Recent Posts

1
Updates / Re: AL 9.6, I have info about 240 updates
« Last post by Starburst on November 23, 2025, 11:34:42 PM »
It's an encrypted file, so I can see how/what is being run.  :-\

I have contacted higher powers...  :o
2
CWP 0.9.8.1218 has this original bug fixed for a long time with the File Manager.

What you posted is a WordPress path.

Simple fix, don't use WordPress, or use a security plugin.

Also secure your PHP.ini under disable_functions =

If you're not sure how to secure a server or clean one after an attack, you might want to think about hiring a sys admin.
3
My WordPress websites are also infected, and other non-WordPress websites as well. index.php was replaced, and licelic.c" backup.c defauit.php were added. I found admin accounts in the database: WP user wpadmin@volovmart.ru. I don't know how it happened, but I think the panel was hacked, because it does not affect only the WordPress CMS. I'm using CWP Pro.
Hello,

We're encountering the same situation on one of our servers.
While we're actively performing cleanup operations, the critical question remains: Has this vulnerability truly been resolved by the "silent patch"?

Do you have any information about when and what version of the patch/update?

Best regards,
I have the same problem. My VPS are infected.
I'm using CWPpro version: 0.9.8.1218 and Rocky Linux release 9.5
After the intrusion I have problems with SEO; Google results display titles from other sources.
My websites' traffic has plummeted in the last few days because of this change. When I type site:mysomain.tld into Google, I see that the results point to my websites, but the text is different.
Does anyone else have this problem? Do you know how to fix it? How did you manage to change it? I've already submitted sitemaps to Google Search Console, but I'm not sure if it will work.

The first thing to do is to rename /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php to /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php.disabled

Then follow the messages sent by @pedromidiasf and me on pages 5 to 7. You will see the names of the malicious files dropped by attackers.

What exploiters are capable of is equal to filemanager at the start, and this might not seem worrying. But then they take full advantage of PHP, so if they want to remove all of your files, they can, and they can redirect your visitors to other websites.

If I was the one who's using this exploit I could convert this to a DDoS tool by redirecting every visitor to the website that I want to cause DoS. So, there is no limit, they can do anything they want and every IT admin should take this seriously.

Hi friend, I'm still fighting to fix it. Disabling filemanager is a temporary solution. My sites' traffic is growing. I deleted all infected files. Enabled Mod sec rules. Scanned all WordPress websites with Wordfence. But uploads are still possible over POST; I see them in the logs every 2 days. The index files on my webpages are being replaced with hacker files. I found folders with permission 777 on my server. Sadly, CWP doesn't have a reinstall or uninstall solution for such a case, to fix hacked files.
4
Even on CWPpro version 0.9.8.1218, this is still working for the hack: 3/Nov/2025:13:12:40 +0400] "POST /uploads/leads/1/index.php? I enabled all security tools, but still no luck.
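
As an added example (not part of any post above, and not CWP's own code): a triage pass over a web server access log that flags POST requests to PHP files under upload or mu-plugins directories, like the log entry quoted above, and reports which of those paths still returned 2xx on their most recent hit. The log lines are constructed samples in combined log format; the directory pattern and function names are assumptions.

```python
import re

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Directories meant for data or auto-loaded plugins (assumed list; extend per site).
DROP_DIR_RE = re.compile(r'/(uploads|mu-plugins)/', re.IGNORECASE)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Nov/2025:13:12:40 +0400] "POST /uploads/leads/1/index.php?id=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [05/Nov/2025:13:15:02 +0400] "POST /uploads/leads/1/index.php HTTP/1.1" 404 196 "-" "curl/8.0"',
    '198.51.100.23 - - [05/Nov/2025:14:00:11 +0400] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Nov/2025:14:01:30 +0400] "GET /wp-content/uploads/2025/11/logo.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [06/Nov/2025:09:30:00 +0400] "POST /wp-content/mu-plugins/cache.php HTTP/1.1" 200 88 "-" "python-requests/2.31"',
]

def suspicious_posts(lines):
    """Return POST requests aimed at .php files inside upload-type directories."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0]  # ignore the query string
        if path.lower().endswith(".php") and DROP_DIR_RE.search(path):
            hits.append((m["time"], m["ip"], path, int(m["status"])))
    return hits

def live_paths(hits):
    """Paths whose most recent hit returned 2xx, i.e. the script still exists and ran."""
    last_status = {}
    for _time, _ip, path, status in hits:  # log order is chronological
        last_status[path] = status
    return sorted(p for p, s in last_status.items() if 200 <= s < 300)

if __name__ == "__main__":
    hits = suspicious_posts(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("still answering:", live_paths(hits))
```

Any path reported as still answering is a file to remove and a directory whose permissions and PHP execution settings need review before the next scan.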
5
Updates / Re: AL 9.6, I have info about 240 updates
« Last post by Wonder on November 23, 2025, 12:42:43 PM »
Indeed, I don't use CBPolicyD, and that's how I proceeded. I ran both commands, the uninstaller and the installer, and AL9 updated without issue.

However, I later saw the following message in my Anacron email, and I'm not sure if it's relevant:


Code:
###############################################
Daily MySQL Backup starting
###############################################
(Sorry, I can't post the paths. Notice: the "forbidden" forum is giving an error.)
PHP Notice:  Trying to access array offset on value of type null in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php on line 0

Notice: Trying to access array offset on value of type null in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php on line 0
Database Backup: mysql --> /backup/mysql/daily//mysql.sql.gz
PHP Notice:  Trying to access array offset on value of type null in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php on line 0

Notice: Trying to access array offset on value of type null in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php on line 0
Database Backup: oauthv2 --> /backup/mysql/daily//oauthv2.sql.gz
PHP Notice:  Trying to access array offset on value of type null in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php on line 0
...
Notice: Trying to access array offset on value of type null in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php on line 0
Database Backup: root_cwp --> /backup/mysql/daily//root_cwp.sql.gz
PHP Notice:  Trying to access array offset on value of type null in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php on line 0
...
perl(DBD::mysql) >= 1.0 is needed by percona-toolkit-2.2.16-1.noarch


Currently, I only have the databases included with CWP9, but that last line indicates that it needs perl(DBD::mysql) >= 1.0, precisely the one we replaced. I don't know if it's all related to the replacement.
6
Updates / Re: AL 9.6, I have info about 240 updates
« Last post by Starburst on November 23, 2025, 02:11:41 AM »
We had the same problem with that message when running dnf --refresh update

If you are not running CBPolicyD, you don't need to edit any files, and just run those 2 commands above before upgrading.
7
Information / Re: I can't access my post history in this forum...
« Last post by Wonder on November 22, 2025, 08:56:45 PM »
Unfortunately, we lost those features a long time ago. Besides, it no longer notifies you by email when someone replies to one of your posts, and when you click "publish," a "form not secure" message appears.
Hopefully, some of these features will return; for me, they were important...
8
Updates / Re: AL 9.6, I have info about 240 updates
« Last post by Wonder on November 22, 2025, 08:49:53 PM »
To fix the conflict:

Code:
dnf remove perl-DBD-MySQL -y
Code:
dnf install perl-DBD-MariaDB -y
Finish the upgrade to AlmaLinux 9.7:
Code:
dnf --refresh update

Hello.

I was just coming here because of this same problem. I have AL 9.6 + CWP 9 (to do testing) installed thanks to... ;)
And I've run into the same problem. When I try to update (I think there's an update from 9.6 to 9.7), I get several lines with:
Code:
Error: Transaction test error:
file /usr/share/mysql/charsets/Index.xml from install of mysql-common-8.0.43-1.el9_6.x86_64 conflicts with file from package MariaDB-common-10.11.15-1.el9.x86_64

file /usr/share/mysql/charsets/armscii8.xml from install of mysql-common-8.0.43-1.el9_6.x86_64 conflicts with file from package MariaDB-common-10.11.15-1.el9.x86_64

Basically, the same problem is described in this post:

https://forum.centos-webpanel.com/centos-webpanel-bugs/can-t-update-linux-os-because-of-mysql-common/msg52726
I've done some research and saw what you mentioned, Starburst, as a solution.

The link they mention here:

They talk about modifying a file to make the mail server work. I haven't done it (due to lack of time, I haven't yet done the necessary migration tests from AL8 to this server with AL9 to configure mail), so I deduce that it's not necessary.

As always, thank you for being here, on the front lines, helping out.
9
This wave of malware was nasty.

Maldetect / ClamAV failed big time.

I would find the issues (WordPress sites), fix the directory permissions and delete hijacked files.

MU plugin folder was constantly being populated with *php

Following the instructions here and all over the web (LOL) I finally beat it.

The plugin Wordfence is bloated for daily use on each and every site, but I did install it on the two sites I was having the hardest time taming and it did find the last few (4-5) files that I missed. I should have installed it sooner. In any event it found the last few suspicious files and I manually nuked them, then uninstalled it.

10
Updates / Re: AL 9.6, I have info about 240 updates
« Last post by Starburst on November 20, 2025, 02:47:07 PM »
To fix the conflict:

Code:
dnf remove perl-DBD-MySQL -y
Code:
dnf install perl-DBD-MariaDB -y
Finish the upgrade to AlmaLinux 9.7:
Code:
dnf --refresh update