Messages

1

Updates / Re: Is CWP dead? Looking for alternatives

« on: January 13, 2026, 02:38:36 PM »

1. The source of that information is directly from CWP via a support ticket I submitted.
You can doubt whatever you want, but that is the answer I received form them.

Only real problem with the forums is an expired SSL.

2. There are many aspects from HTTP, PHP, ModSecurity, etc., but since you don't know, that shows you probably don't use CWP.

3. Yup. You are just a BS poster, @overseer and myself provide a majority of help here.
And I was talking about offering help to CWP also.

All you seem to be doing is posting hate without knowing how CWP really works via GUI and CLI.

1. The forum is down frequently. I think it's mostly configuration or code issues. Try opening your profile https://forum.centos-webpanel.com/profile/?area=forumprofile - I get an error.

2. CWP automatically generates SSL certificates. How is it acceptable that this forum doesn't even have that configured?

I think we CWP users should demand more. I'd support them if they doubled the Pro version price, I think they should double the price of the Pro version if the problem is lack of money to pay the development team. But they need to show a more active role: update the website, have someone replying on the forum.

CWP is a great panel with lots of options and it's very cheap. But since it's closed source and the team isn't present, it's not evolving like other panels.

I currently have 7 servers running the Pro version of CWP. I don't want to move to another panel. In the past I used VestaCP and CWP was a step forward. I think this conversation is good, but we should stop attacking people for criticizing CWP. Someone from the CWP team should read this and reply. Everyone here wants the best for CWP.

2

Updates / Re: Is CWP dead? Looking for alternatives

« on: January 13, 2026, 09:59:02 AM »

I don't understand why Starburst is being so rude about it.

If we're talking about the elephant in the room, it's because we like CWP, we use CWP, and we care about its future. But in recent years it's really struggling: no new features, a barely working forum, an outdated website, no tips or news about server management. The best tutorials are the ones from Starburst.

I'm actively looking for alternatives. I like CWP because it has many features, I have a good incremental backup system on my servers, the pro version is cheap, and I have custom webserver templates for Laravel and other stacks.

But I'm also testing other panels on a test server because I'm afraid CWP will let me down in the near future. I know there are others in my situation. What are the best alternatives to CWP?

3

Updates / Re: Is CWP dead? Looking for alternatives

« on: January 12, 2026, 03:45:08 PM »

Here we go Again...

CWP is NOT 'dead'.

Last updated came out on 2025-12-29

The last Apache update from them was 2.4.65, and you can manually update to 2.4.66 easily.

You can also upgrade manually to PHP 8.4 and 8.5 using the info at AlphaGNU.

But ionCube doesn't work with PHP 8.5 as of yet, it's still in beta.
https://www.ioncube.com/loaders.php

But by all means move to cPanel...

I've been working with CWP for years. We get some updates but zero communication and no roadmap. Critical security issues aren't communicated.

ionCube already supports PHP 8.4 in production, but CWP doesn't. The forum is frequently down or unresponsive. Many signs point to CWP not being in good shape. For example, "New Backup" has been in beta for at least 4 years.

It's hard to attract new paying customers with this approach.

4

CSF Firewall / Re: Should we update CSF to V15??

« on: January 12, 2026, 03:31:33 PM »

It's NOT a 'workaround', it's an upgrade path.

The original CSF made by Way to the Web Ltd. is dead.
Hence why you haven't been getting updates.

Not sure where you have been, but that was announced and posted all over the place last year.

I'm more of a coder than a sysadmin. I don't remember seeing those announcements, but no problem. I'm finding the best solution now.

Like overseer mentioned, this seems to be the right approach:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/aetherinox-csf-firewall-update-to-v15-08/

But that's for v15 → v15.08. To go from v14 to v15, is this the correct tutorial?
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/csf-firewall-gplv3-release-tweaked-for-cwp/

CWP team should have made this upgrade automatic.

5

Updates / Is CWP dead? Looking for alternatives

« on: January 11, 2026, 11:58:23 AM »

I have several production servers running CWP, but it feels completely abandoned. No relevant updates for years, security issues take forever to fix with zero communication, and the changelog is stagnant.

