Problem with ModSecurity and Maldetect

GenialRO

Registered
Mar 21, 2016
Romania
cPanel Access Level: Root Administrator
Hello,

Recently I installed Maldetect on my server, and now I have a problem when trying to upload a file from a PHP script.

In ModSecurity Tools I receive:
Request:
POST
/ajax/upload_img
Action Description:
Access denied with code 406 (phase 2).
Justification:
File "/tmp//20560321-15343-Vu-3v1Z6wzuB0pgAAAAT-file-u49s7m" rejected by the approver script "/usr/local/maldetect/modsec.sh": Linux Malware Detect v1.

What is the problem?

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Could you review /usr/local/apache/logs/error_log to determine the specific error message that's output when this happens?

Thank you.

GenialRO

Registered

This is what I found in error_log:
[Mon Mar 21 20:57:05.824179 2016] [:error] [pid 13413] [client 9x.1xx.xx0.141] ModSecurity: Access denied with code 406 (phase 2). File "/tmp//20160321-205705-VvBEAVZ6wzoAADRlrOAAAAAV-file-YqTblb" rejected by the approver script "/usr/local/maldetect/modsec.sh": Linux Malware Detect v1.5 [file "/usr/local/apache/conf/modsec2.user.conf"] [line "3"] [id "99"] [msg "Malware found"] [severity "CRITICAL"] [hostname "xxxxxx"] [uri "/ajax/upload_img"] [unique_id "VfEAVZ62zoAADRlrOAAAV"]

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level: DataCenter Provider
If you have this set up, you should know how it works. Maldet scanning hooks into modsec are very.... unpolished. Anyway, how it works is: the uploaded file is put into /tmp, scanned by maldet, and then, depending on whether the script returns a 0 or 1, the upload is denied or allowed.

You should have a rule somewhere in modsec2.user.conf or another include file that looks something like this:

SecRule "FILES_TMPNAMES" "@inspectFile /usr/local/maldetect/modsec.sh" "some actions / ID number here"

You could temporarily disable that rule, make modifications to whitelist your IP, or manually scan the file you are trying to upload with maldet to see why it is being detected and rejected.

I strongly recommend using clamdscan or CXS instead of maldet for this purpose. The maldet script is buggy and slow. See my post here: Log Checking
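Added example, not from this thread and not LMD's or cPanel's own code: a minimal approver script that implements the @inspectFile contract behind the modsec.sh hook described above. ModSecurity runs the script with the /tmp upload path as its argument and reads the first line it prints ("1" to approve, "0 <reason>" to reject, the reason being the text that shows up after "approver script ...:" in error_log); this version adds a decision log so the admin can see why a file was refused instead of only "Malware found". The scanner command, log path and environment variable names are assumptions; clamdscan's exit codes (0 clean, 1 infected, 2 error) are real.

```shell
#!/bin/sh
# Added example of a ModSecurity @inspectFile approver script, modelled on the
# modsec.sh hook discussed above (not LMD's own script). ModSecurity runs it
# with the temporary upload path as $1 and reads the FIRST line it prints:
#   "1"          -> approve; the SecRule does not match
#   "0 <reason>" -> reject; <reason> is the text after "approver script ...:"
#                   in the error_log entry shown in this thread
# Any other output is treated as a script error.

# Hypothetical settings. clamdscan exits 0 = clean, 1 = infected, 2 = error.
SCANNER="${UPLOAD_SCANNER:-clamdscan --no-summary --fdpass}"
LOGFILE="${UPLOAD_SCAN_LOG:-/var/log/upload-approver.log}"

# One line per decision, so an admin can see WHY an upload was refused
# instead of only "Malware found" in the ModSecurity audit log.
log_decision() {
    printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" "$2" \
        >>"$LOGFILE" 2>/dev/null || true
}

approve_upload() {
    file="$1"
    if [ ! -f "$file" ]; then
        log_decision "$file" "reject: not a regular file"
        echo "0 upload approver: not a regular file"
        return 0
    fi
    # Capture scanner output and exit status without tripping 'set -e'.
    if output=$($SCANNER "$file" 2>&1); then status=0; else status=$?; fi
    case "$status" in
        0)  log_decision "$file" "allow: clean"
            echo "1" ;;
        1)  # Report the signature line, e.g. "...: Eicar-Test-Signature FOUND".
            sig=$(printf '%s\n' "$output" | grep ' FOUND$' | head -n 1)
            reason="malware found"
            if [ -n "$sig" ]; then reason="$reason: ${sig##*: }"; fi
            log_decision "$file" "reject: $reason"
            echo "0 $reason" ;;
        *)  # Fail closed: a broken scanner blocks uploads instead of letting
            # unscanned files through. The log line points the admin at the
            # scanner, not the rule. Use "echo 1" here to fail open instead.
            log_decision "$file" "reject: scanner error (exit $status): $output"
            echo "0 upload scanner error (exit $status)" ;;
    esac
    return 0
}

# Stand-alone use: ./approver.sh /tmp/upload-file
if [ -n "${1:-}" ]; then approve_upload "$1"; fi
```

Point the SecRule's @inspectFile at this script in place of modsec.sh and the rejection reason printed here is what ModSecurity records in its error_log justification.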

GenialRO

Registered

@quizknows, thanks for the help. I installed CXS and now everything is working fine.