Recent Posts

71
CentOS 9 Problems / Re: monit with AL9
« Last post by overseer on October 18, 2025, 11:55:40 AM »
Do you find the functionality beneficial? I installed it originally but then disabled it (so now I don't get the CWP nag warning).
72
Installation / Re: install cwp panel rocky linux
« Last post by overseer on October 18, 2025, 11:54:18 AM »
AlmaLinux 8 is the best foundation for a new server. AL9 is beta quality, mostly ready for production (with just a few known bugs -- such as CWP Migration does not work). Rocky Linux is more of a "rocky" experience -- incompatibilities, missing libraries, etc.
73
Installation / install cwp panel rocky linux
« Last post by RDouro on October 18, 2025, 11:22:13 AM »
Hi all, which is the best version of Rocky Linux to install CWP panel?

Because I tried the last version of Rocky and have a problem in PHP.
74
Hello,

We're encountering the same situation on one of our servers.
While we're actively performing cleanup operations, the critical question remains: Has this vulnerability truly been resolved by the "silent patch"?

Do you have any information about when and what version of the patch/update?

Best regards,

I've studied the vulnerability and I don't expect it to be able to exploit anything else. The attacker only had access as a low-privilege user. If he had so much access, he wouldn't be mass exploiting every website of your server.
I recommend you change your admin and client ports. This way, automated systems won't be able to find it right away.
If you want to be extra serious about it, format it. Don't take my word too seriously, but I see no reason to format. Nevertheless, always keep a clean backup.
I've added "HTTP Basic access authentication" to the admin and client panels. I've also added this to WordPress login URLs. This will block every public access and it creates a new layer of protection. I saw that my firewall got less blockage because there was no possibility for hackers to make requests. Every page, request or URL has been blocked with this. It works like a master password on sensitive areas that is requested before opening or requesting anything.



My WordPress websites are also infected, and other non-WordPress websites as well. Replaced index.php, added  licelic.c" backup.c defauit.php. I found admin accounts in database WP-user wpadmin@volovmart.ru. I don't know how it happened. But I think the panel was hacked because it does not affect only WordPress CMS. I'm using CWP Pro.

I believe the WordPress database was infected by external code execution. I also had this user and same email.
You should rebuild your WordPress from scratch. Best way is to firstly remove that user (with the WordPress panel). You can also execute queries to remove the user and the content he has created (if present).
Then import only these tables:
wp_users
wp_usermeta
wp_terms
wp_term_taxonomy
wp_posts
wp_postmeta

If your WordPress has user comments, also import:
wp_comments
wp_commentmeta

Then install all plugins from the installation menu (don't import from the infected website). Everything has to be built again. WordPress plugins create a lot of tables that are not even needed. But be aware and test your website afterwards.

If you had made changes to your template before, install the template from the installation menu and take a deep look at each file you had modified. If done right, you probably have a child folder for that theme. Take a deep look at each line of code of those modified files to see if something was injected. I did that manually and then I asked ChatGPT if there was any malicious line of code just to confirm it.
If you have custom plugins, you have to take a deep look at each line of code as well.
75
Other / Re: Nginx Varnish Apache php-fpm 403 Forbidden
« Last post by setecabanas on October 18, 2025, 08:02:02 AM »
I have the same problem in a fresh install of CWP with AL9
:(
76
CentOS 9 Problems / monit with AL9
« Last post by setecabanas on October 18, 2025, 07:35:06 AM »
Hi,

Has anyone been able to configure Monit correctly on a server with AlmaLinux 9?

77
You can also search in your files. "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";"
Might be another backdoor.

Don't rely on finding this sequence. All injected files, even if they do the same thing, have different obfuscation codes, even with a different sequence of code.
Best way is to search for index files within the folders and check your main index file.
Also consider disabling PHP execution inside folders that are not needed. Also disable direct execution of PHP files that don't need to be called directly from a URL. This can be done with folder permissions and .htaccess files.
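
The index-file search suggested in the post above, sketched as an added example (not part of the original thread and not CWP tooling): it walks a web root, lists every index.php for manual review, and flags PHP files made up mostly of hex/octal string escapes like the sequence quoted above, whatever the exact bytes are. The 0.2 density threshold and the temporary sample tree are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Hex (\x3c) and octal (\162) string escapes, the obfuscation style quoted in the thread.
ESCAPE_RE = re.compile(rb"\\x[0-9a-fA-F]{2}|\\[0-7]{1,3}")
DENSITY_THRESHOLD = 0.2  # assumed cut-off: share of file bytes that are escape sequences

def escape_density(data: bytes) -> float:
    """Fraction of the file's bytes that belong to hex/octal escape sequences."""
    if not data:
        return 0.0
    return sum(len(m.group()) for m in ESCAPE_RE.finditer(data)) / len(data)

def scan_webroot(root: str):
    """Return (index_files, suspicious_files) as sorted paths relative to root."""
    index_files, suspicious = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() == "index.php":
                index_files.append(rel)  # every index file gets a manual review
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            if escape_density(data) >= DENSITY_THRESHOLD:
                suspicious.append(rel)
    return sorted(index_files), sorted(suspicious)

def build_sample_tree() -> str:
    """Constructed sample web root (not real data) used only for the demo."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
    with open(os.path.join(root, "wp-content", "uploads", "index.php"), "w") as fh:
        fh.write('<?php $s = "' + "\\x3c\\x66\\x6f\\162\\x6d\\40" * 4 + '"; echo $s;\n')
    return root

if __name__ == "__main__":
    idx, sus = scan_webroot(build_sample_tree())
    print("index files:", idx, "| high escape density:", sus)
```

An index.php inside an uploads folder is worth a look even when its escape density is low, since such folders rarely need their own index file.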
78
Hello,

We're encountering the same situation on one of our servers.
While we're actively performing cleanup operations, the critical question remains: Has this vulnerability truly been resolved by the "silent patch"?

Do you have any information about when and what version of the patch/update?

Best regards,
79
My WordPress websites are also infected, and other non-WordPress websites as well. Replaced index.php, added  licelic.c" backup.c defauit.php. I found admin accounts in database WP-user wpadmin@volovmart.ru. I don't know how it happened. But I think the panel was hacked because it does not affect only WordPress CMS. I'm using CWP Pro.
80
CSF Firewall / Re: Configserver down?
« Last post by setecabanas on October 17, 2025, 07:00:34 AM »
Thanks for all ;)