11
CSF Firewall / Re: Configserver down?
« Last post by setecabanas on October 16, 2025, 05:25:51 PM »12
CSF Firewall / Re: Firewall off in cwp panel
« Last post by setecabanas on October 16, 2025, 04:33:44 PM »So, is very strange.
- lfd process is running
- cwp license pro is ok
- csf is enabled
However in cwp panel CSF is not enabled
i donīt know what happened
- lfd process is running
Code: [Select]
[root@s3 home]# ps -ef |grep lfd
root 1701 1 0 11:15 ? 00:00:26 lfd - sleeping
- cwp license pro is ok
- csf is enabled
However in cwp panel CSF is not enabled
i donīt know what happened

13
CSF Firewall / Re: Firewall off in cwp panel
« Last post by overseer on October 16, 2025, 11:43:53 AM »It checks your IP address as registered in their system -- so your server connects to their licensing server to confirm that it is activated as CWP Pro.
Running /scripts/update_cwp will trigger the check daily.
And for good measure, here's their wiki article about CSF/LFD configuration:
https://wiki.centos-webpanel.com/csflfd-firewall-configuration
Running /scripts/update_cwp will trigger the check daily.
And for good measure, here's their wiki article about CSF/LFD configuration:
https://wiki.centos-webpanel.com/csflfd-firewall-configuration
14
CSF Firewall / Re: Firewall off in cwp panel
« Last post by setecabanas on October 16, 2025, 11:10:44 AM »No, I had already restarted several times 
I have no idea what's going on.
Do you know what the CWP checks to make it appear as activated?

I have no idea what's going on.
Do you know what the CWP checks to make it appear as activated?
15
CentOS Configuration / Re: How to setup user quotas ?
« Last post by anandmys on October 16, 2025, 07:55:29 AM »Fresh AL 8 installation
etc/fstab
What should be done here?
etc/fstab
Quote
#
# /etc/fstab
# Created by anaconda on Mon Aug 19 17:42:13 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(, mount(
and/or blkid(
for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/sda4 / xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
UUID=37e38df4-28dc-4d9c-acb5-1a2fd7e6130b /boot xfs defaults 0 0
UUID=3F31-DBA5 /boot/efi vfat defaults,uid=0,gid=0,umask=077,shortname=winnt 0 2
What should be done here?
16
Mod_Security / Re: OWASP Latest
« Last post by Starburst on October 15, 2025, 09:59:39 PM »Ok. Same for Almalinux 8? I just saw the Alma9 in the link.Yes, it is the same for AL8.
17
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by pedromidiasf on October 15, 2025, 09:37:31 PM »You dont need a script to remove them. This will remove all of the malicious code except for index.php.Code: [Select]find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;
Edit: You can remove "-f" if you need to check which file is being removed.
If you have two examples of infected index.php file, i can try to make a script that will auto remove them.
I had files that didn't have the dot on the ".c", they were just "c". Take a look in your server as well.
Also inspect all your robots.txt and index.php (of the root folder of each website) mine got infect on top.
18
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by ConcernedCitizen on October 15, 2025, 09:12:51 PM »I mass removed them, every part of the malicious code, backup.c, licelic.c etc with rm find. Buy maybe i can find them from backups.
As far as I understand from the context of the malicious code, they are trying trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.
Oh i found one image file from a backup.
How did you mass remove them? Do you have a script that you could share?
You dont need a script to remove them. This will remove all of the malicious code except for index.php.
Code: [Select]
find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;
Edit: You can remove "-f" if you need to check which file is being removed.If you have two examples of infected index.php file, i can try to make a script that will auto remove them.
19
Mod_Security / Re: OWASP Latest
« Last post by rustylh on October 15, 2025, 08:51:04 PM »Ok. Same for Almalinux 8? I just saw the Alma9 in the link.
20
Mod_Security / Re: OWASP Latest
« Last post by Starburst on October 15, 2025, 08:24:40 PM »@overseer post the 2 links you need to follow.
It's mostly cut & paste in the CLI.
It's mostly cut & paste in the CLI.