PHP is at 8.5 but we're stuck on 8.3. Roundcube, Nginx, Apache versions are all outdated and never updated.

What do you recommend? I'm seriously considering moving to cPanel despite the cost. I like CWP's features (PHP, Node.js, backups, mail server), but everything feels dated. Support is terrible, no blog or notifications about critical updates.

What alternatives exist? Is anyone else feeling this way? What other panels have similar tools but a more active community?

6

CSF Firewall / Should we update CSF to V15??

« on: January 11, 2026, 11:48:59 AM »

CSF updates stopped in August. What's the recommended approach: update to V15 or use the workaround from https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/csf-firewall-error-oops-unable-to-download-no-host-option-provided/ to keep v14.24?

I need some opinions, I have multiple servers and I want to go to a secure approach

7

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« on: October 22, 2025, 12:28:39 PM »

@pedromidiasf, but did you manage to find the vector of the attack?

The file manager issue was some time ago, but yesterday some of my websites were changed, and they weren't even WordPress sites. Some files were injected, and I really need to find out what caused that. I only found out because they were development websites and someone tried to add them to Google Search Console, which notified me.

PS. I'm also Portuguese

8

How to / Re: How to get rid of this showing up in websites?

« on: July 26, 2025, 07:58:43 AM »

The previous advice is more of a band-aid than a real solution. I had the same error in the past, but only with ImageMagick. What solved it for me was recompiling all PHP versions, that fixed the issue. I also updated everything to the latest version.

In the CWP panel, go to PHP Selector, PHP-FPM Selector, and even PHP Version Switcher, then rebuild each PHP version you have installed. You can also update everything to the latest versions. Do it one by one and check if the error is resolved after each step.

Before doing that, connect via SSH and run the PHP version directly in the console to see if the error appears, it usually does. Then update and try again.
You can use a command like:
/opt/alt/php83/usr/bin/php --version

9

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« on: July 13, 2025, 02:07:43 PM »

Can someone test the latest version to see if the exploit still works?

10

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« on: July 13, 2025, 11:52:27 AM »

I saw that a new version was released 0.9.8.1207, did this update fix the filemanager exploit?

CWP team is doing a really bad job, no official reply no information, completely unreal.

11

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« on: July 09, 2025, 04:51:08 PM »

I had the same problem, was going crazy, thinking it was a wordpress vulnerability, then started seeing processes from one user trying to access other users. This made me notic only 3 of my users are in jail and others aren't, no idea why this behaviour by CWP.

I've ran:

Code: [Select]

find / -type f \( -name "defauit.php" -o -name "nbpafebaef.jpg" \) -exec rm -f {} + 2>/dev/nullto delete all of this 2 files.

I've also renamed filemanager.php

Could any one provide with more insight/what more steps should be done to make sure it's clean?

What do you mean by “my users are in jail”?

Also, make sure to delete two hidden files that may have been used in the attack. They were found in /tmp on my compromised servers:
   •   .tmp_baf
   •   .auto_monitor

These files are part of the script that spreads the malicious payload across all user accounts.

Let us know if you find anything else suspicious, we’re trying to understand the full scope of this breach.

12

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« on: July 09, 2025, 02:48:12 PM »

Funny, this started as an information sharing thread but then devolved from there -- getting into sour personal attacks. I'm sorry I ever touched this tar baby. My point was, I can appreciate your report and will keep it on the radar because I see that you have a history here and contribute in a meaningful way. But when someone brand new comes on the scene trotting out security buzzwords and offering dubious advice about deleting the filemanager (instead of mitigating the attack vector in a non-destructive way)... well, take that for what it is. I'll go back to monitoring my servers now.

(Both security disclosures you linked to claim the CWP devs have patched the flaw, and both indicated it was against CentOS 7 -- so it bears monitoring but not hyperventilating.)

That’s not accurate. The problem isn’t limited to CentOS 7 — it also affects AlmaLinux 8. The vulnerability lies in filemanager.php, which is written in PHP and is identical across all supported OSes. What changes between CentOS and AlmaLinux is the system environment, not the CWP PHP panel code.

All six of my servers run AlmaLinux 8, and three were compromised due to this exact issue.

