
mod_security to stop xss attacks


blasto

12:02 pm on Mar 22, 2006 (gmt 0)

Hi,
First of all, I think this forum is the right place for mod_rewrite, but my question is about mod_security and I couldn't find anywhere else for it, so your suggestions for another forum or for solution ideas are all welcome.

I've been running a Mambo site (xp+apache+php+mysql+mambo) for a while without any problems. The site became more popular and I installed the mod_security module. I'm using it with the bundled rules, and nowadays I'm reading some PHP warning messages in the Apache error.log, like:

[client 195.140.135.xx] PHP Warning: main(http://ess.quux_foo.net/therules.dat): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden\r\n in http://example.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13
[client 195.140.135.xx] PHP Warning: main(): Failed opening 'http://ess.quux-foo.net/therules.dat' for inclusion (include_path='.;c:\\php4\\pear') in http://example.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13

[client 200.67.229.xx] PHP Warning: main(?/includes/HTML_toolbar.php): failed to open stream: No such file or directory in \\www\\contenttab.php on line 13
[client 200.67.229.xx] PHP Fatal error: main(): Failed opening required '?/includes/HTML_toolbar.php' (include_path='.;c:\\php4\\pear') in \\www\\contenttab.php on line 13

Those warning and error messages are from the Apache error.log file; nothing is printed out to the browser. BTW, those URLs (example.com, ess.quux-foo.net) do not belong to me; I guess they are what is called cross sites, hosting some kind of compromised code to redirect attacks. My mod_security config catches most of the similar types of cross-site attacks.
How should I define new rules for mod_security to match these patterns and deny them before PHP gives warnings and fatal errors?
Thanks

[edited by: jdMorgan at 3:48 pm (utc) on Mar. 22, 2006]
[edit reason] Exemplified (dangerous) URLs. See TOS. [/edit]
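As an added illustration, not part of the original thread, here is a small Python scanner for the error.log pattern quoted in the post: it parses the PHP warning lines, pulls out the client IP, the path main() tried to include and the file that was executing, and classifies each event so the affected clients can be reviewed. The sample lines are constructed from the post's excerpt with placeholder IPs; the classification names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the post's error.log excerpt; IPs are placeholders.
SAMPLE_LOG = r"""
[client 195.140.135.1] PHP Warning: main(http://ess.quux-foo.net/therules.dat): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden\r\n in http://example.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13
[client 195.140.135.1] PHP Warning: main(): Failed opening 'http://ess.quux-foo.net/therules.dat' for inclusion (include_path='.;c:\\php4\\pear') in http://example.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13
[client 200.67.229.2] PHP Warning: main(?/includes/HTML_toolbar.php): failed to open stream: No such file or directory in \\www\\contenttab.php on line 13
[client 200.67.229.2] PHP Fatal error: main(): Failed opening required '?/includes/HTML_toolbar.php' (include_path='.;c:\\php4\\pear') in \\www\\contenttab.php on line 13
[client 10.0.0.9] PHP Notice: Undefined variable: foo in \\www\\index.php on line 7
"""

# Matches both forms seen in the log: the target inside main(...) or in a quoted 'Failed opening' message.
LINE_RE = re.compile(
    r"^\[client (?P<ip>[\d.]+)\] PHP (?P<level>Warning|Fatal error): main\((?P<paren>[^)]*)\):"
    r"(?: Failed opening (?:required )?'(?P<quoted>[^']*)')?.* in (?P<script>\S+) on line (?P<line>\d+)$"
)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

@dataclass
class IncludeEvent:
    ip: str
    target: str   # what main() tried to include
    script: str   # the file that was executing when the include failed
    kind: str     # classification from classify()

def classify(target: str, script: str) -> str:
    if SCHEME_RE.match(script):
        # The executing file is itself a URL: a remote include already ran and is fetching a second stage.
        return "remote-code-running"
    if SCHEME_RE.match(target):
        return "remote-include-attempt"
    if target.startswith("?") or "?/" in target:
        return "unresolved-path-include"   # include path built from an unset or filtered variable
    return "other"

def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m.group("paren") or m.group("quoted") or ""
    return IncludeEvent(m.group("ip"), target, m.group("script"), classify(target, m.group("script")))

def scan(log_text: str):
    return [ev for ev in map(parse_line, log_text.strip().splitlines()) if ev is not None]

def clients_by_kind(log_text: str):
    summary = {}
    for ev in scan(log_text):
        summary.setdefault(ev.ip, set()).add(ev.kind)
    return summary
```

Events classed as remote-code-running show the remote file was already fetched and executed by PHP, which is why a rule that rejects the request before PHP runs is the goal.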