Author Topic: update 0.9.8.1239 remove all users database + postfix acc  (Read 248 times)

0 Members and 2 Guests are viewing this topic.

Offline
*
update 0.9.8.1239 remove all users database + postfix acc
« on: July 01, 2026, 02:42:43 PM »
After this update, all my nodejs applications was down and i've some erros on my cwp

Warning: mysqli_connect(): (HY000/1045): Access denied for user 'postfix'@'localhost' (using password: YES) in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php on line 0 Warning: mysqli_connect(): (HY000/1045): Access denied for user 'postfix'@'localhost' (using password: YES) in /usr/local/cwpsrv/htdocs/admin/admin/index.php on line 0

when i check with ssh terminal on my mysql, the user postfix was removed.

after, i created and restart all services was fixed

But, i check my mysql manager, and see.... All users from my database are removed

I created all users and grant access, and all apps works

if you're having this problem, i can fix making this

Offline
*****
Re: update 0.9.8.1239 remove all users database + postfix acc
« Reply #1 on: July 01, 2026, 03:09:30 PM »
All users (including postfix) are intact on my servers after the update.
Do you backup your MySQL (MariaDB) DB regularly?

Offline
*
Re: update 0.9.8.1239 remove all users database + postfix acc
« Reply #2 on: July 01, 2026, 03:14:36 PM »
Yes, i've dayli backups activated

I've two cwp servers, and have some problem in any

CWP A: postfix user removed + all database user removed (with same password) + all nodejs apps by node manager down
CWP B: all database user removed (with same password) + all nodejs apps by node manager down


Offline
*****
Re: update 0.9.8.1239 remove all users database + postfix acc
« Reply #3 on: July 01, 2026, 10:51:39 PM »
Thanks for the minor heart attack when I saw these 2 threads today.

Checked all of our servers and all the users and system accounts are still there.

Offline
*****
Re: update 0.9.8.1239 remove all users database + postfix acc
« Reply #4 on: July 02, 2026, 12:01:44 AM »
Of course I'm tracking the reports of an issue like this. All my servers are working fine, as is another one I am working on for someone else. All are running AlmaLinux 8 with no issues related to this to report.

Offline
*
Re: update 0.9.8.1239 remove all users database + postfix acc
« Reply #5 on: July 02, 2026, 01:38:17 AM »
Some of my clients having the same issue. The privilege users are gone and need to be readd.

Offline
*
Re: update 0.9.8.1239 remove all users database + postfix acc
« Reply #6 on: July 02, 2026, 09:17:03 PM »
After updating to **CWP 0.9.8.1239**, a new script was deployed at:

`/usr/local/cwpsrv/htdocs/resources/scripts/temp_hacker_check`

I believe this script is responsible for an issue that several users have reported.

The script automatically removes MySQL users based on rules that assume they are suspicious, for example:

* Users with `Host='%'` (remote access).
* Users with names such as `app`, `admin`, `sys`, `dbadmin`, etc.

While these checks may be useful on a server that has already been compromised, they are **not appropriate for many production environments**. It is very common for applications and hosting servers to legitimately use accounts like:

```sql
'app'@'%'
'api'@'%'
'admin'@'%'
```

The script executes `DROP USER` on these accounts, which breaks applications because the MySQL users are deleted.

This happened to me again today after the update. To verify my suspicion, I have **temporarily removed the `temp_hacker_check` script** from the server. I want to see if the issue stops occurring, but at this point I'm **99% confident that this script is the cause**, since its behavior matches exactly what I'm experiencing.

If anyone else is seeing MySQL users with `Host='%'` or users named `app`, `admin`, etc. disappearing after the update, please check whether this script is running on your server as well.

I think this script should either:

* avoid deleting legitimate MySQL users by default,
* use a whitelist,
* or make this behavior optional instead of automatically dropping database users.