Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - pedromidiasf

Pages: 1 2 [3] 4 5 ... 8
31
Information / htpasswd on CWP
« on: October 12, 2025, 09:50:14 PM »
Hi,
Is there a way to add .htpasswd and .htaccess (or configure vhosts to do the same) to the main CWP panel?

I tried to add these files there but they got "Operation not permitted". Also tried to chmod the folder and it got refused.
Is there a way to add them inside this folder or where can i find vhosts of the main panel?

32
True.
I always wanted to do my work just as developer. I've always hated servers and networks. Now my days have began!
I use to be a black hat on my teen stupid years. Now I have to pay for the karma :\

But you are right. There's an increase in attacks. This is getting ridiculous.

33
Where did you find those files? Inside /home or anywere else?

I also have this 198.144.182.13 IP in my logs.
Also found out that he also has created wordpress accounts, this is his data:
user: wpadminerlzp
email: wpadmin@volovmart.ru
date: 2020-06-14 00:00:00 (by looking at this 00:00:00, I assume this was SQL inserted)

34
We are not safe at all. Just today our websites affected again.
This exploit was there since 2021, We've checked all the files and found out some unused websites had defauit.php, backup.c and licelic.c files with timestamp showing 2021. And infected websites will always have robots.txt file.
I thought maybe I could fix it myself by editing filemanager but its an obfuscated file. So we decided to move our customers to another panel.

Did you search the access log? Did the attacker exploit the filemanager again?

36
After that, anything can be changed realy. I notice some plugins changed, and theme files. Also there is a mu-plugin that is created to the redirect.

Location of those changes? Where can i find them?

37
Do you know which wordpress files got infected?

38
So, if you are still in a server that have been compromised, there is no way around to know what have been done. Remove the files can be suficient, sure. But you don't know if anything else was compromised.

As far as I could see, this attack was only able to compromise non-sudo accounts. Through trial and error (using combinations of domains related to the server), the attacker only needed to find one valid user. Once that happened, he was able to discover other usernames to exploit additional non-sudo accounts.

In the worst-case scenario, the attacker was able to explore the server in read-only mode — likely dumping databases, backup files, SQL user credentials, and so on, across the entire system.
Non-sudo accounts should not have read access across the whole system, even the /etc/shadow file is readable with them.
Write access was only possible within the affected users’ home directories, including the /tmp directory.

Regarding WordPress what happened to your websites? Mine were defaced with a fake drop-shipping-style store, and the results got messed up in Google Search. Usually, these deface hacks are triggered when the referrer is Google, but this one didn’t behave that way. I only discovered it's real face by simulating a Googlebot user agent in my browser.
The wordpress code got so messed up that I can't even find where the infected code is. I'll have to reconfigure a brand new installation.

It looked like this:
https://i.imgur.com/zn6ji93.png

39
Since I don't need the user panel, I removed ports 2082 and 2083 from the firewall configuration file. This prevents access to the user panel.

To do this: log in to the admin panel, go to Firewall, and configure the "Opened TCP/UDP Ports". This will open the configuration file in edit mode. Remove ports 2082 and 2083 (you can find them under "Allow outgoing TCP ports" and "Allow incoming TCP ports") and then restart the firewall.

You will still be able to access the user panel if you need to perform actions that cannot be done through the admin panel, because when you log in as an admin in the admin panel, your IP is unrestricted by the firewall. Other users will experience connection timeouts.

I also recommend changing your users’ passwords, as the generated passwords are quite weak. Why the concern?
I discovered that long time ago I had created a username incorrectly by swapping two characters, then deleted it and created another one. Later, I removed that second user as well since it was not needed. Although these users are removed and non-operational, they still appear in the system, specifically in the "/etc/shells" file.
After checking the access logs, I saw that these two users had been exploited by the attacker. So I assume the attacker was able to read many files including "/etc/shells".
For testing, I logged in as a non-sudo user and confirmed that I could access and modify content in many parts of the server. So by the SSH access, you are not restricted only to the /home folder, you can explore almost all directories and content of the server. So It is also possible to extract password hashes for cracking. Or maybe your server can be ordered to brute force passwords and send it to the attacker.

Additionally, last night I turned off my httpd service, but by the morning it was running again. It was restarted at 4 AM. I am not sure what caused it to turn back on, but this behavior looks weird.

