Issue
While checking the scan results, there is a warning stating that the scanner was unable to clean up malware located in /tmp.
Environment
- Imunify360.
Solution
Uploaded files sitting in this directory are not treated as part of the site content on the server, because the folder has restricted permissions and is used only for temporary tasks.
In a nutshell, when an upload is requested, the file is first written to this directory and then moved to its final destination by PHP (or whichever language handles the upload). Because our Web Application Firewall scans uploaded files, a malicious upload is interrupted at this point, and the temporary file is left for the system to remove on its own.
In the example below, we can see how our Web Application Firewall keeps track of the upload and then interrupts it, blocking the upload.php script from moving the file:
2025-01-13T18:21:41.336Z INFO Manager SensorIncident([{Rule:33331 Retries:1 Severity:2 Name:IM360 WAF: Attempt to upload malware Message:IM360 WAF: Attempt to upload malware||Scan duration:3450565||Sizes:68||Combined size:68||User:imunifyupload||WPU:||Filename:eicar.com.txt||Scanned:/tmp//20250113-182137-Z4VZseuts5ObZnwxrawcwwAAAAI-file-wHi24F||SC:/home/imunifyupload/public_html/upload.php||RSV:6.62||T:APACHE|| AttackersIP:10.106.1.77 Domain:imunifyupload.com PluginID:modsec TransactionID:Z4VZseuts5ObZnwxrawcwwAAAAI AccessDenied:true Tag:[service_i360] ModsecVersion:2.9.7 StatusCode:403 EngineMode:ENABLED Timestamp:1736792501 Advanced:{Headers:[[Connection keep-alive] [Content-Length 255] [Content-Type multipart/form-data; boundary=----WebKitFormBoundaryMtqokrptnjqxACPC] [Upgrade-Insecure-Requests 1] [Accept-Encoding gzip, deflate] [Accept-Language en-US,en;q=0.9,es-419;q=0.8,es;q=0.7,gl;q=0.6] [Host imunifyupload.com] [Cache-Control max-age=0] [Origin http://imunifyupload.com] [User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36] [Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7] [Referer http://imunifyupload.com/] [Cookie timezone=[chr]{7}/[chr]{5}_[chr]{7}]] Uri:/upload.php HttpMethod:POST}} {Rule:33329 Retries:1 Severity:7 Name:IPRec: G: P: F:file=eicar.com.txt& Message:IPRec: G: P: F:file=eicar.com.txt&||RSV:6.62||T:APACHE||R:403 AttackersIP:10.106.1.77 Domain:imunifyupload.com PluginID:modsec TransactionID:Z4VZseuts5ObZnwxrawcwwAAAAI AccessDenied:true Tag:[service_i360 noshow] ModsecVersion:2.9.7 StatusCode:403 EngineMode:ENABLED Timestamp:1736792501 Advanced:{Headers:[[Host imunifyupload.com] [Cache-Control max-age=0] [Origin http://imunifyupload.com] [User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36] [Accept 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7] [Referer http://imunifyupload.com/] [Accept-Encoding gzip, deflate] [Accept-Language en-US,en;q=0.9,es-419;q=0.8,es;q=0.7,gl;q=0.6] [Cookie timezone=[chr]{7}/[chr]{5}_[chr]{7}] [Connection keep-alive] [Content-Length 255] [Content-Type multipart/form-data; boundary=----WebKitFormBoundaryMtqokrptnjqxACPC] [Upgrade-Insecure-Requests 1]] Uri:/upload.php HttpMethod:POST}} {Rule:88317957 Retries:1 Severity:5 Name:IM360 WAF: File upload Message:IM360 WAF: File upload||File:eicar.com.txt||Size:68||Combined:68||User:imunifyupload||SC:/home/imunifyupload/public_html/upload.php||WPU:||Py time:||Lua time:||RSV:6.62||T:APACHE|| AttackersIP:10.106.1.77Domain:imunifyupload.com PluginID:modsec TransactionID:Z4VZseuts5ObZnwxrawcwwAAAAI AccessDenied:true Tag:[service_im360 noshow] ModsecVersion:2.9.7 StatusCode:403 EngineMode:ENABLED Timestamp:1736792501 Advanced:{Headers:[[Referer http://imunifyupload.com/] [Accept-Encoding gzip, deflate] [Accept-Language en-US,en;q=0.9,es-419;q=0.8,es;q=0.7,gl;q=0.6] [Host imunifyupload.com] [Cache-Control max-age=0] [Origin http://imunifyupload.com] [User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36] [Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7] [Cookie timezone=[chr]{7}/[chr]{5}_[chr]{7}] [Connection keep-alive] [Content-Length 255] [Content-Type multipart/form-data; boundary=----WebKitFormBoundaryMtqokrptnjqxACPC] [Upgrade-Insecure-Requests 1]] Uri:/upload.php HttpMethod:POST}}]) processed
As the log shows, the scanned temporary file was:
Scanned:/tmp//20250113-182137-Z4VZseuts5ObZnwxrawcwwAAAAI-file-wHi24F
which matches the names reported in the failed cleanup attempts. These temporary names are assigned during the HTTP POST request and are replaced by PHP if the upload succeeds.
Example PHP upload code that shows this step in detail (PHP receives the POSTed file under a temporary name and the script moves it to its final path):
<?php
// Minimal upload handler: the POSTed file arrives under a temporary name in
// $_FILES['file']['tmp_name'] and the script moves it to its final location.
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $fileName = basename($_FILES['file']['name']);
    $targetFilePath = __DIR__ . '/uploads/' . $fileName;
    // Move the uploaded file to the target directory
    if (move_uploaded_file($_FILES['file']['tmp_name'], $targetFilePath)) {
        echo "File uploaded successfully: " . htmlspecialchars($fileName);
    } else {
        echo "Error: Could not move the uploaded file.";
    }
} else {
    echo "Error: " . ($_FILES['file']['error'] ?? 'no file received');
}
The cleanup most likely failed because the system had already removed the files by the time the scanner attempted to clean them, and also because the /tmp directory is owned by root and our scanner will not make changes there.
Please check if the files are still present in the directory and if they are, contact support for further investigation.
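The check suggested above can be scripted. The following Python is an added example, not code from this article or from Imunify360: it splits a SensorIncident line like the one quoted into its per-rule blocks, pulls the Scanned: path, Filename and AccessDenied fields out of the block that carries them, confirms the path follows the temp-file naming seen in that example (the pattern is an assumption inferred from that one name), and reports whether the file is still on disk. The log line embedded below is a constructed, shortened copy of the one quoted above; the exists callback is injectable only so the logic can be exercised without touching /tmp.

```python
import os
import re
import sys
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample: a shortened SensorIncident line in the same shape as the
# one quoted in the article. Only the fields this check reads are kept.
SAMPLE_LOG = (
    "2025-01-13T18:21:41.336Z INFO Manager SensorIncident([{Rule:33331 Retries:1 "
    "Severity:2 Name:IM360 WAF: Attempt to upload malware Message:IM360 WAF: Attempt "
    "to upload malware||Scan duration:3450565||Sizes:68||Combined size:68"
    "||User:imunifyupload||WPU:||Filename:eicar.com.txt"
    "||Scanned:/tmp//20250113-182137-Z4VZseuts5ObZnwxrawcwwAAAAI-file-wHi24F"
    "||SC:/home/imunifyupload/public_html/upload.php||RSV:6.62||T:APACHE|| "
    "AttackersIP:10.106.1.77 Domain:imunifyupload.com PluginID:modsec "
    "TransactionID:Z4VZseuts5ObZnwxrawcwwAAAAI AccessDenied:true StatusCode:403}]) processed"
)

# Fields inside the Message part are "Key:Value" pairs separated by "||".
SCANNED_RE = re.compile(r"Scanned:([^|]+)")
FILENAME_RE = re.compile(r"Filename:([^|]+)")
RULE_RE = re.compile(r"Rule:(\d+)")
DENIED_RE = re.compile(r"AccessDenied:(true|false)")

# Assumption: temp-file naming inferred from the single example in the article,
# <YYYYMMDD>-<HHMMSS>-<TransactionID>-file-<random>, located directly under /tmp.
TEMP_NAME_RE = re.compile(r"^\d{8}-\d{6}-[A-Za-z0-9_-]+-file-[A-Za-z0-9]+$")


@dataclass
class TempFileStatus:
    rule: str
    filename: str
    path: str
    blocked: bool
    status: str


def extract_scanned_paths(line: str) -> List[str]:
    """Return every Scanned: path in a line, with '/tmp//' collapsed to '/tmp/'."""
    return [os.path.normpath(m.group(1).strip()) for m in SCANNED_RE.finditer(line)]


def is_waf_upload_temp(path: str) -> bool:
    """True when the path looks like an interrupted-upload temp file under /tmp."""
    return os.path.dirname(path) == "/tmp" and bool(TEMP_NAME_RE.match(os.path.basename(path)))


def check_temp_files(line: str,
                     exists: Callable[[str], bool] = os.path.exists) -> List[TempFileStatus]:
    """Parse one SensorIncident line and report each scanned temp file's fate."""
    results: List[TempFileStatus] = []
    # Each rule hit is a "{Rule:NNN ...}" block; only some carry a Scanned: field.
    for block in re.split(r"(?=\{Rule:)", line):
        paths = extract_scanned_paths(block)
        if not paths:
            continue
        rule = RULE_RE.search(block)
        fname = FILENAME_RE.search(block)
        denied = DENIED_RE.search(block)
        for path in paths:
            if not is_waf_upload_temp(path):
                status = "not an upload temp file under /tmp: inspect manually"
            elif exists(path):
                status = "still present: contact support for further investigation"
            else:
                status = "already removed by the system: the cleanup warning is expected"
            results.append(TempFileStatus(
                rule=rule.group(1) if rule else "",
                filename=fname.group(1).strip() if fname else "",
                path=path,
                blocked=bool(denied and denied.group(1) == "true"),
                status=status,
            ))
    return results


if __name__ == "__main__":
    # Feed real incident lines on stdin, or run without input to use the sample.
    lines = [l for l in sys.stdin] if not sys.stdin.isatty() else [SAMPLE_LOG]
    for l in lines:
        for r in check_temp_files(l):
            print(f"rule {r.rule} file={r.filename} blocked={r.blocked} {r.path}: {r.status}")
```

Run it as `grep SensorIncident /var/log/imunify360/console.log | python3 check_tmp.py` (the log path is an assumption; use wherever the line you saw was logged), or with no input to see the sample parsed. A temp file that is reported as already removed is the normal outcome described in this article; one that is still present is the case to raise with support.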
Cause
The /tmp directory is cleaned by the system.