On multiple independent VPS servers running CWP, I have detected a suspicious file named defauit.php (note: obfuscated by replacing lowercase “L” with uppercase “i”) located in the root directories of websites.
Upon inspection, it was found to be a backdoor file capable of remote code execution, making use of functions like file_put_contents, __call, unlink, and __destruct.
File Details:
Filename: defauit.php
Creation Date: July 4th, 2025
The file appears to prepare a payload to be executed remotely.
Log Evidence:
The file was accessed multiple times from the following IP address:
IP: 198.144.182.13
Timestamps: July 28th, 2025 – 09:03 and 09:12
July 31st, 2025 – 13:33
Requests to defauit.php triggered multiple ModSecurity warnings.
Despite these, some PHP-level operations (like unlink() and touch()) appear to have executed based on error logs.
Evaluation:
The file was injected on July 4th and remained dormant for about 3 weeks.
Exploitation attempts were made on July 28th and 31st.
This pattern fits a delayed-activation backdoor scenario.
No such files or behavior were observed on my other servers using DirectAdmin.
Request to CWP Team:
To better understand if this issue is related to CWP itself or its environment, I kindly request the CWP developers to:
Investigate potential security vectors or vulnerabilities,
Release appropriate patches or mitigation steps,
And share an official security advisory with the community.
If needed, I can also provide the full content of the defauit.php file for analysis.
NOTE: I use CWP Pro (CWPpro version: 0.9.8.1210)
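As an added example (not code from the original post or from CWP), these are the two checks a defender would run when triaging a report like the one above: flag web-root PHP files whose name normalizes to a legitimate name through look-alike characters, or that contain several of the functions listed above, and pull the (client IP, timestamp) pairs for requests to that file out of a combined-format access log. LEGIT_NAMES, the three-function threshold and the sample data are assumptions.

```python
import os
import re
# Confusable characters a malicious file name may use in place of the real one; the
# reported "defauit.php" (letter i standing in for l) normalizes to "default.php".
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})
# Assumption: legitimate file names that the look-alike check compares against.
LEGIT_NAMES = {"default.php", "index.php", "config.php"}
# PHP functions the report lists in the backdoor; three or more in one file warrants review.
INDICATOR_FUNCS = ("file_put_contents", "__call", "unlink", "__destruct", "touch")
# Combined-log prefix: client IP, two ident fields, bracketed timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def is_lookalike(filename):
    """True if the name is not itself legitimate but normalizes to a legitimate one."""
    name = filename.lower()
    return name not in LEGIT_NAMES and name.translate(CONFUSABLES) in LEGIT_NAMES

def indicator_functions(source):
    """Return the indicator functions that appear as calls or method definitions."""
    return [f for f in INDICATOR_FUNCS if re.search(r"\b" + re.escape(f) + r"\s*\(", source)]

def scan_file(path, source):
    """Flag one PHP file by look-alike name or by at least three indicator functions."""
    funcs, lookalike = indicator_functions(source), is_lookalike(os.path.basename(path))
    return {"path": path, "lookalike": lookalike, "functions": funcs, "suspicious": lookalike or len(funcs) >= 3}

def scan_tree(root):
    """Walk a document root and return scan_file() results for each flagged .php file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_file(path, fh.read())
            if result["suspicious"]:
                findings.append(result)
    return findings

def requests_for(log_lines, filename):
    """Return (client_ip, timestamp) for every access-log request that hits the file."""
    return [(m.group("ip"), m.group("ts")) for line in log_lines
            if (m := LOG_RE.match(line)) and m.group("path").split("?", 1)[0].endswith("/" + filename)]

# Constructed sample data (not taken from the affected servers) to exercise the checks.
SAMPLE_PHP = "<?php class X { function __call($n, $a) {} function __destruct() { unlink($this->f); } }"
SAMPLE_LOG = [
    '198.144.182.13 - - [28/Jul/2025:09:03:11 +0000] "POST /defauit.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/Jul/2025:09:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '198.144.182.13 - - [31/Jul/2025:13:33:42 +0000] "POST /defauit.php?x=1 HTTP/1.1" 403 0',
]
```

Run scan_tree() against each account's public_html and requests_for() against the domain's access log; a look-alike name with a matching request history is the pattern the post describes.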
You never answered what distro you are running CWP on...
And now you pointed out it was a PHP Injection Attack, and nothing to do with CWP.
What PHP Version are you running?
Did you secure your php.ini?
First of all, thank you for your response.
My intention was never to blame or criticize CWP. On the contrary, I’m writing to you because I’ve been using it for years and truly appreciate the platform.
However, I must clearly state that I have only encountered this issue on servers running CWP.
On other servers managed with different control panels, such as DirectAdmin, I have never seen this kind of behavior.
That’s why I felt the need to investigate the matter further and share my findings in a detailed and constructive way. This was done solely to contribute to the security of the system we all use and rely on.
Yes, it might be a PHP-level vulnerability or some kind of injection technique. But the fact that this happened only on CWP-managed servers is something worth reflecting on and investigating more deeply.
Let me emphasize once again: if there is a vulnerability, identifying and addressing it early is essential to prevent a larger security issue in the future.
I already mentioned the distribution details in one of my earlier messages — you can check above.
To clarify:
One of my servers is running CentOS 7
Four of my servers are running AlmaLinux 9.5
And all of them were affected by the issue.
If the problem had only occurred on the CentOS 7 server, I would’ve accepted it as my own fault — CentOS 7 is EOL and no longer receives security updates.
But since I experienced the exact same issues on AlmaLinux 9.5 servers, I took the situation seriously.
Thank you again for your time and attention.