My Approach to Stopping the CWP File‑Manager Exploit

1. Scan & Identify Malware
• Searched for obfuscated PHP payloads:
grep -rniE "(eval\s*\(|base64_decode|gzinflate|str_rot13|shell_exec|proc_open|passthru|system)" \
  /home/*/public_html/
• Caught the classic pair in every account:
nbpafebaef.jpg (PHP in disguise)
defauit.php (web‑shell)
• Found the tmp propagators reported in the forum thread:
/tmp/.auto_monitor and
/tmp/.tmp_baf
2. Clean & Quarantine
mkdir -p /root/quarantine
# prefix each file with the account name so copies from different accounts do not overwrite each other in quarantine
for d in /home/*/public_html; do acct=$(basename "$(dirname "$d")")
  for f in nbpafebaef.jpg defauit.php; do [ -e "$d/$f" ] && mv "$d/$f" "/root/quarantine/${acct}_$f"; done
done
mv /tmp/.auto_monitor /tmp/.tmp_baf /root/quarantine 2>/dev/null
• Manually opened every recently‑modified functions.php; all were clean, so no theme replacement required.
3. Global Block via ModSecurity (NOT .htaccess)
Added to /usr/local/apache/modsecurity-cwaf/custom_user.conf:
# Put your custom ModSecurity directives here
# Please don't remove this file
# Block CWP filemanager exploit attempts (CVE-2025-48703)
SecRule REQUEST_URI "@contains /user/index.php" \
    "id:4870301,phase:2,deny,status:403,log,msg:'[CWP Exploit Block] Block access to module=filemanager&acc=findFiles',chain"
    SecRule ARGS:module "@streq filemanager" "chain"
    SecRule ARGS:acc "@streq findFiles"
Restart Apache:
systemctl restart httpd
4. Verification (cURL)
# -D - prints the response headers, -o /dev/null discards the body (curl -I together with -X POST is unreliable)
curl -sS -X POST "https://your-domain.com/user/index.php?module=filemanager&acc=findFiles" \
  -A "Mozilla" -D - -o /dev/null
# Expected: HTTP/1.1 403 Forbidden
403 confirms ModSecurity now blocks the exploit endpoint for every vHost.
Result: Infection removed, endpoint sealed, and logfile shows only blocked attempts.
Hope this helps anyone still cleaning up from the same CVE!
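Added example (my own, not part of the post above): a small POSIX shell check to run over the access log of whatever serves /user/index.php, counting how many requests targeted the findFiles endpoint and how many were not answered with 403, so you can tell blocked noise from attempts that got through before the rule was in place. The log lines are constructed samples, and the field positions ($7 = request path, $9 = status) assume the common Apache combined log format.

```shell
#!/bin/sh
# Added example, not from the original post. Sample lines are constructed;
# field positions ($7 = request path, $9 = status) assume Apache combined log format.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "POST /user/index.php?module=filemanager&acc=findFiles HTTP/1.1" 403 199 "-" "Mozilla"
203.0.113.10 - - [01/Jan/2025:10:00:05 +0000] "POST /user/index.php?acc=findFiles&module=filemanager HTTP/1.1" 200 512 "-" "Mozilla"
198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /user/index.php?module=filemanager&acc=list HTTP/1.1" 200 1024 "-" "Mozilla"
192.0.2.44 - - [01/Jan/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl"
EOF

# awk condition shared by all checks: path is /user/index.php and the query
# string carries both module=filemanager and acc=findFiles, in any order.
HIT='$7 ~ /^\/user\/index\.php[?]/ && $7 ~ /module=filemanager/ && $7 ~ /acc=findFiles/'

# Number of requests that targeted the findFiles endpoint (any status).
exploit_hits() {
  awk "$HIT { n++ } END { print n+0 }" "$1"
}

# Number of those requests not answered with 403, i.e. ones that reached the
# application (before the rule existed, or past it) and deserve a closer look.
unblocked_hits() {
  awk "$HIT && \$9 != 403 { n++ } END { print n+0 }" "$1"
}

# Distinct source addresses of the unblocked requests.
unblocked_sources() {
  awk "$HIT && \$9 != 403 { print \$1 }" "$1" | sort -u
}

# Only query-string parameters appear in the access log; the ModSecurity rule
# also inspects POST-body ARGS, so body-borne attempts are visible only in the
# ModSecurity audit log, not here.
echo "hits: $(exploit_hits "$LOG"), unblocked: $(unblocked_hits "$LOG")"
unblocked_sources "$LOG"
```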