1
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 26, 2025, 09:44:01 AM »
I'm not sure if the File Manager issue is resolved with the update because my server was recently hacked. Or it was hacked a while ago, but the hacker only acted now, because it only affected traffic to the sites I have on the VPS two weeks ago, and it only affected the .htaccess file since October 17th.
I've been closely monitoring the VPS since the 18th, and apparently nothing strange has happened again. However, I warn you that WordPress websites, in particular, have contaminated files. That is, in addition to new files, they also modify WordPress system files, and the only solution is deleting and restoring a backup.
Also, on WordPress websites, users appeared in the database that were not visible in the WordPress user manager. You need to remove them via PHPMyAdmin.
The hacker modified the robots.txt and .htaccess files to direct traffic to an online store.
I recommend everyone try a Google search for "site:yourdomain.tld" to check for abnormal results or redirects.
I recommend restoring backups of everything in the public_html folder because if any file is infected, the malicious files will reappear.
Configure your vhosts (or add an .htaccess configuration to your websites).
If you don't need them, disable these PHP functions:
Command execution: exec, system, passthru, shell_exec, proc_open, popen, pcntl_exec
File and folder permissions: chmod, chown, chgrp
Date time manipulation of files: touch
Code evaluation: eval, create_function, assert
Make sure that in your php.ini you have this configuration:
allow_url_include = Off
Then change your file permissions so no one can change the content. Only allow file changes in upload folders and don't allow them to execute files.
At the moment, your vulnerabilities are just within PHP.
2
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 22, 2025, 09:32:10 PM »
Maybe someone could decode filemanager.php and apply a fix by adding a check for PHP sessions.
I read that filemanager.php is already patched. If necessary, disable the client panel ports (2083 and 2082) on the firewall, then restart it to apply the changes.
Logged as admin, you will still be able to access these ports (firewall will whitelist your IP address). Ask a friend to test the URL to see if he gets timed out.
3
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 22, 2025, 06:57:33 PM »
Thank you all. I found defauit.php date stamp on JUL 05, 2025
Every file has a different date stamp. Those files were touched to a date and time close to the neighboring files', so that date stamp is not the right one. Don't mind searching for time and date, it won't do anything.
Those IP addresses are the same as mine. So, same hacker.
'nbpafebaef.jpg'
'.auto_monitor'
Where were these files present? Do you still know?
4
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 22, 2025, 06:38:44 PM »
Then follow the messages sent by @pedromidiasf and me at page 5 to page 7. You will see the names of the malicious files dropped by attackers.
What exploiters are capable of is equal to filemanager at the start and this might not seem worrying. But then they take full advantage of PHP so if they want to remove whole of your files, they can and they can redirect your visitors to other websites.
If I was the one who's using this exploit I could convert this to a DDoS tool by redirecting every visitor to the website that I want to cause DoS. So, there is no limit, they can do anything they want and every IT admin should take this seriously.
That's right. And it could even be used as a VPN or proxy, cryptojacking, and so on. This exploit is fully capable of exploiting the server in PHP code (limited to the user's privileges [non sudo] and PHP resources).
I haven't formatted the server (only sanitized the public_html folders) and I didn't find anything ever since. Hope it keeps itself as it is.
I might be wrong (and I hope not), but the hacker with full control would delete log files (or entries) clear shell histories, create privileged sudo accounts and add their public SSH keys, schedule tasks and so on. And none of those were implemented. On the other hand, public_html folders were invaded with trash.
(Just a guess) Oh, be aware that the MySQL root password might have been dumped. I've created some modules before and that password is stored as a variable that goes inside the panel system. So if the plain text password is there, it might be stored somewhere else. I've disabled phpMyAdmin on my server in order to secure it.
I've implemented some more secure measures, I'll leave it here when I get some free time.
5
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 22, 2025, 06:29:44 PM »
Quote
This is not obfuscated code. This is ASCII equal to <form method="post".
That's exactly how obfuscation works.

Quote
Attacker uses this pattern in many backdoor files. It's safe for mass remove unless you use regex in your search parameters.
Every file I found has a different footprint. You can't just regex it and trust you have found every one. You should better search for PHP files that have "eval" and other interpretative functions.
@pedromidiasf, but did you manage to find the vector of the attack?
The file manager issue was some time ago, but yesterday some of my websites were changed, and they weren't even WordPress sites. Some files were injected, and I really need to find out what caused that. I only found out because they were development websites and someone tried to add them to Google Search Console, which notified me.
PS. I'm also Portuguese
I have other websites that aren't WordPress that were also infected, but unlike the WordPress sites they were not defaced, they only got the backdoor. I discovered the problem because Google Search results for our websites were completely messed up (with store items). I then tried emulating Google's bot on my browser and checked Google Search Console to see how the websites were being indexed.
The procedure: I found files in the access log that didn’t belong to me, and related to those, the logs contained some IP addresses. I searched those IPs on Google and found results discussing this vulnerability. I then looked up the CVE ID to understand how the exploit works.
6
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 19, 2025, 07:51:40 PM »
The port scan is blocked by the firewall; however, if multiple bots perform a brute-force attack, the firewall becomes useless. Still, it's better than leaving the port as it is.
Understand that your server is one in a billion. If the port isn't available, it's no longer useful to scan. Usually, these guys scan for IPs rather than ports. When there's a zero-day vulnerability, the ports are always the same to scan.
About the SSH port, choose a port near the end of the range. You can also use an SSH key if you're worried about relying on just one password.
I could be wrong, but blocking email doesn't help much if it's done via PHP itself.
Malware scanners are useless. I ran scans with them, and they were worthless.
You won't find free solutions that are this comprehensive. Even cPanel has suffered attacks at the same level. You'll end up paying to remain in the same situation. Most likely, you'll migrate the sites, and they will be compromised again.
Consider protecting the most sensitive pages with "Basic Access Authentication."
7
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 19, 2025, 06:20:06 PM »
Yes, I am Portuguese.
As far as I can see, I don't have folders with just a single letter. That's probably from a previous hack?
Quote
Two users were created on the WordPress sites, but these users are not visible in the WordPress admin panel. To see these users, you have to use PHPmyadmin.
Oh ok, I didn't know that. I haven't checked the users in the WordPress admin panel, I only saw them in the database like you did.
If you simulate the Googlebot user agent in your browser you'll be able to see the changes on your website. The defacement probably only activates for certain countries (I'm just guessing), because there is no other way to view it without simulating the Googlebot agent.
Make sure you remove usermeta data as well (from the database).
Quote
In wp-content folders dont find any php file.
I had a few PHP files inside /wp-content/uploads and they were malicious (and by the look, they are from the same creator).
Quote
I renamed /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php, but the cwpanel filemanager still works. Is this normal?
With that change, Filemanager inside the admin panel still works, but in the user panel it doesn't work anymore.
Change your CWP panel port and add "Simple Authentication" to it - it has to be done manually.
That will help prevent future damage.
8
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 19, 2025, 04:45:13 PM »
I have the same problem. My VPS are infected.
I'm using CWPpro version: 0.9.8.1218 and Rocky Linux release 9.5
After the intrusion I have problems with SEO, Google results display titles from other sources.
My websites' traffic has plummeted in the last few days because of this change. When I type site:mydomain.tld into Google, I see that the results point to my websites, but the text is different.
Does anyone else have this problem? Do you know how to fix it? How did you manage to change it? I've already submitted sitemaps to Google Search Console, but I'm not sure if it will work.
Hi, read the whole thread, your problem is 100% related to this topic. Our servers were exploited to show an online store. Not sure what the hacker did to gain anything with this because the webpages were not defaced. Usually they get the Google referrer to deface the webpage.
Take into consideration that your server has a lot of backdoors installed. But, as I said, read the thread.
I believe your websites are in WordPress. So start by removing the new user the hacker added to your websites. Then install a fresh WordPress and start all over.

Make sure you remove all .php files from "wp-content\uploads".
9
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 18, 2025, 09:58:49 AM »
Hello,
We're encountering the same situation on one of our servers.
While we're actively performing cleanup operations, the critical question remains: Has this vulnerability truly been resolved by the "silent patch"?
Do you have any information about when and what version of the patch/update?
Best regards,
I've studied the vulnerability and I don't expect it to be able to exploit anything else. The attacker only had access as a low-privilege user. If he had so much access, he wouldn't be mass exploiting every website of your server.
I recommend you to change your admin and client ports. This way, automated systems won't be able to find it right away.
If you want to be extra serious about it, format it. Don't take my word too seriously but I see no reason to format. Nevertheless, always keep a clean backup.
I've added "HTTP Basic access authentication" to admin and client panels. I've also added this to WordPress login URLs. This will block every public access and it creates a new layer of protection. I saw that my firewall got less blockage because there was no possibility for hackers to make requests. Every page, request or URL has been blocked with this. It works like a master password on sensitive areas that is requested before opening or requesting anything.
My WordPress websites also infected. And other websites non WordPress also. Replaced index.php, added licelic.c" backup.c defauit.php. I found admin accounts in database WP-user wpadmin@volovmart.ru. I don't know how it happened. But I think it is Panel hacked because it does not affect only WordPress CMS. I'm using CWP pro.
I believe Wordpress database was infected by external code execution. I also had this user and same email.
You should rebuild your WordPress from scratch. The best way is to firstly remove that user (with the WordPress panel). You can also execute queries to remove the user and the content he has created (if present).
Then import only this tables:
wp_users
wp_usermeta
wp_terms
wp_term_taxonomy
wp_posts
wp_postmeta
If your wordpress has user comments, also import:
wp_comments
wp_commentmeta
Then install all plugins from the installation menu (don't import from the infected website). Everything has to be built again. WordPress plugins create a lot of tables that are not even needed. But be aware and test your website afterwards.
If you had made changes to your template before, install the template from the installation menu and take a deep look on each file you had modified. If done right, you probably have a child folder for that theme. Take a deep look on each line of code of those modified files to see if something was injected. I did that manually and then I asked ChatGPT if there were any malicious lines of code just to confirm it.
If you have custom plugins, you have to take a deep look on each line of code as well.
10
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 17, 2025, 01:10:28 PM »
You can also search in your files. "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";"
Might be another backdoor.
Don't trust to find this sequence. All injected files, even if they do the same, all of them have different obfuscation codes even with different sequence of code.
Best way is to search for index files within the folders and check your main index file.
Also consider disabling PHP execution inside folders that are not needed. Also disable direct execution of PHP files that don't need to be called directly from a URL. This can be done with folder permissions and .htaccess files.
11
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 15, 2025, 09:37:31 PM »
You don't need a script to remove them. This will remove all of the malicious code except for index.php.
Code:
find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;
Edit: You can remove "-f" if you need to check which file is being removed.
If you have two examples of infected index.php files, I can try to make a script that will auto remove them.
I had files that didn't have the dot on the ".c", they were just "c". Take a look in your server as well.
Also inspect all your robots.txt and index.php (of the root folder of each website); mine got infected on top.
12
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 15, 2025, 08:02:40 PM »
I mass removed them, every part of the malicious code, backup.c, licelic.c etc with rm find. But maybe I can find them from backups.
As far as I understand from the context of the malicious code, they are trying to trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.
Oh I found one image file from a backup.
How did you mass remove them? Do you have a script that you could share?
13
How to / Safe method to reset SQL system related passwords without service disruption
« on: October 14, 2025, 09:50:11 PM »
Is there a safe way to change the passwords for these SQL users without disrupting the system?
mysql
postfix
root
roundcube
I can see that all of them (except roundcube) have their own Linux user accounts, but it seems they don’t have passwords set. So I assume changing (or adding) the system password won’t have much effect.
I could use phpMyAdmin to change their passwords, but that might risk disabling services I rely on.
I see that I'm able to change these passwords by the admin panel, but I'm afraid to do it without knowing how it will end up! Is it safe for these users to change their password?
Is there an internal script available to safely reset these passwords?
15
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: October 14, 2025, 08:55:25 PM »
robots.txt (revaluation)
Many of my websites contain robots.txt files that appear to be used to expose compromised websites (when you open it, it notifies the attacker). These files include a reference to a "sitemap" that actually points to an exploited file (index.php). If Googlebot or another search bot fetches that sitemap, it could automatically reveal the infected website to the attacker. The attacker has put search bots to work for him (smart, I must say).
Every index.php file referenced by these robots.txt files appears to be infected at the top. Below the infection lies your original code (but double check it!!!).
Note that simply deleting the robots.txt files is not enough! You also must carefully inspect and clean every affected index.php file. Make sure to thoroughly check each robots.txt file, as the infection may vary between them and you might end up losing the infected index.php file.
An infected index.php file is still useful to the attacker! The robots.txt is just a complement.
SSH command to search all robots.txt files:
Quote
find /home -type f -name "robots.txt"
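The indicators spread across this thread (robots.txt sitemaps pointing at index.php, PHP files under wp-content/uploads, the dropped file names from the earlier post, and eval or hex-escaped string headers in index.php) gathered into one bash scan, as an added example that is not from any post here. The sample tree is constructed for the demo, and every check is a heuristic, so review each hit by hand before deleting anything.

```bash
#!/bin/bash
# Added example: scan a hosting root for the indicators described in this thread.
# The sample tree below is constructed for the demo; point scan_root at /home on a real box.
set -u

# Build a small constructed tree: one "infected" site and one clean one.
make_sample_tree() {
  local root="$1"
  mkdir -p "$root/site1/public_html/wp-content/uploads/2025/10" "$root/site2/public_html"
  printf 'User-agent: *\nSitemap: https://site1.invalid/index.php\n' > "$root/site1/public_html/robots.txt"
  printf '<?php eval(base64_decode("c2FtcGxl"));\n/* original site code follows */\n' > "$root/site1/public_html/index.php"
  printf '<?php echo "x";\n' > "$root/site1/public_html/wp-content/uploads/2025/10/defauit.php"
  : > "$root/site1/public_html/wp-content/uploads/2025/10/licelic.c"
  printf 'User-agent: *\nSitemap: https://site2.invalid/sitemap.xml\n' > "$root/site2/public_html/robots.txt"
  printf '<?php echo "clean";\n' > "$root/site2/public_html/index.php"
}

# 1. robots.txt whose Sitemap line points at a PHP file instead of an XML sitemap
find_robots_with_php_sitemap() {
  find "$1" -type f -name robots.txt -exec grep -liE '^sitemap:.*\.php' {} +
}

# 2. PHP files under wp-content/uploads (that tree should hold media only)
find_php_in_uploads() {
  find "$1" -type f -path '*/wp-content/uploads/*' \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \)
}

# 3. the dropped file names reported in this thread (with and without the leading dot)
find_known_dropped_files() {
  find "$1" -type f \( -name licelic.c -o -name backup.c -o -name defauit.php \
       -o -name defauIt.php -o -name .c -o -name c \)
}

# 4. index.php containing eval( or hex-escaped literals such as \x3c, typical of the injected header
find_suspect_index_php() {
  find "$1" -type f -name index.php -exec grep -liE 'eval\(|\\x[0-9a-f]{2}' {} +
}

# Run all four checks and print hits grouped per check.
scan_root() {
  local r="$1" check
  for check in find_robots_with_php_sitemap find_php_in_uploads find_known_dropped_files find_suspect_index_php; do
    echo "== $check"
    "$check" "$r"
  done
}

demo=$(mktemp -d); make_sample_tree "$demo"; scan_root "$demo"; rm -rf "$demo"
```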
