21
CentOS 8 Problems / PHP compiling fails, strange ld / ldconfig behaviour?
« Last post by crouso on July 09, 2025, 11:04:46 AM »
Hello,
since I am trying to fix my troubles with recompiling different PHP versions in CWPpro, I may have found some strange things.
I always get error messages in the PHP build logs like "bz2" not found.
So I tried to run "ld -libbz2 --verbose" and see
Code:
attempt to open //usr/lib64/libibbz2.so
So libibbz2.so is definitely not installed, because there is no libibbz2 lib, right?
I tested with other libs like librt, and found out that ld is also searching for the libIBrt.so file? Where is this coming from and how to fix that?
Code:
attempt to open //usr/lib64/libibrt.so failed
OS: AlmaLinux 8
Update:
The output of ldconfig is correct...
Code:
[root@s1 ~]# ldconfig -p | grep bz2
libbz2.so.1 (libc6,x86-64) => /usr/lib64/libbz2.so.1
libbz2.so (libc6,x86-64) => /usr/lib64/libbz2.so
Thank you very much,
regards
22
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by kandalf on July 09, 2025, 08:18:21 AM »
You are gravely mistaken about this.
Quote: Firstly, I didn't say delete, I said rename a single file that inconveniences your users slightly...
Quote: But you did say delete, quoted twice in the previous posts on this thread. I call that dubious advice, as with removing the .php extension -- which won't neuter it -- a file containing PHP code can still be run by a php interpreter.
This is a critical security issue. I've included two links from official security sources that detail the problem: https://fenrisk.com/rce-centos-webpanel and https://cybersecuritynews.com/linux-centos-web-panel-vulnerability/.
Doridian did an excellent job by adding a temporary fix to prevent more attacks. If you don't believe us, then please stop making unhelpful comments.
Otherwise, give us a domain and user account from one of your servers, and we'll prove you wrong.
23
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by 6Sense on July 09, 2025, 06:43:12 AM »
I can find attempts to use the exploit too but thus far they are having no luck & I can find no introduced files in home or tmp directories. I run Alma 8.
[06/Jul/2025:01:21:48 +1000] "POST /user/index.php?module=filemanager&acc=findFiles HTTP/1.0" 403 199 - Was from a ColoCrossing IP (no surprises there).
Have renamed file manager for security and shall actively watch.
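An added example, not part of any post in this thread: a small Python parser that tallies access-log requests to the file manager module by response status, built around the log fragment quoted in the post above. Every sample line other than that fragment, the client addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# [timestamp] "METHOD target PROTOCOL" status size, as in the quoted fragment.
# Fields before the timestamp (client address, ident, user) are optional.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+[^"]*"'
    r'\s+(?P<status>\d{3})\s+(?:\d+|-)'
)

def parse_line(line):
    """Return a dict for a request to module=filemanager, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["target"]).query)
    if "filemanager" not in query.get("module", []):
        return None
    return {
        "prefix": line[:m.start()].strip(),   # whatever precedes the timestamp
        "ts": m["ts"],
        "method": m["method"],
        "acc": query.get("acc", [""])[0],
        "status": int(m["status"]),
    }

def summarize(lines):
    """Tally hits by (method, acc, status); return the tally and the hits
    that were not answered with a 4xx/5xx status."""
    hits = [h for h in map(parse_line, lines) if h]
    tally = Counter((h["method"], h["acc"], h["status"]) for h in hits)
    return tally, [h for h in hits if h["status"] < 400]

# First line is the fragment from the post; the rest are constructed samples
# using documentation address ranges.
SAMPLE = [
    '[06/Jul/2025:01:21:48 +1000] "POST /user/index.php?module=filemanager&acc=findFiles HTTP/1.0" 403 199',
    '192.0.2.10 - - [06/Jul/2025:01:22:03 +1000] "POST /user/index.php?module=filemanager&acc=findFiles HTTP/1.0" 403 199',
    '198.51.100.7 - - [06/Jul/2025:02:10:11 +1000] "POST /user/index.php?module=filemanager&acc=findFiles HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Jul/2025:02:11:00 +1000] "GET /index.html HTTP/1.1" 200 4096',
    'not a log line',
]

if __name__ == "__main__":
    tally, not_rejected = summarize(SAMPLE)
    for key, n in sorted(tally.items()):
        print(n, *key)
    for h in not_rejected:
        print("not rejected:", h["prefix"] or "(no client field)", h["ts"], h["status"])
```

Regular customers who use the web file manager produce the same requests, so a hit is a starting point for review, not a verdict.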
24
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by Doridian on July 09, 2025, 02:11:38 AM »
Quote: Firstly, I didn't say delete, I said rename a single file that inconveniences your users slightly...
Quote: But you did say delete, quoted twice in the previous posts on this thread. I call that dubious advice, as with removing the .php extension -- which won't neuter it -- a file containing PHP code can still be run by a php interpreter.
Yes, but the loader of CWP will not find the file, and therefore not load it. That is what matters here. The file is being loaded by the index.php in some way, and if it is renamed, that won't happen.
Also the file is literally part of the CWP distribution, so even if you delete it and want it back, it isn't like it is hand written custom code. It takes 5 minutes to get back at the most.
People like you really make me think twice about trying to help others out. Talking with such utmost confidence of things you obviously haven't tried.
25
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by overseer on July 09, 2025, 01:28:21 AM »
Quote: Firstly, I didn't say delete, I said rename a single file that inconveniences your users slightly...
But you did say delete, quoted twice in the previous posts on this thread. I call that dubious advice, as with removing the .php extension -- which won't neuter it -- a file containing PHP code can still be run by a php interpreter.
26
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by Doridian on July 09, 2025, 12:51:45 AM »
Quote: You want to delete /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php (or rename it to like filemanager.php.disabled, make sure it no longer has .php extension at the end)
Quote: For now, however, I would like to repeat: Make sure no one can access your filemanager by deleting the file /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php (or renaming it to filemanager.php.disabled).
Exactly, delete OR rename. I don't see your point.
27
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by overseer on July 08, 2025, 11:55:16 PM »
Quote: You want to delete /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php (or rename it to like filemanager.php.disabled, make sure it no longer has .php extension at the end)
Quote: For now, however, I would like to repeat: Make sure no one can access your filemanager by deleting the file /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php (or renaming it to filemanager.php.disabled).
28
PHP / Re: FYI - ionCube Release new loaders 13.3.0
« Last post by Starburst on July 08, 2025, 11:03:25 PM »
The current version of the ionCube Loaders is current at 14.4.1.
And yes, it's better to be safe than sorry.
29
Mod_Security / ModSecurity updated to 2.9.11
« Last post by Starburst on July 08, 2025, 11:01:47 PM »
If you already have updated your ModSecurity from the stock 2.9.1, to e.g. 2.9.8, this article will show you how to update to 2.9.11.
And if you want, there is also a script you can download & run.
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-modsecurity-to-2-9-11-running-cwp-and-apache-on-almalinux-8-9/
30
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by Doridian on July 08, 2025, 10:51:12 PM »
Quote: Might need some more street cred here than just the 4 posts on this thread before people listen to the advice and go deleting (!) their filemanagers... A Chicken Little response doesn't usually end up well.
Quote: But, the file manager always has struck me as a sore thumb, bolted on to CWP -- and it looks to be an implementation of the Vue library, with treeVue and other JS integrated. Probably overdue for some attention & modernization. It hasn't changed much at all over the last 5+ years. Probably plenty of fleas...
Firstly, I didn't say delete, I said rename a single file that inconveniences your users slightly (they now have to use SFTP or FTP to change files, rather than a WebUI), not a core feature of CWP in the first place. You could always install a WebFTP plugin to temporarily stopgap the functionality, too.
Further, I can't force people to listen, nor do I intend to try. I'm doing my best to keep people safe. And, as stated, am willing to prove the exploit is real if that helps people feel better about it (without giving it away of course, since not wanting it to spread).
What people do with the information I provide is up to them.
Lastly, I have gotten a response from CWP support they'll have a developer look at my report, so let's hope something good comes out of that before more people get their websites turned into malware.