARGS:statusaddress|!ARGS:revnews_ad_120|!ARGS:/sponsor_banner/|!ARGS:PageCopy|!ARGS:amp;loc|!ARGS:f_header|!ARGS:option[78]|!ARGS:savecontent|!ARGS:agendWebPage|!ARGS:/icon/|!ARGS:wpau-ftphost|!ARGS:gen_header|!ARGS:button_dir|!ARGS:news_desc|!ARGS:x_organizational|!ARGS:href|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:note|!ARGS:c_msg|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/^rss/|!ARGS:/rss$/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:team[logo]|!ARGS:return|!ARGS:ureferrer|!ARGS:basehref|!ARGS:/^redirect/|!ARGS:redir|!ARGS:refertoyouby|!ARGS:ret|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:portal_body|!ARGS:filecontent|!ARGS:inc|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:body|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:notes|!ARGS:missing_fields_redirect|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:/referer/|!ARGS:/refer/|!ARGS:/redirect/|!ARGS:src|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:bbcode_replace|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:g2_return|!ARGS:goto|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:fb_ref|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:pp_bio_content|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^http/|!ARGS:/^rsargs/|!ARGS:op|!ARGS:BLK_block_content|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:hamechalets_desc|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:description|!ARGS:ret|!ARGS:newDescription|!ARGS:area|!ARGS:content|!ARGS:/^data\[tt_content\]/|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:newcontent|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:in[http]|!ARGS:dynafield[_SIGNATURE]|!ARGS:virtual_http_path|!ARGS:cta_content|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:/^virtual_http/|!ARGS:cta_content|!ARGS:map_description_1|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:field5|!ARGS:p_content|!ARGS:CANCEL_RETURN|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:330162,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:fu|!ARGS:/text/|!ARGS:input_3|!ARGS:file|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cforms/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:theme|!ARGS:returnBond|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:sfhome|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/photo/|!ARGS:media|!ARGS:parent_name|!ARGS:back|!ARGS:/facebook/|!ARGS:/pinterest/|!ARGS:/twitter/|!ARGS:/flickr/|!ARGS:/youtube/|!ARGS:/blog/|!ARGS:/video/|!ARGS:/^field1/|!ARGS:_update_failure|!ARGS:_update_success|!ARGS:importremote|!ARGS:/callback/|!ARGS:hdwok|!ARGS:hdwnook|!ARGS:OpenID|!ARGS:akID[46][value]|!ARGS:setmedia|!ARGS:/^hilit/|!ARGS:/reciprocal/|!ARGS:/callback/|!ARGS:subject|!ARGS:pic|!ARGS:/sponsors/|!ARGS:want2Read|!ARGS:search_string|!ARGS:direct|!ARGS:yt_thumb|!ARGS:fflv|!ARGS:direct|!ARGS:source_location|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:user_mail_register_no_approval_required_body|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:/^utm/|!ARGS:resolution|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:/message/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:/youtube/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:pic1|!ARGS:/click/|!ARGS:rf|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:/^win/|!ARGS:lec_rm|!ARGS:n-state|!ARGS:Stream|!ARGS:CP_email|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:attribute29|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:/server/|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:itemIntro|!ARGS:photo|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:loc|!ARGS:notification_body|!ARGS:/^product_long_/|!ARGS:/^topic_content_/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:address|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:desc|!ARGS:descripcion|!ARGS:/^field_id_/|!ARGS:wpUploadDescription|!ARGS:customer_footer|!ARGS:FAQTitle|!ARGS:host|!ARGS:/txt/|!ARGS:whereto|!ARGS:/description/|!ARGS:item[content]|!ARGS:pathToPiwik|!ARGS:admin_footer|!ARGS:email_sig|!ARGS:minicms_content|!ARGS:/^artsee_banner_/|!ARGS:pingback_service|!ARGS:showStr|!ARGS:hostname|!ARGS:/virtual_http_path/|!ARGS:/virtual_https_path/|!ARGS:f_content|!ARGS:bannercode|!ARGS:email_forward|!ARGS:fetch|!ARGS:/txt/|!ARGS:RTServerName|!ARGS:mesg|!ARGS:forward|!ARGS:atc_content|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:footer_scripts|!ARGS:advBannerMessage|!ARGS:thumb|!ARGS:question_content|!ARGS:u|!ARGS:header|!ARGS:action|!ARGS:cptpl_dir|!ARGS:forum_desc|!ARGS:file_contents|!ARGS:newDesc|!ARGS:/return/|!ARGS:Stream|!ARGS:contents|!ARGS:arg6|!ARGS:dbhost|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:cat_sponsor|!ARGS:stretch|!ARGS:/^fields_prev/|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:contactMessage|!ARGS:/help/|!ARGS:short_story|!ARGS:intro_content|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:headers-28|!ARGS:fulldescr|!ARGS:soundname|!ARGS:bbcode_tpl|!ARGS:/link/|!ARGS:request_uri|!ARGS:google|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:from_href|!ARGS:Comentario|!ARGS:dynadata[_SIGNATURE]|!ARGS:ppicture|!ARGS:paypal_ipn|!ARGS:defaultImage|!ARGS:title|!ARGS:dbody|!ARGS:right_frame|!ARGS:l1_bdy|!ARGS:theMessage|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:uri|!ARGS:wp_home|!ARGS:/^blockbody/|!ARGS:field11|!ARGS:field_id_7|!ARGS:/^ViewState/|!ARGS:vars[DBhostname]|!ARGS:postvars|!ARGS:base1|!ARGS:cart_header|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:full_story|!ARGS:source|!ARGS:set_static_uri_to|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:ret_address|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:/http_script_dir/|!ARGS:cfgfilecontent|!ARGS:/^PLUGIN_FEED/|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:sig|!ARGS:KT_Update1|!ARGS:flds[Message]|!ARGS:EditorHTML|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:option[home]|!ARGS:replycontents|!ARGS:sm_b_style|!ARGS:success|!ARGS:/^css/|!ARGS:short_story|!ARGS:ecards_more_pic_target|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:terms_content|!ARGS:statusaddress|!ARGS:revnews_ad_120|!ARGS:/sponsor_banner/|!ARGS:PageCopy|!ARGS:amp;loc|!ARGS:f_header|!ARGS:option[78]|!ARGS:savecontent|!ARGS:agendWebPage|!ARGS:/icon/|!ARGS:wpau-ftphost|!ARGS:gen_header|!ARGS:button_dir|!ARGS:news_desc|!ARGS:x_organizational|!ARGS:href|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:note|!ARGS:c_msg|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/^rss/|!ARGS:/rss$/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:team[logo]|!ARGS:return|!ARGS:ureferrer|!ARGS:basehref|!ARGS:/^redirect/|!ARGS:redir|!ARGS:refertoyouby|!ARGS:ret|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:portal_body|!ARGS:filecontent|!ARGS:inc|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:body|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:notes|!ARGS:missing_fields_redirect|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:/referer/|!ARGS:/refer/|!ARGS:/redirect/|!ARGS:src|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:bbcode_replace|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:g2_return|!ARGS:goto|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:fb_ref|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:pp_bio_content|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^http/|!ARGS:/^rsargs/|!ARGS:op|!ARGS:BLK_block_content|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:hamechalets_desc|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:description|!ARGS:ret|!ARGS:newDescription|!ARGS:area|!ARGS:content|!ARGS:/^data\[tt_content\]/|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:newcontent|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:in[http]|!ARGS:dynafield[_SIGNATURE]|!ARGS:virtual_http_path|!ARGS:cta_content|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:/^virtual_http/|!ARGS:cta_content|!ARGS:map_description_1|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:field5|!ARGS:p_content|!ARGS:CANCEL_RETURN|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,id:330163,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /properties.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /db_update.php> SecRuleRemoveById 350147 331025 350148 340147 340149 340149 </LocationMatch> <LocationMatch /admin/prodadd.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /mt.fcgi> SecRuleRemoveById 340162 340165 340113 341211 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:text|!ARGS:/url/|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:350474,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (mt.cgi)'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:text|!ARGS:/url/|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,deny,status:403,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:350475,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (mt.cgi)'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRuleRemoveById 350147 331025 350148 340147 340148 340149 SecRule ARGS "!(^(submit\+>>|>>)$)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,capture,id:350247,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Cross Site Scripting Attack',chain,logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/text/|!ARGS:livezillacode|!ARGS:/embed/|!ARGS:fdesc|!ARGS:ldesc|!ARGS:/script/|!ARGS:xdescription|!ARGS:desc|!ARGS:design_description|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/cms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:descr|!ARGS:/products_description/|!ARGS:match_report|!ARGS:/product_desc/|!ARGS:description_short_1|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:phpcode|!ARGS:intro|!ARGS:Snippet|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:input[Desarrollo]|!ARGS:move2|!ARGS:hoperation|!ARGS:login_form|!ARGS:/product_benefits/|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:bbcode_tpl|!ARGS:Right_photo_1|!ARGS:embedVideo|!ARGS:/^K2ExtraField/|!ARGS:mentorhelp|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/footer/|!ARGS:/link/|!ARGS:text|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|< ?/?i?frame|\%env)" "t:none,t:urlDecodeUni,t:replaceComments,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace" SecRule ARGS "!