"ALERT - canary mismatch on efree()..." ERROR, plea
Ubuntu 8.04 (Latest Legacy (2.6.18.8-linode22))
Apache version 2.2.8
PHP version: 5.2.4-2ubuntu5.23
MySQL version: 5.0.51a
phpMyAdmin - 2.11.3deb1ubuntu1.3
Second - the full error:
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'xx.xxx.xxx.xxx', file '……………../template-functions.php', line 4570
Third - I've searched here which helped me enable logging to find the actual error and which pointed me to finding and trying a few things I will link to below…
Now on to the specific details of the issue…
I'm a Linux/web server NOOB so my friend helped me set everything up - and overall it was straightforward…been going great for several years now. I'm currently hosting 9 websites, several of which are my personal sites.
So I was having this issue with my personal site where it wouldn't load. (Old version of the site was just a blank page - new version is just a "The connection was reset" error - more details on this below)
If I browse directly to an image - the image will load. I can also FTP and SSH in no problems…everything is there. Once I restart apache the site is fine again - nothing is lost and it was like nothing ever happened. When this happens, it only happens to my personal site…and ONLY to the "www" domain - all sub-domains always work fine (more on that later). No other sites on my server have this issue either. Several of them use the same CMS also. I've also checked server load when this happens via "screen" and nothing abnormal there either.
It's a fairly large site with tons of pics and vids and content so I just thought something was going wacky with the database or the CMS I was using. As such, I started to build a new site. I got everything going in a new sub-domain (dev). Latest version of the CMS, new database and everything. I didn't want to import any old content just in case something was screwy with the database.
Fast forward several weeks - I now have a working beta site that's completely designed and I am now loading content. It's a fully functional site though. Well, I get this issue with my main site (www) not loading once again. Now that I have a beta site I decide to see what's going on with that…well it loads fine. No issues. And again no issues with the other sites on the server either.
Again if I restart apache all is fine.
Fast forward to going live with the new version of my site. Everything goes well and I'm up and running in no time. The old site now resides under the "dev" sub-domain just in case I missed something or need to revert back for whatever reason. Again all is well. Fast forward again a month or so and now the NEW site isn't loading…this time the error is slightly different - it's a "The connection was reset" error compared to just a blank empty page like before. I can still browse to display an image and also a standard html page loads fine…
NOW, here's the strange thing…when I browse to the old site (that was originally giving me issues and now resides in the "dev" sub-directory) it loads perfectly fine! No issues. And once again all the other sites on the server load fine. I've since added another subdomain to my site for my wife's recipes and that loads fine too. And once again restarting apache gets the site back up instantly…
We've tried a few things like checking log files and stuff but nothing stands out. It's hard to determine exactly when it goes "down" but I usually check it several times a day just to make sure. It seems to be ONLY affecting the "www" area of my personal site…no other sub-domains within that domain are affected nor are any other sites on the server. I'm hoping someone with fresh eyes can help with this issue. My Virtual Host file for the problem site is the exact same as all the others - other than the site specific stuff of course. There is nothing special with this site that the other sites/sub-domains don't have either. Additionally, there are other sites that get much more traffic than my site so I can't imagine it's traffic related either. We've got the server locked down pretty good so I don't think it's a hack…as I said once I restart apache all is well - nothing is lost or weird after the restart…
Finally what I've tried already - as mentioned after searching here…
1st thing I tried was this:
"Decomment" the line "mssql.datetimeconvert = On" and change it to "mssql.datetimeconvert = Off"
2nd - I tried this when the above didn't work:
Put suhosin.session.encrypt=off to php.ini
Now, the above text was not in the php.ini file at all…I simply added it, saved and restarted Apache…was there a different method I should have followed?
Also, my php.ini file doesn't reside in /etc/php.ini. It's located at /etc/php5/apache2/php.ini. Not sure if this makes a difference or not but just thought I'd note it.
Again I'm fairly new at this stuff so bear with me - feel free to ask for more specs or questions…
Much appreciated,
Mike
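Added example (not part of the original post): a small parser for Suhosin ALERT lines in the format quoted above. It groups alerts by message, file and line, so you can see which script trips the canary check and from how many client addresses. The syslog prefix, paths, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Alert layout as quoted in the post; the closing ")" is optional because
# the quoted line lacks it. The syslog prefix before "ALERT" is an assumption.
ALERT_RE = re.compile(
    r"ALERT - (?P<msg>.+?) \(attacker '(?P<ip>[^']*)', "
    r"file '(?P<file>[^']*)'(?:, line (?P<line>\d+))?\)?"
)

# Constructed sample log (hypothetical paths, documentation-range addresses).
SAMPLE_LOG = """\
Mar  3 10:01:12 web suhosin[2211]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '192.0.2.10', file '/srv/www/example/template-functions.php', line 4570)
Mar  3 10:01:40 web suhosin[2214]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '198.51.100.7', file '/srv/www/example/template-functions.php', line 4570)
Mar  3 10:02:03 web apache2[2190]: [notice] child pid 2214 exit signal Segmentation fault (11)
Mar  3 10:05:19 web suhosin[2230]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '192.0.2.10', file '/srv/www/example/index.php', line 12)
Mar  3 10:09:55 web suhosin[2241]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '192.0.2.10', file '/srv/www/example/template-functions.php', line 4570
"""


def parse_alerts(text):
    """Return one dict per Suhosin ALERT line; all other lines are skipped."""
    alerts = []
    for raw in text.splitlines():
        m = ALERT_RE.search(raw)
        if m:
            alert = m.groupdict()
            alert["line"] = int(alert["line"]) if alert["line"] else None
            alerts.append(alert)
    return alerts


def hotspots(alerts):
    """Rank (message, file, line) by alert count, with the client IPs seen."""
    counts = Counter()
    clients = defaultdict(set)
    for a in alerts:
        key = (a["msg"], a["file"], a["line"])
        counts[key] += 1
        clients[key].add(a["ip"])
    return [(key, n, sorted(clients[key])) for key, n in counts.most_common()]


if __name__ == "__main__":
    for (msg, path, line), n, ips in hotspots(parse_alerts(SAMPLE_LOG)):
        print(f"{n:3d}  {path}:{line}  {msg}  clients={ips}")
```

Alerts that all point at one file and line, whichever client sent the request, give you a single code path to examine on the affected virtual host.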
8 Replies
Thanks
@kyrunner:
Have you updated PHP? There was a critical security update for PHP a few days ago.
No I hadn't heard about it…could my issue be related to this?
I've recently tried (separately):
suhosin.session.encrypt=off
and
suhosin.simulation=true
and neither did anything…
As mentioned it's ONLY happening on the www domain of My site - no other sub-domains or other sites on the server…
Thanks,
Mike
Have you updated to a NEW (as in EVERYTHING is current releases) system or not?
If not, who knows what those dinosaur versions are doing (or not).
As mentioned it's only ONE site out of all of them on my server. Driving me nuts.