Guys,
I had these problems with an eval($_POST['shell']) type attack in the logs, in the admin area, two years ago (Jun/07/2024).
It was saving an error.php file in an area restricted to the admin, and running it.
In other words, somehow CWP was allowing files to be saved in the admin's restricted area.
I informed the CWP team, but I haven't received any feedback, and I don't know if it was resolved or not.
So, I proposed a temporary solution of restricting access to the admin area with the nginx server password, because the 'cwpsrv' process is actually 'nginx'.
This attack is very similar to the one that happened two years ago, so I have reason to believe that this attack is related to the attack from that time.
But since then, after restricting the admin area, I haven't had any more problems of this type.
So, if you are having problems even after updating to the new version of CWP, and have still suffered attacks, I recommend that you restrict the admin area with the nginx password.
You and your users will still be able to use CWP, as long as you have the specified password.
This doesn't solve the problem, but it brings much more peace of mind to day-to-day use until there is time to discover and fix the real problem.
To restrict the admin area, run this script:
if [[ ! -e /usr/local/cwpsrv/conf/include/security.conf ]]; then
read -p "Install additional authentication layer to CWP? (Y/n): " -r
echo # (optional) move to a new line
if [[ $REPLY =~ ^[Ss]$ ]]; then
# To create additional password to use cwpsrv
# It will work on the block ports 2031 e 2087:
# Replace XY.XW.XZ.XX with any IP address if you want restrict a IP adresses, or delete 'allow' lines
# Creating the file /usr/local/cwpsrv/conf/include/security.conf with the following content:
echo "Creating additional authentication layer to cwpsrv..."
IP_REMOTO_ATUAL=$(w -i| grep root | cut -d' ' -f10| head -1)
cat << EOT > /usr/local/cwpsrv/conf/include/security.conf
satisfy any;
allow XY.XW.XZ.XX;
allow 127.0.0.1;
deny all;
auth_basic "Protected site";
auth_basic_user_file /usr/local/cwpsrv/conf/htpasswd;
EOT
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo "!!!! Now creating the password to additional authentication layer to CWP server !!!!"
echo " ( You can choose any password you want )"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo "root:"$(openssl passwd -apr1) > /usr/local/cwpsrv/conf/htpasswd
if [[ $? -eq 0 ]]; then
echo "Password sucessfully configured!"
else
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo "!!!!!!!!!!!!!!!!!!!!!!.....ALERT.......!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo "There was some problem, and was not possible to configure the password, you must verify the problem!"
fi
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
fi
fi
read -p "Press [enter] to restart cwpsrv"
/scripts/restart_cwpsrv
You can choose any password you want, but choose wisely.
Regards,
Netino