httpd down due to enabling php zip extension

Ash3T

Will enabling php zip extension cause a server (System: Centos 7, Apache server) http down?
That’s what happened the other day.

phenomlab

@ash3t only if the extension isn’t in the specified path within the conf file. Does it start if you remark the extension in PHP.ini ?

Ash3T

@phenomlab It would? By enabling, I mean, the cPanel admin install the php zip extensions on, like on this.

After installing, I am able to see it got enabled on php_info.php.

the httpd down is the whole server, like 50 website is down. The reason why I am asking is:

• The is no specific error message/report/logs about why the httpd is down. It says, “connection issue” when accessing the websites.

• things are running normal before, and after uninstalled ZIP & reboot the httpd.

Do you know what may potentially cause this and impact the whole server? I thought, for example, if flarum needs one extension, simply turn on the extension by using the easyApache 4, and it won’t cause any damages. And each cPanel users will be able to use the extension, with no need to do anything in the conf file. Thanks for your help.

phenomlab

@ash3t if you’ve enabled the extension by cPanel then this should work without issue, and certainly won’t cause websites to go down as a result. However, what may be the case is a change of PHP version.

Sometimes, inadvertently selecting this can mean the default PHP extensions are enabled and not the ones that you require for your website to function. I’ve seen this happen several times in cPanel and it’s a known problem.

Ash3T

@phenomlab Thanks for sharing your past experience. Do you mean that change the PHP version would cause one website to go down? However, it won’t cause the whole server’s httpd to go down, right?

The things is that since after installing the ZIP extension, the httpd was down, and without finding the cause, it is a bit worrisome to enabled the ZIP again. Since it is not just causing one website to go down, but all the websites that sharing the same IP.

phenomlab

@ash3t said in httpd down due to enabling php zip extension:

Do you mean that change the PHP version would cause one website to go down? However, it won’t cause the whole server’s httpd to go down, right?

Potentially, but this depends on what each website relies on in terms of topology. Can you provide more detail as to what technologies (such as WordPress etc) are running on these sites ?

@ash3t said in httpd down due to enabling php zip extension:

The things is that since after installing the ZIP extension, the httpd was down, and without finding the cause, it is a bit worrisome to enabled the ZIP again. Since it is not just causing one website to go down, but all the websites that sharing the same IP.

So does the issue resolve itself when you remove the zip PHP extension ?

Ash3T

@phenomlab Unfortunately, I cannot provide more details. It my friend’s server, and as I know, it has run many small website. I image most of them would be using WordPress, if not, then just static html.

“So does the issue resolve itself when you remove the zip PHP extension ?”
As far as I know, since there is no error messages, we don’t know the issue yet. I believe the server is up and running now.

My friend suspected that some malware stored in zip were pushed into our server and extracted afterwards. The situation is : The symptoms were the server ran so fast due to high CPU load and busy to deal with heavy connections.

Is there a way to run any security checks for this situation?

phenomlab

@ash3t that doesn’t sound symptomatic of malware, but is heavily aligned to DDoS (Distributed Denial of Service) which is where the target machine receives thousands of connection requests per second and it’s overwhelmed meaning real visitors and sites cannot be served.

Without any specific monitoring in place, it’s going to be very difficult to determine the exact cause. There are numerous tools that can scan for malicious activity - although much of this depends on the back end technology being used (cPanel, Plesk etc). One of the best products around for protection is imunify360.

https://bobcares.com/blog/install-imunify360-cpanel/

It’s not free, but worth every penny.

Ash3T

@phenomlab Thanks, that’s a relief. I have checked with my friend, the server already has ddos protection.

For now, it seems that we cannot find a clue about it. What would you suggest that we should keep an eye on as we are thinking about enabling the zip extension again.

phenomlab

@ash3t my personal preference here would be to have some form of monitoring - something like SNMP counters using a product such as cacti, LibreNMS, or observium (I have extensive experience with these).

Taking this route in terms of monitoring means you can draw some form of parallel with a specific time and function. In terms of malware protection, imunify360 really is difficult to beat.

The only real issue with SNMP is that the community needs to be secured adequately to prevent abuse from external sources. For example, it’s possible to execute commands on a read and write community with a weak community string. For this reason, you’d close read only and restrict the accessing hosts to trusted IP addresses only.

Ash3T

@phenomlab Thanks for your suggestion! As far as I know, my friend got a monitoring system now.

phenomlab

@ash3t Good news. Thanks.

phenomlab

@ash3t I’m going to mark this as solved for the time being. Let me know if this isn’t the case, or if you need any further help.