I don’t know Doridian personally, but his suggested solution is a good temporary mitigation. Renaming or removing filemanager.php is low-risk, and CWP will restore it once an official patch is released. I’ve renamed it on all my servers, it’s a simple step to reduce exposure.

This is a critical vulnerability, and it is not fixed in the current version, despite what the articles say.

You can check if your server might have been affected by running:
find /home -type f -name "defauit.php" 2>/dev/null

That file (defauit.php with an “i”) appeared across all compromised accounts on my affected servers.

13

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« on: July 09, 2025, 08:18:21 AM »

Firstly, I didn't say delete, I said rename a single file that inconveniences your users slightly...

But you did say delete, quoted twice in the previous posts on this thread. I call that dubious advice, as with removing the .php extension -- which won't neuter it -- a file containing PHP code can still be run by a php interpreter.

You are gravely mistaken about this.

This is a critical security issue. I've included two links from official security sources that detail the problem: https://fenrisk.com/rce-centos-webpanel and https://cybersecuritynews.com/linux-centos-web-panel-vulnerability/.

Doridian did an excellent job by adding a temporary fix to prevent more attacks. If you don't believe us, then please stop making unhelpful comments.
Otherwise, give us a domain and user account from one of your servers, and we'll prove you wrong.

14

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« on: July 08, 2025, 04:39:44 PM »

It is indeed a filemanager issue. I have tested found the vulnerability by testing against my own CWP server (which is up fully up to date, and runs AlmaLinux 8 ).

You can effectively convince the filemanager to perform any operation without being correctly authenticated as any user (so long you know or can guess their username).

Luckily, this does not work against the "root" user, only valid CWP users, so it does not allow for total system compromise.

As for why it makes non-.php files run as code? Possibly a malicious ".htaccess" file or similar could be uploaded to changes the handler directives, or another vulnerability (which I did not discover) allows reconfiguring the webserver.


I tried reporting the issue (privately) using the contact form and have been informed I need a support subscription, and have responded that I will not pay for reporting security issues. If I get another negative response, I might have to put the information into the bug tracker so the engineers actually can see it, but I would really rather avoid sharing any information in public to not cause this to be exploited even more widely than it already seems to be.


The easiest sign of a compromise (or attempt) through this bug are POST calls to "/USERNAME/index.php?module=filemanager&..." with a 302 response code in your logs, especially with non-browser user-agents.

I am also not sure what the discussion of "execution" here is, PHP does not care if a file is chmod 644 or 755 or anything else, so long as it can read the file, it can (and will) run the file when accessed via a browser through the webserver.

There might well be more security issues present in CWP, given the one I found was not too difficult to discover, that allow actually running arbitrary commands or things of that nature, but checking is hard as all of CWP is encoded with ionCube, and therefor I have to try random things to see what happens, I can't just read the code.

I will look for more issues in the filemanager code myself as well, just for completeness sake.

And again, if anyone knows of a way to (privately) report this to CWP without telling potential "bad guys" the exact exploit path, please tell me.

If anyone needs verification of this bug, feel free to create me a test user on a CWP installation of your choice and I can upload a (harmless!) file using the exploit.

It’s completely unacceptable that no one from the CWP team has replied to us. This issue was identified as early as June 22nd and was supposedly fixed, yet it continues to occur.

15

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« on: July 08, 2025, 03:03:33 PM »

So according to the 2 vulnerability reports you mentioned, it's limited to EOL CentOS 7 systems -- for which support ended over a year ago. Not too surprising, really. The longer those systems are on the internet, the more of sitting ducks they become. Time to migrate to AlmaLinux!

Can you confirm that you both are running CentOS 7 systems?

Caught one probe for this vuln on one of my Alma systems, coming from Hong Kong:

Code: [Select]

[root@alma]# grep "module=filemanager" /usr/local/cwpsrv/logs/access_log
91.124.30.69 - - [08/Jul/2025:04:50:00 -0500] "POST /myuser/index.php?module=filemanager&acc=changePerm HTTP/1.1" 404 147 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:134.0) Gecko/20100101 Firefox/134.0"

No is not, this is a panel issue (Im in version 0.9.8.1206), I use AlmaLinux 8 not CentOS 7. This is is a Filemanager issue, is better to remove the filemananger for now.