SOLVED [CPANEL-23314] CSF Suspicious File Alerts (/tmp/pma_template_compiles) after V76 Update

[tui]

Hello,

I know that CSF/LFD is a non cPanel product, so i do not want to discuss something about it directly (how to disable alerts etc...).

After v76 i started to receive this alerts:

Suspicious File Alert
File: /tmp/pma_template_compiles_cpanelaccount/twig/xx/largenumbersandlettersfilename.php

This alerts started to appear after v76 update apparently in random times, i first see it on a new server that i deployed past week, then i started to receive this alerts from my other servers that i updated to v76

The path is almost always the same, the only thing that changes is the cpanelaccount, the folder after pma_template_compiles_cpanelaccount and the php filename

Im not looking a way or some response about how to disable CSF/LFD alerts, i want to know if v76 has a new behavior with php files or what is causing the creation of this files on server

 

[cPanelMichael]

Hello Everyone,

Internal case CPANEL-23314 is open to address an issue in cPanel & WHM version 76 where accessing phpMyAdmin as a cPanel user leads to the creation of pma_template_compiles_$user files in the system's /tmp directory. While this doesn't lead to any direct issues with cPanel & WHM itself, it's contrary to the behavior seen in applications such as Horde and Roundcube where temporary files are stored in the /home/$user/tmp/ directory.

This can lead to false positives from applications such as CSF that monitor the system's /tmp directory for suspicious files. I'll monitor this case and update this thread with more information on it's status as it becomes available.

In the meantime, anyone receiving these alerts from CSF can read the following section from the CSF ReadMe for information on how the Directory Watching feature works and how to configure it to ignore false positives:

9. Directory Watching
#####################

Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent
directories for suspicious files, i.e. script exploits.

If a suspicious file is found an email alert is sent using the template
filealert.txt.

NOTE: Only one alert per file is sent until lfd is restarted, so if you remove
a suspicious file, remember to restart lfd

To remove any suspicious files found during directory watching, enable
corresponding setting the suspicious files will be appended to a tarball in
/var/lib/csf/suspicious.tar and deleted from their original location. Symlinks
are simply removed.

If you want to extract the tarball to your current location, use:

tar -xpf /var/lib/csf/suspicious.tar

This will preserver the path and permissions of the original file.

Any false-positives can be added to /etc/csf/csf.fignore and lfd will then
ignore those listed files and directories.

Within csf.fignore is a list of files that lfd directory watching will ignore.
You must specify the full path to the file

You can also use perl regular expression pattern matching, for example:
/tmp/clamav.*
/tmp/.*\.wrk

Remember that you will need to escape special characters (precede them with a
backslash) such as \. \?

Pattern matching will only occur with strings containing an asterisk (*),
otherwise full file path matching will be applied

You can also add entries to ignore files owner by a particular user by
preceding it with user:, for example:
user:bob


Note: files owned by root are ignored

For information on perl regular expressions:
http://www.perl.com/doc/manual/html/pod/perlre.html

Here's a user-submitted example from this thread that shows how to add the pma_template_compiles_$user files in the system's /tmp directory to the CSF ignore list:

You may be able to stop the emails from CSF until the cPanel fix is published by adding a down-and-dirty regex to the /etc/csf/csf.fignore file

Something like:

/tmp\/pma_template_compiles_*

Let us know if you have any questions.

Thanks!

 

[tui]

Oh! Excellent

Does we have eta for this? receive dozens of alerts per hour per server for this issue a is bit annoying

 

[cPanelMichael]

Does we have eta for this? receive dozens of alerts per hour per server for this issue a is bit annoying

Hi @tui,

Update 11/06/2018: This is fixed in cPanel & WHM version 76.0.5 (tentatively planned for publication to the CURRENT tier on 11-07-2018 and to the RELEASE tier on 11-08-2018).

Thank you.

 

[rpvw]

You may be able to stop the emails from CSF until the cPanel fix is published by adding a down-and-dirty regex to the /etc/csf/csf.fignore file

Something like:

/tmp\/pma_template_compiles_*

 

[cPanelMichael]

Hello Everyone,

To update, this is fixed in cPanel & WHM version 76.0.5:

Fixed case CPANEL-23314: Update cpanel-phpmyadmin to 4.8.3-2.cp1176.

This version is currently published to the EDGE release tier, and should make it's way to the CURRENT release tier tomorrow. If all goes well, it will reach the RELEASE tier on Thursday. You can learn more about our release tiers by clicking here.

Thank you.

 

[DennisMidjord]

Great news, thanks!

 

[cPanelMichael]

Hello Everyone,

I want to point out that while this is fixed for new phpMyAdmin sessions in cPanel & WHM version 76.0.5, the existing /tmp/pma_template_compiles_resources* files/directories are not automatically removed after the update. The existing files/directories will need to be manually removed from the system's /tmp directory after the update to avoid additional notifications from CSF.

The compile files are now stored at /var/cpanel/userhomes/cpanelphpmyadmin/tmp for root phpMyAdmin sessions, and /home/$USER/tmp when cPanel users access phpMyAdmin.

Thank you.

 

[rpvw]

I want to point out that while this is fixed for new phpMyAdmin sessions in cPanel & WHM version 76.0.5, the existing /tmp/pma_template_compiles_resources* files/directories are not automatically removed after the update. The existing files/directories will need to be manually removed from the system's /tmp directory after the update to avoid additional notifications from CSF.

Wish I had read this before I removed the regex from the csf.fignore file

Note to self: - always read what Dr. Michael tells us to do !