How to security-check uploaded files with PHP (DA - CB2 - Nginx + PHP-FPM)?

rnc (Verified User, joined Jun 8, 2013, 72 messages)
Hello,
we have a DirectAdmin server with CustomBuild 2, nginx as the web server and PHP-FPM.

This server serves public image files.

In the past week
we started receiving abuse reports from the datacenter with text like the following:


The security experts of cyscon GmbH like to inform you, that at least one of our scanners caught the following content, and we consider it as malicious:
########################################################################

# begin logs
IP: xx.150.xxx.xxx
URL: http://domain.com/img1/gox1jhbilyemxki4nh6e.png
Port: 80
Tested on: Mon, 24 Jun 2013 18:38:34 +0200
Result: TR/Hijacker.Gen


What shall we do?
What system could we use as an antivirus to scan files as they are uploaded to the server?
What about a cron job to scan the home directory and remove trojans?
Can mod_security do something about this? (The web server is NGINX, not APACHE.)

I need to mention that the home directory contains a long, long list of files (1TB full of small and big files, mostly pictures <500KB).

regards
 
Search these forums for clamav. It can be used to scan files as they're uploaded or once they're on the server.

Jeff
 
Thanks for the reply

Search these forums for clamav. It can be used to scan files as they're uploaded or once they're on the server.

Jeff

Hello,
and thank you for the reply.
I searched the forum
but I didn't find anything related to uploaded files;
they referred to EXIM.

And I think they could work for Apache and CGI or suPHP, if there is any.
Am I right?
 
What shall we do?
What system could we use as an antivirus to scan files as they are uploaded to the server?
What about a cron job to scan the home directory and remove trojans?
Can mod_security do something about this? (The web server is NGINX, not APACHE.)

Hello,

Use modsecurity as a standalone service with malware detect+clamav to check uploaded files via nginx.
 
I don't have a full guide for now, and I doubt there is a need to write a guide on how to install mod security. To install modsecurity, you are free to use any guide you find from official sources (probably you will find some on these forums).

This one for example https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Installation_for_NGINX (if you want to use it with NGINX).

A quick guide on how to install Maldetect (Linux Malware Detect) can be found here: http://forum.directadmin.com/showthread.php?t=45851
More information can be found here: http://www.rfxn.com/projects/linux-malware-detect/

ClamAV can be installed from the CustomBuild script. It does not require anything special.

Here you can find information about integration with ClamAV:

http://www.modsecurity.org/document...1.9.3/html-multipage/06-special_features.html


P.S. In case you want somebody to configure it for you, feel free to contact some of us here who offer system administration services on a commercial basis (me as well).
 
ModSecurity (and upload scan with ClamAV (modsecurity_uploadscan=yes)) are now available in CB 2.0 for use with Nginx.
 
ModSecurity (and upload scan with ClamAV (modsecurity_uploadscan=yes)) are now available in CB 2.0 for use with Nginx.

Hi smtalk,

Does the modsecurity_uploadscan scanning feature only support the Nginx web server?
If we use Apache, should we disable modsecurity_uploadscan and enable something else?

Thank you.
 
No, it means nginx is supported in addition to Apache (FYI: ModSecurity is also supported in LiteSpeed and Openlitespeed).
 
No, it means nginx is supported in addition to Apache (FYI: ModSecurity is also supported in LiteSpeed and Openlitespeed).

Thank you smtalk.
We enabled both modsecurity_uploadscan and suhosin_php_uploadscan.
Suhosin can identify and block the well-known eicar_com.zip AV sample file, while modsecurity can't identify the AV sample.
We checked that modsecurity, modsecurity_rule and runav.conf are in place.
May I ask for your kind advice on what the missing part is?

Thank you very much
 
After searching and testing for almost a day, I found that if mod_security is 2.9 or above, adding this is NECESSARY:
Code:
SecTmpSaveUploadedFiles On
With this setting, the uploaded file is saved into /tmp/ and runav.pl can scan the file instead of a NULL file.

Here are the modsecurity debug log before and after the setting.
Before:
Code:
[9] Multipart: Added part header "Content-Disposition" "form-data; name=\"fileToUpload\"; filename=\"eicar_com.zip\""
[9] Multipart: Added part header "Content-Type" "application/x-zip-compressed"
[9] Multipart: Content-Disposition name: fileToUpload
[9] Multipart: Content-Disposition filename: eicar_com.zip
[9] Multipart: Added file part 7f74e8018920 to the list: name "fileToUpload" file name "eicar_com.zip" (offset 170, length 184)
[9] Multipart: Added part header "Content-Disposition" "form-data; name=\"submit\""
[9] Multipart: Content-Disposition name: submit
[9] Multipart: Added data to variable: Upload Image
[9] Multipart: Added part 7f74e801b358 to the list: name "submit" (offset 450, length 12)
[9] Input filter: Bucket type EOS contains 0 bytes.
[9] Input filter: Bucket type EOS contains 0 bytes.
[5] Adding request argument (BODY): name "submit", value "Upload Image"
[4] Request body no files length: 186
[4] Input filter: Completed receiving request body (length 511).
[4] Starting phase REQUEST_BODY.
[9] This phase consists of 1 rule(s).
[4] Recipe: Invoking rule 23f6d20; [file "/etc/modsecurity.d/runav.conf"] [line "11"] [id "950115"].
[5] Rule 23f6d20: SecRule "FILES_TMPNAMES" "@inspectFile /usr/local/bin/runav.pl"
[4] Rule returned 0.
[9] No match, not chained -> mode NEXT_RULE.

After setting:
Code:
[9] Multipart: Added part header "Content-Disposition" "form-data; name=\"fileToUpload\"; filename=\"eicar_com.zip\""
[9] Multipart: Added part header "Content-Type" "application/x-zip-compressed"
[9] Multipart: Content-Disposition name: fileToUpload
[9] Multipart: Content-Disposition filename: eicar_com.zip
[4] Multipart: Created temporary file 1 (mode 0600): /tmp/20190626-145250-XRMWQm73z7X7CE8OjSqL1gAAAA8-file-OTlGnD
[9] Multipart: Added file part 7f68b4018920 to the list: name "fileToUpload" file name "eicar_com.zip" (offset 170, length 184)
[9] Multipart: Added part header "Content-Disposition" "form-data; name=\"submit\""
[9] Multipart: Content-Disposition name: submit
[9] Multipart: Added data to variable: Upload Image
[9] Multipart: Added part 7f68b401b520 to the list: name "submit" (offset 450, length 12)
[9] Input filter: Bucket type EOS contains 0 bytes.
[9] Input filter: Bucket type EOS contains 0 bytes.
[5] Adding request argument (BODY): name "submit", value "Upload Image"
[4] Request body no files length: 186
[4] Input filter: Completed receiving request body (length 511).
[4] Starting phase REQUEST_BODY.
[9] This phase consists of 1 rule(s).
[4] Recipe: Invoking rule ac70d8; [file "/etc/modsecurity.d/runav.conf"] [line "11"] [id "950115"].
[5] Rule ac70d8: SecRule "FILES_TMPNAMES" "@inspectFile /usr/local/bin/runav.pl" 
[4] Transformation completed in 4 usec.
[4] Executing operator "inspectFile" with param "/usr/local/bin/runav.pl" against FILES_TMPNAMES:fileToUpload.
[9] Target value: "/tmp/20190626-145250-XRMWQm73z7X7CE8OjSqL1gAAAA8-file-OTlGnD"
[4] Executing /usr/local/bin/runav.pl to inspect /tmp/20190626-145250-XRMWQm73z7X7CE8OjSqL1gAAAA8-file-OTlGnD.
[9] Exec: /usr/local/bin/runav.pl
[4] Exec: First line from script output: "0 clamscan: Eicar-Test-Signature"
[4] Operator completed in 9696 usec.
[9] Setting variable: tx.anomaly_score=+%{tx.critical_anomaly_score}
[9] Recorded original collection variable: tx.anomaly_score = "0"
[9] Relative change: anomaly_score=0+
[9] Set variable "tx.anomaly_score" to "0".
[9] Setting variable: tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}
[9] Resolved macro %{rule.id} to: 950115
[9] Resolved macro %{matched_var_name} to: FILES_TMPNAMES:fileToUpload
[9] Set variable "tx.950115-MALICIOUS_SOFTWARE/VIRUS-FILES_TMPNAMES:fileToUpload" to "".
[4] Rule returned 1.
[9] Match, intercepted -> returning.
Thank you
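As an added example (not code from this thread, from DirectAdmin or from the ModSecurity project), here is a small Python stand-in for runav.pl that follows the @inspectFile contract visible in the debug log above: ModSecurity passes the temporary upload path as the script's only argument and reads the first line of stdout, where a leading "1" means clean and anything else is treated as a match. The regexes mirror runav.pl's parsing of clamscan's `path: RESULT` line (an assumption about clamscan's default output), and the empty-path branch models the "before" case, where FILES_TMPNAMES carries no file because SecTmpSaveUploadedFiles is off.

```python
"""Added example (not from the thread or the ModSecurity project): an
@inspectFile-compatible scanner in the style of runav.pl.

ModSecurity runs it with the temporary upload path as its only argument and
reads the first stdout line: a leading "1" means clean, anything else is a match.
"""
import os
import re
import subprocess
import sys

# Patterns mirror the result line clamscan prints with --stdout --no-summary,
# e.g. "/tmp/x: Eicar-Test-Signature FOUND", "/tmp/x: OK", "/tmp/x: Empty file".
HIT = re.compile(r": (.+) (?:FOUND|ERROR)$")   # infection, or fail closed on error
EMPTY = re.compile(r": Empty file\.?$")
OK = re.compile(r": OK$")


def verdict_from_clamscan(first_line: str) -> str:
    """Translate one clamscan result line into an @inspectFile verdict line."""
    m = HIT.search(first_line)
    if m:
        return f"0 clamscan: {m.group(1)}"   # same shape as the debug log above
    if EMPTY.search(first_line):
        return "1 empty file"
    if OK.search(first_line):
        return "1 clamscan: OK"
    return f"0 Unable to parse clamscan output [{first_line}]"


def verdict_for_path(path: str) -> str:
    """Verdict for the path ModSecurity passes, including the empty case."""
    if not path or not os.path.isfile(path):
        # FILES_TMPNAMES is empty when SecTmpSaveUploadedFiles is off, so the
        # scanner never sees a file and every upload is rejected.
        return "0 no temporary upload file to scan (SecTmpSaveUploadedFiles off?)"
    proc = subprocess.run(["clamscan", "--stdout", "--no-summary", path],
                          capture_output=True, text=True)
    first = proc.stdout.splitlines()[0] if proc.stdout.strip() else ""
    return verdict_from_clamscan(first)


def modsec_would_block(verdict: str) -> bool:
    """ModSecurity treats any first character other than '1' as a match."""
    return not verdict.startswith("1")


if __name__ == "__main__":
    print(verdict_for_path(sys.argv[1] if len(sys.argv) > 1 else ""))
```

Pointed at by the SecRule's @inspectFile parameter instead of runav.pl, it answers ModSecurity the same way; the explicit "0 no temporary upload file" line makes the missing SecTmpSaveUploadedFiles setting obvious in the debug log rather than looking like a virus hit.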
 
ModSec rules conf update needed

If you have the ClamAV upload set to yes in custom.conf and face problems with uploads (check modsec_audit.log):


--jSBuwKT3---H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `InspectFile' with parameter `/usr/local/bin/runav.pl' against variable `FILES_TMPNAMES:' (Value: `' ) [file "/etc/nginx/nginx-modsecurity.conf"] [line "10"] [id "950115"] [rev ""] [msg "Virus found in uploaded file"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "MALICIOUS_SOFTWARE/VIRUS"] [tag "PCI/5.1"] [hostname "xx.xx.xx"] [uri "/wp-json/wp/v2/media"] [unique_id "15634328928.299801"] [ref "v1204,0"]


If you have nginx or apache-nginx, then you need to add the following:

# /etc/nginx/nginx-modsecurity.conf
# Helps security, OPTIONAL
SecUploadFileMode 0644

# Needed for the ClamAV scan, important
SecTmpSaveUploadedFiles on


If it is Apache only:
# /etc/httpd/conf/extra/httpd-modsecurity.conf
# Helps security, OPTIONAL
SecUploadFileMode 0644

# Needed for the ClamAV scan
SecTmpSaveUploadedFiles on


Under
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp

before
# ModSecurity Core Rules Set and Local configuration
Include /etc/modsecurity.d/*.conf.main
Include /etc/modsecurity.d/*.conf

After that you need to build again:
./build modsecurity
./build modsecurity_rules
./build rewrite_confs
 
"SecTmpSaveUploadedFiles on" is now the default, thank you!
 