Recent Posts
81
Information / Re: Is CWP still maintained?
« Last post by Starburst on October 09, 2025, 12:17:54 PM »Again, the PHP Injection Attack, had nothing to do with CWP.
But happened to older servers that where not updated and their PHP hardened.
PHP Injection Attacks are common by script kiddies. And just don't happen to CWP.
GoDaddy's servers are constantly getting hacked, which are using Amazon AWS. lol
There are several articles out there on has to secure you php.ini config.
That is NOT true.
The issue WAS a vulnerability in CWP. Is NOT fault from the users.
https://fenrisk.com/rce-centos-webpanel
https://gbhackers.com/centos-web-panel-vulnerability/
So not, wasn't the users fault. it WAS a vulnerabilty in CWP.
Yes, but other control panels HAD this problem also, even Chrome did...
As did cPanel:
https://sploitus.com/exploit?id=948E719F-C0C9-518E-969F-C65D0D6FBE65
https://www.reddit.com/r/webhosting/comments/1d1jg3v/help_hacker_keeps_injecting_code_into_my_cpanel/
https://medium.com/@anonymousshetty2003/sql-injection-vulnerability-on-a-security-awareness-website-from-database-dump-to-cpanel-access-4bb3645eef07
https://stackoverflow.com/questions/550879/php-injection-attack-how-to-best-clean-up-the-mess
Look at gbhackers, they list all the vulnerabilities with PHP: https://gbhackers.com/multiple-php-vulnerabilities/
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=30062
aaPanel even had the same issue:
https://fenrisk.com/rce-aapanel
PHP even has a comment about it:
https://www.php.net/manual/en/mongodb.security.request_injection.php
Even Chrome had been affected...
https://gbhackers.com/technical-details-and-exploit-released-for-chrome-flaw/
https://cybersecuritynews.com/10-year-old-roundcube-rce-vulnerability/
post-authenticated remote code execution vulnerability that exploits PHP object deserialization.
I could continue on, but don't blame CWP, when they where clearly not the only one who had this.
But systems that has proper PHP security hardening survived the attacks.
Our ModSecurity systems caught the PHP Injection Attacks as well, and blocked them.
No system is 100%, but this was NOT a CWP bug, but rather a PHP common code vulnerability that affect ALL system running PHP.
82
Information / Re: Is CWP still maintained?
« Last post by djprmf on October 09, 2025, 12:00:33 PM »@Starburst You are going offtopic - that is not the point here. I stated that in the previous message exactly to reinforce the point.
The fact that you are providing KB articles, and NOT the CWP team, is the problem here. You are NOT the CWP team...
And you left back the questions: you KNOW what changed in the updates? Do you know anything that is made in every update?
I see that you provided false information in the CWP exploit topic, stating that it wasn't a CWP exploit.... when it was.
This alone shows how little comunication is made from the team.... is a random member in the forum that is providing the information without any "official" knowledge of what is happening.
Is great that you are trying to help anyone around here, and great if you have the back for that as a sysadmin... but you are NOT the CWP team and cannot make sentences for them about the control panel, because is NOT your own creation/development.
The fact that you are providing KB articles, and NOT the CWP team, is the problem here. You are NOT the CWP team...
And you left back the questions: you KNOW what changed in the updates? Do you know anything that is made in every update?
I see that you provided false information in the CWP exploit topic, stating that it wasn't a CWP exploit.... when it was.
This alone shows how little comunication is made from the team.... is a random member in the forum that is providing the information without any "official" knowledge of what is happening.
Is great that you are trying to help anyone around here, and great if you have the back for that as a sysadmin... but you are NOT the CWP team and cannot make sentences for them about the control panel, because is NOT your own creation/development.
83
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by djprmf on October 09, 2025, 11:56:00 AM »It can vary from installation to installation.
In some, the backdoor stays dormant in the server, waiting to be "activated" - the file placed first is just a exploit, to create the webshell file if access with a POST request and specific queries. If the request is done, the file "defaiult.php" is created, and that is the real webshell file.
After that, anything can be changed realy. I notice some plugins changed, and theme files. Also there is a mu-plugin that is created to the redirect.
Of course, data in the BD and other details, like the WordPress configuration file, are also changed/access. If you have any password or WordPress salt in there, change them. But at this point, the installation in your server should NOT be considered safe.
You can still use it... but at your own risk.
In some, the backdoor stays dormant in the server, waiting to be "activated" - the file placed first is just a exploit, to create the webshell file if access with a POST request and specific queries. If the request is done, the file "defaiult.php" is created, and that is the real webshell file.
After that, anything can be changed realy. I notice some plugins changed, and theme files. Also there is a mu-plugin that is created to the redirect.
Of course, data in the BD and other details, like the WordPress configuration file, are also changed/access. If you have any password or WordPress salt in there, change them. But at this point, the installation in your server should NOT be considered safe.
You can still use it... but at your own risk.
84
Information / Re: Is CWP still maintained?
« Last post by Starburst on October 09, 2025, 11:49:51 AM »
@Starburst
And even more, your guides can help... but do we know you? Who are you exactly?
You are providing guides to make critical changes in our systems, that some people without knowledge follow... and yes, the could work. But your guides provide your own mirrors, with your own code in the mix.
