After updating to **CWP 0.9.8.1239**, a new script was deployed at:
`/usr/local/cwpsrv/htdocs/resources/scripts/temp_hacker_check`
I believe this script is responsible for an issue that several users have reported.
The script automatically removes MySQL users based on rules that assume they are suspicious, for example:
* Users with `Host='%'` (remote access).
* Users with names such as `app`, `admin`, `sys`, `dbadmin`, etc.
While these checks may be useful on a server that has already been compromised, they are **not appropriate for many production environments**. It is very common for applications and hosting servers to legitimately use accounts like:
```sql
'app'@'%'
'api'@'%'
'admin'@'%'
```
The script executes `DROP USER` on these accounts, which breaks applications because the MySQL users are deleted.
This happened to me again today after the update. To verify my suspicion, I have **temporarily removed the `temp_hacker_check` script** from the server. I want to see if the issue stops occurring, but at this point I'm **99% confident that this script is the cause**, since its behavior matches exactly what I'm experiencing.
If anyone else is seeing MySQL users with `Host='%'` or users named `app`, `admin`, etc. disappearing after the update, please check whether this script is running on your server as well.
I think this script should either:
* avoid deleting legitimate MySQL users by default,
* use a whitelist,
* or make this behavior optional instead of automatically dropping database users.