Control Web Panel
WebPanel => Installation => Topic started by: robsonwr on July 11, 2025, 08:41:48 PM
-
Where can I download the ISO?
Is this the best option?
-
Please use AlmaLinux 8 or 9 as the foundation for a production-ready server. A beta quality or EOL (end of life) OS is not really suitable for a server.
-
My Approach to Stopping the CWP File-Manager Exploit

1. Scan & Identify Malware
• Searched for obfuscated PHP payloads:
    # grep every account's docroot for the usual obfuscation / execution primitives
    grep -rniE "(eval\s*\(|base64_decode|gzinflate|str_rot13|shell_exec|proc_open|passthru|system)" \
        /home/*/public_html/
• Caught the classic pair in every account:
    nbpafebaef.jpg (PHP in disguise)
    defauit.php (web-shell)
• Found tmp propagators reported in the forum thread:
    /tmp/.auto_monitor and /tmp/.tmp_baf

2. Clean & Quarantine
    mkdir -p /root/quarantine
    # the same two filenames exist in many accounts, so keep the origin path in the
    # quarantined name instead of letting each mv overwrite the previous account's copy
    for f in /home/*/public_html/nbpafebaef.jpg /home/*/public_html/defauit.php; do
        [ -e "$f" ] && mv "$f" "/root/quarantine/$(printf '%s' "$f" | tr / _)"
    done
    mv /tmp/.auto_monitor /tmp/.tmp_baf /root/quarantine 2>/dev/null
• Manually opened every recently-modified functions.php; all were clean, so no theme replacement required.

3. Global Block via ModSecurity (NOT .htaccess)
Added to /usr/local/apache/modsecurity-cwaf/custom_user.conf:
    # Put your custom ModSecurity directives here
    # Please don't remove this file
    # Block CWP filemanager exploit attempts (CVE-2025-48703)
    SecRule REQUEST_URI "@contains /user/index.php" \
        "id:4870301,phase:2,deny,status:403,log,msg:'[CWP Exploit Block] Block access to module=filemanager&acc=findFiles',\
        chain"
        SecRule ARGS:module "@streq filemanager" \
            "chain"
            SecRule ARGS:acc "@streq findFiles"
Restart Apache:
    systemctl restart httpd

4. Verification (cURL)
    curl -X POST "https://your-domain.com/user/index.php?module=filemanager&acc=findFiles" \
        -A "Mozilla" -I
    # Expected: HTTP/1.1 403 Forbidden
403 confirms ModSecurity now blocks the exploit endpoint for every vHost.

Result: Infection removed, endpoint sealed, and logfile shows only blocked attempts.
Hope this helps anyone still cleaning up from the same CVE!
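Two follow-up checks for the clean-up described above, added here as an example and not part of the post: one finds image-named files that actually carry PHP (the nbpafebaef.jpg pattern), the other counts hits on the filemanager findFiles endpoint that were not answered with 403, which is how you spot a vHost the ModSecurity rule is not covering. It assumes POSIX sh with find/grep/awk/head and Apache combined-format logs; the sample tree and log lines are constructed, not real data.

```shell
#!/bin/sh
# Added example, not from the forum post.
#   find_disguised_php DIR   - image-named files whose content carries a PHP open tag
#   count_unblocked_hits LOG - findFiles-endpoint requests NOT answered with 403
# Assumes POSIX sh with find/grep/awk/head; Apache combined log format.

find_disguised_php() {
    # $1 = directory tree to scan, e.g. /home/*/public_html
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) 2>/dev/null |
    while IFS= read -r f; do
        # look for a PHP open tag in the first 512 bytes, even behind fake image magic bytes
        if head -c 512 "$f" | grep -qaE '<\?(php|=)'; then
            printf '%s\n' "$f"
        fi
    done
}

count_unblocked_hits() {
    # $1 = Apache access log; field 9 of a combined-format line is the status code
    grep -Fi 'module=filemanager&acc=findFiles' "$1" |
    awk '$9 != 403 { n++ } END { print n + 0 }'
}

make_sample() {
    # builds a constructed sample tree (not real data) and prints its path
    d=$(mktemp -d)
    mkdir -p "$d/public_html"
    printf '\377\330\377\340 real image bytes' > "$d/public_html/photo.jpg"   # genuine JPEG header
    printf '<?php echo "hi"; ?>' > "$d/public_html/nbpafebaef.jpg"             # PHP in disguise
    printf '\377\330\377\340 junk <?= 1 ?>' > "$d/public_html/banner.png"      # fake header, then PHP
    printf '<?php echo "ok"; ?>' > "$d/public_html/index.php"                  # real PHP, not image-named
    cat > "$d/access.log" <<'EOF'
198.51.100.7 - - [11/Jul/2025:20:41:48 +0000] "POST /user/index.php?module=filemanager&acc=findFiles HTTP/1.1" 403 199 "-" "Mozilla"
198.51.100.7 - - [11/Jul/2025:20:41:49 +0000] "POST /user/index.php?module=filemanager&acc=findFiles HTTP/1.1" 200 512 "-" "Mozilla"
203.0.113.5 - - [11/Jul/2025:20:42:00 +0000] "GET /index.php HTTP/1.1" 200 1042 "-" "Mozilla"
EOF
    printf '%s\n' "$d"
}

# demo run on the constructed sample
SAMPLE=$(make_sample)
find_disguised_php "$SAMPLE/public_html"      # lists nbpafebaef.jpg and banner.png
count_unblocked_hits "$SAMPLE/access.log"     # prints 1
rm -rf "$SAMPLE"
```

On a live box, point find_disguised_php at /home/*/public_html and count_unblocked_hits at each vHost's access log; any non-zero count means that host still answers the endpoint.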