mod_security tmp Files Question


Chris
17th March 2007, 06:58 AM
I am running mod_security on a Plesk box with the gotroot.com rule set (except for the badip and blacklist rules). I have just now noticed some hacker-related files showing up in my /tmp folder. I am guessing these must be related to mod_security. They all look something like this:
20070309-012705-12.34.56.78-request_body-sazTGj

The 12.34.56.78 is an IP address; it's different for each file. I have several of these, and the contents are different: some contain "Hacked by..." type messages, some are empty, some contain e-mail messages. When I scan the audit_log for the IP address, it always comes back as being triggered by a "PUT " request method, and the user agent is always "Microsoft Data Access Internet Publishing Provider DAV 1.1".

Can someone verify these are created by mod_security? I did a lot of Web searching and I'm having trouble verifying that this is the case. If they are, why are they only created by a specific type of trigger (the "PUT" request with the specific user agent)?
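The file names quoted above carry a timestamp and the client IP, which is enough to triage a directory full of them without opening each one by hand. The script below is an added example, not code from the thread, from mod_security or from the gotroot rule set: it parses the assumed name layout `YYYYMMDD-HHMMSS-<client ip>-request_body-<suffix>`, labels each captured body (empty, defacement-style text, other) and summarises per client IP, so the IPs can then be looked up in the audit_log. The marker strings, the sample files and the scratch directory are constructed for illustration.

```python
"""
Triage helper for mod_security request-body capture files in a temp directory.

Added example, not from the forum thread, mod_security or the gotroot rules.
Assumes the file name layout the thread shows:
    YYYYMMDD-HHMMSS-<client ip>-request_body-<random suffix>
The marker strings and the sample directory are assumptions for illustration.
"""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

# Matches names like 20070309-012705-12.34.56.78-request_body-sazTGj
CAPTURE_RE = re.compile(
    r"^(?P<date>\d{8})-(?P<time>\d{6})-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"-request_body-(?P<suffix>[A-Za-z0-9]+)$"
)

# Assumed markers for defacement-style bodies; extend to taste.
DEFACEMENT_MARKERS = ("hacked by", "owned by", "defaced by")


def parse_capture_name(name):
    """Return (timestamp, client_ip) for a capture file name, or None if it is not one."""
    m = CAPTURE_RE.match(name)
    if not m:
        return None
    ts = datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S")
    return ts, m.group("ip")


def classify_body(data):
    """Label a captured request body as 'empty', 'defacement' or 'other'."""
    if not data.strip():
        return "empty"
    text = data.decode("latin-1").lower()  # bodies are arbitrary bytes; never fail on decode
    if any(marker in text for marker in DEFACEMENT_MARKERS):
        return "defacement"
    return "other"


def triage(directory):
    """Summarise capture files per client IP: count, bytes, labels, first and last seen."""
    per_ip = defaultdict(lambda: {"count": 0, "bytes": 0, "labels": set(),
                                  "first": None, "last": None})
    for name in os.listdir(directory):
        parsed = parse_capture_name(name)
        if parsed is None:
            continue  # not a mod_security capture; leave other tmp files alone
        ts, ip = parsed
        with open(os.path.join(directory, name), "rb") as fh:
            data = fh.read()
        entry = per_ip[ip]
        entry["count"] += 1
        entry["bytes"] += len(data)
        entry["labels"].add(classify_body(data))
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(per_ip)


def build_sample_dir():
    """Create a scratch directory holding constructed capture files (not real evidence)."""
    d = tempfile.mkdtemp(prefix="modsec_demo_")
    samples = {
        "20070309-012705-12.34.56.78-request_body-sazTGj": b"Hacked by example crew\n",
        "20070309-013010-12.34.56.78-request_body-Qm4xZp": b"",
        "20070310-220001-10.0.0.9-request_body-KLs8ab": b"From: a@example.invalid\nSubject: hi\n",
        "unrelated.txt": b"not a capture file",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    # Point triage() at /tmp (or your SecUploadDir) on a real box; the demo uses constructed files.
    for ip, info in sorted(triage(build_sample_dir()).items()):
        print(f"{ip}: {info['count']} file(s), {info['bytes']} bytes, "
              f"{sorted(info['labels'])}, {info['first']} .. {info['last']}")
```

The per-IP summary is the useful output: one client producing many empty bodies in a short window looks like a scanner probing for writable WebDAV, while a single "Hacked by" body is a defacement attempt that mod_security stopped; either way the IP and timestamps give you the keys to pull the matching audit_log entries.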

atomicturtle
17th March 2007, 12:45 PM
Yep, if you're using our rules/configs that's expected behavior. Pretty cool huh?

Chris
17th March 2007, 02:29 PM
Originally posted by atomicturtle
Yep, if you're using our rules/configs that's expected behavior. Pretty cool huh?
Ya it's cool now that I know what it is, but it gave me a little jolt when I first saw the contents of the files. I was pretty sure it had to be mod_security related based on the file names, so thanks for confirming.

If I decide in the future I don't want those files stored in my tmp how do I turn that feature off?

atomicturtle
17th March 2007, 07:24 PM
It's a setting that escapes me at the moment, in 00mod_security.conf. Upload something or another.

Chris
17th March 2007, 07:49 PM
I have this line in my modsecurity.conf, if I uncomment it will that do the trick?

#SecUploadKeepFiles Off

atomicturtle
17th March 2007, 08:25 PM
Yep, that looks like it. As a side note, I've never actually turned it off myself, since I collect those files to create rules from. If that's not it, you might want to check the mod_security docs.