I do not intend to use my server for shared hosting, so I am not particularly concerned. However, granting this kind of shell access to regular users does not seem appropriate.

40
PHP Selector / Re: CWP PHP Selector [CWPpro required]
« on: October 14, 2019, 11:46:51 AM »

41
PHP Selector / [Tutorial] Fix PHP-FPM file permission denial
« on: October 14, 2019, 11:46:15 AM »
As you might already know PHP-FPM "trial" has ended and now you have to pay to use it.

To continue using PHP/PHP-FPM Selector you need to have CWPpro.

If you have activated it and don't want to keep using it (since you have to pay for it), you have to disable it, otherwise your websites will be down after a couple of time (even if you fix the file permissions that the service requests).
This issue is due to a file permission change on file "/opt/alt/php-fpm72/usr/sbin/php-fpm" by something on the server that is taking down this pay-to-use-service, since you haven't paid to use it, you don't have the right to use it, which is fair enough.

[Proceed bellow at your own risck - this is how I've done it, follow along by your own choice]

Before you doing this, i highly recommend you to backup this folder, since this process will rebuild your vhosts and you might need to fix some configurations later:
/usr/local/apache/conf.d/vhosts

So to disable it, you need to go to the side menu called "WebServer Settings" - "WebServers Domain Conf" and select one of your users (you need to do this to every user you have)


After you select the user, select domains tab, check all your checkboxes you have on all your domains that you have on this user you have selected and then click on "Custom config all selected"


Then select apache->php-cgi. On "Apache Configuration" group options, leave it as default and make sure you select the option to rebuild webservers


Don't forget to do the same to your sub-domains, and domains of all users you have:


Then to test this, connect via SSH and send out these commands:
Code: [Select]
service httpd reload
service httpd restart
service php-fpm72 stop

And take a look if your websites are now working again.
If you have "Internal Server Error" you might need to fix your new vhosts, based on your backup files.
Some other problems might occur, be ready to fix them :) i just needed to do this.

42
PHP Selector / Re: CWP PHP Selector [CWPpro required]
« on: October 14, 2019, 10:19:48 AM »
If you take a look at /var/log/cwp/webservers.log you will see a lot of entries trying to stop the service, like these:
2019-10-13 11:10:24 PHP-FPM php-fpm72: stop
2019-10-14 02:10:13 PHP-FPM php-fpm72: stop
2019-10-14 03:10:01 PHP-FPM php-fpm72: stop
2019-10-14 07:10:02 PHP-FPM php-fpm72: stop

Something is forcing this service to stop and to change "/opt/alt/php-fpm72/usr/sbin/php-fpm" file permissions as well.

How can i disable "PHP-FPM Selector" to get back to apache only? Is there a way from the panel?

43
Apache / Re: Internal Server Error
« on: March 17, 2019, 02:48:29 AM »
Go to "CWP->Log Viewer" on the panel, select "error log" and then the domain that is causing you trouble, if you see something like this:
Code: [Select]
bla bla bla date, time whatever (.....) public_html/websites/.htaccess: Option FollowSymlinks not allowed here
Then do this:
Go to each single vHost file contained in "/usr/local/apache/conf.d/vhosts" and allow "FollowSymLinks", by adding it to the "AllowOverride" section, like in the following example:

<Directory "/home/-------------/public_html/websites">
   Options -Indexes  FollowSymLinks <-delete here
   AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks  <-add here
</Directory>

Restart apache
And it will work
But try at first to do this to a domain that is not working for you, if it does the job do the same for all of them

44
SSL / Re: SSL certicate on add on domain error
« on: April 25, 2018, 11:01:54 PM »
You can also edit your "/usr/local/apache/conf.d/vhosts-ssl.conf" and on the first lines you'll find this:

Here where you have your server IP, for example "1.1.1.1"
<VirtualHost 1.1.1.1:443>

You just need to replace it by *, like this:
<VirtualHost *:443>

And it will work

45
Information / Re: CWP files?
« on: January 02, 2018, 01:04:03 AM »
CWP "website" files that are responsible for the webpanel are encrypted because this is a close project.
So you'll not be able to see what's from behind.

Pages: 1 2 [3] 4 5 ... 8