(^(submit\+>>|>>)$)" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,capture,id:350248,rev:129,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|!ARGS:/text/|!ARGS:livezillacode|!ARGS:ldesc|!ARGS:fdesc|!ARGS:/footer/|!ARGS:xdescription|!ARGS:/embed/|!ARGS:/script/|!ARGS:desc|!ARGS:design_description|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:descr|!ARGS:/products_description/|!ARGS:match_report|!ARGS:/product_desc/|!ARGS:description_short_1|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:pay_inst_1|!ARGS:sml_prt_1|!ARGS:/form/|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:input[Desarrollo]|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:move2|!ARGS:hoperation|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:mes|!ARGS:signature|!ARGS:paepdc|!ARGS:/VB_announce/|!ARGS:/^autoDS/|!ARGS:newyddionc|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/header/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:text|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:i?frame ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|!(i|t)on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|shell\:|window\.location|asfunction:_root\.launch|\%env)" "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase" </LocationMatch> <LocationMatch /mt.cgi> SecRuleRemoveById 340162 340165 340113 341211 SecRuleRemoveById 340163 SecRuleRemoveById 350147 331025 350148 340147 340148 340149 SecRule ARGS "!(^(submit\+>>|>>)$)" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,capture,id:350248,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Cross Site Scripting Attack',chain,logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/text/|!ARGS:livezillacode|!ARGS:/embed/|!ARGS:fdesc|!ARGS:ldesc|!ARGS:/script/|!ARGS:xdescription|!ARGS:desc|!ARGS:design_description|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/cms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:descr|!ARGS:/products_description/|!ARGS:match_report|!ARGS:/product_desc/|!ARGS:description_short_1|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:phpcode|!ARGS:intro|!ARGS:Snippet|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:input[Desarrollo]|!ARGS:move2|!ARGS:hoperation|!ARGS:login_form|!ARGS:/product_benefits/|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:bbcode_tpl|!ARGS:Right_photo_1|!ARGS:embedVideo|!ARGS:/^K2ExtraField/|!ARGS:mentorhelp|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/footer/|!ARGS:/link/|!ARGS:text|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|< ?/?i?frame|\%env)" "t:none,t:urlDecodeUni,t:replaceComments,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace" SecRule ARGS "!(^(submit\+>>|>>)$)" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,capture,id:350249,rev:129,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Cross Site Scripting Attack',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|!ARGS:/text/|!ARGS:livezillacode|!ARGS:ldesc|!ARGS:fdesc|!ARGS:/footer/|!ARGS:xdescription|!ARGS:/embed/|!ARGS:/script/|!ARGS:desc|!ARGS:design_description|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:descr|!ARGS:/products_description/|!ARGS:match_report|!ARGS:/product_desc/|!ARGS:description_short_1|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:pay_inst_1|!ARGS:sml_prt_1|!ARGS:/form/|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:input[Desarrollo]|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:move2|!ARGS:hoperation|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:mes|!ARGS:signature|!ARGS:paepdc|!ARGS:/VB_announce/|!ARGS:/^autoDS/|!ARGS:newyddionc|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/header/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:text|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:i?frame ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc|mocha\:|!(i|t)on(?:abort|blur|change|click!s|dragdrop|focus|keydown|keypress|keyup)|onmouse(?:down|move|out|over|up)|shell\:|window\.location|asfunction:_root\.launch|\%env)" "t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase" </LocationMatch> <LocationMatch /Systeembeheer/> SecRuleRemoveById 390709 </LocationMatch> <LocationMatch /admin/add_sighting.php> SecRuleRemoveById 350147 331025 350148 340147 340149 340149 </LocationMatch> <LocationMatch /ticket_detail.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /createsite.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 340095 </LocationMatch> <LocationMatch /cleanedit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /zabbix/setup.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /upldgallery.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /tooltip_result.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /edit_orders.php> SecRuleRemoveById 350147 331025 350148 340148 340147 340149 </LocationMatch> <LocationMatch /tableedit.php> SecRuleRemoveById 350147 331025 350148 390621 </LocationMatch> <LocationMatch /admin_previewjobs.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /businessadd2.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /packages-rest.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /connectors/resource/index.php> SecRuleRemoveById 350147 331025 350148 340162 340165 340163 </LocationMatch> <LocationMatch /admin/editMessagesExec.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /backend.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /imp/redirect.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /edetailing_nsclc.html> SecRuleRemoveById 390615 </LocationMatch> <LocationMatch /wibstats.php> SecRuleRemoveById 390615 </LocationMatch> <LocationMatch /admincp/plugin.php> SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340160 SecRuleRemoveById 340016 SecRuleRemoveById 340017 SecRuleRemoveById 380023 </LocationMatch> <LocationMatch /maakpromotieorderb.php> SecRuleRemoveById 390707 </LocationMatch> <LocationMatch /admin/listcontent.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /showtable/update.php> SecRuleRemoveById 340162 340165 340163 SecRule ARGS|!ARGS:q|!ARGS:guid|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:330475,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (mt.cgi)'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" SecRule ARGS|!ARGS:q|!ARGS:guid|!ARGS:text|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:url|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:bg_image|!ARGS:imageFile|!ARGS:siteurl|!ARGS:install_url|!ARGS:comments_commentFind|!ARGS:resource|!ARGS:thelink|!ARGS:x_receipt_link_url|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:clickurl|!ARGS:filecontent|!ARGS:inc|!ARGS:link|!ARGS:fck_body|!ARGS:fck_brief|!ARGS:introtext|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:userpicpersonal|!ARGS:blog_url|!ARGS:body|!ARGS:linkdescr|!ARGS:Post|!ARGS:last_msg|!ARGS:params[link]|!ARGS:texty|!ARGS:params[request_url]|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:templatePath|!ARGS:fulltext|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:config_helpurl|!ARGS:website_link|!ARGS:view|!ARGS:redirect_to|!ARGS:return_link_url|!ARGS:products_image|!ARGS:_wp_original_http_referer|!ARGS:refer|!ARGS:oldmsg|!ARGS:lk_url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,deny,status:403,chain,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:330476,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (mt.cgi)'" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/locations/editphoto.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /admin/translation_tool.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /admin/edituserplugin.php> SecRuleRemoveById 350147 331025 350148 340029 </LocationMatch> <LocationMatch /imp/mailbox.php> SecRuleRemoveById 390613 390614 </LocationMatch> <LocationMatch /services/prefs.php> SecRuleRemoveById 390613 390614 </LocationMatch> <LocationMatch /admin/update-page.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /uploadify/uploadify.php> SecRuleRemoveById 340007 SecRuleRemoveById 340006 </LocationMatch> <LocationMatch /admin/savestory.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /chat/server.php> SecRuleRemoveById 350147 331025 350148 340162 340165 340163 390715 340029 </LocationMatch> <LocationMatch /cha-insertproduct.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /ezedit/server.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /cometchat_receive.php> SecRuleRemoveById 390616 </LocationMatch> <LocationMatch /admin/news_editresult.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /items_attribute_result.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /bcadmn/index.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /thub.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/sidenavsave.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /imp/message.php> SecRuleRemoveById 350147 331025 350148 390613 390614 </LocationMatch> <LocationMatch /cgi-bin/editor/wsd> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/sitesettings.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /workadmin.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /addons/imagelibrary/select_image.php> SecRuleRemoveById 340007 340006 </LocationMatch> <LocationMatch /news_edit.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /wp-faq-css.php> SecRuleRemoveById 340145 331025 331026 331027 331028 390572 </LocationMatch> <LocationMatch /cfk-action.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /htmle.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /product_edit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /cgi-bin/BackupPC_Admin> SecRuleRemoveById 390709 </LocationMatch> <LocationMatch /delivery/spc.php> SecRuleRemoveById 340145 331025 331026 331027 331028 340165 390572 </LocationMatch> <LocationMatch /includes/share.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /kronolith/> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /delivery/ajs.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /browse.