Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: false positive - not sure if asl report has the right info.
Unread postPosted: Sun Mar 27, 2011 8:28 pm 
Forum Regular
Joined: Wed Aug 04, 2010 2:52 pm
Posts: 257
Drupal trying to upload a file.

Code:
[Sun Mar 27 17:18:49 2011] [error] [client 67.185.164.235] ModSecurity: Input filter: Failed to rename file from "/tmp/20110327-171847-4yuNZ0rQxvYAAFA4TxIAAAAG-file-aBzInB" to "/var/asl/data/suspicious/20110327-171847-4yuNZ0rQxvYAAFA4TxIAAAAG-file-aBzInB". [hostname "xxxxxxxxxxxxx"] [uri "/index.php"] [unique_id "4yuNZ0rQxvYAAFA4TxIAAAAG"]
[Sun Mar 27 17:20:40 2011] [error] [client 67.185.164.235] ModSecurity: Input filter: Failed to rename file from "/tmp/20110327-172039-6dBjDkrQxvYAAFCoMscAAAAB-file-OHRqAv" to "/var/asl/data/suspicious/20110327-172039-6dBjDkrQxvYAAFCoMscAAAAB-file-OHRqAv". [hostname "xxxxxxxxxxxxx"] [uri "/index.php"] [unique_id "6dBjDkrQxvYAAFCoMscAAAAB"]
[Sun Mar 27 17:20:53 2011] [error] [client 67.185.164.235] ModSecurity: Input filter: Failed to rename file from "/tmp/20110327-172052-6pfPB0rQxvYAACIG-BkAAAAD-file-my8Jf5" to "/var/asl/data/suspicious/20110327-172052-6pfPB0rQxvYAACIG-BkAAAAD-file-my8Jf5". [hostname "xxxxxxxxxxxxxxxx"] [uri "/index.php"] [unique_id "6pfPB0rQxvYAACIG-BkAAAAD"]



Hard to tell if these are the same issues:
Code:
--1ae4cd01-A--
[27/Mar/2011:15:13:41 --0700] I8e7Z0rQxvYAABYUey0AAAAO 67.185.164.235 3692 74.208.198.246 80
 
--1ae4cd01-B--
GET / HTTP/1.1
Host: xxxxxxxxxxxxxxxxxxxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 ( .NET CLR 3.5.30729) SearchToolbar/1.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: __utma=157772667.124927394.1300919902.1300919902.1301251890.2; __utmz=157772667.1300919902.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=157772667
Pragma: no-cache
Cache-Control: no-cache
 
--1ae4cd01-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
Content-Type: text/html
 
--1ae4cd01-H--
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.3/modules/generators/mod_autoindex.c"] [line 2274] [level 3] Directory index forbidden by Options directive: /var/www/vhosts/premierhosting.com/projects/
Stopwatch: 1301264021830503 14518 (2031 9786 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201103262012.
Server: Apache
 
--1ae4cd01-Z--


Any help?


 Post subject: Re: false positive - not sure if asl report has the right in
Unread postPosted: Sun Mar 27, 2011 8:34 pm 
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3599
Location: Chantilly, VA
Quote:
[Sun Mar 27 17:18:49 2011] [error] [client 67.185.164.235] ModSecurity: Input filter: Failed to rename file from "/tmp/20110327-171847-4yuNZ0rQxvYAAFA4TxIAAAAG-file-aBzInB" to "/var/asl/data/suspicious/20110327-171847-4yuNZ0rQxvYAAFA4TxIAAAAG-file-aBzInB". [hostname "xxxxxxxxxxxxx"] [uri "/index.php"] [unique_id "4yuNZ0rQxvYAAFA4TxIAAAAG"]


Not a false positive, an actual error on your system. Check to see if you have MODSEC_KEEPFILES set to "on" in ASL; if you do, set that to off.

As an aside, it's a bad idea to set it to on anyway; the bad stuff gets uploaded to the server, so it is generally only a good idea to turn this on if you are debugging something (and we are going to remove this option in a future version of ASL). This can happen with odd non-standard permissions issues, mount changes to /tmp (no exec for example), etc.

Quote:
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.3/modules/generators/mod_autoindex.c"] [line 2274] [level 3] Directory index forbidden by Options directive: /var/www/vhosts/premierhosting.com/projects/
Stopwatch: 1301264021830503 14518 (2031 9786 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201103262012.


Also not a false positive, and not generated by ASL. ASL is just reporting that apache is reporting an error, specifically, as above:

Directory index forbidden by Options directive: /var/www/vhosts/premierhosting.com/projects/

You have your server configured (correctly IMHO) to not allow index access to /projects/. This is not something ASL controls, and is something you configure in Apache, htaccess, etc.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

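The reply above names the usual causes of the "Failed to rename file" error: a KEEPFILES move into /var/asl/data/suspicious that trips over permissions or a changed /tmp mount. The script below is an added diagnostic, not ASL's or Atomicorp's code, and not something posted in this thread. It parses the error-log lines from the first post (embedded here as constructed sample input), derives the source and destination directories, and checks the three things a rename(2) needs: that the destination directory exists, that it is writable by the invoking user, and that both directories sit on the same filesystem (rename(2) cannot cross mount points and fails with EXDEV, which is exactly what a separately mounted /tmp produces). The function and variable names are the example's own.

```python
"""Diagnose ModSecurity 'Input filter: Failed to rename file' errors (added example)."""
import errno
import os
import re
import tempfile

# Constructed sample input: two of the Apache error-log lines quoted in the thread.
SAMPLE_LOG = """\
[Sun Mar 27 17:18:49 2011] [error] [client 67.185.164.235] ModSecurity: Input filter: Failed to rename file from "/tmp/20110327-171847-4yuNZ0rQxvYAAFA4TxIAAAAG-file-aBzInB" to "/var/asl/data/suspicious/20110327-171847-4yuNZ0rQxvYAAFA4TxIAAAAG-file-aBzInB". [hostname "xxxxxxxxxxxxx"] [uri "/index.php"] [unique_id "4yuNZ0rQxvYAAFA4TxIAAAAG"]
[Sun Mar 27 17:20:40 2011] [error] [client 67.185.164.235] ModSecurity: Input filter: Failed to rename file from "/tmp/20110327-172039-6dBjDkrQxvYAAFCoMscAAAAB-file-OHRqAv" to "/var/asl/data/suspicious/20110327-172039-6dBjDkrQxvYAAFCoMscAAAAB-file-OHRqAv". [hostname "xxxxxxxxxxxxx"] [uri "/index.php"] [unique_id "6dBjDkrQxvYAAFCoMscAAAAB"]
"""

# Matches the ModSecurity 2.5 message format shown above; hypothetical helper, not ASL code.
RENAME_RE = re.compile(
    r'ModSecurity: Input filter: Failed to rename file from "(?P<src>[^"]+)" '
    r'to "(?P<dst>[^"]+)"\..*\[unique_id "(?P<uid>[^"]+)"\]'
)


def parse_rename_failures(log_text):
    """Return one dict (src, dst, unique_id) per 'Failed to rename file' line."""
    out = []
    for line in log_text.splitlines():
        m = RENAME_RE.search(line)
        if m:
            out.append({"src": m["src"], "dst": m["dst"], "unique_id": m["uid"]})
    return out


def diagnose(src_dir, dst_dir):
    """List the reasons rename(2) from src_dir into dst_dir would fail.

    An empty list means none of the common causes is present. Checks, in order:
    destination directory missing; destination not writable/searchable by this
    process; source and destination on different filesystems (EXDEV).
    """
    problems = []
    if not os.path.isdir(dst_dir):
        problems.append(f"destination directory {dst_dir} does not exist")
        return problems
    if not os.access(dst_dir, os.W_OK | os.X_OK):
        problems.append(f"destination directory {dst_dir} is not writable by uid {os.getuid()}")
    if os.path.isdir(src_dir) and os.stat(src_dir).st_dev != os.stat(dst_dir).st_dev:
        problems.append(f"{src_dir} and {dst_dir} are on different filesystems; rename(2) fails with EXDEV")
    return problems


def try_rename(src, dst):
    """Attempt the same rename ModSecurity does; return (ok, errno name or None)."""
    try:
        os.rename(src, dst)
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))


def self_check():
    """Exercise diagnose()/try_rename() in a throwaway temp tree; returns the results."""
    base = tempfile.mkdtemp(prefix="asl-rename-check-")
    src_dir = os.path.join(base, "tmp")
    good_dst = os.path.join(base, "suspicious")
    missing_dst = os.path.join(base, "missing")
    os.mkdir(src_dir)
    os.mkdir(good_dst)
    upload = os.path.join(src_dir, "upload-1")
    open(upload, "w").close()
    return {
        "missing": diagnose(src_dir, missing_dst),
        "good": diagnose(src_dir, good_dst),
        "rename_ok": try_rename(upload, os.path.join(good_dst, "upload-1")),
        "rename_missing": try_rename(os.path.join(good_dst, "upload-1"),
                                     os.path.join(missing_dst, "upload-1")),
    }


if __name__ == "__main__":
    for f in parse_rename_failures(SAMPLE_LOG):
        src_dir, dst_dir = os.path.dirname(f["src"]), os.path.dirname(f["dst"])
        print(f["unique_id"], diagnose(src_dir, dst_dir) or ["no obvious cause found"])
```

Run it as the user Apache actually runs as (for example `sudo -u apache python3 check.py`): os.access() answers for the invoking uid, and as root every directory looks writable, which hides exactly the permission problem you are looking for. If the EXDEV line fires, either the suspicious directory has to live on the same filesystem as the ModSecurity temp directory or KEEPFILES should stay off, as the reply recommends.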

 Post subject: Re: false positive - not sure if asl report has the right in
Unread postPosted: Sun Mar 27, 2011 9:56 pm 
Forum Regular
Joined: Wed Aug 04, 2010 2:52 pm
Posts: 257
OK, so by setting the KEEPFILES to off it will allow Drupal to upload image files?


 Post subject: Re: false positive - not sure if asl report has the right in
Unread postPosted: Mon Mar 28, 2011 9:29 am 
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3599
Location: Chantilly, VA
Quote:
OK, so by setting the KEEPFILES to off it will allow Drupal to upload image files?


Yes, KEEPFILES only configures ASL to keep a file if it's been detected to contain malware. ASL will then put that file in the suspicious folder.

KEEPFILES has no effect on uploading files; it only controls the behavior of ASL if it detects something malicious. You should always have that set to off; you don't want malicious files being uploaded to the server.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

