PHP Session write error

php Sessions write error suddenly on website

Step 1

 cd /var/lib/php/
[root@austin php]# ls -la
total 12
drwxr-xr-x  3 root root 4096 Apr  9 19:54 .
drwxr-xr-x 37 root root 4096 Apr 24 23:41 ..
drwx-wx-wt  2 apache apache 4096 Aug  5 20:01 session

Change the permissions and ownership

chmod 1733 /var/lib/php/session
chown root:root /var/lib/php/session

Step 2

Check the yum update log for php updates as this is usually the cause of the permissions change.

[root@austin log]# grep php /var/log/yum.log
Apr 09 19:54:09 Installed: php-5.3.3-27.el6_5.x86_64

This will give you the date and time of the last php update!

Atomic repo php Upgrade error

Servers popping up that are having php failures or issues with php_admin_value or php_admin_flag when apache restarts. This is occurring on servers running PHP 5.3.26. It appears when this update was pushed out, mod_php is no longer being loaded by default.

The symptoms are outlined here:

You should be able to add the following to the top of php.conf file to resolve the issue:

<IfModule prefork.c>
  LoadModule php5_module modules/
<IfModule worker.c>
  LoadModule php5_module modules/


If you come across a managed server that has the atomic repo enabled and has updated to PHP 5.4.x it more than likely killed their sites.

If this is the case and they were on a newer version of 5.3.x from atomic I’ve got the couple of one liners that I used to remove all the install PHP packages and then install the webtatic repo (which installed disabled) and then to install a base set of php modules from their repo.

This command will figure out what php-5.4.x packages are installed from atomic. Just to verify that you won’t be killing off anything other than the offending atomic packages.

rpm -qa | grep php | grep 5.4

This one-liner will remove all packages that match the above criteria even if they refer to multiple packages or are listed more than once.

for i in `rpm -qa | grep php | grep 5.4` ; do rpm -ev --allmatches --nodeps $i; done

Once they are all removed install the webtatic repo

rpm -Uvh

Then you can install the basic set of packages for php 5.3

yum --enablerepo=webtatic install php php-devel php-mysql php-imap php-xml php-pdo php-gd php-soap

PHP Spam Scripts

PHP Spam Scripts

I finally decided this topic deserves its own page.
To find the script sending spam

Ver -11.0

cat /var/www/vhosts/ | grep POST > /tmp/post.log

Ver 11.5+

cat /var/www/vhosts/system/ | grep POST > /tmp/post.log

WHM cPanel

cat /usr/local/apache/domlogs/ | grep POST > /tmp/post.log

View the results

cat /etm/post.log - - [02/Jan/2014:10:51:41 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-" - - [02/Jan/2014:10:52:54 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-" - - [02/Jan/2014:10:54:13 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-" - - [02/Jan/2014:10:55:18 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-" - - [02/Jan/2014:10:56:32 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"


This file often appears in /tmp/sysNNNNNNNN.php file
1. /tmp is 777
2. the sysNNNNNNNN.php is usually accompanied by a .zip file
3. .php and .zip are owned by apache

Mcrypt Installation

Note: If you have plesk panel – check the website for the version of php running. If it is a different version than the standard php installation, create a phpinfo page to check if mcrypt is installed for that php version as a simple “php-m” will just report the standard OS php information.

The first step requires downloading some RPM files that contain the additional YUM repository definitions. The instructions below point to the 64-bit versions that work with our Cloud Server instances.
Centos 5.x

sudo rpm -Uvh remi-release-5*.rpm epel-release-5*.rpm

Centos 6.x

sudo rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

CentOS 7

# sudo yum install epel-release


The command is as follows to download epel release for CentOS and RHEL 7.x using wget command:

cd /tmp

To install epel-release-7-5.noarch.rpm, type:

# sudo yum install epel-release-latest-7.noarch.rpm

list repos:

# sudo yum repolist

Once installed you should see some additional repo definitions under the /etc/yum.repos.d directory.

$ ls -1 /etc/yum.repos.d/epel* /etc/yum.repos.d/remi.repo

Enable the remi repository

The remi repository provides a variety of up-to-date packages that are useful or are a requirement for many popular web-based services. That means it generally is not a bad idea to enable the remi repositories by default.

First, open the /etc/yum.repos.d/remi.repo repository file using a text editor of your choice:

# sudo vim /etc/yum.repos.d/remi.repo

Edit the [remi] portion of the file so that the enabled option is set to 1. This will enable the remi repository.

name=Les RPM de remi pour Enterprise Linux $releasever - $basearch

You will now have a larger array of yum repositories from which to install.

Now run:

# yum install php-mcrypt

# service httpd restart