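# Query-string filter: the visible tail of an [OR] chain. A match on any one
# condition triggers the RewriteRule at the end. %{QUERY_STRING} is matched as
# sent (not URL-decoded), which is why percent-encoded alternatives are listed.
#
# NOTE(review): literal "(", ")", "+" and "*" are backslash-escaped below.
# Unescaped, they leave groups unbalanced or begin with a bare quantifier, so
# the expression does not compile; an unescaped "/*" can also match the empty
# string, making its condition fire on a lone quote or bracket.
# The broad keywords (null, exec, set, order, get, update, ...) match as
# substrings, so expect false positives on ordinary parameters; review the
# list against the application's real query strings.

# base64_encode( ... ) / base64_decode( ... ), each letter also accepted in
# percent-encoded form.
RewriteCond %{QUERY_STRING} (b|%62|%42)(a|%61|%41)(s|%73|%53)(e|%65|%45)(6|%36)(4|%34)(_|%5f)(e|%65|%45|d|%64|%44)(e|%65|%45|n|%6e|%4e)(c|%63|%43)(o|%6f|%4f)(d|%64|%44)(e|%65|%45)(.*)(\()(.*)(\)) [NC,OR]
# PHP ini directive names, file/process function names, and scanner or
# web-shell tool names.
RewriteCond %{QUERY_STRING} (allow_url_(fopen|include)|auto_prepend_file|blexbot|browsersploit|(c99|php)shell|curltest|disable_functions?|document_root|elastix|encodeuricom|exec|exploit|fclose|fgets|fputs|fsbuff|fsockopen|gethostbyname|grablogin|hmei7|input_file|load_file|null|open_basedir|outfile|passthru|popen|proc_open|quickbrute|remoteview|root_path|safe_mode|shell_exec|site((.){0,2})copier|sux0r|trojan|wget|xertive) [NC,OR]
# A quote, angle bracket, ")", ";" or CR/LF/NUL (raw or percent-encoded)
# followed later by an SQL or script keyword or a "/*" comment opener.
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0a|%0d|%22|%27|%3c|%3e|%00)(.*)(/\*|alter|base64|benchmark|cast|char|concat|convert|create|encode|declare|delete|drop|insert|md5|order|request|script|select|set|union|update) [NC,OR]
# SQL keyword delimited by "+" (or %2b) on both sides.
RewriteCond %{QUERY_STRING} ((\+|%2b)(concat|delete|get|select|union)(\+|%2b)) [NC,OR]
# "union" ... "select" ... followed by an opening parenthesis (raw or %28).
RewriteCond %{QUERY_STRING} (union)(.*)(select)(.*)(\(|%28) [NC,OR]
# "concat" ... followed by an opening parenthesis. Last condition in the
# chain, so it carries no OR flag.
RewriteCond %{QUERY_STRING} (concat)(.*)(\(|%28) [NC]
# Answer any request that matched the chain with 403 Forbidden.
RewriteRule .* - [F,L]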
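# Optional logging variant, left commented out. RewriteCond lines bind only to
# the first RewriteRule that follows them, so this rule has to replace the
# [F,L] rule above rather than be enabled alongside it; as a second rule it
# would carry no conditions and rewrite every request that was not blocked to
# the log script. %1-%3 are captures taken from the request, so the log script
# must treat the value as untrusted input when writing or displaying it.
# RewriteRule .* /moban_log.php?log [L,NE,E=moban_QUERY_STRING:%1___%2___%3]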
</IfModule>
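# moban:[REQUEST URI]
# NOTE(review): several patterns in this section look as if their backslash
# escapes were stripped (a bare "(", "+", "*", "?" or "." where a literal
# character is clearly meant). As written, some will not compile as regular
# expressions and others match far more than intended: the ".php" condition,
# for example, would match an ordinary URL ending in ".php". Restore the
# escaping from a trusted copy of the ruleset, then verify on a staging host
# that every pattern compiles and that normal requests are not rejected.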
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_URI} !(moban_log.php) [NC]
RewriteCond %{REQUEST_URI} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{REQUEST_URI} (=?\('|%27)/?)(.) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(*|"|'|.|,|&|&?)/?$ [NC,OR]
RewriteCond %{REQUEST_URI} (.)(php)(()?([0-9]+)())?(/)?$ [NC,OR]
RewriteCond %{REQUEST_URI} (/)(vbulletin|boards|vbforum)(/)? [NC,OR]
RewriteCond %{REQUEST_URI} (^|~|`|<|>|,|%|\|{|}|[|]||) [NC,OR]
RewriteCond %{REQUEST_URI} (.(s?ftp-?)config|(s?ftp-?)config.) [NC,OR]
RewriteCond %{REQUEST_URI} ({0}|"?0"?="?0|(/(|...|+++|\") [NC,OR]
RewriteCond %{REQUEST_URI} (thumbs?(_editor|open)?|tim(thumbs?)?)(.php) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(fck|ckfinder|fullclick|ckfinder|fckeditor) [NC,OR]
RewriteCond %{REQUEST_URI} (.|20)(get|the)(_)(permalink|posts_page_url)(() [NC,OR]
RewriteCond %{REQUEST_URI} (///|??|/&&|/*(.*)*/|/:/|\\|0x00|%00|%0d%0a) [NC,OR]
RewriteCond %{REQUEST_URI} (/%7e)(root|ftp|bin|nobody|named|guest|logs|sshd)(/) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(etc|var)(/)(hidden|secret|shadow|ninja|passwd|tmp)(/)?$ [NC,OR]
RewriteCond %{REQUEST_URI} (s)?(ftp|http|inurl|php)(s)?(:(/|%2f|%u2215)(/|%2f|%u2215)) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(=|$&?|&?(pws|rk)=0|_mm|_vti_|cgi(.|-)?|(=|/|;|,)nt.) [NC,OR]
RewriteCond %{REQUEST_URI} (.)(conf(ig)?|ds_store|htaccess|htpasswd|init?|mysql-select-db)(/)?$ [NC,OR]
RewriteCond %{REQUEST_URI} (/)(bin)(/)(cc|chmod|chsh|cpp|echo|id|kill|mail|nasm|perl|ping|ps|python|tclsh)(/)?$ [NC,OR]
RewriteCond %{REQUEST_URI} (/)(::[0-9999]|%3a%3a[0-9999]|127.0.0.1|localhost|loopback|makefile|pingserver|wwwroot)(/)? [NC,OR]
RewriteCond %{REQUEST_URI} ((null)|{$itemURL}|cAsT(0x|echo(.*)kae|etc/passwd|eval(|self/environ|+union+all+select) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(awstats|(c99|php|web)shell|document_root|error_log|listinfo|muieblack|remoteview|site((.){0,2})copier|sqlpatch|sux0r) [NC,OR]
RewriteCond %{REQUEST_URI} (/)((php|web)?shell|conf(ig)?|crossdomain|fileditor|locus7|nstview|php(get|remoteview|writer)|r57|remview|sshphp|storm7|webadmin)(.*)(.|() [NC,OR]