

SOLVED [CPANEL-23314] CSF Suspicious File Alerts (/tmp/pma_template_compiles) after V76 Update

Discussion in 'Security' started by tui, Oct 27, 2018.

  1. tui (Well-Known Member, Mexico, cPanel Access Level: Root Administrator)

    Hello,

    I know that CSF/LFD is a non-cPanel product, so I do not want to discuss something about it directly (how to disable alerts, etc.).

    After v76 I started to receive these alerts:

    Code:
    Suspicious File Alert
    File: /tmp/pma_template_compiles_cpanelaccount/twig/xx/largenumbersandlettersfilename.php

    These alerts started to appear after the v76 update, apparently at random times. I first saw it on a new server that I deployed last week, then I started to receive these alerts from my other servers that I updated to v76.

    The path is almost always the same; the only things that change are the cpanelaccount, the folder after pma_template_compiles_cpanelaccount and the PHP filename.

    I'm not looking for a way or some response about how to disable CSF/LFD alerts; I want to know if v76 has a new behavior with PHP files or what is causing the creation of these files on the server.
     
  2. cPanelMichael (Technical Support Community Manager, Staff Member, cPanel Access Level: Root Administrator)

    Hello Everyone,

    Internal case CPANEL-23314 is open to address an issue in cPanel & WHM version 76 where accessing phpMyAdmin as a cPanel user leads to the creation of pma_template_compiles_$user files in the system's /tmp directory. While this doesn't lead to any direct issues with cPanel & WHM itself, it's contrary to the behavior seen in applications such as Horde and Roundcube where temporary files are stored in the /home/$user/tmp/ directory.

    This can lead to false positives from applications such as CSF that monitor the system's /tmp directory for suspicious files. I'll monitor this case and update this thread with more information on its status as it becomes available.

    In the meantime, anyone receiving these alerts from CSF can read the following section from the CSF ReadMe for information on how the Directory Watching feature works and how to configure it to ignore false positives:

    Code:
    9. Directory Watching
    #####################
    
    Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent
    directories for suspicious files, i.e. script exploits.
    
    If a suspicious file is found an email alert is sent using the template
    filealert.txt.
    
    NOTE: Only one alert per file is sent until lfd is restarted, so if you remove
    a suspicious file, remember to restart lfd.
    
    To remove any suspicious files found during directory watching, enable the
    corresponding setting and the suspicious files will be appended to a tarball in
    /var/lib/csf/suspicious.tar and deleted from their original location. Symlinks
    are simply removed.
    
    If you want to extract the tarball to your current location, use:
    
    tar -xpf /var/lib/csf/suspicious.tar
    
    This will preserve the path and permissions of the original file.
    
    Any false-positives can be added to /etc/csf/csf.fignore and lfd will then
    ignore those listed files and directories.
    
    Within csf.fignore is a list of files that lfd directory watching will ignore.
    You must specify the full path to the file.
    
    You can also use perl regular expression pattern matching, for example:
    /tmp/clamav.*
    /tmp/.*\.wrk
    
    Remember that you will need to escape special characters (precede them with a
    backslash) such as \. \?
    
    Pattern matching will only occur with strings containing an asterisk (*),
    otherwise full file path matching will be applied.
    
    You can also add entries to ignore files owned by a particular user by
    preceding it with user:, for example:
    user:bob
    
    Note: files owned by root are ignored
    
    For information on perl regular expressions:
    http://www.perl.com/doc/manual/html/pod/perlre.html

    Here's a user-submitted example from this thread that shows how to add the pma_template_compiles_$user files in the system's /tmp directory to the CSF ignore list:

    Let us know if you have any questions.

    Thanks!
     
  3. tui (Well-Known Member)

    Oh! Excellent :)

    Do we have an ETA for this? Receiving dozens of alerts per hour per server for this issue is a bit annoying.
     
  4. cPanelMichael (Staff Member)

    Hi @tui,

    Update 11/06/2018: This is fixed in cPanel & WHM version 76.0.5 (tentatively planned for publication to the CURRENT tier on 11-07-2018 and to the RELEASE tier on 11-08-2018).

    Thank you.
     
  5. rpvw (Well-Known Member, Spain, cPanel Access Level: Root Administrator)

    You may be able to stop the emails from CSF until the cPanel fix is published by adding a down-and-dirty regex to the /etc/csf/csf.fignore file

    Something like:
    Code:
    # regex entry: pattern matching applies because the line contains an asterisk
    /tmp/pma_template_compiles_.*
     
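The csf.fignore rules described in the CSF readme quoted in post 2 (exact path, `user:` prefix, regex when the line contains an asterisk, root-owned files skipped) and the regex entry from post 5, modelled in Python as an added example. This is not code from CSF, cPanel or anyone in this thread: the sample file list and usernames are constructed, Python's re module stands in for Perl's regex engine, and whether lfd matches the pattern against the whole path or anywhere in it is not stated in the readme, so the code tries both and shows why `_*` only works in one of them while `_.*` works in either.

```python
import re

# Constructed sample of what lfd's Directory Watching might find, as
# (path, owner). Paths follow the shape of the alert quoted in the thread;
# the usernames are made up for this example.
SAMPLE_FILES = [
    ("/tmp/pma_template_compiles_alice/twig/3f/3f9c1e0b7a2d4c8e91f0.php", "alice"),
    ("/tmp/pma_template_compiles_bob/twig/a1/a1b2c3d4e5f6071829ab.php", "bob"),
    ("/tmp/clamav-9f2a1c.tmp", "clamav"),
    ("/tmp/sess_4f8e2a.wrk", "carol"),
    ("/tmp/.x/r00t.php", "root"),
    ("/tmp/shell.php", "carol"),
]


def parse_fignore(text):
    """Parse csf.fignore text into (kind, value) rules.

    Per the CSF readme: 'user:NAME' ignores everything NAME owns, a line
    containing '*' is treated as a Perl regex, and any other line is a full
    path matched exactly. '#' comment lines and blank lines are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("user:"):
            rules.append(("user", line[len("user:"):].strip()))
        elif "*" in line:
            rules.append(("regex", re.compile(line)))  # Python re is close to perlre here
        else:
            rules.append(("path", line))
    return rules


def is_ignored(path, owner, rules, anchored=False):
    """True if lfd would not alert on this file under these rules.

    anchored=False applies a regex anywhere in the path (re.search);
    anchored=True requires the whole path to match (re.fullmatch). Which
    one lfd really uses is an assumption left open here, so a good entry
    should work under both.
    """
    if owner == "root":
        return True  # readme: files owned by root are ignored
    for kind, value in rules:
        if kind == "user" and owner == value:
            return True
        if kind == "path" and path == value:
            return True
        if kind == "regex":
            hit = value.fullmatch(path) if anchored else value.search(path)
            if hit:
                return True
    return False


def alerts(files, fignore_text, anchored=False):
    """Return the paths that would still trigger a Suspicious File Alert."""
    rules = parse_fignore(fignore_text)
    return [p for p, owner in files if not is_ignored(p, owner, rules, anchored)]


# The thread's down-and-dirty entry: '_*' means 'zero or more underscores',
# so it only covers the compile files when the match is unanchored.
LOOSE = r"/tmp\/pma_template_compiles_*"
# The intended entry: '_.*' covers the per-account directory and everything below it.
STRICT = r"/tmp/pma_template_compiles_.*"

if __name__ == "__main__":
    for label, text in (("loose", LOOSE), ("strict", STRICT)):
        for anchored in (False, True):
            mode = "fullmatch" if anchored else "search"
            print(label, mode, alerts(SAMPLE_FILES, text, anchored))
```

Running it shows that `/tmp/shell.php` alerts under every rule set (as it should), that the loose entry stops covering the phpMyAdmin directories as soon as the match is anchored, and that the strict entry behaves the same either way. Because the matching is unanchored in one of the two modes, prefer entries that start with the watched directory (`/tmp/...`) rather than a bare filename fragment.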
  6. cPanelMichael (Staff Member)

    Hello Everyone,

    To update, this is fixed in cPanel & WHM version 76.0.5:

    Fixed case CPANEL-23314: Update cpanel-phpmyadmin to 4.8.3-2.cp1176.

    This version is currently published to the EDGE release tier, and should make its way to the CURRENT release tier tomorrow. If all goes well, it will reach the RELEASE tier on Thursday. You can learn more about our release tiers by clicking here.

    Thank you.
     
  7. DennisMidjord (Well-Known Member, Denmark, cPanel Access Level: Root Administrator)

    Great news, thanks!
     
  8. cPanelMichael (Staff Member)

    Hello Everyone,

    I want to point out that while this is fixed for new phpMyAdmin sessions in cPanel & WHM version 76.0.5, the existing /tmp/pma_template_compiles_resources* files/directories are not automatically removed after the update. The existing files/directories will need to be manually removed from the system's /tmp directory after the update to avoid additional notifications from CSF.

    The compile files are now stored at /var/cpanel/userhomes/cpanelphpmyadmin/tmp for root phpMyAdmin sessions, and /home/$USER/tmp when cPanel users access phpMyAdmin.

    Thank you.
     
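The manual clean-up described in post 8, written out as an added example (this is not a script from cPanel, CSF or anyone in this thread). It assumes the directory names always begin with `pma_template_compiles_` as in the alerts quoted above, uses the presence of a `twig/` subdirectory as a sanity check before deleting anything (an assumption of this example, not something the thread states), and appends each directory to a tarball of its own before removal so a wrong guess is recoverable; the archive path is made up and deliberately not CSF's `/var/lib/csf/suspicious.tar`. The lfd restart follows the readme note that one alert per file is sent until lfd is restarted.

```sh
#!/bin/sh
# Added example: archive and remove the stale /tmp/pma_template_compiles_<user>
# directories that remain after updating to 76.0.5, then restart lfd.
# Assumptions (not from the thread): the name prefix pma_template_compiles_,
# the twig/ subdirectory check, and the archive path below.

# cleanup_pma_compiles [tmpdir] [archive]
# Prints the number of directories removed. Each directory is appended to the
# tar archive first, so it can be restored with: tar -xpf ARCHIVE -C TMPDIR
cleanup_pma_compiles() {
    tmpdir="${1:-/tmp}"
    archive="${2:-/var/lib/csf/pma_template_compiles.tar}"
    count=0
    # The trailing slash makes the glob match directories only; symlinks are
    # then dropped explicitly, because a symlink could point anywhere.
    for d in "$tmpdir"/pma_template_compiles_*/; do
        d="${d%/}"
        if [ ! -d "$d" ]; then
            continue   # no match: the literal pattern is left in $d
        fi
        if [ -L "$d" ]; then
            echo "skipping $d: symlink, inspect it by hand" >&2
            continue
        fi
        if [ ! -d "$d/twig" ]; then
            echo "skipping $d: no twig/ subdirectory, inspect it by hand" >&2
            continue
        fi
        name="${d##*/}"
        if [ -f "$archive" ]; then
            tar -rf "$archive" -C "$tmpdir" "$name"
        else
            tar -cf "$archive" -C "$tmpdir" "$name"
        fi
        rm -rf -- "$d"
        count=$((count + 1))
    done
    printf '%s\n' "$count"
}

# lfd sends one alert per file until it is restarted (readme section 9),
# so restart it once the directories are gone.
restart_lfd() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart lfd
    else
        service lfd restart
    fi
}

# Only touch the real /tmp when explicitly asked:  sh cleanup.sh --run
if [ "${1:-}" = "--run" ]; then
    n=$(cleanup_pma_compiles /tmp)
    echo "archived and removed $n stale compile directories"
    restart_lfd
fi
```

Run it as root once after the update. Anything the function skips (a symlink, or a directory without `twig/`) is printed to stderr and left in place for a manual look, since a name that merely resembles the phpMyAdmin cache is exactly the kind of file lfd is there to catch.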
  9. rpvw (Well-Known Member)

    Wish I had read this before I removed the regex from the csf.fignore file.

    Note to self: always read what Dr. Michael tells us to do!
     