How to block a POST Text string using mod security ?

I have mod sec installed on my cpanel server and I have installed common rules etc, but i want to block a defacement bot which is modifying files through an as yet unidentified flaw in a file somewhere

an identifying part of the script it appends to files contains the text string "a9a007"

so i thought it should be possible to block this in query urls etc using mod security as an interim measure ?

 

thx added the rules

Having real problems trying to find the source, initially the hacker was uploading somehow a file to our server in a directory, the file was randomly named and contained a series of php code to find flaws in security (none disabled functions in php.ini etc)

We found this file, disabled any functions it might use

We are still getting attacked "successfully" once or twice a week with redirector code being added to .php and .html files on our site !!!
(Note nothing since adding the mod sec extra rules but this is very early days)

trying to find how they are gaining access and not really getting anywhere
checked messages log but nothing happening around the time of attacks
checked domain logs but nothing happening at time of attacks

any other pointers of where / how to check ?

 

the only facet of info I have found is from an older attack where an ip address was continuously over a very short timeframe so obviously a script accessing our forums (an old derivative of phpnuke / phpbb 2)

http://ourdomain.com/ftoptitle-137109.html&sa=U&ei=JBgnUdXtNaTg0QHZw4CICg&ved=0CLsBEBYwMTisAg&usg=AFQjCNG0v848-sF24eoGCwqcmgJywrALNA" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

this may or may not be a red herring though