Author Topic: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.  (Read 204 times)

When upgrading CWPpro version: 0.9.8.1236 to CWPpro version: 0.9.8.1239 /root/.ssh was removed!

[root@aaa .ssh]# lsattr
----ia--------e----- ./authorized_keys
----ia--------e----- ./authorized_keys2
--------------e----- ./chave-aaa
--------------e----- ./known_hosts

[root@fairmontrio1 .ssh]# /scripts/update_cwp


=====================================================
============================ CentOS Web Panel Cron ================
=====================================================


##########################
Firewall Flush Daily Blocks
##########################


######################
Update Server Packages
######################
Redirecting to /bin/systemctl restart cwpsrv.service
Redirecting to /bin/systemctl restart cwp-phpfpm.service
Redirecting to /bin/systemctl reload cwpsrv.service
Redirecting to /bin/systemctl reload cwp-phpfpm.service
Redirecting to /bin/systemctl restart cwpsrv.service
Redirecting to /bin/systemctl restart httpd.service
Redirecting to /bin/systemctl reload httpd.service
warning: /var/tmp/rpm-tmp.COg4OK: Header V4 DSA/SHA1 Signature, key ID 914bdf7e: NOKEY
error: Failed dependencies:
perl(Date::Calc) is needed by postfix-2:3.4.8-2.centos.8+p18.0.24.0+t200128.1353.x86_64
Redirecting to /bin/systemctl reload nginx.service
Redirecting to /bin/systemctl reload httpd.service
Redirecting to /bin/systemctl restart httpd.service
sed: cannot rename /root/.ssh/sedR9aMWq: Operation not permitted
chown: changing ownership of '/root/.ssh/authorized_keys': Operation not permitted
chmod: changing permissions of '/root/.ssh/authorized_keys': Operation not permitted
chsh: Shell not changed.
chsh: Shell not changed.
sed: cannot rename /root/.ssh/sedgX6N5j: Operation not permitted
chown: changing ownership of '/root/.ssh/authorized_keys': Operation not permitted
chmod: changing permissions of '/root/.ssh/authorized_keys': Operation not permitted
chsh: Shell not changed.
chsh: Shell not changed.
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

[root@aaa .ssh]# ls -lah
total 0


Be careful when updating! We had a huge loss.
André Bastos
ISBrasil Hospedagem de Site

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #1 on: July 02, 2026, 05:59:36 AM »
Looks like you are running an EOL OS - aka CentOS 8.

First I would suggest updating/switching the OS to AlmaLinux 8.

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #2 on: July 02, 2026, 06:08:45 AM »
On AlmaLinux 9 and still have the same issue. We thought it was an attack related to https://forum.centos-webpanel.com/centos-webpanel-bugs/i-think-there-is-a-very-serious-security-vulnerability-in-cwp-right-now/. Guess it's a new issue.

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #3 on: July 02, 2026, 07:20:03 AM »
Same here.
Deleted ~/.ssh/ from all of my servers.
I'm using Alma8.
Shocked, because I was thinking I was hacked on all my servers.

Regards,
Netino

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #4 on: July 02, 2026, 11:10:47 AM »
I can confirm this issue. It happens on Alma Linux 9.8. I'm shocked 😲

There is also a big issue with a broken script from the scripts folder. The content of fix_cwpsrv_logs is truncated.

Please fix this issue ASAP, it's urgent.

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #5 on: July 02, 2026, 11:38:44 AM »
On AlmaLinux 9 and still have the same issue. We thought it was an attack related to https://forum.centos-webpanel.com/centos-webpanel-bugs/i-think-there-is-a-very-serious-security-vulnerability-in-cwp-right-now/. Guess it's a new issue.

It's related to the fix released to mitigate the breach. The script temp_hacker_check is the cause of this issue and it deletes /root/.ssh/ completely.

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #6 on: July 02, 2026, 02:14:09 PM »
Same for me with Rocky8. The problem comes from the user "operator", who has /root as home directory (correct, as it has maintenance tasks). The script found that "operator" is a hacker ???
You can take operator out of the list in the script, but it will probably be updated.
The script sets "operator" to a nologin shell (/sbin/nologin in /etc/passwd) but continues to consider it dangerous (eval echo "~operator" still outputs /root).
As I don't know if it's safe to remove the operator user (some people say yes), I changed the home directory for that user: usermod -d /home operator.
Another incorrect thing: if the file /root/.ssh is configured as immutable (+i), then every day it comes out unprotected.
It seems to me that the script was written in a hurry for a specific case, but lacks a few things.
« Last Edit: July 02, 2026, 02:16:10 PM by juanyves »
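
The condition described in this reply (a non-root account such as operator whose home directory resolves to /root) can be checked read-only before the daily task runs. This is an added example, not part of the original post and not CWP's script; the function names and the sample passwd entries are constructed.

```shell
#!/bin/sh
# Added example: list non-root accounts whose home directory is root's home.
# Input is a passwd-format file: name:passwd:uid:gid:gecos:home:shell
# Nothing is modified; the function only reads the file it is given.

accounts_sharing_home() {
    # $1 = passwd-format file, $2 = home directory to check (default /root)
    awk -F: -v home="${2:-/root}" '
        {
            h = $6
            # Normalise trailing slashes so "/root/" matches "/root".
            while (length(h) > 1 && substr(h, length(h)) == "/")
                h = substr(h, 1, length(h) - 1)
        }
        # Report every account except root itself, with its login shell,
        # because a nologin shell does not change where ~user expands to.
        h == home && $1 != "root" {
            printf "%s uid=%s shell=%s\n", $1, $3, $7
        }
    ' "$1"
}

# Constructed sample input (not taken from any real server).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
backup:x:1001:1001::/root/:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
accounts_sharing_home "$tmp" /root
rm -f "$tmp"
```

On a live server the same function can be pointed at /etc/passwd instead of the sample file.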

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #7 on: July 02, 2026, 03:32:10 PM »
We are not running that 'fix'.

Happened to a couple of our AlmaLinux 9 boxes when we went thru them.

You have to go thru the GUI and File Manager to change SSH to allow passwords.

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #8 on: July 02, 2026, 04:53:49 PM »
To regain access, add a key via the panel:

-> Send shell command

Script:

mkdir -p /root/.ssh && chmod 700 /root/.ssh && echo "__PASTE_HERE__" >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys
André Bastos
ISBrasil Hospedagem de Site

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #9 on: July 02, 2026, 07:00:41 PM »
We are not running that 'fix'.

Happened to a couple of our AlmaLinux 9 boxes when we went thru them.

You have to go thru the GUI and File Manager to change SSH to allow passwords.

Thanks a lot for the info. But that is only to recover root access to the system and to restore access with keys in authorized_keys. The daily task running temp_hacker_check will destroy it again and again until a new CWP update is released. There is also a big issue with the script named "fix_cwpsrv_logs", as I've said before, because the content is truncated/wrong. Does anyone have the old content of this script, or has it been changed for some reason?

Anyway, I wish the best of luck to all with the work to recover from this little disaster :) As I've read, there were many hacked servers, but now the ones that avoided the hack are also suffering from a badly patched update.

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #10 on: July 02, 2026, 07:07:17 PM »
To regain access, add a key via the panel:

-> Send shell command

Script:

mkdir -p /root/.ssh && chmod 700 /root/.ssh && echo "__PASTE_HERE__" >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys

Great tip to recover access immediately without the need to enable password access. Let's hope that a new CWP update will repair ASAP all the damage caused by the fear of being hacked. The script used is very aggressive and it's touching too many sensitive parts of the system on servers where no compromise has been detected.
« Last Edit: July 02, 2026, 07:38:46 PM by Longhorn »

Re: The CWPpro version 0.9.8.1239 update destroyed sshd and .ssh.
« Reply #11 on: July 03, 2026, 02:07:27 PM »
Glad to know I am not the only one. I have 3 AlmaLinux 8 VMs with lost public keys. Imagine a disabled PAM.