strange /tmp files - put attacks

  • I have found 2 files in /tmp > owner www-data, looks like Adobe stuff inside ...
    Does anyone know what that is or where it comes from?


    fcgid.tmp.p9XutA
    20150917-101130-Vfp1r1UZxqQAAHreKvEAAABT-request_body-yyEL4I



    renamed as .txt because of restrictions


    ImageMagick was installed but www-data should store the files in user /phptmp or what do you think?

  • it will not stop .. if I delete both files in /tmp it takes 2 seconds and I get 2 new files
    some output from these files:


        Content-Disposition: form-data; name="putfile"; filename="club-senior_01-2012_web.pdf";
        Content-Type: application/octet-stream
        %PDF-1.7


    how can I stop that?

  • not quite sure yet, but it seems that mod_security places some uploaded files into /tmp
    could be a Windows website builder software ... we will see



    ### EDIT ###
    I got it :)
    a customer is using Siquando

    Edited once, last by fulltilt.
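
Added example, not part of the thread: a small POSIX shell triage for files like the second one posted above. It assumes the ModSecurity 2.x spool name layout `YYYYMMDD-HHMMSS-<transaction id>-request_body-<random>`, which the posted file name matches, and reads only the multipart part headers to show which form field and file name each upload used. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): triage ModSecurity 2.x request-body
# spool files. Assumed name layout, matching the file posted above:
#   YYYYMMDD-HHMMSS-<transaction id>-request_body-<6 random chars>
# Function names are hypothetical.

# Print "YYYY-MM-DD HH:MM:SS <txid>" for a spool file name; return 1 otherwise.
parse_spool_name() {
    out=$(printf '%s\n' "${1##*/}" | sed -n -E \
      's/^([0-9]{4})([0-9]{2})([0-9]{2})-([0-9]{2})([0-9]{2})([0-9]{2})-(.+)-request_body-[A-Za-z0-9]{6}$/\1-\2-\3 \4:\5:\6 \7/p')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Print the form field and client-supplied file name of each upload part found
# in the first 8 KiB of a spooled multipart body (headers only, payload ignored).
upload_parts() {
    head -c 8192 "$1" | tr -d '\r\000' | LC_ALL=C awk '
        tolower($0) ~ /^content-disposition: *form-data/ {
            name = ""; file = ""
            if (match($0, /[; ]name="[^"]*"/))
                name = substr($0, RSTART + 7, RLENGTH - 8)
            if (match($0, /filename="[^"]*"/))
                file = substr($0, RSTART + 10, RLENGTH - 11)
            print "field=" name " filename=" file
        }'
}

# One line per spool file in directory $1: time, transaction id, upload parts.
triage_dir() {
    for f in "$1"/*-request_body-*; do
        [ -f "$f" ] || continue
        meta=$(parse_spool_name "$f") || continue
        printf '%s %s\n' "$meta" "$(upload_parts "$f")"
    done
}

# Usage: sh triage.sh /tmp
# Then search the ModSecurity audit log (path is site-specific) for the printed
# transaction id to find the client address and request URL, if it was logged.
if [ -n "${1:-}" ]; then triage_dir "$1"; fi
```

Where these files are written is controlled by ModSecurity's `SecTmpDir` directive, so the spool location can be moved out of the shared /tmp.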