I'm not sure if the File Manager issue is resolved with the update because my server was recently hacked. Or it was hacked a while ago, but the hacker only acted now, because it only affected traffic to the sites I have on the VPS two weeks ago, and it only affected the .htaccess file since October 17th.
I've been closely monitoring the VPS since the 18th, and apparently nothing strange has happened again. However, I warn you that WordPress websites, in particular, have contaminated files. That is, in addition to new files, they also modify WordPress system files, and the only solution is deleting and restoring a backup.
Also, on WordPress websites, users appeared in the database that were not visible in the WordPress user manager. You need to remove them via PHPMyAdmin.
The hacker modified the robots.txt and .htaccess files to direct traffic to an online store.
I recommend everyone try a Google search for "site:yourdomain.tld" to check for abnormal results or redirects.
I recommend restoring backups of everything in the public_html folder because if any file is infected, the malicious files will reappear.
Configure your vhosts (or add an .htaccess configuration to your websites).
If you don't need, disable these php functions:
Command execution: exec, system, passthru, shell_exec, proc_open, popen, pcntl_exec
File and folder permissions: chmod, chown, chgrp
Date time manipulation of files: touch
Code evaluation: eval, create_function, assert
Make sure that in your php.ini you have this configuration:
allow_url_include = Off
Then change your file permissions so no one can change the content. Only allow file changes in uploaded folders and don't allow then to execute files.
At the moment, your vulnerabilities are just within PHP.
Topic: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ (Read 8812 times)