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /watermark.php> SecRuleRemoveById 340162 340165 340163 SecRule REQUEST_URI|ARGS|!ARGS:src "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:330477,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}'" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:src "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,id:330478,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /addcontent.php> SecRuleRemoveById 350147 331025 350148 SecRuleRemoveById 340161 </LocationMatch> <LocationMatch /showmail.php> SecRuleRemoveById 390703 </LocationMatch> <LocationMatch /aprogram.php> SecRuleRemoveById 340006 340009 340007 </LocationMatch> <LocationMatch /admin/edit-event.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /extrainfo.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /extraInfo.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/company/modify.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /dimcp/setting.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /JG_radioF.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /tiki-editpage.php> SecRuleRemoveById 340095 380025 </LocationMatch> <LocationMatch /power_news_add.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /JG_tekstA.php> SecRuleRemoveById 340113 341211 </LocationMatch> <LocationMatch /static_content_editresult.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /shopadmin/login.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /sgal_thumb.php> SecRuleRemoveById 340006 SecRuleRemoveById 340007 </LocationMatch> <LocationMatch /livehelp/image.php> SecRuleRemoveById 340016 </LocationMatch> <LocationMatch /ajax.php> SecRuleRemoveById 340027 340145 </LocationMatch> <LocationMatch /saveConfig.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /products.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /edit-process.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /phpminiadmin.php> SecRuleRemoveById 340016 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /freePost.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /advertpro/admin/admin.pl> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /inc/flash_to_db_insert.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /blocks/form/services.php> SecRuleRemoveById 350147 331025 350148 340147 340148 </LocationMatch> <LocationMatch /admin/settings/> SecRuleRemoveById 350147 331025 350148 340147 340148 </LocationMatch> <LocationMatch /ajax.php> SecRuleRemoveById 350147 331025 350148 340027 340095 390572 380020 340147 340148 340149 </LocationMatch> <LocationMatch /manager/ispmgr> SecRuleRemoveById 350147 331025 350148 340027 340095 SecRuleRemoveById 340016 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /editimage.html> SecRuleRemoveById 350147 331025 350148 340147 340148 340007 340165 </LocationMatch> <LocationMatch /admin/siteprefs.php> SecRuleRemoveById 350147 331025 350148 340147 340148 </LocationMatch> <LocationMatch /admin/include/update.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /admin/directory.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/video_add.php> SecRuleRemoveById 350147 331025 350148 340148 340149 340147 </LocationMatch> <LocationMatch /admin/products/entry/index.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /editconfirm.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /connectors/element/snippet.php> SecRuleRemoveById 350147 331025 350148 340128 380018 340029 SecRule REQUEST_URI|ARGS "< ?\?" \ "t:none,t:urlDecodeUni,t:lowercase,phase:2,deny,status:403,capture,chain,id:361128,rev:14,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote PHP command exection',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|!ARGS:view|!ARGS:payment_extrainfo|!ARGS:solution|!ARGS:resolution|!ARGS:message|!ARGS:/template/|!ARGS:msg|!ARGS:/php/|!ARGS:gen_header|!ARGS:/layout/|!ARGS:post|!ARGS:/description/|!ARGS:/text/|!ARGS:/txt/|!ARGS:footerfile|!ARGS:/descr/|!ARGS:titleMetatags|!ARGS:/content/|!ARGS:/^eip_/ "(?:(?:chr|fwrite|fopen|system|echr|passthru|php_uname|popen|proc_open|shell_exec|mysql_query|eval|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|preg_\w+) ?\(|system\( ?getenv ?\( ?http_php ?\) ?\))" </LocationMatch> <LocationMatch /plugins/podpress/podpress_backend.ph> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /productos_edit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/produto_script.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /db_structure.php> SecRuleRemoveById 340016 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /mail.cgi> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /hades_framework/option_panel/ajax.php> SecRuleRemoveById 340162 340165 340163 340147 340148 340149 SecRule REQUEST_URI|ARGS|!ARGS:/values/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:361129,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/values/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,id:361130,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /apsona_svc.php> SecRuleRemoveById 340095 SecRule ARGS "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|(?:passthru|php_uname|phpinfo|preg_\w+|shell_exec|mysql_query|exec|eval|base64_decode|decode_base64) ?\()" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:361131,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible PHP function in Argument - this may be an attack.',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /s_listing.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/module-inventory/> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /items_name_result.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /webmail/src/addressbook.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /cms-setup/> SecRuleRemoveById 350147 331025 350148 390727 340157 340159 </LocationMatch> <LocationMatch /s_search.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /cpage.php> SecRuleRemoveById 350147 331025 350148 341047 340148 340149 </LocationMatch> <LocationMatch /display_property.aspx> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/admin-stats.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /quickscan/8a.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /creatematchstats.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /add-process.php> SecRuleRemoveById 350147 331025 350148 340147 </LocationMatch> <LocationMatch /admin/pages/updates.php> SecRuleRemoveById 340016 340029 340095 340128 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /login_status.php> SecRuleRemoveById 340162 340165 340163 SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:next|!ARGS:origin|!ARGS:no_session|!ARGS:no_user|!ARGS:ok_session "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:362129,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:next|!ARGS:origin|!ARGS:no_session|!ARGS:no_user|!ARGS:ok_session "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:362130,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /db_search.php> SecRuleRemoveById 340016 340029 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /gravityforms/preview.php> SecRuleRemoveById 340162 340165 340163 SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/input/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:362131,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/input/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:362132,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/contmin.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /add_static_cgi.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /ash/default.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /ratesadmin.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /testamin.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /DARTIframe.html> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /jomsocial/profile/edit> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /administratie/Pro/servers.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /admin/payment.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /cms/save.php> SecRuleRemoveById 350147 331025 350148 341047 340148 340149 </LocationMatch> <LocationMatch /admin/pages/update.php> SecRuleRemoveById 350147 331025 350148 341047 340148 340149 </LocationMatch> <LocationMatch /administrator/options.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /modules/catalogs/save_element.php> SecRuleRemoveById 350147 331025 350148 341047 340148 340149 </LocationMatch> <LocationMatch /admin_modal/save/> SecRuleRemoveById 350147 331025 350148 341047 340148 340149 </LocationMatch> <LocationMatch /favicon.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /admin/components.php> SecRuleRemoveById 350147 331025 350148 341047 340148 340149 </LocationMatch> <LocationMatch /admin/postbagdo.php> SecRuleRemoveById 350147 331025 350148 341047 340148 340149 </LocationMatch> <LocationMatch /wp-admin/media.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /administrator/index3.php> SecRuleRemoveById 340095 </LocationMatch> <LocationMatch /portaladmin/edit_annonce1.php> SecRuleRemoveById 340007 340006 347008 </LocationMatch> <LocationMatch /portaladmin/add_annonce1.php> SecRuleRemoveById 340007 340006 347008 </LocationMatch> <LocationMatch /cms_centralparking.php> SecRuleRemoveById 350147 331025 350148 341047 340148 340149 340113 341211 </LocationMatch> <LocationMatch /save_lesson.php> SecRuleRemoveById 350147 331025 350148 340016 </LocationMatch> <LocationMatch /e_brochure_edit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /aboutus-pages_exe.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /tbl_alter.php> SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /newspro.cgi> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/video_edit.php> SecRuleRemoveById 340147 340148 340149 </LocationMatch> <LocationMatch /email/test.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/groupedit.php> SecRuleRemoveById 350147 331025 350148 340162 340165 340163 </LocationMatch> <LocationMatch /retail_oordenkings.edit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /lesson_edit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /mailtemplate_dhltrack_result.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /browse_links.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /quote_rads.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /tweet-blender/ws.