Possible security issue with Jailed Apache?

[Rodrigo Gomes]

I have seen some error_logs files from my clients and I got scared with this error:

USER2 error_logs file:

[15-Jan-2017 15:14:02] PHP Fatal error: Cannot redeclare wp_get_server_protocol() (previously declared in /home/USER1/public_html/wp-includes/load.php:16) in /home/USER2/public_html/blog/wp-includes/load.php on line 16

I saw this error log inside USER2 account, and many other accounts (USER3, USER5, etc.), all from the "USER1".
This log did not appear on all accounts, and only appeared for customers who have Wordpress installed.

Why is USER1 generating error in others accounts?

I have jailed apache enabled.

Show/Hide: EasyApache 3 - Profile

Apache 2.4
Deflate
Env
Expires
Fileprotect
Headers
MPM Prefork
Mime Magic
Mod RemoteIp
Mod ReqTimeout
Mod SuPHP 0.7.2
Proxy
UniqueId
Version

PHP 5.6
Bcmath
CGI
Calendar
CurlSSL
Exif
FTP
FileInfo
GD
Gettext
Iconv
Imap
Intl
MailHeaders
Mbregex
Mbstring
Mcrypt
MySQL "Improved" extension.
Mysql
Opcache
Openssl
PDO
PDO MySQL
Pear
Phar
Pspell
SOAP
SQLite3
Sockets
TTF (FreeType)
XmlRPC
Zip
Zlib

Additional OptMods
IonCube 4 Loader v4.7.5 for PHP
Mod CloudFlare
Mod Ruid2 0.9.8
Mod Security 2.9.0
Suhosin 0.9.38 for PHP

I checked the USER1 account and it does not appear to be infected.
And I use "Opcache" to cache PHP scripts. This could be opening a breach in the apache jailed protection?

 

[cPanelMichael]

[15-Jan-2017 15:14:02] PHP Fatal error: Cannot redeclare wp_get_server_protocol() (previously declared in /home/USER1/public_html/wp-includes/load.php:16) in /home/USER2/public_html/blog/wp-includes/load.php on line 16

Hello,

Search results suggest this is related to a bad WordPress plugin. There's a WordPress thread where it's discussed at:

Topic: Cannot redeclare wp_get_server_protocol « WordPress.org Forums

Thank you.

 

[Rodrigo Gomes]

Hello Michael,

My concern is that USER1's php scripts affect other accounts on the server.
How would this be possible if I run apache with jailed enabled?

I want to figure out how this happened, because this time it was a plugin, but the next it could be a malicious script.

Thank you!

 

[ThinIce]

That's an interesting error. I notice from your build profile you're using suphp. What are your users shells set to? I don't believe suphp is suggested as the ideal php handler when using mod_ruid2. Michael will correct me if I'm wrong.

 

[Rodrigo Gomes]

That's an interesting error. I notice from your build profile you're using suphp. What are your users shells set to? I don't believe suphp is suggested as the ideal php handler when using mod_ruid2. Michael will correct me if I'm wrong.

Hello ThinIce,

This is my shell configuration:




And you are right!

Do not select suPHP as your PHP handler if you use ModRuid2 with the "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell. " option in the Security tab of WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings).

Apache Module: SuPHP - EasyApache - cPanel Documentation

But I have PHP 5 Handler configured with DSO. Anyway I'm going to disable Mod SuPHP.

 

[cPanelMichael]

And I use "Opcache" to cache PHP scripts. This could be opening a breach in the apache jailed protection?

Hello,

In your OPCache configuration, try adding the following entry to see if the issue persists:

opcache.validate_permission=1

It's likely you are facing the same issue discussed on the following thread:

SOLVED - Zend OPcache and PHP-FPM

Thank you.

 

[Rodrigo Gomes]

Hello,

In your OPCache configuration, try adding the following entry to see if the issue persists:

opcache.validate_permission=1

It's likely you are facing the same issue discussed on the following thread:

SOLVED - Zend OPcache and PHP-FPM

Thank you.

Probably that was the problem.

I did not know this configuration. Thank you so much Michael!
You helped me a lot!

This is my current setting:

opcache.enable=1
opcache.memory_consumption=2048
opcache.interned_strings_buffer=24
opcache.max_accelerated_files=130987
opcache.max_file_size=5242880
opcache.enable_file_override=1
opcache.revalidate_freq=2
opcache.fast_shutdown=1
opcache.use_cwd=1
opcache.save_comments=1
opcache.load_comments=1
opcache.validate_permission=1
opcache.restrict_api="/home/hostadm/public_html"