1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

[solved] Maldet ModSecurity rule report false positive even file is OK by maldet

Discussion in 'Apache' started by postcd, Jan 11, 2019.

  1. #1
    UPDATE: I found the cause. I had to remove this line from the rule:
    SecTmpSaveUploadedFiles On



    this is the ModSecurity rule i found and be claimed to scan web server file uploads by Malware Detect software:

    SecRequestBodyAccess On
    SecTmpSaveUploadedFiles On
    SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:99587,msg:'Malware found by LinuxMalwareDetect.'"
    Code (markup):
    When i upload image (certainly clean image of an nature scenery), ModSecurity stop the request:

    Request:POST /wp-admin/async-upload.php
    Action Description: Access denied with code 406 (phase 2).
    Justification: File "/tmp/20190111-110811-XDh5G5teQx0AAHSqbjYAAAAA-file-lw445E" rejected by the approver script "/usr/local/maldetect/modsec.
    Code (markup):
    But when i DISABLE above mentioned ModSecurity rule, deploy changes, restart Apache, the upload WORKS.

    Then i go to command line and check if Maldet really consider the file malware:
    # /usr/local/maldetect/modsec.sh /home/acctnamehere/www/wp-content/uploads/2019/01/foto2.jpg

    maldet(3065): {scan} setting maximum execution time for 'find' file list: 14400sec
    1 maldet: OK

    I check file permissions, here i am unsure if are correct:
    # ls -lha /usr/local/maldetect/modsec.sh
    lrwxrwxrwx 1 root root 11 Sep 1 23:56 /usr/local/maldetect/modsec.sh -> hookscan.sh*

    In /usr/local/maldetect/conf.maldet is:
    # Allows non-root users to perform scans. This must be enabled when
    # using mod_security2 upload scanning or if you want to allow users
    # to perform scans. When enabled, this will populate 'pub/' with user
    # owned quarantine, session and temporary paths to facilitate scans.
    # [ 0 = disabled, 1 = enabled, disabled by default ]
    Code (markup):
    So the ModSecurity rule is wrong? Can you please suggest how to fix the rule?
    Last edited: Jan 11, 2019
    postcd, Jan 11, 2019 IP