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /video_edit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /save.json> SecRuleRemoveById 340162 340165 340163 340029 </LocationMatch> <LocationMatch /admin/test.html> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/edit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /wp-admin/nav-menus.php> SecRuleRemoveById 350147 331025 350148 390614 390707 </LocationMatch> <LocationMatch /wp-admin/admin-post.php> SecRuleRemoveById 350147 331025 350148 390614 380020 </LocationMatch> <LocationMatch /admin/portfolio/edit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /wp-content/plugins/pods/ajax/showform.php> SecRuleRemoveById 350147 331025 350148 340029 </LocationMatch> <LocationMatch /manage/team/create.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /sage_download.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /template_content_editresult.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 </LocationMatch> <LocationMatch /adm/index.php> SecRuleRemoveById 350147 331025 350148 340149 340147 340148 340113 341211 </LocationMatch> <LocationMatch /e_brochure_email.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /addlinks.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /adminsettings.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /modules/news/nav.php> SecRuleRemoveById 350147 331025 350148 340029 340016 </LocationMatch> <LocationMatch /addnews.php> SecRuleRemoveById 350147 331025 350148 340149 </LocationMatch> <LocationMatch /administrator/postarticles.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /administrator/contactus.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /administrator/homepagecontent.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /filebrowser/umifilebrowser.html> SecRuleRemoveById 340007 340006 347008 </LocationMatch> <LocationMatch /coupons_exclusions.php> SecRuleRemoveById 390707 </LocationMatch> <LocationMatch /wp-content/plugins/VoltRank> SecRuleRemoveById 340147 340148 340149 </LocationMatch> <LocationMatch /admin_configvalues.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /processAddEditProduct.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /eecms.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 340095 340016 380025 340029 SecRuleRemoveById 340160 SecRuleRemoveById 340157 SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 SecRuleRemoveById 340155 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 390572 </LocationMatch> <LocationMatch /builder/postsitedata.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /SettingsGeneralAction.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /wp-comments-post.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /include/load_page.php> SecRuleRemoveById 390572 340145 </LocationMatch> <LocationMatch /profile/shopSettings.jsf> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /multimediaSave.do> SecRuleRemoveById 340007 340006 </LocationMatch> <LocationMatch /business_profile_engine.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /jupgrade/administrator/index.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /v2_configvars_engine.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /BookingCalendar/php/save.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /wizard/start.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /MailTemplateEditAction.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /admin/settingsContact.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /property-edit.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /server/webissues/handler.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 390904 </LocationMatch> <LocationMatch /admin/db_edit.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 340095 340162 340163 </LocationMatch> <LocationMatch /index.php/datafeedmanager/adminhtml_datafeedmanager/save> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 340095 </LocationMatch> <LocationMatch /venue-edit.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 340095 390572 340145 </LocationMatch> <LocationMatch /cms-setup/> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 340095 390572 340145 </LocationMatch> <LocationMatch /wp-admin/theme-install.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /admin/products_add.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 340095 390572 340145 </LocationMatch> <LocationMatch /admin/story_uploader.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 340095 390572 340145 SecRule ARGS|!ARGS:/comment/|!ARGS:problem|!ARGS:resolution|!ARGS:subject|!ARGS:/body/|!ARGS:/^widget-section/|!ARGS:/template/|!ARGS:/^eip_/|!ARGS:/sql/|!ARGS:/keyword/|!ARGS:/msg/|!ARGS:metadata|!ARGS:post_content|!ARGS:parent_name|!ARGS:topic|!ARGS:file_content|!ARGS:/^serendipity/|!ARGS:comment|!ARGS:summary|!ARGS:configoptionname|!ARGS:Definition|!ARGS:/php/|!ARGS:/Metatags/|!ARGS:/footerfile/|!ARGS:/layout/|!ARGS:/message/|!ARGS:email|!ARGS:/desc/|!ARGS:body|!ARGS:/text/|!ARGS:/txt/|!ARGS:content "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|(?:passthru|php_uname|phpinfo|shell_exec|preg_\w+|mysql_query|exec|eval|base64_decode|decode_base64) ?\()" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:344195,rev:33,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible PHP function in Argument - this may be an attack.',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /include/ajax_price.php> SecRuleRemoveById 390572 340145 </LocationMatch> <LocationMatch /page_editor/save_page.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 </LocationMatch> <LocationMatch /admin/story_prosess.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 340095 390572 340145 SecRule ARGS|!ARGS:/comment/|!ARGS:problem|!ARGS:resolution|!ARGS:subject|!ARGS:/body/|!ARGS:/^widget-section/|!ARGS:/template/|!ARGS:/^eip_/|!ARGS:/sql/|!ARGS:/keyword/|!ARGS:/msg/|!ARGS:metadata|!ARGS:post_content|!ARGS:parent_name|!ARGS:topic|!ARGS:file_content|!ARGS:/^serendipity/|!ARGS:comment|!ARGS:summary|!ARGS:configoptionname|!ARGS:Definition|!ARGS:/php/|!ARGS:/Metatags/|!ARGS:/footerfile/|!ARGS:/layout/|!ARGS:/message/|!ARGS:email|!ARGS:/desc/|!ARGS:body|!ARGS:/text/|!ARGS:/txt/|!ARGS:content "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|(?:passthru|php_uname|phpinfo|shell_exec|preg_\w+|mysql_query|exec|eval|base64_decode|decode_base64) ?\()" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:344196,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible PHP function in Argument - this may be an attack.',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /admin/story_process.php> SecRuleRemoveById 340147 340148 340149 350147 331025 350148 340095 390572 340145 SecRule ARGS|!ARGS:/comment/|!ARGS:problem|!ARGS:resolution|!ARGS:subject|!ARGS:/body/|!ARGS:/^widget-section/|!ARGS:/template/|!ARGS:/^eip_/|!ARGS:/sql/|!ARGS:/keyword/|!ARGS:/msg/|!ARGS:metadata|!ARGS:post_content|!ARGS:parent_name|!ARGS:topic|!ARGS:file_content|!ARGS:/^serendipity/|!ARGS:comment|!ARGS:summary|!ARGS:configoptionname|!ARGS:Definition|!ARGS:/php/|!ARGS:/Metatags/|!ARGS:/footerfile/|!ARGS:/layout/|!ARGS:/message/|!ARGS:email|!ARGS:/desc/|!ARGS:body|!ARGS:/text/|!ARGS:/txt/|!ARGS:content "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|(?:passthru|php_uname|phpinfo|shell_exec|preg_\w+|mysql_query|exec|eval|base64_decode|decode_base64) ?\()" \ "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:344196,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible PHP function in Argument - this may be an attack.',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /seopanel/login.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /doku.php> SecRuleRemoveById 350147 331025 350148 340095 </LocationMatch> <LocationMatch /shopperpress/PPT/ajax/actions.php> SecRuleRemoveById 350147 331025 350148 340162 340165 340163 </LocationMatch> <LocationMatch /wp-content/plugins/spostarbust/images/index.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /emailXMLasAttachment.ph> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /console/manage_products.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /agents/uploader/doUpload.php> SecRuleRemoveById 380006 380007 </LocationMatch> <LocationMatch /wp-load.php> SecRuleRemoveById 340095 340094 </LocationMatch> <LocationMatch /textpattern/index.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /filemanager/filemanager.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 340113 341211 </LocationMatch> <LocationMatch /imagecrop.php> SecRuleRemoveById 340162 340165 340163 SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/file/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:336633,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/file/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:336634,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /dashboard.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /ie-style.php> SecRuleRemoveById 340165 340162 340163 340021 </LocationMatch> <LocationMatch /plugins/likebox.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /bb_gate.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /imgprod.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /phpmyvisites.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /admin/editpage.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 340113 341211 </LocationMatch> <LocationMatch /modules/mod_ajax_contact/ajax.php> SecRuleRemoveById 390703 </LocationMatch> <LocationMatch /admin/artwork/index/upload_file> SecRuleRemoveById 380006 </LocationMatch> <LocationMatch /admin/media/upload.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 340113 341211 </LocationMatch> <LocationMatch /php-stats.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /a_config_dt.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 340113 341211 </LocationMatch> <LocationMatch /aom/item/index.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /orders/orderSave.php> SecRuleRemoveById 350147 331025 350148 340145 390572 </LocationMatch> <LocationMatch /nucleus/index.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /save_post.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /provider/offers.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /plugins/wp-slimstat/wp-slimstat-js.php> SecRuleRemoveById 340165 340162 340163 </LocationMatch> <LocationMatch /editor/sitemanger/index.