I’m reporting a critical security issue affecting multiple servers running CWP (CentOS Web Panel). During a security review on a Laravel-based website hosted via CWP, I found malicious PHP files in the public/ folder that allowed arbitrary code execution.
🛑 What I Found
On my server, inside /home/username/public_html/public/ and /home/username/public_html/, I found two suspicious files:
• nbpafebaef.jpg – Contains PHP code despite the .jpg extension:
<?php echo md5("gewafwaef1");die;?>
• defauit.php – A PHP script with a misleading name (looks like “default.php”).
These files execute when accessed via a browser. This confirms that PHP is being executed from the public folder, even if disguised with a .jpg extension.
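The two checks described above (is there PHP hiding behind a static extension, and does the server actually execute it or merely serve the bytes back?) can be scripted so they are repeatable on every account on a box. The following Python is an added example and is not part of the original report or of CWP's own tooling. It assumes a Laravel layout in which public/ holds exactly one PHP file (index.php), an allow-list of static extensions, and a constructed sample tree that mirrors the file names from the report; the contents of defauit.php are not given in the report, so the sample uses a placeholder.

```python
"""Find PHP hidden under static extensions and tell execution from plain serving.

Added example, not from the original report. Extension lists and the sample
tree are assumptions built to mirror the report's layout.
"""
import hashlib
import os
import re
import tempfile

# Extensions that must never contain a PHP open tag (assumed allow-list).
STATIC_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".svg", ".css", ".js", ".txt"}

# Leading bytes a genuine file of that type starts with.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# A Laravel public/ normally carries a single PHP file, the front controller.
EXPECTED_PHP = {"index.php"}

PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def scan_webroot(root):
    """Return sorted (relative_path, reason) pairs for files worth inspecting."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in STATIC_EXT:
                if PHP_TAG.search(data):
                    findings.append((rel, "php_tag_in_static_file"))
                if ext in MAGIC and not data.startswith(MAGIC[ext]):
                    findings.append((rel, "magic_bytes_mismatch"))
            elif ext == ".php" and name not in EXPECTED_PHP:
                findings.append((rel, "unexpected_php_in_public"))
    return sorted(findings)


def expected_marker_output(marker):
    """Body the server returns if it executes `<?php echo md5("marker");die;?>`."""
    return hashlib.md5(marker.encode()).hexdigest().encode()


def classify_response(body, marker):
    """Given the HTTP body fetched for the .jpg, say what the server did."""
    if body.strip() == expected_marker_output(marker):
        return "executed"          # the web server handed the .jpg to PHP
    if PHP_TAG.search(body):
        return "served_as_source"  # delivered verbatim, PHP never ran
    return "unknown"


def build_sample_tree(base):
    """Constructed sample mirroring the report; not real data from any server."""
    pub = os.path.join(base, "public_html", "public")
    os.makedirs(pub)
    samples = {
        "index.php": b"<?php require __DIR__.'/../vendor/autoload.php';",
        "nbpafebaef.jpg": b'<?php echo md5("gewafwaef1");die;?>',
        "defauit.php": b"<?php /* contents not given in the report */ ?>",
        "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # genuine JPEG header
        "notes.txt": b"plain text",
    }
    for name, data in samples.items():
        with open(os.path.join(pub, name), "wb") as fh:
            fh.write(data)
    return pub


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:26s} {rel}")
    # Feed classify_response() the body you fetch for the planted .jpg URL.
    print(classify_response(expected_marker_output("gewafwaef1"), "gewafwaef1"))
```

On a live host, point scan_webroot() at /home/<user>/public_html and fetch the planted .jpg with curl, then pass the body to classify_response(): "executed" means the web server is passing image extensions to PHP, "served_as_source" means the dropper only succeeded in writing the file, which points the investigation at the write path rather than the handler configuration.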
🔍 Widespread Issue – Other Sites Also Affected
After further investigation, I found that other unrelated websites also running CWP have the exact same malicious files in the same locations:
• https://basaranturizm.com/
• https://coutos.pt/
This strongly suggests a systemic vulnerability, likely related to how CWP manages public folders or file permissions. These sites are not connected to me — I simply found them through Google search using the filename.
❗ Possible Vectors
Some possibilities include:
• Insecure permissions on public/ allowing PHP file uploads or writes
• Compromise via CWP File Manager or outdated software
• Global vulnerability in CWP’s file handling or directory security
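The first vector above (insecure permissions on public/) is the easiest to rule in or out on a suspect account. The following Python is an added example, not from the report or from CWP: it walks an account's web root and reports world-writable entries, entries owned by a different uid than the root, and PHP files sitting inside world-writable directories (a writable directory under a PHP-enabled path is enough for any local user or compromised service to drop a script). The sample tree and the modes it sets are constructed for the demonstration.

```python
"""Permission and ownership audit for a hosting account's web root.

Added example, not part of the original report or of CWP. The sample tree is
constructed; on a real box call audit_permissions("/home/<user>/public_html").
"""
import os
import stat
import tempfile


def audit_permissions(root, expected_uid=None):
    """Return sorted (relative_path, issue) pairs for risky entries under root.

    expected_uid defaults to the owner of root itself, i.e. the account user.
    """
    if expected_uid is None:
        expected_uid = os.stat(root).st_uid
    findings = []
    if os.stat(root).st_mode & stat.S_IWOTH:
        findings.append((".", "world_writable"))
    for dirpath, dirs, files in os.walk(root):
        dir_world_writable = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # lstat: never follow a planted symlink
            if st.st_uid != expected_uid:
                findings.append((rel, "owned_by_other_uid"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world_writable"))
            if name.lower().endswith(".php") and dir_world_writable:
                # writable directory plus PHP execution: anyone can add a file
                findings.append((rel, "php_in_world_writable_dir"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed layout: a Laravel public/ with one sloppy uploads directory."""
    root = os.path.join(base, "public_html")
    pub = os.path.join(root, "public")
    uploads = os.path.join(pub, "uploads")
    os.makedirs(uploads)
    for d in (root, pub):
        os.chmod(d, 0o755)           # explicit, so the demo ignores the umask
    samples = {
        "index.php": b"<?php // front controller ?>",
        "uploads/avatar.jpg": b"\xff\xd8\xff",
        "uploads/defauit.php": b"<?php /* contents not given in the report */ ?>",
    }
    for rel, data in samples.items():
        path = os.path.join(pub, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o644)
    os.chmod(uploads, 0o777)                                  # the classic mistake
    os.chmod(os.path.join(uploads, "avatar.jpg"), 0o666)      # and its sibling
    return root


def demo():
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_permissions(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, issue in demo():
        print(f"{issue:26s} {rel}")
```

A clean Laravel public/ should produce no findings at all; anything flagged under uploads/ or storage/ is where to look first for the write path, and an entry owned by the web server's uid rather than the account's indicates the file was written by the PHP process itself.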
⚠️ Request to CWP Team
Please investigate this urgently. It’s very likely that:
• CWP has a flaw allowing code execution in public folders
• Default permissions or services are enabling attackers to inject files across multiple servers
If CWP developers need any of the samples or log details, I’m happy to provide them privately.