Perhaps you should add the mod_sec rules first? Or has it been missing?
The path for mod_sec was /usr/local/apache/conf/
Btw, some C99 shells have successfully made themselves "disappear" from ClamAV.
ClamAV cannot recognize that special C99 as a trojan/virus.
So ClamAV will be of no use in that case.
Mod_Sec is only the first gate, with its rules.
If PHP shells sometimes get through it, the last defense is phpSuexec (suPHP is better) and PHP disable_functions.
And of course Suhosin.
The most important thing is how to prevent that script from reading/writing all files and directories on our servers.
It can be done with PHP disable_functions and PHP privileges per user.
Are you sure that the php.ini being used (with disable_functions edited) is the right php.ini for all web users?
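
One way to check the last question in the post above, as an added example that is not part of the original post: a shell script that reads the effective `disable_functions` line from each php.ini given as an argument and reports which functions from a list are still enabled. The `RISKY` list and the function names `effective_disabled` and `missing_from` are assumptions made for this example; pass the path that `phpinfo()` reports as "Loaded Configuration File" for each site, plus any per-user php.ini files.

```shell
#!/bin/sh
# Added example: audit php.ini files for disable_functions coverage.
# RISKY is an assumed list of functions commonly disabled on shared hosting;
# adjust it to your own policy.
RISKY="exec passthru shell_exec system proc_open popen"

# Print the effective disable_functions value of one php.ini, space separated.
# ';' comments are stripped first, and the last assignment in the file is taken
# because later directives override earlier ones.
effective_disabled() {
    sed -n -e 's/[[:space:]]*;.*$//' \
           -e 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '"' | tr ',\t' '  ' | tr -s ' '
}

# Print the functions from RISKY that this php.ini leaves enabled.
missing_from() {
    disabled=" $(effective_disabled "$1") "
    out=""
    for f in $RISKY; do
        case "$disabled" in
            *" $f "*) ;;              # listed in disable_functions
            *) out="$out $f" ;;       # still callable from PHP
        esac
    done
    echo "${out# }"
}

# Report for every php.ini path given on the command line.
for ini in "$@"; do
    left=$(missing_from "$ini")
    echo "$ini: ${left:-all listed functions disabled}"
done
```

If two sites report different results, they are not loading the same php.ini, which is the situation the post asks about.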