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /admin/addClientVideo.php> SecRuleRemoveById 340165 340162 340163 </LocationMatch> <LocationMatch /single_upload.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /betrieb.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /wiki/lib/exe/fetch.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /wp-admin/press-this.php> SecRuleRemoveById 340165 340162 340163 </LocationMatch> <LocationMatch /pagine.php> SecRuleRemoveById 340165 340162 340163 </LocationMatch> <LocationMatch /admin/order-categories.php> SecRuleRemoveById 390572 340145 </LocationMatch> <LocationMatch /livehelp/> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /LiveHelp/> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /livehelpnew/> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /LiveHelpNew/> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /raidlogimport/admin/dkp.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /p.php> SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:t "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:378451,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{MATCHED_VAR}',chain" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admincp/verticalresponse.php> SecRuleRemoveById 350147 331025 350148 340145 390572 SecRuleRemoveById 340160 SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 SecRuleRemoveById 340155 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 390572 </LocationMatch> <LocationMatch /admin/editart.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /panel/content/itinerary.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/adminMailing.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /homepageedit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/jobedit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /media-upload.php> SecRuleRemoveById 340162 340165 340163 390707 </LocationMatch> <LocationMatch /ndxz-studio> SecRuleRemoveById 340162 340165 340163 340147 340148 340149 </LocationMatch> <LocationMatch /ndxzstudio> SecRuleRemoveById 340162 340165 340163 340147 340148 340149 </LocationMatch> <LocationMatch /admin/json.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /_salvaXML.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /imp/imple.php> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /cms/settings.php> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /destination-edit.php> SecRuleRemoveById 340162 340163 340165 350147 350148 </LocationMatch> <LocationMatch /posthtml.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /template_edit.asp> SecRuleRemoveById 350147 331025 350148 390727 </LocationMatch> <LocationMatch /question/edit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /cgi-bin/menu.pl> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /add_article.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /admin/update.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /wp-content/plugins/contactme/xd_receiver.php> SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /edit_home.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /update-news.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /mod/quiz/attempt.php> SecRuleRemoveById 350147 331025 350148 340007 340006 </LocationMatch> <LocationMatch /linnworks_xml.php> SecRuleRemoveById 350147 331025 350148 380018 </LocationMatch> <LocationMatch /order/saveEshop> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /comments.php> SecRuleRemoveById 340007 340006 SecRule ARGS|!ARGS:/^resp/|!ARGS:rpath|!ARGS:data|!ARGS:/body/|!ARGS:editor1|!ARGS:/sidebar/|!ARGS:/template/|!ARGS:/desc/|!ARGS:resolution|!ARGS:/problem/|!ARGS:/solution/|!ARGS:/^style_options/|!ARGS:/CACHE_PATH/|!ARGS:connector|!ARGS:/comment/|!ARGS:obrazek|!ARGS:/txt/|!ARGS:keywords|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:css_data|!ARGS:/text/|!ARGS:/message/|!ARGS:body|!ARGS:pagecontent|!ARGS:/html/|!ARGS:filecontent|!ARGS:content|!ARGS:filename|!ARGS:fck_body|!ARGS:text|!ARGS:/content/ "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \ "deny,status:403,t:none,t:lowercase,capture,id:343307,rev:39,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Generic Path Recursion denied',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /viewraid.php> SecRuleRemoveById 340007 340006 </LocationMatch> <LocationMatch /twitter/tweets-grab.php> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /admin/set_label.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /index.php/profile/register/registerProfile> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /code_editor.php> SecRuleRemoveById 350147 350148 340147 340148 340149 331025 340029 340128 380018-380021 340095 390715 340113 341211 340006-340007 340011 340014 340016 340017 340021 340027 340029 340095 340118 340128 340131 340133 340144 340164 380006 390709 390715 390801 390810 393449 </LocationMatch> <LocationMatch /popeditmarker.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /connectors/security/access/policy/template.php> SecRuleRemoveById 350147 331025 350148 340016 340147 340148 340149 </LocationMatch> <LocationMatch /modiwats.php> SecRuleRemoveById 350147 331025 350148 340162 340163 340165 380016 340149 340147 340148 390572 340009 </LocationMatch> <LocationMatch /php-stats.php> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /banner-edit.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /content-edit.php> SecRuleRemoveById 350147 331025 350148 340147 340148 340149 </LocationMatch> <LocationMatch /paymentRecall.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /hostmeinadmin/clientshosting.php> SecRuleRemoveById 350147 331025 350148 340148 340147 340149 </LocationMatch> <LocationMatch /processwire/page/edit> SecRuleRemoveById 350147 331025 350148 340148 340147 340149 </LocationMatch> <LocationMatch /admin/general_settings.php> SecRuleRemoveById 350147 331025 350148 340148 340147 340149 </LocationMatch> <LocationMatch /adclick.php> SecRuleRemoveById 340162 340163 </LocationMatch> <LocationMatch /admin_edit_cat.php> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /listings/client.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/file/|!ARGS:info "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:336133,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:/file/|!ARGS:info "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:336134,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /kontaktformular_web-plaaning.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /web-planning.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /shop/remote.php> SecRuleRemoveById 390572 390703 SecRule ARGS|XML:/*|!ARGS:/^products/ "(?:or.+1[[:space:]]*=[[:space:]]1|or 1=[0-9]|admin'(?: --| #)| or '1'='1--|having 1 ?= ?1 --|or\+1=[0-9]|null is null ?--|\b(\d+) ?(?:=|<>|<=>|!=) ?[1-3]\b)" \ "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:380572,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible SQL injection probe',logdata:'%{TX.0}'" </LocationMatch> <LocationMatch /beta_add_record.php> SecRuleRemoveById 350147 331025 350148 </LocationMatch> <LocationMatch /eCheck_receipt.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /livehelp/send.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /tweets-grab-ldn.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:api "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:336135,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/url/|!ARGS:api "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:336136,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /receipt.php> SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRule REQUEST_URI|ARGS|!ARGS:/^list/|!ARGS:/url/|!ARGS:/img/|!ARGS:api|!ARGS:/uri/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:336137,t:none,t:normalisePath,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/^list/|!ARGS:/url/|!ARGS:/img/|!ARGS:api|!ARGS:/uri/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:336138,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/contenu/modif/> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /admin/processproperty.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /admin/newsletter/envoi.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /extplorer/index.php> SecRuleRemoveById 350147 350148 340147 340148 340007 </LocationMatch> <LocationMatch /administrator/functions/update_article.ph> SecRuleRemoveById 350147 350148 340007 340006 </LocationMatch> <LocationMatch /functions/client.php> SecRuleRemoveById 340162 340163 340165 SecRule REQUEST_URI|ARGS|!ARGS:info "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:336139,t:none,t:urlDecodeUni,t:normalisePath,t:replaceNulls,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:info "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:336140,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /op.php> SecRuleRemoveById 340195 </LocationMatch> <LocationMatch /mod_raxo_allmode/tools/tb.php> SecRuleRemoveById 340162 340163 340165 SecRule REQUEST_URI|ARGS|!ARGS:src "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:336240,t:none,t:urlDecodeUni,t:normalisePath,t:replaceNulls,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:src "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:336241,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /edit_offer.php> SecRuleRemoveById 340147 340148 340149 350147 350148 </LocationMatch> <LocationMatch /foto-graveren.php> SecRuleRemoveById 340162 340163 340165 SecRule REQUEST_URI|ARGS|!ARGS:/afbeelding/|!ARGS:/foto/|!ARGS:/Photo/|!ARGS:/image/|!ARGS:/img/|!ARGS:src|!ARGS:/^MA/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:336242,t:none,t:urlDecodeUni,t:normalisePath,t:replaceNulls,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/afbeelding/|!ARGS:/foto/|!ARGS:/Photo/|!ARGS:/image/|!ARGS:/img/|!ARGS:src|!ARGS:/^MA/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:336243,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /beta_new_update.php> SecRuleRemoveById 340147 340148 340149 350147 350148 </LocationMatch> <LocationMatch /webdav.php> SecRuleRemoveById 392301 </LocationMatch> <LocationMatch /sassistant/monitoring.php> SecRuleRemoveById 340162 340163 340165 340009 390709 SecRule REQUEST_URI|ARGS|!ARGS:/monitor/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:336244,t:none,t:urlDecodeUni,t:normalisePath,t:replaceNulls,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" SecRule REQUEST_URI|ARGS|!ARGS:/monitor/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:336245,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{TX.0}',chain" SecRule MATCHED_VAR "!@beginsWith http:/%{SERVER_NAME}/" </LocationMatch> <LocationMatch /admin/printDeExpediat.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /shop/presta_admin/index.php> SecRuleRemoveById 340162 340163 </LocationMatch> <LocationMatch /adduserplugin.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /admin/edithtmlblob.php> SecRuleRemoveById 350147 350148 390727 </LocationMatch> <LocationMatch /video_admin/editvideo/> SecRuleRemoveById 340162 340163 </LocationMatch> <LocationMatch /administrator/functions/update_article.php> SecRuleRemoveById 350147 350148 390727 340113 341211 </LocationMatch> <LocationMatch /catalog/admbre/categories.php> SecRuleRemoveById 340164 350147 350148 </LocationMatch> <LocationMatch /send_weeklyadlist.php> SecRuleRemoveById 350147 350148 390727 </LocationMatch> <LocationMatch /admin-edit.php> SecRuleRemoveById 390707 </LocationMatch> <LocationMatch /admin/producto.php> SecRuleRemoveById 390614 </LocationMatch> <LocationMatch /service/psnabe/clientsservices.php> SecRuleRemoveById 340162 340163 </LocationMatch> <LocationMatch /wp-admin/options-permalink.php> SecRuleRemoveById 390704 </LocationMatch> <LocationMatch /ga.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /server_databases.php> SecRuleRemoveById 350148 SecRuleRemoveById 340160 SecRuleRemoveById 340157 SecRuleRemoveById 340144 SecRuleRemoveById 380020 SecRuleRemoveById 380019 SecRuleRemoveById 340155 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 390572 </LocationMatch> <LocationMatch /amember/admin/email.php> SecRuleRemoveById 350148 350147 340147 340148 340149 </LocationMatch> <LocationMatch /send_weeklyadlist.php> SecRuleRemoveById 350148 350147 340147 340148 340149 </LocationMatch> <LocationMatch /support/agent/index.php> SecRuleRemoveById 350148 350147 340147 340148 340149 </LocationMatch> <LocationMatch /Web-Services/emailMe.php> SecRuleRemoveById 350148 350147 340147 340148 340149 </LocationMatch> <LocationMatch /we_cmd.php> SecRuleRemoveById 350148 350147 340147 340148 340149 340029 </LocationMatch> <LocationMatch /manage_news.php> SecRuleRemoveById 350148 350147 </LocationMatch> <LocationMatch /admin/addersivu.php> SecRuleRemoveById 350148 350147 340147 340148 340149 </LocationMatch> <LocationMatch /vqgen/> SecRuleRemoveById 350148 350147 340147 340148 340149 </LocationMatch> <LocationMatch /hallinta/kirjailija.php> SecRuleRemoveById 350148 350147 340147 340148 340149 340162 340163 340165 </LocationMatch> <LocationMatch /json-api/cpanel> SecRuleRemoveById 340029 340162 340163 </LocationMatch> <LocationMatch /mod/quiz/attempt.php> SecRuleRemoveById 390572 </LocationMatch> <LocationMatch extplorer/index.php> SecRuleRemoveById 350148 350147 </LocationMatch> <LocationMatch /wp-content/themes/oakland/theme/functions/upload.php> SecRuleRemoveById 340007 340006 </LocationMatch> <LocationMatch /acp/vbshout.php> SecRuleRemoveById 390707 </LocationMatch> <LocationMatch /property.php> SecRuleRemoveById 340162 340163 SecRule ARGS|!ARGS:id|!ARGS:kotisivu|!ARGS:mb|!ARGS:jibber|!ARGS:pattern_select|!ARGS:wordpress_extra|!ARGS:origin|!ARGS:fail|!ARGS:success|!ARGS:move_to|!ARGS:/^listingfields/|!ARGS:svc_id|!ARGS:/^constant_contact/|!ARGS:hq|!ARGS:/flsrv/|!ARGS:svc_id|!ARGS:junkWords|!ARGS:/foto/|!ARGS:/^attr_/|!ARGS:name_ip|!ARGS:/stream/|!ARGS:canonical|!ARGS:/addy/|!ARGS:rel_path|!ARGS:aim|!ARGS:api|!ARGS:details|!ARGS:/^field/|!ARGS:profile_id|!ARGS:/^complete_action/|!ARGS:/^option_value/|!ARGS:/buzz/|!ARGS:cc_list_id|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:^/xcpr_/|!ARGS:back|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:catalogue_search_code|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/tripadvisor/|!ARGS:/iTunes/|!ARGS:service|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/target/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:/^input_/|!ARGS:embed_code|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:dest|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:refsrc|!ARGS:hp|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:input_3|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:sfhome|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:loc|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/photo/|!ARGS:/logo/|!ARGS:go|!ARGS:/^utm/|!ARGS:resolution|!ARGS:/export/|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:/click/|!ARGS:rf|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:/^win/|!ARGS:lec_rm|!ARGS:n-state|!ARGS:CP_email|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:attribute29|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:/server/|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:itemIntro|!ARGS:photo|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:/body/|!ARGS:/^product_long_/|!ARGS:/content/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:customer_footer|!ARGS:FAQTitle|!ARGS:host|!ARGS:/text/|!ARGS:whereto|!ARGS:pathToPiwik|!ARGS:admin_footer|!ARGS:email_sig|!ARGS:/^artsee_banner_/|!ARGS:pingback_service|!ARGS:showStr|!ARGS:/hostname/|!ARGS:/http/|!ARGS:bannercode|!ARGS:email_forward|!ARGS:fetch|!ARGS:/txt/|!ARGS:mesg|!ARGS:forward|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:footer_scripts|!ARGS:advBannerMessage|!ARGS:u|!ARGS:/header/|!ARGS:action|!ARGS:cptpl_dir|!ARGS:arg6|!ARGS:dbhost|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:cat_sponsor|!ARGS:stretch|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:contactMessage|!ARGS:var_value[usps_labels_help_2]|!ARGS:short_story|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:soundname|!ARGS:bbcode_tpl|!ARGS:/link/|!ARGS:faqText|!ARGS:request_uri|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:Comentario|!ARGS:dynadata[_SIGNATURE]|!ARGS:paypal_ipn|!ARGS:title|!ARGS:/frame/|!ARGS:l1_bdy|!ARGS:theMessage|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:uri|!ARGS:wp_home|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:base1|!ARGS:layout|!ARGS:EditorHTML|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:option[home]|!ARGS:sm_b_style|!ARGS:success|!ARGS:/^css/|!ARGS:short_story|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:statusaddress|!ARGS:revnews_ad_120|!ARGS:/sponsor_banner/|!ARGS:newText|!ARGS:PageCopy|!ARGS:amp;loc|!ARGS:option[78]|!ARGS:agendWebPage|!ARGS:/icon/|!ARGS:/ftp/|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:note|!ARGS:c_msg|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:helpbox|!ARGS:ureferrer|!ARGS:redir|!ARGS:refertoyouby|!ARGS:ret|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:notes|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:refer|!ARGS:oldmsg|!ARGS:/referer/|!ARGS:/refer/|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:bbcode_replace|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:fb_ref|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:ret|!ARGS:area|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:dynafield[_SIGNATURE]|!ARGS:payment_extrainfo|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:320162,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain,rev:287,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{MATCHED_VAR}'" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_URI|ARGS|!ARGS:id|!ARGS:kotisivu|!ARGS:mb|!ARGS:jibber|!ARGS:wordpress_extra|!ARGS:origin|!ARGS:pattern_select|!ARGS:fail|!ARGS:success|!ARGS:move_to|!ARGS:/^listingfields/|!ARGS:svc_id|!ARGS:/^constant_contact/|!ARGS:hq|!ARGS:/flsrv/|!ARGS:svc_id|!ARGS:/foto/|!ARGS:junkWords|!ARGS:name_ip|!ARGS:/stream/|!ARGS:canonical|!ARGS:/addy/|!ARGS:rel_path|!ARGS:aim|!ARGS:/^field/|!ARGS:details|!ARGS:/^complete_action/|!ARGS:profile_id|!ARGS:api|!ARGS:/^option_value/|!ARGS:button_src|!ARGS:cc_list_id|!ARGS:/buzz/|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:back|!ARGS:^/xcpr_/|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:/export/|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/tripadvisor/|!ARGS:/iTunes/|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/target/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:embed_code|!ARGS:/^input_/|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:dest|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:wlp|!ARGS:hp|!ARGS:refsrc|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:input_3|!ARGS:file|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:sfhome|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/^obj_/|!ARGS:direct|!ARGS:fflv|!ARGS:direct|!ARGS:source_location/|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:go|!ARGS:resolution|!ARGS:catalogue_search_code|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:/^utm/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:clickTag1|!ARGS:rf|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:lec_rm|!ARGS:n-state|!ARGS:CP_email|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:/^clickTagFrame/|!ARGS:/^attr/|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:/^V_feed/|!ARGS:itemIntro|!ARGS:photo|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:/^GARS_existing/|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:loc|!ARGS:/body/|!ARGS:/^product_long/|!ARGS:/server/|!ARGS:/content/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:/footer/|!ARGS:FAQTitle|!ARGS:host|!ARGS:/text/|!ARGS:whereto|!ARGS:item[content]|!ARGS:pathToPiwik|!ARGS:email_sig|!ARGS:minicms_content|!ARGS:feed|!ARGS:/^artsee_banner_/|!ARGS:fetch|!ARGS:pingback_service|!ARGS:/hostname/|!ARGS:/http/|!ARGS:f_content|!ARGS:email_forward|!ARGS:bannercode|!ARGS:mesg|!ARGS:forward|!ARGS:atc_content|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:question_content|!ARGS:u|!ARGS:header|!ARGS:action|!ARGS:cptpl_dir|!ARGS:file_contents|!ARGS:contents|!ARGS:arg6|!ARGS:dbhost|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:stretch|!ARGS:cat_sponsor|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:relocate|!ARGS:add_fd3|!ARGS:headers-28|!ARGS:soundname|!ARGS:bbcode_tpl|!ARGS:faqText|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:Comentario|!ARGS:/^dynadata/|!ARGS:paypal_ipn|!ARGS:title|!ARGS:right_frame|!ARGS:l1_bdy|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:wp_home|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:vars[DBhostname]|!ARGS:base1|!ARGS:cart_header|!ARGS:layout|!ARGS:short_story|!ARGS:/sponsor_banner/|!ARGS:newText|!ARGS:PageCopy|!ARGS:amp;loc|!ARGS:f_header|!ARGS:option[78]|!ARGS:savecontent|!ARGS:agendWebPage|!ARGS:/ftp/|!ARGS:gen_header|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:c_msg|!ARGS:note|!ARGS:domain|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:clickTAG|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:helpbox|!ARGS:redir|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:filecontent|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:oldmsg|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:bbcode_replace|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:goto|!ARGS:from|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:msgpreview|!ARGS:fb_ref|!ARGS:notes|!ARGS:pn_domain|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:pp_bio_content|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:BLK_block_content|!ARGS:ret|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:area|!ARGS:content|!ARGS:/^data\[tt_content\]/|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:newcontent|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:map|!ARGS:dynafield[_SIGNATURE]|!ARGS:payment_extrainfo|!ARGS:cta_content|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:cta_content|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:code|!ARGS:p_content|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:lowercase,multimatch,id:320163,rev:287,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{MATCHED_VAR}',chain" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /theme/functions/upload.php> SecRuleRemoveById 340007 340006 </LocationMatch> <LocationMatch /showimage.php.jpg> SecRuleRemoveById 340035 </LocationMatch> <LocationMatch /forums/admin/index.php> SecRuleRemoveById 340162 340163 340165 SecRule ARGS|!ARGS:/field_/|!ARGS:id|!ARGS:/addy/|!ARGS:rel_path|!ARGS:aim|!ARGS:api|!ARGS:details|!ARGS:/^field/|!ARGS:profile_id|!ARGS:/^complete_action/|!ARGS:/^option_value/|!ARGS:/buzz/|!ARGS:cc_list_id|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:^/xcpr_/|!ARGS:back|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:catalogue_search_code|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/tripadvisor/|!ARGS:/iTunes/|!ARGS:service|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/target/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:/^input_/|!ARGS:embed_code|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:dest|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:refsrc|!ARGS:hp|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:input_3|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:sfhome|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:loc|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/photo/|!ARGS:/logo/|!ARGS:go|!ARGS:/^utm/|!ARGS:resolution|!ARGS:/export/|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:/click/|!ARGS:rf|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:/^win/|!ARGS:lec_rm|!ARGS:n-state|!ARGS:CP_email|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:attribute29|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:/server/|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:itemIntro|!ARGS:photo|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:/body/|!ARGS:/^product_long_/|!ARGS:/content/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:customer_footer|!ARGS:FAQTitle|!ARGS:host|!ARGS:/text/|!ARGS:whereto|!ARGS:pathToPiwik|!ARGS:admin_footer|!ARGS:email_sig|!ARGS:/^artsee_banner_/|!ARGS:pingback_service|!ARGS:showStr|!ARGS:/hostname/|!ARGS:/http/|!ARGS:bannercode|!ARGS:email_forward|!ARGS:fetch|!ARGS:/txt/|!ARGS:mesg|!ARGS:forward|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:footer_scripts|!ARGS:advBannerMessage|!ARGS:u|!ARGS:/header/|!ARGS:action|!ARGS:cptpl_dir|!ARGS:arg6|!ARGS:dbhost|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:cat_sponsor|!ARGS:stretch|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:contactMessage|!ARGS:var_value[usps_labels_help_2]|!ARGS:short_story|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:soundname|!ARGS:bbcode_tpl|!ARGS:/link/|!ARGS:faqText|!ARGS:request_uri|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:Comentario|!ARGS:dynadata[_SIGNATURE]|!ARGS:paypal_ipn|!ARGS:title|!ARGS:/frame/|!ARGS:l1_bdy|!ARGS:theMessage|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:uri|!ARGS:wp_home|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:base1|!ARGS:layout|!ARGS:EditorHTML|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:option[home]|!ARGS:sm_b_style|!ARGS:success|!ARGS:/^css/|!ARGS:short_story|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:statusaddress|!ARGS:revnews_ad_120|!ARGS:/sponsor_banner/|!ARGS:newText|!ARGS:PageCopy|!ARGS:amp;loc|!ARGS:option[78]|!ARGS:agendWebPage|!ARGS:/icon/|!ARGS:/ftp/|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:note|!ARGS:c_msg|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:helpbox|!ARGS:ureferrer|!ARGS:redir|!ARGS:refertoyouby|!ARGS:ret|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:referredby|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:notes|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:refer|!ARGS:oldmsg|!ARGS:/referer/|!ARGS:/refer/|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:bbcode_replace|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:fb_ref|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:ret|!ARGS:area|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:dynafield[_SIGNATURE]|!ARGS:payment_extrainfo|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,id:320164,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)',logdata:'%{MATCHED_VAR}'" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_URI|ARGS|!ARGS:/field_/|!ARGS:aim|!ARGS:/^field/|!ARGS:details|!ARGS:/^complete_action/|!ARGS:profile_id|!ARGS:api|!ARGS:/^option_value/|!ARGS:button_src|!ARGS:cc_list_id|!ARGS:/buzz/|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:back|!ARGS:^/xcpr_/|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:/export/|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/tripadvisor/|!ARGS:/iTunes/|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/target/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:embed_code|!ARGS:/^input_/|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:dest|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:wlp|!ARGS:hp|!ARGS:refsrc|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:input_3|!ARGS:file|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:sfhome|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/^obj_/|!ARGS:direct|!ARGS:fflv|!ARGS:direct|!ARGS:source_location/|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:go|!ARGS:resolution|!ARGS:catalogue_search_code|!ARGS:/link/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:/^utm/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:clickTag1|!ARGS:rf|!ARGS:payment_home|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:dcsref|!ARGS:lec_rm|!ARGS:n-state|!ARGS:CP_email|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:/^clickTagFrame/|!ARGS:/^attr/|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodLogo|!ARGS:prodDownload|!ARGS:/^V_feed/|!ARGS:itemIntro|!ARGS:photo|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:/^GARS_existing/|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:loc|!ARGS:/body/|!ARGS:/^product_long/|!ARGS:/server/|!ARGS:/content/|!ARGS:banner_top|!ARGS:banners_list|!ARGS:heading|!ARGS:packageComments|!ARGS:cl_post|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:/footer/|!ARGS:FAQTitle|!ARGS:host|!ARGS:/text/|!ARGS:whereto|!ARGS:item[content]|!ARGS:pathToPiwik|!ARGS:email_sig|!ARGS:minicms_content|!ARGS:feed|!ARGS:/^artsee_banner_/|!ARGS:fetch|!ARGS:pingback_service|!ARGS:/hostname/|!ARGS:/http/|!ARGS:f_content|!ARGS:email_forward|!ARGS:bannercode|!ARGS:mesg|!ARGS:forward|!ARGS:atc_content|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:question_content|!ARGS:u|!ARGS:header|!ARGS:action|!ARGS:cptpl_dir|!ARGS:file_contents|!ARGS:contents|!ARGS:arg6|!ARGS:dbhost|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:stretch|!ARGS:cat_sponsor|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:relocate|!ARGS:add_fd3|!ARGS:headers-28|!ARGS:soundname|!ARGS:bbcode_tpl|!ARGS:faqText|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:Comentario|!ARGS:/^dynadata/|!ARGS:paypal_ipn|!ARGS:title|!ARGS:right_frame|!ARGS:l1_bdy|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:wp_home|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:vars[DBhostname]|!ARGS:base1|!ARGS:cart_header|!ARGS:layout|!ARGS:short_story|!ARGS:/sponsor_banner/|!ARGS:newText|!ARGS:PageCopy|!ARGS:amp;loc|!ARGS:f_header|!ARGS:option[78]|!ARGS:savecontent|!ARGS:agendWebPage|!ARGS:/ftp/|!ARGS:gen_header|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:c_msg|!ARGS:note|!ARGS:domain|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:clickTAG|!ARGS:problem|!ARGS:default_banner|!ARGS:archive_chrono|!ARGS:home|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:helpbox|!ARGS:redir|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:filecontent|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:FULL_URL|!ARGS:HOMEPAGE_URL|!ARGS:ATTACHMENTS_URL|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:oldmsg|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:signature|!ARGS:disc|!ARGS:utmr|!ARGS:user[signature]|!ARGS:Query|!ARGS:steps|!ARGS:bbcode_replace|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:goto|!ARGS:from|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:msgpreview|!ARGS:fb_ref|!ARGS:notes|!ARGS:pn_domain|!ARGS:newidentities[0][signature]|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:pp_bio_content|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:BLK_block_content|!ARGS:ret|!ARGS:Store_CustomerEmail_Header|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:area|!ARGS:content|!ARGS:/^data\[tt_content\]/|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:newcontent|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:data[Email][comment]|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:home_top|!ARGS:Store_OUI_GlobalFooter|!ARGS:map|!ARGS:dynafield[_SIGNATURE]|!ARGS:payment_extrainfo|!ARGS:cta_content|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:cta_content|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:code|!ARGS:p_content|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:lowercase,multimatch,id:320165,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)',logdata:'%{MATCHED_VAR}',chain" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /link_list.js.php> SecRuleRemoveById 340003 340020 340158 </LocationMatch> <LocationMatch /ajax_get_file_listing.