The Community Forums


Possible security issue with Jailed Apache?

Discussion in 'Security' started by Rodrigo Gomes, Jan 26, 2017.

  1. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Joined:
    Apr 6, 2016
    Messages:
    82
    Likes Received:
    21
    Trophy Points:
    8
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    I have seen some error_logs files from my clients and I got scared by this error:

    USER2 error_logs file:
    I saw this error log inside the USER2 account, and in many other accounts (USER3, USER5, etc.), all from "USER1".
    This log did not appear on all accounts, and only appeared for customers who have WordPress installed.

    Why is USER1 generating errors in other accounts?

    I have Jailed Apache enabled.

    Apache 2.4
    Deflate
    Env
    Expires
    Fileprotect
    Headers
    MPM Prefork
    Mime Magic
    Mod RemoteIp
    Mod ReqTimeout
    Mod SuPHP 0.7.2
    Proxy
    UniqueId
    Version

    PHP 5.6
    Bcmath
    CGI
    Calendar
    CurlSSL
    Exif
    FTP
    FileInfo
    GD
    Gettext
    Iconv
    Imap
    Intl
    MailHeaders
    Mbregex
    Mbstring
    Mcrypt
    MySQL "Improved" extension.
    Mysql
    Opcache
    Openssl
    PDO
    PDO MySQL
    Pear
    Phar
    Pspell
    SOAP
    SQLite3
    Sockets
    TTF (FreeType)
    XmlRPC
    Zip
    Zlib

    Additional OptMods
    IonCube 4 Loader v4.7.5 for PHP
    Mod CloudFlare
    Mod Ruid2 0.9.8
    Mod Security 2.9.0
    Suhosin 0.9.38 for PHP

    I checked the USER1 account and it does not appear to be infected.
    And I use "Opcache" to cache PHP scripts. Could this be opening a breach in the Jailed Apache protection?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Search results suggest this is related to a bad WordPress plugin. There's a WordPress thread where it's discussed at:

    Topic: Cannot redeclare wp_get_server_protocol « WordPress.org Forums

    Thank you.
     
  3. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Hello Michael,

    My concern is that USER1's PHP scripts affect other accounts on the server.
    How would this be possible if I run Apache with the jail enabled?

    I want to figure out how this happened, because this time it was a plugin, but next time it could be a malicious script.

    Thank you!
     
  4. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    352
    Likes Received:
    7
    Trophy Points:
    168
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    That's an interesting error. I notice from your build profile you're using suphp. What are your users' shells set to? I don't believe suphp is suggested as the ideal PHP handler when using mod_ruid2. Michael will correct me if I'm wrong.
     
  5. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Hello ThinIce,

    This is my shell configuration:
    [Attached screenshots: print.png, print2.png]

    And you are right!
    Apache Module: SuPHP - EasyApache - cPanel Documentation

    But I have PHP 5 Handler configured with DSO. Anyway I'm going to disable Mod SuPHP.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    In your OPCache configuration, try adding the following entry to see if the issue persists:

    Code:
    opcache.validate_permission=1
    It's likely you are facing the same issue discussed on the following thread:

    SOLVED - Zend OPcache and PHP-FPM

    Thank you.
     
    Rodrigo Gomes likes this.
  7. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Probably that was the problem.

    I did not know this configuration. Thank you so much Michael!
    You helped me a lot!

    This is my current setting:
    Code:
    opcache.enable=1
    opcache.memory_consumption=2048
    opcache.interned_strings_buffer=24
    opcache.max_accelerated_files=130987
    opcache.max_file_size=5242880
    opcache.enable_file_override=1
    opcache.revalidate_freq=2
    opcache.fast_shutdown=1
    opcache.use_cwd=1
    opcache.save_comments=1
    opcache.load_comments=1
    opcache.validate_permission=1
    opcache.restrict_api="/home/hostadm/public_html"
     
    cPanelMichael likes this.
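
An added example, not part of the thread and not cPanel's code: a small audit of a php.ini fragment for the OPcache directives that matter when one shared cache serves several accounts, run over the settings posted above and a constructed copy without the suggested line. The `opcache.validate_root` check goes beyond the thread; PHP documents that directive for chroot'ed environments. The function names are assumptions made for this example.

```python
_TRUE = {"1", "on", "true", "yes"}  # ini spellings PHP treats as enabled

# Settings as posted in the last reply, trimmed to the relevant directives.
POSTED = """
opcache.enable=1
opcache.use_cwd=1
opcache.validate_permission=1
opcache.restrict_api="/home/hostadm/public_html"
"""
# Constructed sample: the same file without the line suggested in the thread.
WITHOUT_FIX = POSTED.replace("opcache.validate_permission=1\n", "")

def parse_ini(text):
    """Return {directive: value}; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop ; comments
        if not line or line.startswith(("#", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def _on(settings, key, default):
    return settings.get(key, default).lower() in _TRUE

def audit_opcache(text):
    """Return (directive, reason) findings for a cache shared between users."""
    s = parse_ini(text)
    if not _on(s, "opcache.enable", "1"):          # cache off: nothing shared
        return []
    findings = []
    if not _on(s, "opcache.validate_permission", "0"):
        findings.append(("opcache.validate_permission",
                         "cached scripts are not checked against the current user's file permissions"))
    if not _on(s, "opcache.validate_root", "0"):
        findings.append(("opcache.validate_root",
                         "identical paths in different chroots can collide in the cache"))
    if not s.get("opcache.restrict_api"):
        findings.append(("opcache.restrict_api",
                         "any script may call the OPcache API functions"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("without fix", WITHOUT_FIX)):
        for directive, why in audit_opcache(cfg):
            print(f"{name}: {directive}: {why}")
```
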