0

I have an Ubuntu Linux server (20.04) running Apache2 version 2.4.41

$ apachectl -v
Server version: Apache/2.4.41 (Ubuntu)
Server built:   2024-04-10T17:46:26

with PHP8 enabled in /etc/apache2/mods-enabled:

$ ls -l /etc/apache2/mods-enabled/php8*
lrwxrwxrwx 1 root root 39 Apr 29 14:17 /etc/apache2/mods-enabled/php8.0.conf -> /etc/apache2/mods-available/php8.0.conf
lrwxrwxrwx 1 root root 39 Apr 29 14:17 /etc/apache2/mods-enabled/php8.0.load -> /etc/apache2/mods-available/php8.0.load

It was running like this for months, and now somehow PHP keeps getting disabled. I become aware of it when my PHP application suddenly stops working, and when I look in /etc/apache2/mods-enabled I find the two entries for PHP8 are missing. If I reenable it, it will run for a few days, then the same thing happens again.

I can't see anything in the logs to indicate that it has been disabled, and I am (I hope) the only person with root access to the machine.

Does anyone know how I can track down what is disabling this and why? Is there some kind of logging I can enable to get more information?

1
  • My first idea is to make those files immutable (chattr +i file) so that even root cannot delete them. Perhaps you can find logging of the failed deletion attempt. Otherwise I have no clue right now.
    – Tommiie
    Commented Apr 30 at 2:06

1 Answer

2

Personally, I’d set up auditing: Install the auditd package to track system changes:

sudo apt-get install auditd

Configure auditing to monitor the /etc/apache2/mods-enabled directory:

sudo auditctl -w /etc/apache2/mods-enabled/ -p wx -k apache_mods

This will log any changes to the mods-enabled directory. You can check the audit logs with:

sudo ausearch -k apache_mods

Also verify PHP installation; double-check that PHP is correctly installed and configured:

sudo php -v
sudo ls /etc/apache2/mods-available/php8.0.*

If you find any issues, please share the outcome.

1
  • That's exactly what I was looking for. I've now updated PHP to 8.2 and this hasn't happened since, so I'm thinking maybe some kind of white-hat web crawler was using some security vulnerability in PHP 8.0 and disabling it on my behalf. I am going to drop back to 8.0 temporarily and install auditd as you suggested, and see if it happens again.
    Commented May 1 at 15:37
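
Once the watch from the answer has fired, the question of what is disabling the module is answered by grouping the raw audit records by event and reading the deleting process from the SYSCALL record. The following is an added example, not code from the posts above; the sample records are constructed in the raw /var/log/audit/audit.log format, and the function names and sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the raw format of /var/log/audit/audit.log (not taken from the page).
SAMPLE = '''\
type=SYSCALL msg=audit(1714571820.101:812): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=4410 pid=4417 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="a2dismod" exe="/usr/bin/perl" key="apache_mods"
type=PATH msg=audit(1714571820.101:812): item=0 name="/etc/apache2/mods-enabled/" nametype=PARENT
type=PATH msg=audit(1714571820.101:812): item=1 name="/etc/apache2/mods-enabled/php8.0.load" nametype=DELETE
type=SYSCALL msg=audit(1714571900.007:820): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="other_key"
type=PATH msg=audit(1714571900.007:820): item=0 name="/etc/apache2/" nametype=NORMAL
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uint32)-1: no login session behind the process (daemon, cron, ...)

def parse_events(text):
    """Group records that share one audit event (same timestamp and serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[(ts, serial)].append((rtype, fields))
    return events

def deletions(text, key="apache_mods"):
    """Return one dict per deleted path in events tagged with the watch key."""
    out = []
    for (ts, _serial), records in parse_events(text).items():
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if not sc or sc.get("key") != key:
            continue
        for t, f in records:
            if t == "PATH" and f.get("nametype") == "DELETE":
                auid = "unset" if sc["auid"] == UNSET_AUID else sc["auid"]
                out.append({"time": float(ts), "path": f["name"], "comm": sc["comm"],
                            "exe": sc["exe"], "ppid": sc["ppid"], "auid": auid})
    return out

if __name__ == "__main__":
    for hit in deletions(SAMPLE):
        print(hit)
```

On a live host the same input comes from `sudo ausearch -k apache_mods --raw`; the `ppid` value can then be searched for in the audit log or process accounting to find what launched the deleting process.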
