Control Web Panel

WebPanel => CentOS-WebPanel Bugs => Topic started by: gbyteinfotech on September 23, 2025, 07:47:52 PM

Title: Server Somehow Got Hacked
Post by: gbyteinfotech on September 23, 2025, 07:47:52 PM: When I'm open any website it's working file and looking all ok. but if I change the user agent to google bot then it shows a spam betting app page.
i deleted all the files from the public_html directory but still it display the same page when I set the useragent as google bot.. but if open normally it shows forbidden as it should be..

Any idea where could the the issue is? I'm facing this issue after I did setup the new server on 6th sep. I installed nothing extra on the server from third party website except csf firewall from the github repo.
Title: Re: Server Somehow Got Hacked
Post by: overseer on September 23, 2025, 09:18:46 PM: If you want to PM me the connection details, I could take a look on your behalf.
Title: Re: Server Somehow Got Hacked
Post by: Starburst on September 25, 2025, 06:38:34 AM: I'm trying to track these PHP Injection attacks.

Please advise the following:

What distro are you running CWP on?
What PHP version?

If you don't want it public, you can PM me also.

Thanks
Title: Re: Server Somehow Got Hacked
Post by: gbyteinfotech on September 25, 2025, 12:55:33 PM: Quote from: Starburst on September 25, 2025, 06:38:34 AM
I'm trying to track these PHP Injection attacks.

Please advise the following:

What distro are you running CWP on?
What PHP version?

If you don't want it public, you can PM me also.

Thanks

Almalinux 8
PHP Version: Default PHP version: 5.6.37 (Forced PHP-FPM: 8.3)
Title: Re: Server Somehow Got Hacked
Post by: gbyteinfotech on September 25, 2025, 12:58:40 PM: Quote from: overseer on September 23, 2025, 09:18:46 PM
If you want to PM me the connection details, I could take a look on your behalf.

please do not mind.. it's hard to share these details. hope you understood..

Thank you
Title: Re: Server Somehow Got Hacked
Post by: djprmf on September 25, 2025, 01:33:00 PM: Are you talking about the server itself or just a account?
if is just a account, probably is related with THAT account or website in it.
Title: Re: Server Somehow Got Hacked
Post by: overseer on September 25, 2025, 03:57:03 PM: Do you want to PM the domain name in question so we can see the page, look at the code -- or have you already done that?
Title: Re: Server Somehow Got Hacked
Post by: gbyteinfotech on September 25, 2025, 04:09:18 PM: all of the website in the server is same.. it's not for perticuler domain.. even If I delete all the files from a purticuler domain.. still showing spam page
example

for example.com I deleted all the files inside public_html/* complete blank public_html directory.. but if I view the website as google bot it'll show me the spam page.. but if I open it normally it's show forbidden as it should be..
Title: Re: Server Somehow Got Hacked
Post by: gbyteinfotech on September 25, 2025, 04:11:16 PM: Quote from: overseer on September 25, 2025, 03:57:03 PM
Do you want to PM the domain name in question so we can see the page, look at the code -- or have you already done that?

my question is how could even a blank directory can show a web page when I change the user agent to googlebot (via browser developer tool)

BTW it has been fixed now by the CWP support team.. still I would like to know how it happen...
Title: Re: Server Somehow Got Hacked
Post by: gbyteinfotech on September 25, 2025, 07:52:41 PM: CWP Support found malware in the Apache server due to an old version.
Title: Re: Server Somehow Got Hacked
Post by: overseer on September 25, 2025, 09:18:18 PM: Starburst has a guide for updating to Apache 2.4.65 on AlmaLinux 8/9:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-to-2-4-65-in-cwp-on-almalinux-8-9/