How do we know that we can trust you and your code?
Some people will follow your guides, without knowing what are they doing.
And you can be a great person, don't get me wrong. You appear to be here to help... but we are in the internet....
I look at your guides, and they are ok - but i would be worry to use code that is in a unknown mirrror. Would be better if CWP team provide those instead? Yes, it will, because at least CWP we know...
I am a very old and warped SysOp.
Our servers have been running CWP since 2019.
We are also a large mirror provider for ELRepo. So if you use that repo, you probably connect to one of our servers around the globe.
As well as a mirror in England for MariaDB.
Which also gave use the unique ability to do what we did for CSF.
Any 'code' we offer is in plain English to say, and you can see exactly what it is doing.
Also any feedback is welcome to make our guides better, as we aim to be more than 'OK'.
As any company the KB has article we used allot, and there are some that are not public, since those usually very company to company with specific settings.
85
Installation / Re: Can't get CWPpro to activate
« Last post by Starburst on October 09, 2025, 11:26:51 AM »Is your server behind a NAT (aka internal IP)?
86
Installation / Re: Can't get CWPpro to activate
« Last post by overseer on October 09, 2025, 10:47:16 AM »Is your server properly addressed and resolving on the net? IPv4 and IPv6?
Code: [Select]
ip aCan you ping other hosts from the server? Do you have essential service ports open on the CSF firewall?87
Installation / Re: Can't get CWPpro to activate
« Last post by erolyil on October 09, 2025, 07:46:55 AM »Hi, I have the same issue and when I ran the update I got the the below response and no more progress. How can I solve it?
######################
Update Server Packages
######################
PHP Warning: file_get_contents(): php_network_getaddresses: getaddrinfo failed: Name or service not known in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php on line 0
PHP Warning: file_get_contents(http://centos-webpanel.com/webpanel/versions/el7.txt): failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php on line 0
PHP Notice: Undefined offset:1 in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php on line 0
######################
Update Server Packages
######################
PHP Warning: file_get_contents(): php_network_getaddresses: getaddrinfo failed: Name or service not known in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php on line 0
PHP Warning: file_get_contents(http://centos-webpanel.com/webpanel/versions/el7.txt): failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php on line 0
PHP Notice: Undefined offset:1 in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php on line 0
88
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by pedromidiasf on October 08, 2025, 07:46:35 PM »Do you know which wordpress files got infected?
89
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by djprmf on October 08, 2025, 06:55:34 PM »
As far as I could see, this attack was only able to compromise non-sudo accounts. Through trial and error (using combinations of domains related to the server), the attacker only needed to find one valid user. Once that happened, he was able to discover other usernames to exploit additional non-sudo accounts.
The file dropped in the directory was a web shell. The attacker indeed have interest in change the webpages to a pseudo store, but with the webshell, he can have access to any account in the server, and any file on it - including the way of change any system file or configuration.
Yes, the exploit starts with a non-sudo user, but can change any other file on the system. If that happend or not... is complicated to know.
In the worst-case scenario, the attacker was able to explore the server in read-only mode — likely dumping databases, backup files, SQL user credentials, and so on, across the entire system.
Non-sudo accounts should not have read access across the whole system, even the /etc/shadow file is readable with them.
Write access was only possible within the affected users’ home directories, including the /tmp directory.
With the webshell, you can have full access to the system, unless you have some way of mitigate that - like Cloudlinux does. They have a virtual filesystem to every users, so even if the website is exploited with a webshell, the attacker can only see the virtual root filesystem, not the actual system.
CWP doesn't have that. With a webshell, they can see and edit or send any command to the server.
If you use the CWPSecure kernel, i don't know if they have that protection. But i bet most of the servers don't use that.
Regarding WordPress what happened to your websites? Mine were defaced with a fake drop-shipping-style store, and the results got messed up in Google Search. Usually, these deface hacks are triggered when the referrer is Google, but this one didn’t behave that way. I only discovered it's real face by simulating a Googlebot user agent in my browser.
The wordpress code got so messed up that I can't even find where the infected code is. I'll have to reconfigure a brand new installation.
It looked like this:
https://i.imgur.com/zn6ji93.png
Yes, the exploit appears to be target to wordpress websites. The file that actualy deploys the exploit can be dormant in the system for months, and only activated when the attacker sees it. Is a fake JPG file with PHP code in it.
90
CentOS 7 Problems / Re: Clamav database update blocked by CDN
« Last post by overseer on October 08, 2025, 06:44:01 PM »ELevate is not a recommended upgrade path; you will likely introduce issues into the new system (Sandeep [a CWP dev] advises against it). Better to bring up a new AlmaLinux 8 system and use the CWP Migration module to transfer accounts. That's the route I chose and so I have a fresh system with very little cruft moved over from the old system. Fresh 'n shiny!
https://www.alphagnu.com/topic/578-does-it-possible-to-migrating-from-centos7-to-almalinux9-same-server-without-installing-to-new-server/
https://www.alphagnu.com/topic/578-does-it-possible-to-migrating-from-centos7-to-almalinux9-same-server-without-installing-to-new-server/