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /cgi-bin/send.pl> SecRuleRemoveById 340158 340147 340148 341049 340157 </LocationMatch> <LocationMatch /send_mail_with_attachment.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /ts_manage.php> SecRuleRemoveById 340162 340163 340165 350147 350148 </LocationMatch> <LocationMatch /plugins/eqdkp_uploader/dialog.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /plugins/eqdkp_lightbox/dialog.php> SecRuleRemoveById 340162 340163 </LocationMatch> <LocationMatch /admin/addEditProperties.php> SecRuleRemoveById 340147 340148 340149 350147 350148 </LocationMatch> <LocationMatch /muokkaa_suomi.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /cms/setpage.php> SecRuleRemoveById 340147 340148 340149 350147 350148 </LocationMatch> <LocationMatch /quick_updates.php> SecRuleRemoveById 390707 </LocationMatch> <LocationMatch /custom404css.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /extra_info_pages.php> SecRuleRemoveById 340113 341211 </LocationMatch> <LocationMatch /wp-admin/edit-tags.php> SecRuleRemoveById 340162 340163 </LocationMatch> <LocationMatch /qrcode/img.php> SecRuleRemoveById 340162 340163 </LocationMatch> <LocationMatch /randomimage.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /acp/user.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /save_page_settings.php> SecRuleRemoveById 340147 340148 340149 350147 350148 </LocationMatch> <LocationMatch /admin/changedata.php> SecRuleRemoveById 340162 340163 </LocationMatch> <LocationMatch /cadmin/index.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /magento/index.php/banner> SecRuleRemoveById 390572 </LocationMatch> <LocationMatch /factor_edit.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /admin/options/editpl.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /upload/scripts/ajax.sfsyncphotos.php> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /adminepharmac.php> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /siteadmin/leafs/addinline> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /dmxEditor/dialogs/upload.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /plugins/system/phpimageeditor/index.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /galeria/thumbs.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /prize_posting.php> SecRuleRemoveById 390572 </LocationMatch> <LocationMatch /clientservices.php> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /ajax_save_name.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /ckeditor/xss> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /muuta.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /admin-osb.php > SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /envoi-code.html> SecRuleRemoveById 340128 SecRuleRemoveById 350147 340159 SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 380018 </LocationMatch> <LocationMatch /tiki-edit_css.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /admin/index.cfm> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /e107_plugins/sgallery/showpic.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /modules/mod_rar_radio/tmpl/player/player.php> SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /admin/editPackage.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /systeembeheer/mysql> SecRuleRemoveById 350147 340159 SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /view_system_style_source.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /admin/autorisierung.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /updatetemp.html> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /admin_zoej.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /content/item/edit/> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /cgi-bin/helpdesk/ajax.cgi> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /ajax_image_thumbnail.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /ajax_delete_file.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /tools/reacties.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /administration/basic_settings.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /fdlhq/admin/config.php> SecRuleRemoveById 340162 340163 340165 </LocationMatch> <LocationMatch /admin-osb.php> SecRuleRemoveById 340149 </LocationMatch> <LocationMatch /sysext/tstemplate/> SecRuleRemoveById 340145 390572 </LocationMatch> <LocationMatch /dbadmin/> SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /tbl_structure.php> SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /imagens.php> SecRuleRemoveById 340165 340162 340163 </LocationMatch> <LocationMatch /app_dev.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /generator/index.php> SecRuleRemoveById 390712 </LocationMatch> <LocationMatch /admin/item_processor.php> SecRuleRemoveById 340165 340162 340163 </LocationMatch> <LocationMatch /editcode/> SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /admin/pages/thememail.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /admin/pages/themechooser.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /thumbopen.php> SecRuleRemoveById 340162 340165 340006 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:src "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "capture,phase:2,deny,status:403,id:341726,chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',logdata:'%{MATCHED_VAR}'" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:/redirect/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/redir/|!ARGS:src "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "capture,phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:341727,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',logdata:'%{MATCHED_VAR}'" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /sendmessage.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /admin-themes-editor.php> </LocationMatch> <LocationMatch /kangooadmin/index.php> SecRuleRemoveById 340162 SecRuleRemoveById 340163 </LocationMatch> <LocationMatch /business_profile_engine.php> SecRuleRemoveById 350147 350148 340029 </LocationMatch> <LocationMatch /backmin/index.php> SecRuleRemoveById 340147 340148 340149 350147 350148 340113 341211 </LocationMatch> <LocationMatch /livechat/ajax/footprints.php> SecRuleRemoveById 340165 </LocationMatch> <LocationMatch /typo3conf/> SecRuleRemoveById 340145 </LocationMatch> <LocationMatch /ntunnel_mysql.php> SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /magmi_saveprofile.php> SecRuleRemoveById 340009 </LocationMatch> <LocationMatch /magmi_saveconfig.php> SecRuleRemoveById 340009 340006 340007 </LocationMatch> <LocationMatch /details.php > SecRuleRemoveById 390614 </LocationMatch> <LocationMatch /detail_ispravak.php> SecRuleRemoveById 350147 350148 </LocationMatch> <LocationMatch /page/addedit.php> SecRuleRemoveById 340006 340007 </LocationMatch> <LocationMatch /booking_apartman_podaci.php> SecRuleRemoveById 340145 </LocationMatch> <LocationMatch /sfpadmin.php> SecRuleRemoveById 340009 340147 340148 340149 350147 350148 340113 SecRuleRemoveById 340162 340163 </LocationMatch> <LocationMatch /iwp/ajax.php> SecRuleRemoveById 340162 340163 </LocationMatch> <LocationMatch /setup/config.php> SecRuleRemoveById 340009 </LocationMatch> <LocationMatch /ziegenproblem.php> SecRuleRemoveById 340145 </LocationMatch> <LocationMatch /image.php> SecRuleRemoveById 340162 340165 340006 SecRuleRemoveById 340163 SecRule ARGS|!ARGS:/url/|!ARGS:f "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "capture,phase:2,deny,status:403,id:341737,chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',logdata:'%{MATCHED_VAR}'" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" SecRule ARGS|!ARGS:/url/|!ARGS:f "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \ "capture,phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:htmlEntityDecode,t:lowercase,multimatch,id:341738,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS',logdata:'%{MATCHED_VAR}'" SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" </LocationMatch> <LocationMatch /unesi.komentar.inc.php> SecRuleRemoveById 340162 340165 340163 </LocationMatch> <LocationMatch /tiki-auto_save.php> SecRuleRemoveById 340147 340148 340149 350147 350148 </LocationMatch> <LocationMatch /querywindow.php> SecRuleRemoveById 350147 340159 SecRuleRemoveById 340016 340155 SecRuleRemoveById 350147 SecRuleRemoveById 350148 SecRuleRemoveById 340017 SecRuleRemoveById 340144 SecRuleRemoveById 340145 331025 331026 331027 331028 SecRuleRemoveById 340146 SecRuleRemoveById 340155 SecRuleRemoveById 340156 SecRuleRemoveById 340157 SecRuleRemoveById 340159 SecRuleRemoveById 340160 SecRuleRemoveById 340162 340165 SecRuleRemoveById 340163 SecRuleRemoveById 340164 SecRuleRemoveById 340165 SecRuleRemoveById 380019 SecRuleRemoveById 380020 SecRuleRemoveById 380022 380121 380122 SecRuleRemoveById 380023 SecRuleRemoveById 380024 SecRuleRemoveById 380025 381025 380126 SecRuleRemoveById 390572 SecRuleRemoveById 390711 </LocationMatch> <LocationMatch /static_content_editresult_mobile.php> SecRuleRemoveById 340147 340148 340149 350147 350148 </LocationMatch> <LocationMatch /admin/form/configuration.php> SecRuleRemoveById 340162 340163 </LocationMatch>
Copyright ©2k19 -
Hexid
|
Tex7ure