My company web server has been hacked pretty severely, and I replaced Atomicorp Server Intrusion with the trial version of Imunify360. PHP-FPM would not restart after the install, causing all sites to go down for about 14 hours before a level 3 sys admin determined the below to get sites to display again. A few sites are showing the following warning concerning JIT memory that is related to what he had to do to get sites to display again. I'm hearing this is the case for all sites, but it is only affecting a few for homepage display.
Warning: preg_match(): Allocation of JIT memory failed, PCRE JIT will be disabled. This is likely caused by security restrictions. Either grant PHP permission to allocate executable memory, or set pcre.jit=0 in /home/rjsassocs/public_html/wp-includes/load.php on line 1700
Pasted below is the probable cause from my sys admin:
First Email:
This email serves as a follow up to let you know that I am actively working on your server at this time. Reviewing the logs, I now have evidence that the issues are caused by Imunify360. Please see the error log below.
Dec 08 07:39:47 server.graphicmemory.com kernel: php-cgi[1006]: segfault at bfce88 ip 000003b78aaf61f0 sp 000003fc42470ba0 error 7 in i360.so[3b78aac5000+be000]
Dec 08 07:39:47 server.graphicmemory.com kernel: php-cgi[1007]: segfault at bfce88 ip 000003cfe0ef61f0 sp 000003f051445710 error 7 in i360.so[3cfe0ec5000+be000]
Dec 08 07:39:47 server.graphicmemory.com kernel: php-cgi[1008]: segfault at bfce88 ip 00000326352f61f0 sp 0000038ba1a3f720 error 7 in i360.so[326352c5000+be000
The i360.so above is for Imunify360 which is causing segfaults/crashes for PHP-CGI processes. I will be following up with another email in the next hour or so. I really appreciate your patience regarding this ticket.
Second Follow Up Email:
This email serves as a follow up to let you know that issues regarding sites being down on the server have been resolved and all sites are now back up and running. The issue was caused by an Imunify360 PHP module that was apparently injected into PHP modules for all PHP versions on the server called i360.so. The location of this file was /opt/cpanel/ea-php##/root/usr/lib64/php/modules/i360.so where ea-php## was ea-php74 or ea-php80 or ea-php81.
To resolve this issue, I had to rename these files to i360.so_ and restart apache and PHP-FPM. All sites on the server are currently set to use PHP 7.4 and are operational at this time.
Imunify seems to be working now for the most part - the firewall is good and it is running malware scans. However, my sys admins can't get past the JIT memory issue without feedback. I think this is also compromising Imunify's effectiveness.
I'm not a paying client yet; I'm giving the trial a shot. I'm looking to become one, but could use a little help with this to fully analyze the software before purchasing.
I tried going through a support ticket, but it doesn't send the verification email to get it to submit, so I'm trying this route.
Look forward to someone's response to be able to effectively follow through, get my hack issues straight and use your product going forward.
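An added example, not part of the original post or the sys admin's emails: a small triage script for the kernel segfault lines quoted above. It parses each line, decodes the `error` field, and computes how far the faulting instruction sits from the start of the module mapping, so repeated crashes at one location stand out. The function names are hypothetical, and the error-code decoding assumes an x86 server, which the post does not state.

```python
import re
from collections import defaultdict

# Constructed sample: the three kernel lines quoted in the post, one per line.
# The last line is cut off before its closing bracket, exactly as on the page.
SAMPLE = """\
Dec 08 07:39:47 server.graphicmemory.com kernel: php-cgi[1006]: segfault at bfce88 ip 000003b78aaf61f0 sp 000003fc42470ba0 error 7 in i360.so[3b78aac5000+be000]
Dec 08 07:39:47 server.graphicmemory.com kernel: php-cgi[1007]: segfault at bfce88 ip 000003cfe0ef61f0 sp 000003f051445710 error 7 in i360.so[3cfe0ec5000+be000]
Dec 08 07:39:47 server.graphicmemory.com kernel: php-cgi[1008]: segfault at bfce88 ip 00000326352f61f0 sp 0000038ba1a3f720 error 7 in i360.so[326352c5000+be000
"""

# The trailing "]" is optional so truncated log lines still parse.
SEGV = re.compile(
    r"kernel: (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<mod>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]?)?"
)

def decode_error(code):
    """Decode the low three bits of the x86 page-fault error code (assumed arch)."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
    }

def parse_segfaults(text):
    """Return one dict per segfault line, with decoded fault and module offset."""
    events = []
    for m in SEGV.finditer(text):
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev["fault"] = decode_error(int(ev["err"]))
        # Distance of the faulting instruction from the start of the mapping.
        ev["offset"] = int(ev["ip"], 16) - int(ev["base"], 16) if ev["base"] else None
        events.append(ev)
    return events

def group_by_site(events):
    """Map (module, offset) -> PIDs that crashed at that location."""
    sites = defaultdict(list)
    for ev in events:
        sites[(ev["mod"], ev["offset"])].append(ev["pid"])
    return dict(sites)

if __name__ == "__main__":
    for (mod, off), pids in group_by_site(parse_segfaults(SAMPLE)).items():
        print(mod, hex(off) if off is not None else "?", pids)
```

On the quoted lines, all three php-cgi processes fault at the same offset inside i360.so on a user-mode write to a mapped page, which is the kind of detail a vendor support ticket can use.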