11
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected Arbitrary PHP Code Execution via Publ
« Last post by tomkolp on July 07, 2025, 05:01:39 PM »
Scary but is it true?
What system does CWP run on?
Please provide the CWP version you are using?
Apache version?
PHP version for the CWP panel?
What web server?
ModSecurity enabled? If so, in what version?
Roundcube in what version?
I am not affiliated with the creators of CWP, I just want to compare it with my installation. There could be many attack vectors.
12
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected Arbitrary PHP Code Execution via Publ
« Last post by overseer on July 07, 2025, 04:57:26 PM »
Are you running malware detection scans on your system?
https://basaranturizm.com indeed serves up examples of these trojan files -- oddly that's all the domain serves and it allows file listing, so something is not normal about it. Looks to be PayPal scam related. Perhaps it is even a source domain for the files to be retrieved from. I located some of those files on a backup of a CentOS 7 system VM running Apache. One CentOS 7 system I have in legacy mode is clean -- but it runs Nginx, not Apache. Two newer AlmaLinux servers I have are clean. So my suspicion is that there is a weakness in the default Apache config on CWP or a problem with CentOS 7 systems -- all the more reason to get off of EL7 and get to an EL8 or EL9 foundation.
13
PHP / New updated on 03 Jul 2025
« Last post by Starburst on July 07, 2025, 03:32:13 PM »
Well PHP versions:
8.1.33
8.2.29
8.3.23
8.4.10
8.5.0 Alpha 1
All just got released on 2025-07-03
ionCube has drivers for PHP 8.4.x
But now CWP is 2 versions behind with 8.1, 8.2, 8.3
And no support for 8.4
Any news @studio4host?
Thanks
14
CentOS-WebPanel Bugs / [CRITICAL] Multiple CWP Servers Infected Arbitrary PHP Code Execution via Publ
« Last post by kandalf on July 07, 2025, 03:29:52 PM »
I'm reporting a critical security issue affecting multiple servers running CWP (CentOS Web Panel). During a security review on a Laravel-based website hosted via CWP, I found malicious PHP files in the public/ folder that allowed arbitrary code execution.
🛑 What I Found
On my server, inside /home/username/public_html/public/ and /home/username/public_html/, I found two suspicious files:
nbpafebaef.jpg: Contains PHP code despite the .jpg extension:
<?php echo md5("gewafwaef1");die;?>
defauit.php: A PHP script with a misleading name (looks like default.php).
These files execute when accessed via a browser. This confirms that PHP is being executed from the public folder, even if disguised with a .jpg extension.
🔍 Widespread Issue: Other Sites Also Affected
After further investigation, I found that other unrelated websites also running CWP have the exact same malicious files in the same locations:
https://basaranturizm.com/
https://coutos.pt/
This strongly suggests a systemic vulnerability, likely related to how CWP manages public folders or file permissions. These sites are not connected to me; I simply found them through Google search using the filename.
❗ Possible Vectors
Some possibilities include:
Insecure permissions on public/ allowing PHP file uploads or writes
Compromise via CWP File Manager or outdated software
Global vulnerability in CWP's file handling or directory security
⚠️ Request to CWP Team
Please investigate this urgently. It's very likely that:
CWP has a flaw allowing code execution in public folders
Default permissions or services are enabling attackers to inject files across multiple servers
If CWP developers need any of the samples or log details, I'm happy to provide them privately.
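Added example (not part of kandalf's post and not CWP code): a Python sweep for the two indicators the post describes, the reported file names and PHP code inside files that carry an image extension. REPORTED_NAMES and the md5 line come from the post; the other sample contents, the function names and the 1 MiB read cap are assumptions of this example.

```python
import os
import re

# File names reported in the post above.
REPORTED_NAMES = {"nbpafebaef.jpg", "defauit.php"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# Leading bytes of genuine JPEG, PNG, GIF and WebP (RIFF) files.
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

# Constructed sample files (name -> content); only the first body is from the post.
SAMPLES = {
    "nbpafebaef.jpg": b'<?php echo md5("gewafwaef1");die;?>',
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "banner.gif": b"GIF89a" + b"\x00" * 8 + b"<?php echo 1;",
    "defauit.php": b"<?php // placeholder body",
    "index.php": b"<?php echo 'site';",
}

def classify(name, data):
    """Return the reasons a file is suspicious (empty list if none)."""
    reasons = []
    if name.lower() in REPORTED_NAMES:
        reasons.append("reported-filename")
    if os.path.splitext(name)[1].lower() in IMAGE_EXTS and PHP_TAG.search(data):
        # Real image header + PHP = polyglot; no header = PHP renamed as image.
        reasons.append("php-in-image" if data.startswith(MAGIC) else "php-renamed-as-image")
    return reasons

def scan_webroot(root, max_bytes=1 << 20):
    """Return sorted (relative_path, reasons); reads max_bytes per file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable: skip rather than abort the sweep
            reasons = classify(name, data)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(name, body) or "clean")
```

Point scan_webroot at each account's public_html directory. A hit on an image-named file shows only that the file contains PHP; whether the web server executes it depends on the handler configuration.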
15
Apache / Re: WARNING! You are not running CWP Apache
« Last post by Starburst on July 07, 2025, 03:26:54 PM »
Not sure how, but it looks like you installed the AL version of Apache.
Follow what @studio4host posted, and that should restore everything.
And just a note, when reading how-to's on other sites that are not for CWP, remember it might not work with/or corrupt CWP.
Which is why making a snapshot or backup that you can restore is great.
16
Problems on other RedHat linux servers / Re: AlmaLinux 8 by default folder website user go into root folder
« Last post by overseer on July 07, 2025, 01:02:19 PM »
I don't care for AlmaLinux's choice to give a separate LV to /home -- and it surprised me the first time I installed it. Usually on a CWP system, the big culprits are /var/vmail /home and /backup. On many of my systems, users packrat mail and so often times the mail folder is 2:1 to their home dir! So I need the full space available on the root filesystem (also to accommodate the growing backups).
Basic procedure is to move contents of /home to a temporary location (even /home2 if you like). Edit /etc/fstab and comment out the /home line. Reboot.
Code:
lvextend -l +100%FREE /dev/mapper/almalinux-root
xfs_growfs /dev/mapper/almalinux-root
mv /home2/* /home
17
Problems on other RedHat linux servers / AlmaLinux 8 by default folder website user go into root folder
« Last post by KurJay on July 07, 2025, 05:59:27 AM »
Hi, thanks for this great community
I install with OS AlmaLinux 8 by default partition, after installation finish, I figure out that AlmaLinux 8 put all the domain or user website into the root folder not at home folder

Only 2 User and already use 52% Disk Space
How we fixed this move all the hosting user file into home folder
Thanks for all your help
Regards
KurJay
18
Apache / Re: WARNING! You are not running CWP Apache
« Last post by overseer on July 06, 2025, 01:02:00 PM »
Be aware of what you are installing/updating. What OS are you running?
19
Apache / Re: WARNING! You are not running CWP Apache
« Last post by DeveloperMcD on July 06, 2025, 06:42:30 AM »
This happens every time I do a major upgrade of software packages (yum update)
This time, I didn't click the red button to "fix it", but just did a reboot.
But now none of my sites work! Why is this?
I didn't install or do anything. I just updated the packages yum wanted to update. That's it.
20
PHP / Re: PHP Warning: PHP Startup: Unable to load dynamic library 'intl'
« Last post by Starburst on July 05, 2025, 02:15:36 PM »
Yup, and for EL9 it is:
Package libicu-67.1-9.el9.x86_64 is already installed.
Package libicu-devel-67.1-9.el9.x86_64 is already installed.
It's weird it's only on this server, which doesn't matter too much, it doesn't have clients on it. It's a mirror.