
mod_security tmp Files Question

Discussion in 'Plesk for Linux - 8.x and Older' started by Chris@, Mar 17, 2007.

  1. Chris@

    Chris@ Guest

    0
     
    I am running mod_security on a Plesk box with the gotroot.com rule set (except for the badip and blacklist rules). I have just now noticed some hacker-related files showing up in my /tmp folder. I am guessing these must be related to mod_security. They all look something like this:
    20070309-012705-12.34.56.78-request_body-sazTGj

    The 12.34.56.78 is an IP address; it's different for each file. I have several of these, and the contents are different: some contain "Hacked by..." type messages, some are empty, some contain e-mail messages. When I scan the audit_log for the IP address, it always comes back as being triggered by a "PUT " request method, and the user agent is always "Microsoft Data Access Internet Publishing Provider DAV 1.1".

    Can someone verify these are created by mod_security? I did a lot of Web searching and I'm having trouble verifying that this is the case. If they are, why are they only created by a specific type of trigger (the "PUT" request with the specific user agent)?
     
  2. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Yep, if you're using our rules/configs that's expected behavior. Pretty cool huh?
     
  3. Chris@

    Chris@ Guest

    0
     
    Ya it's cool now that I know what it is, but it gave me a little jolt when I first saw the contents of the files. I was pretty sure it had to be mod_security related based on the file names, so thanks for confirming.

    If I decide in the future I don't want those files stored in my tmp how do I turn that feature off?
     
  4. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    It's a setting that escapes me at the moment, in 00mod_security.conf. Upload something or another.
     
  5. Chris@

    Chris@ Guest

    0
     
    I have this line in my modsecurity.conf; if I uncomment it, will that do the trick?

    #SecUploadKeepFiles Off
     
  6. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Yep, that looks like it. As a side note, I've never actually turned it off myself, since I collect those files to create rules from. If that's not it, you might want to check the mod_security docs.
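
Added example, not part of the original thread: a Python helper for reviewing the stored request bodies discussed above, grouping them by client IP so they can be matched against audit_log entries. It assumes the file name layout shown in the first post and IPv4 addresses only; the function names are hypothetical.

```python
import os
import re
from collections import defaultdict
from datetime import datetime

# Name layout taken from the example in the thread (assumed to be stable):
#   YYYYMMDD-HHMMSS-<client IPv4>-request_body-<random suffix>
NAME_RE = re.compile(
    r"^(\d{8}-\d{6})-(\d{1,3}(?:\.\d{1,3}){3})-request_body-([A-Za-z0-9]+)$"
)

def parse_name(name):
    """Return (timestamp, client_ip) for a stored request body file, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y%m%d-%H%M%S")
    except ValueError:  # digits present but not a real date/time
        return None
    return ts, m.group(2)

def summarize(directory):
    """Per client IP: file count, empty files, total bytes, first/last seen."""
    report = defaultdict(lambda: {"files": 0, "empty": 0, "bytes": 0,
                                  "first": None, "last": None})
    for entry in os.scandir(directory):
        parsed = parse_name(entry.name)
        # Skip unrelated names and anything that is not a regular file
        # (never follow symlinks in a world-writable directory such as /tmp).
        if parsed is None or not entry.is_file(follow_symlinks=False):
            continue
        ts, ip = parsed
        size = entry.stat(follow_symlinks=False).st_size
        row = report[ip]
        row["files"] += 1
        row["empty"] += size == 0  # the thread notes some files are empty
        row["bytes"] += size
        row["first"] = ts if row["first"] is None else min(row["first"], ts)
        row["last"] = ts if row["last"] is None else max(row["last"], ts)
    return dict(report)

if __name__ == "__main__":
    for ip, row in sorted(summarize("/tmp").items()):
        print(ip, row["files"], "files,", row["empty"], "empty,", row["bytes"],
              "bytes,", row["first"], "to", row["last"])
```

The script reads only names and sizes; it never opens the captured bodies.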
     