
I am trying to install an upload scanner for any uploads via the Apache web server, using the inspectFile method in ModSecurity. The scanner script I use here is provided by Maldet itself, which in turn uses the clamd engine.

The files I am trying to deploy on the server are:

Content of /etc/apache2/conf.d/modsec/modsec2.user.conf is:

    # cat /etc/apache2/conf.d/modsec/modsec2.user.conf
    SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" "id:99,deny,log,status:406,msg:'Malware found'"

And the content of /usr/local/maldetect/modsec.sh is:

    # cat /usr/local/maldetect/modsec.sh
    #!/usr/bin/env bash
    # $1 is the temporary upload path handed over by ModSecurity's @inspectFile
    file="$1"
    inspath='/usr/local/maldetect'
    intcnf="$inspath/internals/internals.conf"
    if [ -f "$intcnf" ]; then
        source $intcnf
    fi

    ## these values can be overridden in conf.maldet.hookscan
    quarantine_hits=1
    quarantine_clean=0
    scan_tmpdir_paths=''
    # use clamd only if it is running and clamdscan (set in internals.conf) exists
    isclamd=`pidof clamd 2> /dev/null`
    if [ "$isclamd" ] && [ -f "$clamdscan" ]; then
        clamd_scan=1
    else
        clamd_scan=0
    fi

    hookcnf="$inspath/conf.maldet.hookscan"
    if [ -f "$hookcnf" ]; then
        source $hookcnf
    fi

    # hook-scan prints the verdict line ModSecurity reads ("1 ..." clean, "0 ..." hit)
    cd /tmp ; $inspath/maldet --config-option quarantine_hits=$quarantine_hits,quarantine_clean=$quarantine_clean,tmpdir=/var/tmp,scan_tmpdir_paths=$scan_tmpdir_paths,scan_clamscan=$clamd_scan --hook-scan -a "$file"

Content of /usr/local/maldetect/internals/internals.conf is:

    # cat /usr/local/maldetect/internals/internals.conf
    ##
    # Linux Malware Detect v1.5
    # (C) 2002-2016, R-fx Networks
    # (C) 2016, Ryan MacDonald
    # This program may be freely redistributed under the terms of the GNU GPL v2
    ##
    #
    inspath=/usr/local/maldetect
    intcnf="$inspath/internals/internals.conf"
    libpath="$inspath/internals"
    intfunc="$libpath/functions"
    logdir="$inspath/logs"
    confpath="$inspath"
    cnffile="conf.maldet"
    cnf="$confpath/$cnffile"
    varlibpath="$inspath"
    maldet_log="$logdir/event_log"
    clamscan_log="$logdir/clamscan_log"
    datestamp=`date +"%y%m%d-%H%M"`
    utime=`date +"%s"`
    user=`whoami`
    wget_timeout="5"
    wget_retries="3"
    wget=`which wget 2> /dev/null`
    if [ "$(echo $OSTYPE | grep -i 'freebsd')" ]; then
        md5sum="/sbin/md5 -q"
    else
        md5sum=`which md5sum 2> /dev/null`
    fi
    hostid=`which hostid 2> /dev/null`
    if [ "$hostid" ]; then
        hostid=`$hostid | $md5sum | awk '{print$1}'`
    else
        hostid=`uname -a | $md5sum | awk '{print$1}'`
    fi
    storename_prefix="$hostid.$RANDOM"
    od=`which od 2> /dev/null`
    find=`which find 2> /dev/null`
    perl=`which perl 2> /dev/null`
    nice=`which nice 2> /dev/null`
    cpulimit=`which cpulimit 2> /dev/null`
    ionice=`which ionice 2> /dev/null`
    wc=`which wc 2> /dev/null`
    mail=`which mail 2> /dev/null`
    pidof=`which pidof 2> /dev/null`
    stat=`which stat 2> /dev/null`
    logger=`which logger 2> /dev/null`
    clamdscan=`which clamdscan 2> /dev/null`
    ignore_paths="$confpath/ignore_paths"
    ignore_sigs="$confpath/ignore_sigs"
    ignore_inotify="$confpath/ignore_inotify"
    ignore_file_ext="$confpath/ignore_file_ext"
    quardir="$varlibpath/quarantine"
    sessdir="$varlibpath/sess"
    sigdir="$varlibpath/sigs"
    cldir="$varlibpath/clean"
    tmpdir="$inspath/tmp"
    userbasedir="$varlibpath/pub"
    hits_history="$sessdir/hits.hist"
    quar_history="$sessdir/quarantine.hist"
    clean_history="$sessdir/clean.hist"
    suspend_history="$sessdir/suspend.hist"
    monitor_scanned_history="$sessdir/monitor.scanned.hist"
    sig_version_file="$sigdir/maldet.sigs.ver"
    if [ -f "$sig_version_file" ]; then
        sig_version=`cat $sig_version_file`
    fi
    sig_version_url="http://cdn.rfxn.com/downloads/maldet.sigs.ver"
    sig_sigpack_url="http://cdn.rfxn.com/downloads/maldet-sigpack.tgz"
    sig_clpack_url="http://cdn.rfxn.com/downloads/maldet-cleanv2.tgz"
    sig_md5_file="$sigdir/md5v2.dat"
    sig_hex_file="$sigdir/hex.dat"
    sig_cav_hex_file="$sigdir/rfxn.ndb"
    sig_cav_md5_file="$sigdir/rfxn.hdb"
    sig_cust_md5_file="$sigdir/custom.md5.dat"
    sig_cust_hex_file="$sigdir/custom.hex.dat"
    lmd_version_file="$inspath/VERSION"
    # $ver is expected to be set by the maldet script before this file is sourced
    lmd_version="$ver"
    lmd_referer="LMD:$ver:$hostid"
    lmd_hash_file="$inspath/internals/VERSION.hash"
    lmd_hash_url="http://cdn.rfxn.com/downloads/maldet.current.hash"
    lmd_version_url="http://www.rfxn.com/downloads/maldet.current.ver"
    clamav_paths="/usr/local/cpanel/3rdparty/share/clamav/ /var/lib/clamav/ /var/clamav/ /usr/share/clamav/ /usr/local/share/clamav"
    tlog="$libpath/tlog"
    inotify=`which inotifywait 2> /dev/null`
    inotify_log="$inspath/logs/inotify_log"
    inotify_user_instances=128
    inotify_trim=150000
    hex_fifo_path="$varlibpath/internals/hexfifo"
    hex_fifo_script="$libpath/hexfifo.pl"
    hex_string_script="$libpath/hexstring.pl"
    scan_user_access_minuid=40
    find_opts="-regextype posix-egrep"
    email_template="$libpath/scan.etpl"
    email_subj="maldet alert from $(hostname)"
    cron_custom_exec="$confpath/cron/custom.cron"
    cron_custom_conf="$confpath/cron/conf.maldet.cron"
    compatcnf="$libpath/compat.conf"

The problem is, Apache still allows malware uploads, and spam emails go out from the server. I am pulling my hair out here and not sure why it is not working :)

Any help would be appreciated.

  • If you run the tools manually over the offending content, do they detect it? Commented Mar 9, 2017 at 7:42
  • Yeah dear, it did work. Commented Mar 9, 2017 at 7:44
  • Example: running # /usr/local/maldetect/modsec.sh /home/USER/public_html/file.php prints 0 maldet: {HEX}php.base64.v23au.186 "/home/USER/public_html/file.php", and that file is removed by the script. Commented Mar 9, 2017 at 7:45
  • I am not sure why Apache+ModSecurity is ignoring it. Commented Mar 9, 2017 at 7:45
  • Check in your logs for any relevant information. Commented Mar 9, 2017 at 7:47
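The contract the rule and modsec.sh above rely on, shown as an added example that is not part of the question, the comments, or Maldet's own code: ModSecurity 2.x runs the @inspectFile script as the Apache worker user, passes the temporary upload path as the only argument, and reads the first line the script prints. A line beginning with "1" means clean and the rule does not match; any other non-empty line (the "0 maldet: ..." form in the comments) makes the rule match, and the deny action turns that into the 406. A script that prints nothing at all, for example because it exited before reaching its verdict, is neither: ModSecurity records an operator error in the Apache error log and the rule does not match, so the upload goes through. The block models that decision in inspect_verdict and adds traced_inspect, a shim that records which user ran the scanner, on which file, with what exit code and verdict; the fake_* scanner functions and the trace-line format are my own constructions, as is the sample upload.

```shell
#!/bin/sh
# Added example; not the question's, Maldet's or ModSecurity's code.
# Models ModSecurity 2.x @inspectFile semantics and wraps a scanner with a
# trace log. Scanner functions named fake_* are constructed stand-ins.

# inspect_verdict OUTPUT
# Prints how ModSecurity would treat OUTPUT (the scanner's stdout):
#   allow  - first line begins with "1": file clean, rule does not match
#   deny   - any other non-empty first line ("0 <reason>"): rule matches
#   error  - no output: an operator error is logged and the rule does NOT
#            match, so the upload passes. Only the first line counts.
inspect_verdict() {
    first_line=$(printf '%s\n' "$1" | head -n 1)
    case "$first_line" in
        1*) printf 'allow\n' ;;
        '') printf 'error\n' ;;
        *)  printf 'deny\n' ;;
    esac
}

# traced_inspect SCANNER FILE LOGFILE
# Runs "SCANNER FILE" the way ModSecurity invokes an approver script, appends
# a trace line (timestamp, effective user, file, exit code, verdict, raw
# output) to LOGFILE and echoes the scanner's stdout unchanged, so the shim
# can sit between ModSecurity and the real script without changing the
# outcome. Scanner stderr is captured in LOGFILE too; the real script's
# complaints (e.g. a tool refusing to run as this user) would otherwise be lost.
traced_inspect() {
    scanner="$1"; file="$2"; logfile="$3"
    rc=0
    out=$("$scanner" "$file" 2>>"$logfile") || rc=$?
    printf '%s user=%s file=%s rc=%s verdict=%s out=%s\n' \
        "$(date +%Y-%m-%dT%H:%M:%S)" "$(id -un)" "$file" "$rc" \
        "$(inspect_verdict "$out")" "$out" >>"$logfile"
    printf '%s\n' "$out"
}

# Constructed scanners standing in for modsec.sh in an offline run.
fake_clean_scanner()   { printf '1 clean\n'; }
fake_malware_scanner() { printf '0 maldet: {HEX}example.sig "%s"\n' "$1"; }
# Dies before printing a verdict, as a scanner that cannot run at all would.
fake_broken_scanner()  { echo 'scanner: cannot run as this user' >&2; return 1; }

# demo: run the three scanners over a constructed upload and show the trace.
demo() {
    upload=$(mktemp); log=$(mktemp)
    printf 'constructed upload body\n' >"$upload"
    for s in fake_clean_scanner fake_malware_scanner fake_broken_scanner; do
        printf '%-20s -> %s\n' "$s" "$(inspect_verdict "$(traced_inspect "$s" "$upload" "$log")")"
    done
    echo "--- trace log ---"; cat "$log"
    rm -f "$upload" "$log"
}

demo
```

To use the shim on a real host, replace the demo call with traced_inspect /usr/local/maldetect/modsec.sh "$1" followed by a log path the Apache worker user can write to, and point the @inspectFile rule at the shim instead of at modsec.sh directly. The trace line then shows, per upload, whether the hook ran as the expected user, what the scanner actually answered, and whether the outcome was allow, deny or error; an error verdict is the one to watch for, because the request is not blocked in that case, and the matching operator error appears in the Apache error log rather than in the audit log.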

1 Answer


I had this problem as well. A downgrade to mod_security version 2.7.3 solved the issue for me.
