61
CentOS 8 Problems / Re: PHP compiling fails, strange ld / ldconfig behaviour?
« Last post by crouso on July 09, 2025, 07:54:27 PM »Thank you for your reply.
What is your end goal? Which mode are you going to use -- PHP switcher, suPHP, or php-fpm? Which versions of PHP would you like to have? Each case is a bit different.
PHP switcher also did not work correctly, I tried it, same error messages in logfile regarding bz2... seems I am stuck at 7.4.33?
My end goal/s would be to (depends on solution/s)
- keep PHP 7.4.33 for compatibility issues as "base version"
- be able to compile (php >8.2 needed) other versions with php selector
- and maybe php-fpm selector too
Or a way how I can add alternate php versions manually?
62
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by frussane on July 09, 2025, 06:08:50 PM »Also just to confirm, I am indeed using AlmaLinux 8.10 (Cerulean Leopard)
63
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by frussane on July 09, 2025, 05:01:06 PM »I noticed I had 3 users in /home/jail/ possibly from jailkit. But I never actually made any configs about this, so 3 of my users are using it, and the others aren't. That's just something odd but probably unrelated.
About the hidden files, just deleted them, thanks!
I had first renamed /tmp to /tmp_inf and created a new /tmp but that broke my websites' sessions.
I will try to help as I can, I only have medium server experience!
I've noticed some executables and scripts being created and hidden inside wordpress folders, I've cleared them but if more appear I'll share here the names and contents.
64
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by kandalf on July 09, 2025, 04:51:08 PM »I had the same problem, was going crazy, thinking it was a wordpress vulnerability, then started seeing processes from one user trying to access other users. This made me notice only 3 of my users are in jail and others aren't, no idea why this behaviour by CWP.
I've run:
find / -type f \( -name "defauit.php" -o -name "nbpafebaef.jpg" \) -exec rm -f {} + 2>/dev/null
to delete these 2 files.
I've also renamed filemanager.php
Could anyone provide more insight on what more steps should be done to make sure it's clean?
What do you mean by “my users are in jail”?
Also, make sure to delete two hidden files that may have been used in the attack. They were found in /tmp on my compromised servers:
• .tmp_baf
• .auto_monitor
These files are part of the script that spreads the malicious payload across all user accounts.
Let us know if you find anything else suspicious, we’re trying to understand the full scope of this breach.
65
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by frussane on July 09, 2025, 04:44:59 PM »I had the same problem, was going crazy, thinking it was a wordpress vulnerability, then started seeing processes from one user trying to access other users. This made me notice only 3 of my users are in jail and others aren't, no idea why this behaviour by CWP.
I've run:
find / -type f \( -name "defauit.php" -o -name "nbpafebaef.jpg" \) -exec rm -f {} + 2>/dev/null
to delete these 2 files.
I've also renamed filemanager.php
Could anyone provide more insight on what more steps should be done to make sure it's clean?
66
Backup / Re: Can't locate diagnostics.pm in @INC (you may need to install th....
« Last post by overseer on July 09, 2025, 03:06:01 PM »Maybe Starburst should answer since his production servers are AL9 -- I run my production servers under AL8 currently and only have a couple of test beds for AL9.
67
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by kandalf on July 09, 2025, 02:48:12 PM »Funny, this started as an information sharing thread but then devolved from there -- getting into sour personal attacks. I'm sorry I ever touched this tar baby. My point was, I can appreciate your report and will keep it on the radar because I see that you have a history here and contribute in a meaningful way. But when someone brand new comes on the scene trotting out security buzzwords and offering dubious advice about deleting the filemanager (instead of mitigating the attack vector in a non-destructive way)... well, take that for what it is. I'll go back to monitoring my servers now.
(Both security disclosures you linked to claim the CWP devs have patched the flaw, and both indicated it was against CentOS 7 -- so it bears monitoring but not hyperventilating.)
That’s not accurate. The problem isn’t limited to CentOS 7 — it also affects AlmaLinux 8. The vulnerability lies in filemanager.php, which is written in PHP and is identical across all supported OSes. What changes between CentOS and AlmaLinux is the system environment, not the CWP PHP panel code.
All six of my servers run AlmaLinux 8, and three were compromised due to this exact issue.
I don’t know Doridian personally, but his suggested solution is a good temporary mitigation. Renaming or removing filemanager.php is low-risk, and CWP will restore it once an official patch is released. I’ve renamed it on all my servers, it’s a simple step to reduce exposure.
This is a critical vulnerability, and it is not fixed in the current version, despite what the articles say.
You can check if your server might have been affected by running:
find /home -type f -name "defauit.php" 2>/dev/null
That file (defauit.php with an “i”) appeared across all compromised accounts on my affected servers.
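An added example, not code from any poster in this thread: a POSIX shell sweep for the indicators named in the posts above (defauit.php and nbpafebaef.jpg under the web roots, .tmp_baf and .auto_monitor under /tmp) that reports the files and moves them into a quarantine directory with a checksum manifest rather than running rm -f across /, so the evidence stays available for investigation. The function names and the quarantine directory are assumptions; the file names and paths are those reported in the thread.

```shell
# Added example (not from the thread). Reports the indicators the posters
# named and quarantines them with a manifest instead of deleting them, so
# the files stay available for investigation. Function names and the
# quarantine directory are assumptions; the file names come from the thread.

# scan_cwp_iocs ROOT [TMPDIR]: print one path per line for every indicator
# found below ROOT (e.g. /home) and for the hidden helpers under TMPDIR.
scan_cwp_iocs() {
    root="$1"
    tmpdir="${2:-/tmp}"
    # Web-root drops reported across the compromised accounts
    find "$root" -type f \( -name "defauit.php" -o -name "nbpafebaef.jpg" \) \
        -print 2>/dev/null
    # Hidden files reported in /tmp as part of the spreading script
    for f in .tmp_baf .auto_monitor; do
        [ -e "$tmpdir/$f" ] && printf '%s\n' "$tmpdir/$f"
    done
    return 0
}

# quarantine_cwp_iocs ROOT TMPDIR QDIR: move each reported file under QDIR,
# keeping its original path, and append "checksum<TAB>ls -ld line" to
# QDIR/manifest.txt so owner, mtime and content can be examined later.
quarantine_cwp_iocs() {
    root="$1"
    tmpdir="$2"
    qdir="$3"
    mkdir -p "$qdir"
    scan_cwp_iocs "$root" "$tmpdir" | while IFS= read -r path; do
        dest="$qdir/$path"                 # absolute path nests below QDIR
        mkdir -p "$(dirname "$dest")"
        sum=$(cksum "$path" | awk '{print $1}')
        printf '%s\t%s\n' "$sum" "$(ls -ld "$path")" >> "$qdir/manifest.txt"
        mv "$path" "$dest"
    done
}

# Typical run on a CWP host (paths from the thread):
#   scan_cwp_iocs /home /tmp
#   quarantine_cwp_iocs /home /tmp /root/ioc-quarantine
```

Review the manifest and the quarantined copies before deciding anything is clean; a file with the reported name but different content still deserves a look.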
68
Backup / Re: Can't locate diagnostics.pm in @INC (you may need to install th....
« Last post by venty on July 09, 2025, 02:19:39 PM »See Starburst's post here to see his prerequisites on AL9 before installing CWP:
https://forum.centos-webpanel.com/csf-firewall/possible-fix-to-why-csflfd-isn-t-installing/msg51087/#msg51087
Hi,
above under the link in the quote, and here:
https://forum.centos-webpanel.com/installation/server-under-al9/msg50121/#msg50121
in Reply #1 on: January 28, 2025, 01:57:01 AM
the main steps for installing AL 9 and CWP are listed...
My situation is the following - on my server the provider has already installed AL 9.5 and CWP (only this...), what should I do and which code should I execute from your instructions above?
Thanks in advance!
BR
Venty
69
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by overseer on July 09, 2025, 12:29:06 PM »Funny, this started as an information sharing thread but then devolved from there -- getting into sour personal attacks. I'm sorry I ever touched this tar baby. My point was, I can appreciate your report and will keep it on the radar because I see that you have a history here and contribute in a meaningful way. But when someone brand new comes on the scene trotting out security buzzwords and offering dubious advice about deleting the filemanager (instead of mitigating the attack vector in a non-destructive way)... well, take that for what it is. I'll go back to monitoring my servers now.
(Both security disclosures you linked to claim the CWP devs have patched the flaw, and both indicated it was against CentOS 7 -- so it bears monitoring but not hyperventilating.)
70
CentOS 8 Problems / Re: PHP compiling fails, strange ld / ldconfig behaviour?
« Last post by overseer on July 09, 2025, 12:20:11 PM »What is your end goal? Which mode are you going to use -- PHP switcher, suPHP, or php-fpm? Which versions of PHP would you like to have? Each case is a bit different.