Hello,
The main symptoms are:
- `eval(base64_decode( ...` - in index files. This infection most likely redirects users to various websites from the mobile version, sends all user session information to third parties, and so on.
- Creates `/var/lib/mysql/.ssh` with keys and, accordingly, gives the mysql user a /bin/bash shell in passwd
- Adds a malicious script to the directory `/tmp/.cwp_script.sh`
- Creates users with random-letter names or similar ones, such as __user, user__, login, imunify. Check them: there is a .ssh directory inside.
- Creates SSH keys in the root directory: `~/.ssh/authorized_keys`
That's what I've noticed.
___
How can this be addressed?
The source of the problem is most likely an outdated version of Roundcube. This issue is described in `CVE-2025-49113`:
https://censys.com/advisory/cve-2025-49113/
This issue occurs on systems running outdated operating systems, such as CentOS 7.
I have created a script that performs the following actions:
- Pre-configuration: Interactively prompts whether to install ImunifyAV, change the SSH port, and generate a new secure password for root.
- Backdoor cleanup: Checks for malicious files in `/var/lib/mysql/.ssh` and `/tmp/.cwp_script.sh` (deletes them) and displays the date of the last modification of the root SSH keys (authorized_keys).
- Panel and Mail Updates: Installs the latest version from the 1.5.x branch.
- Network protection (CSF): Closes vulnerable CWP ports (2030, 2031, 2082, 2083, 2086, 2087, 2095, 2096) and configures a new SSH port.
Important for working with the client: Since the control panel ports are closed to everyone, be sure to ask the client to provide their IP address so it can be added to the whitelist.
```
Please provide your IP address so we can add it to the firewall whitelist.
You can find your IP address at:
https://2ip.io
```
- Service audit: Restarts the necessary services and displays a list of those that failed to start using `systemctl --failed`.
- Antivirus protection: Installs ImunifyAV with the user’s consent, generates an access configuration, and automatically enables background scanning of the /home directory.
- Report generation: At the end, it outputs a ready-to-use, formatted text with new access rules and a list of tasks that can be easily copied to the client.
Backups and logging:
The script modifies the firewall configuration, so a backup is saved in `/etc/csf/csf.conf.bak.<year_month_day_time>`.
The entire process and the output of the update commands are logged in: `/var/log/cwp_maintenance.log`.
You can download and use the script with the following command:
`bash -c "$(curl -fsSL https://gist.githubusercontent.com/ISWAPPP/be2407dd7424d04ac3f8b2be046df221/raw/6166abc7b3a26529a93631202f6aead65f7335cf/cwp-cracked-en.sh)"`
VirusTotal:
https://www.virustotal.com/gui/url-analysis/u-6d4cf1899e7680e39a949576d464ae4f482c0e861f6a800d6ec23f20d95a12f0-1ecad511
Next, run `grep -liR 'eval(base64_decode('` in the websites directory to clean up the aftermath of the hacks.
Please let me know if you have any additional details or would like to improve the script.
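A read-only audit for the indicators listed in this post, added here as an example (it is not the author's script and not part of CWP). It assumes a CWP-style layout with sites under /home, and takes the filesystem root as an argument so it can be run against a mounted backup or a test tree; it deletes nothing and only reports.

```shell
#!/bin/sh
# Added example, not the author's script. Read-only audit for the indicators
# listed in the post; ROOT (default /) can point at an offline copy of the
# filesystem or a test tree. Nothing is deleted: findings are printed for the
# operator to verify, and the return code is the number of findings.
cwp_ioc_audit() {
    root="${1:-/}"
    root="${root%/}"
    findings=0

    # 1. Hidden .ssh directory in the MySQL data directory (key-based access as mysql)
    if [ -d "$root/var/lib/mysql/.ssh" ]; then
        echo "FINDING: $root/var/lib/mysql/.ssh exists"
        findings=$((findings + 1))
    fi

    # 2. Dropped helper script in /tmp
    if [ -e "$root/tmp/.cwp_script.sh" ]; then
        echo "FINDING: $root/tmp/.cwp_script.sh exists"
        findings=$((findings + 1))
    fi

    # 3. The mysql service account must not have an interactive shell
    if grep -Eq '^mysql:.*:/bin/(ba)?sh$' "$root/etc/passwd" 2>/dev/null; then
        echo "FINDING: mysql account has an interactive shell in /etc/passwd"
        findings=$((findings + 1))
    fi

    # 4. authorized_keys of root and of every home directory, shown with their
    #    mtime so the operator can compare against known provisioning dates
    for keyfile in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$keyfile" ] && echo "REVIEW: $(ls -ld "$keyfile")"
    done

    # 5. Obfuscated PHP loaders in web content (the post's grep, with straight quotes)
    hits=$(grep -liR 'eval(base64_decode(' "$root/home" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/FINDING: eval(base64_decode( in /'
        findings=$((findings + $(echo "$hits" | wc -l)))
    fi

    echo "total findings: $findings"
    return "$findings"   # exit status is the finding count (mod 256)
}
```

Run it as `cwp_ioc_audit /` on the live host or `cwp_ioc_audit /mnt/backup` on a mounted image; a non-zero exit status means something was found and needs a human look.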