Possible security issue with Jailed Apache?

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
128
29
78
Brazil
cPanel Access Level
Root Administrator
I have seen some error_log files from my clients and I got scared by this error:

USER2 error_log file:
[15-Jan-2017 15:14:02] PHP Fatal error: Cannot redeclare wp_get_server_protocol() (previously declared in /home/USER1/public_html/wp-includes/load.php:16) in /home/USER2/public_html/blog/wp-includes/load.php on line 16
I saw this error log inside the USER2 account and many other accounts (USER3, USER5, etc.), all from "USER1".
This log did not appear on all accounts; it only appeared for customers who have WordPress installed.

Why is USER1 generating errors in other accounts?

I have jailed Apache enabled.

Apache 2.4
Deflate
Env
Expires
Fileprotect
Headers
MPM Prefork
Mime Magic
Mod RemoteIp
Mod ReqTimeout
Mod SuPHP 0.7.2
Proxy
UniqueId
Version

PHP 5.6
Bcmath
CGI
Calendar
CurlSSL
Exif
FTP
FileInfo
GD
Gettext
Iconv
Imap
Intl
MailHeaders
Mbregex
Mbstring
Mcrypt
MySQL "Improved" extension.
Mysql
Opcache
Openssl
PDO
PDO MySQL
Pear
Phar
Pspell
SOAP
SQLite3
Sockets
TTF (FreeType)
XmlRPC
Zip
Zlib

Additional OptMods
IonCube 4 Loader v4.7.5 for PHP
Mod CloudFlare
Mod Ruid2 0.9.8
Mod Security 2.9.0
Suhosin 0.9.38 for PHP

I checked the USER1 account and it does not appear to be infected.
And I use "Opcache" to cache PHP scripts. Could this be opening a breach in the jailed Apache protection?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
> [15-Jan-2017 15:14:02] PHP Fatal error: Cannot redeclare wp_get_server_protocol() (previously declared in /home/USER1/public_html/wp-includes/load.php:16) in /home/USER2/public_html/blog/wp-includes/load.php on line 16

Hello,

Search results suggest this is related to a bad WordPress plugin. There's a WordPress thread where it's discussed at:

Topic: Cannot redeclare wp_get_server_protocol « WordPress.org Forums

Thank you.
 

Rodrigo Gomes

Hello Michael,

My concern is that USER1's PHP scripts affect other accounts on the server.
How would this be possible if I run Apache with the jail enabled?

I want to figure out how this happened, because this time it was a plugin, but next time it could be a malicious script.

Thank you!
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
That's an interesting error. I notice from your build profile you're using suphp. What are your users' shells set to? I don't believe suphp is suggested as the ideal PHP handler when using mod_ruid2. Michael will correct me if I'm wrong.
 

Rodrigo Gomes

> That's an interesting error. I notice from your build profile you're using suphp. What are your users' shells set to? I don't believe suphp is suggested as the ideal PHP handler when using mod_ruid2. Michael will correct me if I'm wrong.

Hello ThinIce,

This is my shell configuration:
print.png

print2.png

And you are right!
Do not select suPHP as your PHP handler if you use ModRuid2 with the "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell." option in the Security tab of WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings).
Apache Module: SuPHP - EasyApache - cPanel Documentation

But I have PHP 5 Handler configured with DSO. Anyway I'm going to disable Mod SuPHP.
 

cPanelMichael

> And I use "Opcache" to cache PHP scripts. Could this be opening a breach in the jailed Apache protection?

Hello,

In your OPCache configuration, try adding the following entry to see if the issue persists:

Code:
opcache.validate_permission=1
It's likely you are facing the same issue discussed on the following thread:

SOLVED - Zend OPcache and PHP-FPM

Thank you.
 

Rodrigo Gomes

> Hello,
>
> In your OPCache configuration, try adding the following entry to see if the issue persists:
>
> Code:
> opcache.validate_permission=1
> It's likely you are facing the same issue discussed on the following thread:
>
> SOLVED - Zend OPcache and PHP-FPM
>
> Thank you.

Probably that was the problem.

I did not know this configuration. Thank you so much Michael!
You helped me a lot!

This is my current setting:
Code:
opcache.enable=1
opcache.memory_consumption=2048
opcache.interned_strings_buffer=24
opcache.max_accelerated_files=130987
opcache.max_file_size=5242880
opcache.enable_file_override=1
opcache.revalidate_freq=2
opcache.fast_shutdown=1
opcache.use_cwd=1
opcache.save_comments=1
opcache.load_comments=1
opcache.validate_permission=1
opcache.restrict_api="/home/hostadm/public_html"
 
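A check an administrator could run across account error_log files to spot the symptom that started this thread, generalized from the "Cannot redeclare" case to any PHP error line that names another account's home path. This is an added example, not code from any of the posters or from cPanel; the /home/<account>/ layout follows the log line quoted above, while the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# cPanel-style layout seen in the log above: /home/<account>/...
HOME_PATH = re.compile(r"/home/([A-Za-z0-9_.-]+)/")
PHP_ERROR = re.compile(r"^\[[^\]]+\] PHP (?:Fatal error|Parse error|Warning|Notice):")


def foreign_accounts(owner, line):
    """Accounts other than `owner` whose home paths appear in a PHP error line."""
    if not PHP_ERROR.match(line):
        return set()
    return set(HOME_PATH.findall(line)) - {owner}


def audit(logs):
    """logs maps account -> lines of that account's error_log.
    Returns {source account: sorted accounts whose logs name its files}."""
    leaks = defaultdict(set)
    for owner, lines in logs.items():
        for line in lines:
            for source in foreign_accounts(owner, line):
                leaks[source].add(owner)
    return {src: sorted(owners) for src, owners in leaks.items()}


# Constructed sample data, modelled on the log line quoted in the thread.
REDECLARE = ("[15-Jan-2017 15:14:02] PHP Fatal error: Cannot redeclare "
             "wp_get_server_protocol() (previously declared in "
             "/home/USER1/public_html/wp-includes/load.php:16) in "
             "/home/{owner}/public_html/wp-includes/load.php on line 16")
SAMPLE_LOGS = {
    "USER2": [REDECLARE.format(owner="USER2")],
    "USER3": [
        REDECLARE.format(owner="USER3"),
        "[15-Jan-2017 15:21:07] PHP Warning: Division by zero in "
        "/home/USER3/public_html/index.php on line 4",
    ],
    "USER4": ["[15-Jan-2017 16:02:10] PHP Notice: Undefined index: page in "
              "/home/USER4/public_html/index.php on line 9"],
}

if __name__ == "__main__":
    for source, owners in audit(SAMPLE_LOGS).items():
        print(f"{source} files named in error_log of: {', '.join(owners)}")
```

A hit only shows that another account's file path surfaced in this account's PHP errors; a legitimately shared include produces the same pattern, so treat it as a prompt to review the OPcache settings discussed above.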