Recent Posts

Pages: 1 [2] 3 4 ... 10
11
Installation / Re: Cannot login into the admin panel anymore
« Last post by overseer on October 11, 2025, 11:52:49 PM »
Sorry, that advice was if you had changed the MariaDB root password. You mean the system user root password! Are you on an EL9 distribution (AlmaLinux 9, Rocky Linux 9)?

If so open /etc/login.defs
Find:
SHA_CRYPT_MAX_ROUNDS 10000
Replace with:
#SHA_CRYPT_MAX_ROUNDS 10000

Reboot. Now re-set the root's password and it will login successfully.
12
PostgreSQL / Re: Error starting postgres
« Last post by overseer on October 11, 2025, 11:47:08 PM »
Did you install postgres via yum/dnf or via the CWP web admin panel? If via the panel, you would need to call it via the version number you installed. For example, with version 17:
Code: [Select]
systemctl unmask postgresql-17
systemctl start postgresql-17
systemctl enable postgresql-17
(I do not run pgSQL on my servers, so I did a test installation via the CWP GUI to discover this little nuance.)
13
PostgreSQL / Re: Error starting postgres
« Last post by gilliard on October 11, 2025, 02:31:57 PM »
Now after the remove command, even after reinstalling postgres, it no longer appears to start along with the other services.
14
PostgreSQL / Re: Error starting postgres
« Last post by gilliard on October 11, 2025, 02:24:46 PM »
yes...

[root@cwp ~]# rm -f /usr/lib/systemd/system/postgresql.service
[root@cwp ~]# systemctl enable postgresql.service
Failed to enable unit: Unit file postgresql.service does not exist.
[root@cwp ~]# systemctl start postgresql.service
Failed to start postgresql.service: Unit postgresql.service not found.
[root@cwp ~]#
15
CentOS 8 Problems / Re: packages update error AlmaLinux 8
« Last post by Starburst on October 11, 2025, 02:01:54 PM »
@overseer

Please reframe posting any of our help or articles in the furture when 'djprmf' is helping in a thread, that user made it clear our help and knowledge is not wanted by other users...
16
Installation / Re: Cannot login into the admin panel anymore
« Last post by Nagataka on October 11, 2025, 02:01:40 PM »
When changing the root password outside of CWP, make sure to update these two files so they agree with the current PW:
/usr/local/cwpsrv/htdocs/resources/admin/include/db_conn.php
/root/.my.cnf


Thanks for your reply, i can try that, but i didn't change the password of the database.
Or doesn't that have todo with this? Cause these files are for the database connection right?
17
We are not safe at all. Just today our websites affected again.
This exploit was there since 2021, We've checked all the files and found out some unused websites had defauit.php, backup.c and licelic.c files with timestamp showing 2021. And infected websites will always have robots.txt file.
I thought maybe I could fix it myself by editing filemanager but its an obfuscated file. So we decided to move our customers to another panel.

Did you search the access log? Did the attacker exploit the filemanager again?

Yes, with a  "python-requests/2.31.0" signature at the end. Disabling the filemanager wouldnt cut it. Because they also drop backdoor scripts. Some of them:
defauit.php
defauIt.php
backup.c
licelic.c
.c(yes, just .c)
Also there are some .png looking files which they are actually php scripts. So this mess is really time consuming to clean.
And the funny thing is that ModSecurity actually logs those attempts and says its blocked while it is clearly not blocked.



Other examples:
-Attacker disguising as Google, sends id=1 as GET and a POST request: (198.144.182.13 - - [31/Jul/2025:17:08:34 +0300] "POST /defauit.php?id=1 HTTP/1.1" 200 227 "https://www.google.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36")

-Attacker can run code via any php file: 162.248.79.101 - - [30/Sep/2025:06:33:32 +0300] "GET /shop.php?l=&ck=32c4dgm3KyzHGUR59ytMXK8gLaaz38t-a-o97bdyvcgg4Ljzk-d-nKZtqg-s--s-&p=&u=&no=32c4dgm3KyzHGUR59ytMXK8gLaaz38t-a-o97bdyvcgg4Ljzk-d-nKZtqg-s--s-&ac=del&path=%2Fhome%2FSENSITIVEDATA%2Fpublic_html%2Fdefauit.php HTTP/1.1" 200 6389 "https://website.com/shop.php?l=&p=&ck=ab5o9BIxWNIxAcVthNjxfAPTh-a-QRgWy3XLNzjjCF01zWEVaQ5xS8rA-s--s-&no=&did=8&tid=8" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.106 Safari/537.36"

-Another one, but sends POST only:  207.154.240.68 - - [30/Sep/2025:14:17:21 +0300] "POST /defauit.php HTTP/1.1" 200 60 "https://www.google.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
18
We are not safe at all. Just today our websites affected again.
This exploit was there since 2021, We've checked all the files and found out some unused websites had defauit.php, backup.c and licelic.c files with timestamp showing 2021. And infected websites will always have robots.txt file.
I thought maybe I could fix it myself by editing filemanager but its an obfuscated file. So we decided to move our customers to another panel.

Did you search the access log? Did the attacker exploit the filemanager again?
19
If only CWP team had inform us about... Anything... 🤷‍♂️
20
CentOS 8 Problems / Re: packages update error AlmaLinux 8
« Last post by overseer on October 10, 2025, 06:27:28 PM »
How did you install AlmaLinux? Starburst's guide for AlmaLinux 9 is almost the same for 8 -- substitute 8 for 9 where appropriate. Did you install the EPEL and ELrepo repositories? Do you have all the prerequisites (including perl modules)?
You can't have any services installed before installing CWP.

So if Apache is working 'out of the box', you are installing AlmaLinux 9.4 LAMP.
That won't work.

Reimage with the bare AlmaLinux 9.4 (DVD)

Setup your networking, hostname, timzone.

Then:

Code: [Select]
dnf install dnf-plugins-core
Code: [Select]
dnf install elrepo-release epel-release -y
Code: [Select]
/usr/bin/crb enable
Code: [Select]
dnf --refresh update
Code: [Select]
dnf install nano wget ipset ebtables iptables uuid uuid-devel libuuid-devel m4 pcre pcre-devel zlib-devel perl-DBD-MySQL perl-IPC-Cmd perl-Pod-Html perl-Sys-Hostname perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph libtool s-nail htop sysstat python3-perf ImageMagick ImageMagick-devel -y
Code: [Select]
dnf --refresh update
Code: [Select]
dnf install clamav* clamd
Code: [Select]
dnf clean all
Code: [Select]
cd /usr/local/src
Code: [Select]
wget http://centos-webpanel.com/cwp-el9-latest
Code: [Select]
sh cwp-el9-latest
Code: [Select]
dnf install spamassassin amavis
To updated MariaDB follow:
https://www.alphagnu.com/topic/23-upgrade-mariadb-1011-in-cwp-centos-7-centos-8-stream-almalinux-78-rockylinux-78/

Reboot

Configure & Start CSF
Pages: 1 [2] 3 4 ... 10