Recent Posts

Pages: 1 ... 8 9 [10]
91
Maybe someone could decode filemanager.php and apply a fix by adding a check for php sessions.

I read that filemanager.php is already patched. If necessary, disable the client panel ports (2083 and 2082) on the firewall, then restart it to apply the changes.
Logged in as admin, you will still be able to access these ports (the firewall will whitelist your IP address). Ask a friend to test the URL to see if they get timed out.
92
Thank you all. I found the defauit.php date stamp: JUL 05, 2025

Every file has a different date stamp. Those files were touched to a date and time close to those of the neighboring files, so that date stamp is not the right one. Don't bother searching for time and date; it won't do anything.

Those IP addresses are the same as mine. So, same hacker.

'nbpafebaef.jpg'
'.auto_monitor'
Where were these files present? Do you still know?
The .jpg files are always in the same folder as the defauit.php file, and sappurit's reply confirms that the nbpafebaef.jpg file is not randomly named (same filename as in my screenshot earlier on page 7), but it's not the only .jpg file.
I think the IP addresses are irrelevant, because blocking them is not a solution. It's easy to change IP address or tunnel connections.
The timestamp might be touched, but it still tells us that the vulnerability most likely still exists.

Maybe someone could decode filemanager.php and apply a fix by adding a check for php sessions.
93
Thank you all. I found the defauit.php date stamp: JUL 05, 2025

Every file has a different date stamp. Those files were touched to a date and time close to those of the neighboring files, so that date stamp is not the right one. Don't bother searching for time and date; it won't do anything.

Those IP addresses are the same as mine. So, same hacker.

'nbpafebaef.jpg'
'.auto_monitor'
Where were these files present? Do you still know?
94
Thank you all. I found the defauit.php date stamp: JUL 05, 2025

Intruders:
Code:
194.156.230.148
198.144.182.13
205.198.68.5
207.154.240.68
43.198.83.83
61.222.202.149

Command to check log files:
Code:
# CWP panel (cwpsrv) logs: requests that hit the user-panel file manager
grep -E "filemanager" /usr/local/cwpsrv/logs/*

# Apache per-domain and server logs: requests for the dropped files
grep -E "defauit|defauIt|nbpafebaef" /usr/local/apache/domlogs/* /usr/local/apache/logs/*

Command to find suspect files:
Code:
# Filenames seen in this thread. The generic names (index.php, robots.txt,
# .htaccess, wp-login.php) also match legitimate files, so review those by
# owner, size and modification time instead of deleting on sight.
find / -type f \( \
    -iname 'defauit.php' \
    -o -iname 'defauIt.php' \
    -o -iname 'licelic.c' \
    -o -iname 'backup.c' \
    -o -iname '.c' \
    -o -iname 'c' \
    -o -iname 'nbpafebaef.jpg' \
    -o -iname '.auto_monitor' \
    -o -iname '.tmp_baf' \
    -o -iname 'wp-login.php' \
    -o -iname 'index.php' \
    -o -iname 'robots.txt' \
    -o -iname '.htaccess' \
  \) -exec ls -l {} \; 2>/dev/null

Command to temporarily disable the user panel filemanager:
Code:
# Rename the module so the user panel can no longer load it (random suffix so it is not guessable)
mv /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php.disable.5456RANDOM2547
Command to check php config:
Code:
# php -i reports the CLI SAPI's settings; the web SAPI (php-fpm / mod_php)
# may load a different php.ini, so check the web handler's config as well
php -i | grep open_basedir
php -i | grep disable_functions

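The commands above are the manual version of the triage. The script below is an added example, not code from the post or from CWP: it matches the filenames named in this thread against constructed Apache-style access-log lines (the IPs and requests in SAMPLE_LOG are made up for the demo), lists the client IPs that requested them, and shows one check the quoted "touched timestamps" remark leaves out: touch(1) can set mtime, but ctime is set by the kernel and cannot be backdated, so a file whose ctime is much newer than its mtime was backdated. It assumes GNU coreutils (stat -c, touch -d) and GNU grep.

```shell
#!/bin/sh
# Added example (not from the original post). Indicator filenames come from
# this thread; the log lines below are constructed for the demo.

# Constructed combined-format access log; 203.0.113.10 and 192.0.2.44 are
# the "attackers", 198.51.100.7 is ordinary traffic.
SAMPLE_LOG='203.0.113.10 - - [05/Jul/2025:02:14:07 +0000] "GET /defauit.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2025:02:14:09 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jul/2025:02:15:30 +0000] "POST /wp-content/uploads/nbpafebaef.jpg HTTP/1.1" 200 33 "-" "curl/8.0"
192.0.2.44 - - [05/Jul/2025:03:01:11 +0000] "GET /defauIt.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [05/Jul/2025:03:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "Googlebot"'

# Filenames reported in the thread as dropped by the attacker (ERE alternation).
IOC_RE='defauit\.php|defauIt\.php|nbpafebaef\.jpg|licelic\.c|\.auto_monitor|\.tmp_baf'

# Write the constructed log to a temp file so the functions take paths,
# exactly as they would take /usr/local/apache/domlogs/* on a real box.
sample_log_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Print every request line whose URL path names an indicator file.
# -h drops filename prefixes so several logs can be passed at once.
ioc_hits() {
    grep -hE "\"(GET|POST|HEAD) [^ ]*($IOC_RE)" "$@"
}

# Distinct client IPs (first log field) that touched an indicator, sorted.
ioc_ips() {
    ioc_hits "$@" | awk '{print $1}' | sort -u
}

# Number of matching request lines.
ioc_count() {
    ioc_hits "$@" | wc -l | tr -d ' '
}

# Backdated mtime check: touch rewrites mtime, but the kernel records the
# real time of that change in ctime, which userspace cannot set. Returns 0
# when ctime is more than a day newer than mtime.
mtime_looks_forged() {
    mtime=$(stat -c %Y "$1")   # GNU stat: mtime as seconds since epoch
    ctime=$(stat -c %Z "$1")   # GNU stat: ctime as seconds since epoch
    [ $((ctime - mtime)) -gt 86400 ]
}

# Constructed demo file, backdated the way the thread describes.
demo_backdated_file() {
    d=$(mktemp -d)
    printf '<?php echo 1;' > "$d/defauit.php"
    touch -d '2025-07-05 02:14:07' "$d/defauit.php"   # GNU touch
    printf '%s\n' "$d/defauit.php"
}

# Demo run on the constructed data.
log=$(sample_log_file)
echo "indicator hits: $(ioc_count "$log")"
echo "client IPs:"
ioc_ips "$log"
bad=$(demo_backdated_file)
if mtime_looks_forged "$bad"; then
    echo "$bad: mtime is backdated (ctime is much newer); use ls -lc / stat to see the real change time"
fi
```

On a live server, call the functions with the real logs (for example `ioc_ips /usr/local/apache/domlogs/*`) and run `mtime_looks_forged` on each file the find command above reports; the ctime comparison is cheap and survives the timestamp tampering the earlier posts describe.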
95
Then follow the messages sent by @pedromidiasf and me from page 5 to page 7. You will see the names of the malicious files dropped by the attackers.

What the exploiters are capable of at the start is equivalent to the file manager, and this might not seem worrying. But then they take full advantage of PHP, so if they want to remove all of your files, they can, and they can redirect your visitors to other websites.

If I were the one using this exploit, I could convert it into a DDoS tool by redirecting every visitor to the website I want to cause a DoS on. So there is no limit; they can do anything they want, and every IT admin should take this seriously.

That's right. And it could even be used as a VPN or proxy, for cryptojacking, and so on. This exploit is fully capable of exploiting the server in PHP code (limited to the user's privileges [non-sudo] and PHP resources).
I haven't formatted the server (only sanitized the public_html folders) and I haven't found anything since. I hope it stays that way.

I might be wrong (and I hope not), but a hacker with full control would delete log files (or entries), clear shell histories, create privileged sudo accounts and add their public SSH keys, schedule tasks, and so on. None of those were done. On the other hand, the public_html folders were invaded with trash.

(Just a guess) Oh, be aware that the MySQL root password might have been dumped. I've created some modules before, and that password is stored as a variable that goes into the panel system. So if the plain-text password is there, it might be stored somewhere else. I've disabled phpMyAdmin on my server in order to secure it.


I've implemented some more security measures; I'll leave them here when I get some free time.
96
Mod_Security / Re: OWASP Latest
« Last post by overseer on October 22, 2025, 06:33:07 PM »
You've got to find the initial access webshell.
97
CSF Firewall / Re: Firewall off in cwp panel
« Last post by overseer on October 22, 2025, 06:31:54 PM »
If it's any comfort, it did this to me once -- and eventually just sorted itself out.
98
This is not obfuscated code. This is ASCII equal to <form method="post".
That's exactly how obfuscation works :)

The attacker uses this pattern in many backdoor files. It's safe for mass removal unless you use regex in your search parameters.
Every file I found has a different footprint. You can't just regex it and trust that you have found every one. You should rather search for PHP files that have "eval" and other interpretive functions.


@pedromidiasf, but did you manage to find the attack vector?

The file manager issue was some time ago, but yesterday some of my websites were changed, and they weren't even WordPress sites. Some files were injected, and I really need to find out what caused that. I only found out because they were development websites and someone tried to add them to Google Search Console, which notified me.

PS. I'm also Portuguese

I have other websites that aren't WordPress that were also infected, but unlike the WordPress sites they were not defaced; they only got the backdoor. I discovered the problem because the Google Search results for our websites were completely messed up (with store items). I then tried emulating Google's bot in my browser and checked Google Search Console to see how the websites were being indexed.

The procedure: I found files in the access log that didn't belong to me, and related to those, the logs contained some IP addresses. I searched those IPs on Google and found results discussing this vulnerability. I then looked up the CVE ID to understand how the exploit works.
99
CSF Firewall / Re: Firewall off in cwp panel
« Last post by setecabanas on October 22, 2025, 04:22:39 PM »
Well, I think I have nothing else left to try.

I have uninstalled CWP and installed it again.
But everything is the same :(
100
Mod_Security / Re: OWASP Latest
« Last post by derak29 on October 22, 2025, 03:15:43 PM »
They still have access after cleaning and changing passwords. I got 3 files, licelic.c, robots.txt and index.php, changed again, and of course the website is not working. Every security application for protection is enabled on the panel. The scan shows 0 infections.