Author Topic: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ  (Read 3681 times)


This is NOT a CWP bug.

PHP Injection Attacks will happen whenever.

You need to have your php.ini secured, and run ModSecurity with the latest OWASP CRS ruleset.
Along with running the latest PHP version you choose, 8.1, 8.2, 8.3 or 8.4

You'll also need to configure the OWASP base rules for the services you run on that server.

NOTE: The CWAF ruleset is dead, and the last update was over a year ago.
Which is sad, this was a great ruleset.

For the PHP Injection Attack that has been going around, there have been fixes posted here on how to clean up your PHP-FPM.
« Last Edit: August 23, 2025, 03:31:36 PM by Starburst »
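The post above says to "have your php.ini secured" without listing what that means. The script below is an added example, not code from the thread or from CWP: it audits a php.ini for the directives most often involved when an injected `<?php ... ?>` snippet is turned into command execution. The directive names are real php.ini keys; the expected values, the minimum `disable_functions` list and the two constructed sample files are my own assumptions and should be matched to your own policy.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or CWP): audit a php.ini for settings
# that limit what an injected PHP file can do. Expected values are assumptions.
set -u

# Effective value of a directive: last uncommented occurrence wins, as PHP
# itself does. Prints an empty string when the key is absent.
ini_value() {
    local ini="$1" key="$2"
    grep -E "^[[:space:]]*${key}[[:space:]]*=" "$ini" 2>/dev/null \
        | tail -n 1 | cut -d= -f2- | tr -d ' \t"'
}

# Audit one php.ini. Prints one line per check; returns 0 only if every
# check passed, 1 if anything is weak or unset.
audit_php_ini() {
    local ini="$1" weak=0 pair key want got fn
    for pair in expose_php=Off allow_url_fopen=Off allow_url_include=Off display_errors=Off; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(ini_value "$ini" "$key")
        if [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" = \
             "$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')" ]; then
            echo "OK    $key=$got"
        else
            echo "WEAK  $key=${got:-<unset>} (want $want)"; weak=1
        fi
    done
    # Functions that let injected PHP run host commands; assumed minimum set.
    got=$(ini_value "$ini" disable_functions)
    for fn in exec system passthru shell_exec proc_open popen; do
        case ",$got," in
            *",$fn,"*) echo "OK    disable_functions contains $fn" ;;
            *)         echo "WEAK  disable_functions lacks $fn"; weak=1 ;;
        esac
    done
    return $weak
}

# Constructed sample files: a default-looking php.ini and a hardened one.
make_samples() {
    local tmp
    tmp=$(mktemp -d)
    cat > "$tmp/weak.ini" <<'EOF'
; constructed sample, not a real distribution file
expose_php = On
allow_url_fopen = On
display_errors = Off
disable_functions =
EOF
    cat > "$tmp/hardened.ini" <<'EOF'
; constructed sample, not a real distribution file
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
disable_functions = "exec,system,passthru,shell_exec,proc_open,popen"
EOF
    echo "$tmp"
}

if [ $# -gt 0 ]; then
    audit_php_ini "$1"            # e.g. audit_php_ini /opt/alt/php-fpm82/usr/php/php.ini
else
    d=$(make_samples)
    echo "== weak.ini";     audit_php_ini "$d/weak.ini"     || echo "result: WEAK"
    echo "== hardened.ini"; audit_php_ini "$d/hardened.ini" && echo "result: OK"
    rm -rf "$d"
fi
```

Run it against each php.ini your PHP-FPM pools actually load (CWP ships one per PHP version), not just the system-wide one; `open_basedir` is deliberately left out of the audit because on a CWP host it is normally set per pool rather than globally.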

Same problem here, someone fixed it?

You can Google the fix, it's a standard PHP Injection Attack due to an insecure PHP configuration.
It also only affects people still using the EOL CentOS 7 OS.

But I think someone posted the fix here in one of the threads as well.
« Last Edit: September 01, 2025, 07:40:47 PM by Starburst »

🛑 What I Found

On my server, inside /home/username/public_html/public/ and /home/username/public_html/, I found two suspicious files:
• nbpafebaef.jpg – Contains PHP code despite the .jpg extension:
<?php echo md5("gewafwaef1");die;?>
• defauit.php – A PHP script with a misleading name (looks like “default.php”).

I also found these two files in my public_html folder. What should I do with them? Should I delete them both? How can I make sure there is no other similar exploit?

Starburst already gave the answer above:
You need to have your php.ini secured, and run ModSecurity with the latest OWASP CRS ruleset.
Along with running the latest PHP version you choose, 8.1, 8.2, 8.3 or 8.4
And he has guides for updating ModSecurity and the OWASP CRS ruleset (tested on both AlmaLinux 8 and 9):
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-modsecurity-to-2-9-12-running-cwp-and-apache-on-almalinux-9/
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-owasp-crs-ruleset-running-cwp-and-apache-on-almalinux-9/

I understand that is for future prevention, but what to do with the current infection? Should I delete the two files below manually from all sites' public_html directories?

defauit.php
nbpafebaef.jpg

Oh for sure -- I thought you had already done that as a first step. They are likely what gives the attacker persistence on your server.
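Two questions in the thread are left to the reader: how to check that no other site on the server carries the same two indicators, and what to do with the files once found. The script below is an added example, not code from the thread or from CWP. It sweeps a web root for the two patterns described earlier (PHP code inside a file with an image extension, and a PHP file named to mimic default.php) and quarantines hits with a hashed manifest instead of deleting them, so the incident record survives the cleanup. The sample tree, the file contents and the quarantine layout are constructed; on a CWP host the roots would be /home/*/public_html.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or CWP): find and quarantine the two
# indicators discussed in the thread. Sample tree below is constructed.
set -u

# A genuine JPEG/PNG/GIF never begins with a PHP open tag, so a match in the
# first 512 bytes is enough to flag the file for review.
has_php_tag() {
    head -c 512 "$1" | grep -aq '<?php'
}

# Print "<reason> <path>" for every suspicious file under $1.
scan_webroot() {
    local root="$1" f
    find "$root" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) -print |
        while IFS= read -r f; do
            if has_php_tag "$f"; then printf 'php-in-image %s\n' "$f"; fi
        done
    # Lookalike of default.php: one letter swapped, as with defauit.php in the thread.
    find "$root" -type f -iname 'defau?t.php' ! -iname 'default.php' -print |
        while IFS= read -r f; do printf 'lookalike-name %s\n' "$f"; done
    return 0
}

# Move every hit under $1 into $2, keeping the original path below it, and
# append reason, path and SHA-256 to a manifest. Prints the number moved.
quarantine_hits() {
    local root="$1" qdir="$2" list n=0 reason f h
    mkdir -p "$qdir"
    list=$(mktemp)
    scan_webroot "$root" > "$list"
    while read -r reason f; do
        if command -v sha256sum >/dev/null 2>&1; then
            h=$(sha256sum "$f" | cut -d' ' -f1)
        else
            h=n/a
        fi
        printf '%s\t%s\t%s\n' "$reason" "$f" "$h" >> "$qdir/manifest.tsv"
        mkdir -p "$qdir/$(dirname "$f")"
        mv -- "$f" "$qdir/$f"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Constructed sample tree: the thread's two indicators plus a benign image
# and a real default.php that must NOT be flagged.
make_sample_tree() {
    local base
    base=$(mktemp -d)
    mkdir -p "$base/home/alice/public_html/public" "$base/home/bob/public_html"
    printf '<?php echo md5("gewafwaef1");die;?>' > "$base/home/alice/public_html/public/nbpafebaef.jpg"
    printf '<?php /* constructed lookalike */ ?>' > "$base/home/alice/public_html/defauit.php"
    printf '\377\330\377\340JFIF' > "$base/home/bob/public_html/logo.jpg"   # real JPEG magic bytes
    printf '<?php echo "ok"; ?>' > "$base/home/bob/public_html/default.php"
    echo "$base"
}

if [ $# -gt 0 ]; then
    scan_webroot "$1"               # e.g. scan_webroot /home/alice/public_html
else
    d=$(make_sample_tree); q=$(mktemp -d)
    echo "== hits";  scan_webroot "$d"
    echo "== moved: $(quarantine_hits "$d" "$q")"
    echo "== manifest"; cat "$q/manifest.tsv"
    rm -rf "$d" "$q"
fi
```

Keep the quarantine directory outside any web root, and treat an empty scan as only one data point: the two names here are what this one attacker happened to drop, so pair the sweep with the ModSecurity and php.ini hardening from earlier in the thread rather than relying on filename patterns alone.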