1
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: July 09, 2025, 04:51:08 PM »
I had the same problem, was going crazy, thinking it was a WordPress vulnerability, then started seeing processes from one user trying to access other users. This made me notice only 3 of my users are in jail and others aren't, no idea why this behaviour by CWP.
I've run:
Code: [Select]
find / -type f \( -name "defauit.php" -o -name "nbpafebaef.jpg" \) -exec rm -f {} + 2>/dev/null
to delete all of these 2 files.
I've also renamed filemanager.php
Could anyone provide more insight on what more steps should be done to make sure it's clean?
What do you mean by “my users are in jail”?
Also, make sure to delete two hidden files that may have been used in the attack. They were found in /tmp on my compromised servers:
• .tmp_baf
• .auto_monitor
These files are part of the script that spreads the malicious payload across all user accounts.
Let us know if you find anything else suspicious, we’re trying to understand the full scope of this breach.
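The cleanup this post and the ones further down do by hand (the find for defauit.php and nbpafebaef.jpg, plus the two hidden files in /tmp), written out as one script that reports instead of deleting, so the files can be kept as evidence before removal. This is an added example, not CWP code and not any poster's script. It also applies two checks taken from later posts in this thread: a .jpg or other non-PHP file that carries a PHP open tag, and an .htaccess that hands a non-.php extension to the PHP handler (one poster raised that as a possible explanation for the .jpg executing, not a confirmed one, so treat those hits as review items). The directory tree created by build_demo_tree is constructed for the demonstration; the filemanager.php path is the one quoted in the thread.

```python
"""Report (never delete) the indicators of compromise described in this thread.
Added example, not CWP code.  On a server run as root: python3 cwp_ioc_sweep.py /home /tmp"""
import os
import re
import sys
import tempfile

# Filenames posters found on compromised servers.
IOC_NAMES = {"defauit.php", "nbpafebaef.jpg", ".tmp_baf", ".auto_monitor"}
# Extensions that have no business containing a PHP open tag.
NON_PHP_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".txt", ".css"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Module several posters renamed as a stop-gap (path as quoted in the thread).
FILEMANAGER = "/usr/local/cwpsrv/var/services/user_files/modules/filemanager.php"


def read_head(path, limit=64 * 1024):
    """First `limit` bytes of a file, or b"" if it cannot be read (we only report, never fail)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit)
    except OSError:
        return b""


def htaccess_suspicious(data):
    """Lines that map a non-PHP extension (or a whole directory scope) to the PHP handler.
    AddHandler/AddType lines listing only .php-style extensions are the normal PHP-selector form."""
    bad = []
    for raw in data.splitlines():
        line = raw.decode("latin-1").strip()
        parts = line.split()
        if len(parts) < 2 or "php" not in line.lower():
            continue
        directive = parts[0].lower()
        if directive in ("addhandler", "addtype"):
            if any(not e.lstrip(".").lower().startswith("ph") for e in parts[2:]):
                bad.append(line)
        elif directive in ("sethandler", "forcetype"):
            bad.append(line)  # applies to everything in scope; review the enclosing block
    return bad


def sweep(roots):
    """Walk the roots (symlinks are not followed) and return {path: [reasons]}."""
    hits = {}

    def flag(path, reason):
        hits.setdefault(path, []).append(reason)

    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    continue
                if name in IOC_NAMES:
                    flag(path, "known IOC filename")
                ext = os.path.splitext(name)[1].lower()
                if ext in NON_PHP_EXT and PHP_TAG.search(read_head(path)):
                    flag(path, f"PHP open tag inside a {ext} file")
                if name == ".htaccess":
                    lines = htaccess_suspicious(read_head(path))
                    if lines:
                        flag(path, "PHP handler directive in .htaccess: " + lines[0])
    return hits


def filemanager_exposed(path=FILEMANAGER):
    """True while the module is still in place, i.e. the rename/removal stop-gap is not applied."""
    return os.path.isfile(path)


def build_demo_tree(base):
    """Constructed tree mimicking the layout posters describe; file contents are placeholders."""
    files = {
        "home/u1/public_html/defauit.php": b"<?php /* placeholder for the dropped script */ ?>",
        "home/u1/public_html/public/nbpafebaef.jpg": b'<?php echo md5("gewafwaef1");die;?>',
        "home/u2/public_html/index.php": b"<?php echo 'legit site'; ?>",
        "home/u2/public_html/logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "home/u2/public_html/.htaccess": b"AddHandler application/x-httpd-php81 .php\n"
                                         b"AddHandler application/x-httpd-php .jpg\n",
        "tmp/.auto_monitor": b"#!/bin/sh\n# placeholder\n",
        "tmp/.tmp_baf": b"<?php /* placeholder payload */ ?>",
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def demo():
    """Build the constructed tree in a temp dir, sweep it, return findings keyed by relative path."""
    base = build_demo_tree(tempfile.mkdtemp(prefix="cwp-ioc-"))
    hits = sweep([os.path.join(base, "home"), os.path.join(base, "tmp")])
    return {os.path.relpath(p, base).replace(os.sep, "/"): r for p, r in hits.items()}


if __name__ == "__main__":
    result = sweep(sys.argv[1:]) if len(sys.argv) > 1 else demo()
    for path in sorted(result):
        print(f"{path}: {'; '.join(result[path])}")
    print("filemanager.php still present:", filemanager_exposed())
```

Without arguments the script sweeps its own constructed tree; with `/home /tmp` it sweeps the server. Copy anything it reports (with ownership and timestamps, `stat` or `ls -la --time-style=full-iso`) before deleting, since the /tmp scripts are what explain the cross-account spread.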
2
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: July 09, 2025, 02:48:12 PM »
Funny, this started as an information sharing thread but then devolved from there -- getting into sour personal attacks. I'm sorry I ever touched this tar baby. My point was, I can appreciate your report and will keep it on the radar because I see that you have a history here and contribute in a meaningful way. But when someone brand new comes on the scene trotting out security buzzwords and offering dubious advice about deleting the filemanager (instead of mitigating the attack vector in a non-destructive way)... well, take that for what it is. I'll go back to monitoring my servers now.
That’s not accurate. The problem isn’t limited to CentOS 7 — it also affects AlmaLinux 8. The vulnerability lies in filemanager.php, which is written in PHP and is identical across all supported OSes. What changes between CentOS and AlmaLinux is the system environment, not the CWP PHP panel code.
(Both security disclosures you linked to claim the CWP devs have patched the flaw, and both indicated it was against CentOS 7 -- so it bears monitoring but not hyperventilating.)
All six of my servers run AlmaLinux 8, and three were compromised due to this exact issue.
I don’t know Doridian personally, but his suggested solution is a good temporary mitigation. Renaming or removing filemanager.php is low-risk, and CWP will restore it once an official patch is released. I’ve renamed it on all my servers, it’s a simple step to reduce exposure.
This is a critical vulnerability, and it is not fixed in the current version, despite what the articles say.
You can check if your server might have been affected by running:
find /home -type f -name "defauit.php" 2>/dev/null
That file (defauit.php with an “i”) appeared across all compromised accounts on my affected servers.
3
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: July 09, 2025, 08:18:21 AM »
You are gravely mistaken about this.
Firstly, I didn't say delete, I said rename a single file that inconveniences your users slightly...
But you did say delete, quoted twice in the previous posts on this thread. I call that dubious advice, as with removing the .php extension -- which won't neuter it -- a file containing PHP code can still be run by a php interpreter.
This is a critical security issue. I've included two links from official security sources that detail the problem: https://fenrisk.com/rce-centos-webpanel and https://cybersecuritynews.com/linux-centos-web-panel-vulnerability/.
Doridian did an excellent job by adding a temporary fix to prevent more attacks. If you don't believe us, then please stop making unhelpful comments.
Otherwise, give us a domain and user account from one of your servers, and we'll prove you wrong.
4
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: July 08, 2025, 04:39:44 PM »
It is indeed a filemanager issue. I have tested and found the vulnerability by testing against my own CWP server (which is fully up to date, and runs AlmaLinux 8).
You can effectively convince the filemanager to perform any operation without being correctly authenticated as any user (so long you know or can guess their username).
Luckily, this does not work against the "root" user, only valid CWP users, so it does not allow for total system compromise.
As for why it makes non-.php files run as code? Possibly a malicious ".htaccess" file or similar could be uploaded to change the handler directives, or another vulnerability (which I did not discover) allows reconfiguring the webserver.
I tried reporting the issue (privately) using the contact form and have been informed I need a support subscription, and have responded that I will not pay for reporting security issues. If I get another negative response, I might have to put the information into the bug tracker so the engineers actually can see it, but I would really rather avoid sharing any information in public to not cause this to be exploited even more widely than it already seems to be.
The easiest sign of a compromise (or attempt) through this bug are POST calls to "/USERNAME/index.php?module=filemanager&..." with a 302 response code in your logs, especially with non-browser user-agents.
I am also not sure what the discussion of "execution" here is, PHP does not care if a file is chmod 644 or 755 or anything else, so long as it can read the file, it can (and will) run the file when accessed via a browser through the webserver.
There might well be more security issues present in CWP, given the one I found was not too difficult to discover, that allow actually running arbitrary commands or things of that nature, but checking is hard as all of CWP is encoded with ionCube, and therefore I have to try random things to see what happens, I can't just read the code.
I will look for more issues in the filemanager code myself as well, just for completeness' sake.
And again, if anyone knows of a way to (privately) report this to CWP without telling potential "bad guys" the exact exploit path, please tell me.
If anyone needs verification of this bug, feel free to create me a test user on a CWP installation of your choice and I can upload a (harmless!) file using the exploit.
It’s completely unacceptable that no one from the CWP team has replied to us. This issue was identified as early as June 22nd and was supposedly fixed, yet it continues to occur.
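A detector for the log indicator described in the post above (a POST to /USERNAME/index.php?module=filemanager&... answered with a 302, especially from a non-browser user agent), as an added example that is not part of any post and not CWP code. It reads lines in the cwpsrv access_log format, tolerating the "path:" prefix that a recursive grep puts in front of each line. The embedded sample lines are constructed from the ones quoted in this thread; the source addresses in them are documentation ranges, not real attackers. The 404 rule and the per-IP "accounts touched" summary are this example's own heuristics, not something the thread verified.

```python
"""Flag CWP file-manager requests matching the probe/exploit pattern reported in this thread.
Added example, not CWP code.  Usage: python3 fm_probe_scan.py /usr/local/cwpsrv/logs/access_log"""
import re
from collections import defaultdict

# Combined-log line as written by cwpsrv; an optional "/path/to/access_log:" prefix (grep -r) is tolerated.
LOG_RE = re.compile(
    r'^(?:/\S*?:)?'
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# /USERNAME/index.php?module=filemanager&acc=ACTION
FM_RE = re.compile(r'^/(?P<user>[^/?]+)/index\.php\?module=filemanager(?:&acc=(?P<acc>[^&]*))?')


def parse_line(line):
    """Parse one access_log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    fm = FM_RE.match(rec["path"])
    rec["user"] = fm.group("user") if fm else None
    rec["acc"] = fm.group("acc") if fm else None
    return rec


def classify(rec):
    """Reasons a parsed record looks like the file-manager abuse described in the thread."""
    reasons = []
    if rec["user"] is None or rec["method"] != "POST":
        return reasons  # only POSTs to /USER/index.php?module=filemanager are of interest
    if rec["status"] == "302":
        reasons.append("filemanager POST answered with 302 (redirect, no authenticated session)")
    if rec["status"] == "404":
        reasons.append("filemanager POST answered with 404 (probe against a guessed path)")
    if not rec["ua"].startswith("Mozilla/"):
        reasons.append(f"non-browser user-agent: {rec['ua']}")
    return reasons


def scan(lines):
    """Return the parsed records that have at least one reason, each with its reasons attached."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def summarize(findings):
    """Per source IP, the distinct CWP usernames hit; sweeping many accounts is username enumeration."""
    users_by_ip = defaultdict(set)
    for f in findings:
        users_by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()}


# Constructed sample modelled on the lines quoted in the thread (not real captured traffic).
SAMPLE_LOG = """\
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:38 +0100] "POST /user1/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:39 +0100] "POST /user2/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
203.0.113.7 - - [08/Jul/2025:04:50:00 -0500] "POST /myuser/index.php?module=filemanager&acc=changePerm HTTP/1.1" 404 147 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:134.0) Gecko/20100101 Firefox/134.0"
198.51.100.9 - - [08/Jul/2025:10:01:12 +0100] "POST /user1/index.php?module=filemanager&acc=listFiles HTTP/1.1" 200 5120 "https://panel.example/user1/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
198.51.100.9 - - [08/Jul/2025:10:01:13 +0100] "GET /user1/index.php?module=dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            hits = scan(fh)
    else:
        hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['ip']} user={h['user']} acc={h['acc']} status={h['status']}: "
              + "; ".join(h["reasons"]))
    for ip, users in summarize(hits).items():
        print(f"{ip} touched {len(users)} account(s): {', '.join(users)}")
```

A logged-in user working in the file manager from a browser gets a 200 and no reason, so that traffic stays out of the report; one IP hitting several usernames in the same second, as in the quoted lines, is the pattern to look for. A source of 127.0.0.1 means the request arrived through a local proxy, so the real client address has to be taken from the front-end's log instead.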
5
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: July 08, 2025, 03:03:33 PM »
So according to the 2 vulnerability reports you mentioned, it's limited to EOL CentOS 7 systems -- for which support ended over a year ago. Not too surprising, really. The longer those systems are on the internet, the more they become sitting ducks. Time to migrate to AlmaLinux!
Can you confirm that you both are running CentOS 7 systems?
Caught one probe for this vuln on one of my Alma systems, coming from Hong Kong:
Code: [Select]
[root@alma]# grep "module=filemanager" /usr/local/cwpsrv/logs/access_log
91.124.30.69 - - [08/Jul/2025:04:50:00 -0500] "POST /myuser/index.php?module=filemanager&acc=changePerm HTTP/1.1" 404 147 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:134.0) Gecko/20100101 Firefox/134.0"
No, it is not; this is a panel issue (I'm on version 0.9.8.1206). I use AlmaLinux 8, not CentOS 7. This is a Filemanager issue; it is better to remove the filemanager for now.
6
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: July 08, 2025, 01:30:24 PM »
New update: this security issue is already public on https://fenrisk.com/rce-centos-webpanel and https://cybersecuritynews.com/linux-centos-web-panel-vulnerability/, as CVE-2025-48703.
These articles say that this is already fixed in 0.9.8.1205, but I'm on 0.9.8.1206 and I have the problem.
Please, we need some update from someone on the CWP Team.
7
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: July 08, 2025, 10:47:30 AM »
You’re absolutely right to be concerned — and I believe we may be dealing with two distinct but related security issues.
Issue 1: File Manager Vulnerability (Confirmed)
As already pointed out, the filemanager.php module in CWP seems to allow arbitrary file upload to any user account, as long as the attacker can guess the username. This is a critical flaw in access control and should be treated as a top-priority zero-day vulnerability.
This alone explains how attackers managed to inject malicious files like defauit.php or nbpafebaef.jpg across multiple accounts.
➡️ Temporary mitigation: Disable or rename the file:
/usr/local/cwpsrv/var/services/user_files/modules/filemanager.php
I’ve renamed it to filemanager.php.disabled to block access while waiting for an official fix.
Issue 2: Lateral File Injection via /tmp (Needs confirmation)
What’s particularly concerning is that on my server, all user accounts had identical malicious files — including accounts with no websites or activity.
I found two suspicious scripts in /tmp/:
• /tmp/.auto_monitor: Contains code to iterate over all user accounts and drop malicious files
• /tmp/.tmp_baf: A payload later renamed per user as defauit.php
The auto_monitor script appears to loop through /home/*/public_html/ and replicate the payload across accounts.
Now, here’s the key problem:
Even if filemanager.php was used to inject a file into one account, it doesn’t explain how the malware was then able to write to other accounts — unless:
1. The injected script gained elevated privileges or exploited a weak configuration
2. Some CWP service or cron is running PHP scripts from /tmp under a shared or root context
3. There’s a misconfigured global process that allows cross-account write access from within user space
This part needs deeper analysis. But the implications are very serious:
Even a single compromised account could lead to full lateral infection.
8
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: July 07, 2025, 06:27:44 PM »
My server has AlmaLinux 8; everything was updated and on the latest version. I have more servers, but only one was affected.
But all client accounts on the server have the same 2 files.
In the logs I found this
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:38 +0100] "POST /user1/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:39 +0100] "POST /user2/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:40 +0100] "POST /user3/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:41 +0100] "POST /user4/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:41 +0100] "POST /user5/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:42 +0100] "POST /user6/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
This is at the same time that defauit.php was created the nbpafebaef.jpg was created some days after.
In the root /tmp folder I found two suspicious files:
/tmp/.auto_monitor and /tmp/.tmp_baf
.auto_monitor was the file that had the code to duplicate .tmp_baf into each account and rename it to defauit.php.
9
CentOS-WebPanel Bugs / [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« on: July 07, 2025, 03:29:52 PM »
I’m reporting a critical security issue affecting multiple servers running CWP (CentOS Web Panel). During a security review on a Laravel-based website hosted via CWP, I found malicious PHP files in the public/ folder that allowed arbitrary code execution.
🛑 What I Found
On my server, inside /home/username/public_html/public/ and /home/username/public_html/, I found two suspicious files:
• nbpafebaef.jpg – Contains PHP code despite the .jpg extension:
<?php echo md5("gewafwaef1");die;?>
• defauit.php – A PHP script with a misleading name (looks like “default.php”).
These files execute when accessed via a browser. This confirms that PHP is being executed from the public folder, even if disguised with a .jpg extension.
🔍 Widespread Issue – Other Sites Also Affected
After further investigation, I found that other unrelated websites also running CWP have the exact same malicious files in the same locations:
• https://basaranturizm.com/
• https://coutos.pt/
This strongly suggests a systemic vulnerability, likely related to how CWP manages public folders or file permissions. These sites are not connected to me — I simply found them through Google search using the filename.
❗ Possible Vectors
Some possibilities include:
• Insecure permissions on public/ allowing PHP file uploads or writes
• Compromise via CWP File Manager or outdated software
• Global vulnerability in CWP’s file handling or directory security
⚠️ Request to CWP Team
Please investigate this urgently. It’s very likely that:
• CWP has a flaw allowing code execution in public folders
• Default permissions or services are enabling attackers to inject files across multiple servers
If CWP developers need any of the samples or log details, I’m happy to provide them privately.
10
Other / Add Supervisor support to CWP for managing long-lived processes
« on: April 11, 2025, 08:10:56 AM »
I'd like to suggest adding support for Supervisor in CWP. While I personally use it mostly for managing Laravel queue workers, there are many other use cases where Supervisor is essential, like handling background jobs, WebSocket servers, scheduled tasks, or any long-running process that needs to stay alive and restart automatically if it fails.
It would be great if CWP could:
• Include Supervisor by default or offer a one-click install option from the panel;
• Optionally provide a basic GUI to manage .ini files and control/restart processes;
• Show the status of running Supervisor-managed processes from within the interface.
This would make CWP even more powerful for developers and sysadmins running modern web applications that rely on persistent background processes.
Thanks again, and I hope this can be considered for a future release!
11
PHP Selector / Support for PHP 8.4
« on: January 17, 2025, 04:09:45 PM »
When will we get support for PHP 8.4? It was released some months ago and we should have it available as soon as possible.
12
SSL / How to create wildcard Certificate?
« on: September 18, 2024, 01:21:35 PM »
I have a new website that has multi-tenancy; a user can create a subdomain on the fly and I need to create a wildcard certificate for this domain.
Any way of doing that on CWP?
13
Updates / Re: CWP-CentOS-Stream-AppStream.repo Is down
« on: June 28, 2024, 07:35:31 AM »
I already have a server with AlmaLinux 8, but these old servers are still on CentOS 8 Stream, and now I cannot update because these CWP repos stopped working without any note about it.
Can we update from Centos 8 Stream to Almalinux 8?
I am afraid to do it. I will probably create a new server and migrate the websites, but that will be harder since I will need to change the IPs in the DNS.
14
Updates / Re: CWP-CentOS-Stream-AppStream.repo Is down
« on: June 27, 2024, 07:28:05 AM »
Switch to AlmaLinux 8.
These are production servers. I will change, but I will probably create some new servers and move each account there.
I am afraid to upgrade my current VPS to AlmaLinux 8.
15
Updates / CWP-CentOS-Stream-AppStream.repo Is down
« on: June 26, 2024, 09:33:26 AM »
I have servers with CentOS 8 Delayed and cannot run yum update; it returns this error:
Code: [Select]
yum update
CentOS-Stream - AppStream 520 B/s | 257 B 00:00
Errors during downloading metadata for repository 'Stream-AppStream':
- Status code: 404 for http://repo.centos-webpanel.com/8-cwp-stream/stable/AppStream/x86_64/os/repodata/repomd.xml (IP: 198.27.104.39)
Error: Failed to download metadata for repo 'Stream-AppStream': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
How can I solve this?