Recent Posts

81

Information / Re: Is CWP still maintained?

« Last post by Starburst on October 09, 2025, 11:49:51 AM »

@Starburst

And even more, your guides can help... but do we know you? Who are you exactly?
You are providing guides to make critical changes in our systems, that some people without knowledge follow... and yes, the could work. But your guides provide your own mirrors, with your own code in the mix.
How do we know that we can trust you and your code?

Some people will follow your guides, without knowing what are they doing.
And you can be a great person, don't get me wrong. You appear to be here to help... but we are in the internet....

I look at your guides, and they are ok - but i would be worry to use code that is in a unknown mirrror. Would be better if CWP team provide those instead? Yes, it will, because at least CWP we know...

I am a very old and warped SysOp. 

Our servers have been running CWP since 2019.
We are also a large mirror provider for ELRepo. So if you use that repo, you probably connect to one of our servers around the globe.
As well as a mirror in England for MariaDB.

Which also gave use the unique ability to do what we did for CSF.

Any 'code' we offer is in plain English to say, and you can see exactly what it is doing.
Also any feedback is welcome to make our guides better, as we aim to be more than 'OK'.

As any company the KB has article we used allot, and there are some that are not public, since those usually very company to company with specific settings.

82

Installation / Re: Can't get CWPpro to activate

« Last post by Starburst on October 09, 2025, 11:26:51 AM »

Is your server behind a NAT (aka internal IP)?

83

Installation / Re: Can't get CWPpro to activate

« Last post by overseer on October 09, 2025, 10:47:16 AM »

Is your server properly addressed and resolving on the net? IPv4 and IPv6?

Code: [Select]

ip aCan you ping other hosts from the server? Do you have essential service ports open on the CSF firewall?

84

Installation / Re: Can't get CWPpro to activate

« Last post by erolyil on October 09, 2025, 07:46:55 AM »

Hi, I have the same issue and when I ran the update I got the the below response and no more progress. How can I solve it?

######################
Update Server Packages
######################
PHP Warning:  file_get_contents(): php_network_getaddresses: getaddrinfo failed: Name or service not known in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php on line 0
PHP Warning:  file_get_contents(http://centos-webpanel.com/webpanel/versions/el7.txt): failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php on line 0
PHP Notice:  Undefined offset:1 in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php on line 0

85

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« Last post by pedromidiasf on October 08, 2025, 07:46:35 PM »

Do you know which wordpress files got infected?

86

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« Last post by djprmf on October 08, 2025, 06:55:34 PM »

As far as I could see, this attack was only able to compromise non-sudo accounts. Through trial and error (using combinations of domains related to the server), the attacker only needed to find one valid user. Once that happened, he was able to discover other usernames to exploit additional non-sudo accounts.

The file dropped in the directory was a web shell. The attacker indeed have interest in change the webpages to a pseudo store, but with the webshell, he can have access to any account in the server, and any file on it - including the way of change any system file or configuration.

Yes, the exploit starts with a non-sudo user, but can change any other file on the system. If that happend or not... is complicated to know.

In the worst-case scenario, the attacker was able to explore the server in read-only mode — likely dumping databases, backup files, SQL user credentials, and so on, across the entire system.
Non-sudo accounts should not have read access across the whole system, even the /etc/shadow file is readable with them.
Write access was only possible within the affected users’ home directories, including the /tmp directory.

With the webshell, you can have full access to the system, unless you have some way of mitigate that - like Cloudlinux does. They have a virtual filesystem to every users, so even if the website is exploited with a webshell, the attacker can only see the virtual root filesystem, not the actual system.

CWP doesn't have that. With a webshell, they can see and edit or send any command to the server.
If you use the CWPSecure kernel, i don't know if they have that protection. But i bet most of the servers don't use that.

Regarding WordPress what happened to your websites? Mine were defaced with a fake drop-shipping-style store, and the results got messed up in Google Search. Usually, these deface hacks are triggered when the referrer is Google, but this one didn’t behave that way. I only discovered it's real face by simulating a Googlebot user agent in my browser.
The wordpress code got so messed up that I can't even find where the infected code is. I'll have to reconfigure a brand new installation.

It looked like this:
https://i.imgur.com/zn6ji93.png

Yes, the exploit appears to be target to wordpress websites. The file that actualy deploys the exploit can be dormant in the system for months, and only activated when the attacker sees it. Is a fake JPG file with PHP code in it.

87

CentOS 7 Problems / Re: Clamav database update blocked by CDN

« Last post by overseer on October 08, 2025, 06:44:01 PM »

ELevate is not a recommended upgrade path; you will likely introduce issues into the new system (Sandeep [a CWP dev] advises against it). Better to bring up a new AlmaLinux 8 system and use the CWP Migration module to transfer accounts. That's the route I chose and so I have a fresh system with very little cruft moved over from the old system. Fresh 'n shiny!
https://www.alphagnu.com/topic/578-does-it-possible-to-migrating-from-centos7-to-almalinux9-same-server-without-installing-to-new-server/

88

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« Last post by pedromidiasf on October 08, 2025, 06:35:05 PM »

So, if you are still in a server that have been compromised, there is no way around to know what have been done. Remove the files can be suficient, sure. But you don't know if anything else was compromised.

As far as I could see, this attack was only able to compromise non-sudo accounts. Through trial and error (using combinations of domains related to the server), the attacker only needed to find one valid user. Once that happened, he was able to discover other usernames to exploit additional non-sudo accounts.

In the worst-case scenario, the attacker was able to explore the server in read-only mode — likely dumping databases, backup files, SQL user credentials, and so on, across the entire system.
Non-sudo accounts should not have read access across the whole system, even the /etc/shadow file is readable with them.
Write access was only possible within the affected users’ home directories, including the /tmp directory.

Regarding WordPress what happened to your websites? Mine were defaced with a fake drop-shipping-style store, and the results got messed up in Google Search. Usually, these deface hacks are triggered when the referrer is Google, but this one didn’t behave that way. I only discovered it's real face by simulating a Googlebot user agent in my browser.
The wordpress code got so messed up that I can't even find where the infected code is. I'll have to reconfigure a brand new installation.

It looked like this:
https://i.imgur.com/zn6ji93.png

89

CentOS 7 Problems / Re: Clamav database update blocked by CDN

« Last post by Painkiller88 on October 08, 2025, 04:06:37 PM »

AL9 shows the same 1.4.3 version as AL8:

Code: [Select]

# clamd --version
ClamAV 1.4.3/27778/Tue Sep 30 08:29:52 2025
And @oversser is correct, there are No, None, Zilch, Zero, Nadda more updates for CentOS 7 since it's past EOL, and has been moved to the archive vault.

You need to update the server to AL8, if you want updates.

Ok thanks, yes i wanted to switch over to AL8 using this Elevate script but never did it till now.

I think it is really time to do it, i was worried if everything will work but now as a lot time passed by and you said it is working flawless i think it is the time to update.

Thanks a lot

90

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« Last post by djprmf on October 08, 2025, 02:48:13 PM »

Since this WAS a vulnerability in CWP, there is no point in considered that if a server was affected, there is no backdoor still installed.

The report is here: https://fenrisk.com/rce-centos-webpanel

So, if you are still in a server that have been compromised, there is no way around to know what have been done. Remove the files can be suficient, sure. But you don't know if anything else was compromised.

The information that this is a fault from PHP, WordPress or some script in the user server are not true. If you see the files stated in the first message in your accounts, your server was exploited due to the CWP vulnerability.

Also: we are still waiting for any information related to this by the CWP team.