Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Problem with ModSecurity and Maldetect

Discussion in 'Security' started by GenialRO, Mar 21, 2016.

  1. GenialRO

    GenialRO Registered

    Joined:
    Mar 21, 2016
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    Hello,

    Recently i have installed Maldetect on my server and now i have problem when try to upload file from php script.

    In ModSecurity Tools i recive:
    Request:
    POST     /ajax/upload_img
    Action Description:
    Access denied with code 406 (phase 2).
    Justification:
    File "/tmp//20560321-15343-Vu-3v1Z6wzuB0pgAAAAT-file-u49s7m" rejected by the approver script "/usr/local/maldetect/modsec.sh": Linux Malware Detect v1.

    What is the problem??
     
    #1 GenialRO, Mar 21, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,855
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you review /usr/local/apache/logs/error_log to determine the specific error message that's output when this happens?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Mar 21, 2016
  3. GenialRO

    GenialRO Registered

    Joined:
    Mar 21, 2016
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Romania
    cPanel Access Level:
    Root Administrator

    This i found in error_log
    [Mon Mar 21 20:57:05.824179 2016] [:error] [pid 13413] [client 9x.1xx.xx0.141] ModSecurity: Access denied with code 406 (phase 2). File "/tmp//20160321-205705-VvBEAVZ6wzoAADRlrOAAAAAV-file-YqTblb" rejected by the approver script "/usr/local/maldetect/modsec.sh": Linux Malware Detect v1.5 [file "/usr/local/apache/conf/modsec2.user.conf"] [line "3"] [id "99"] [msg "Malware found"] [severity "CRITICAL"] [hostname "xxxxxx"] [uri "/ajax/upload_img"] [unique_id "VfEAVZ62zoAADRlrOAAAV"]
     
    #3 GenialRO, Mar 21, 2016
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    If you have this set up, you should know how it works. Maldet scanning hooks into modsec are very.... unpolished. Anyway how it works is the file upload is put into /tmp, scanned by maldet, and then depending if the script returns a 0 or 1 the upload is denied or allowed.

    You should have a rule somewhere in modsec2.user.conf or another includes that looks something like this:

    SecRule "FILES_TMPNAMES" "@inspectFile /usr/local/maldetect/modsec.sh" "some actions / ID number here"

    You could temporarily disable that rule, make modifications to whitelist your IP, or manually scan the file you are trying to upload with maldet to see why it is being detected and rejected.

    I strongly recommend using clamdscan or CXS instead of maldet for this purpose. The maldet script is buggy and slow. See my post here: Log Checking
     
    #4 quizknows, Mar 21, 2016
    GenialRO likes this.
  5. GenialRO

    GenialRO Registered

    Joined:
    Mar 21, 2016
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Romania
    cPanel Access Level:
    Root Administrator

    @quizknows, thanks for help. I installed CXS and now all working fine.
     
    #5 GenialRO, Mar 23, 2016
    quizknows likes this.
(You must log in or sign up to post here.)
Loading...
Similar Threads - Problem ModSecurity Maldetect
  1. Elliot Hagerty

    Outgoing SPAM Email Problems

    Elliot Hagerty, Aug 17, 2018 at 6:05 AM, in forum: E-mail Discussion
    Replies:
    3
    Views:
    35
    cPanelLauren
    Aug 17, 2018 at 2:15 PM
  2. mayadesigns

    Problemas Disco LLeno

    mayadesigns, Aug 15, 2018 at 12:45 PM, in forum: Discusión en Español
    Replies:
    2
    Views:
    98
    cPanelLauren
    Aug 16, 2018 at 9:34 AM
  3. SamL

    DNS problem but I do not know what.

    SamL, Aug 15, 2018 at 4:22 AM, in forum: Bind/DNS/Nameserver
    Replies:
    2
    Views:
    44
    cPanelLauren
    Aug 15, 2018 at 9:42 AM
  4. Martin Salas

    Problemas con envío de correo a través de webmail

    Martin Salas, Aug 14, 2018 at 11:36 AM, in forum: Discusión en Español
    Replies:
    3
    Views:
    51
    cPanelLauren
    Aug 14, 2018 at 11:59 AM
  5. sozotech

    SOLVED WHMCS integration problem after upgrade to 74

    sozotech, Aug 14, 2018 at 8:23 AM, in forum: General Discussion
    Replies:
    7
    Views:
    200
    sozotech
    Aug 14, 2018 at 2:35 PM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice