Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - mabdala68

Pages: [1] 2
1
I have 3 servers running Alma 8 with CWP Pro updated as of today. I install updates every day as they are released.
In addition to all CWP security features being active, I use Fail2ban, but clearly nothing stopped the malware injection, since an exploit in the file manager was used.

On some sites, I found both files (defauit.php and the .jpg), and in the /home directories where there were no hosted files, only defauit.php was present. I manually deleted the files from each home directory one by one, then searched across all servers for any remaining ones using this command, and double-checked by reviewing the logs — keeping in mind that if an account has subdomains, it's also necessary to search and delete defauit.php and the .jpg from those folders too.

COMMON DATA:
The Attacker’s IP
Initial Date: July 4th

grep "defauit.php" /usr/local/apache/logs/access_log*

and it will show us ::

198.144.182.13 - - [06/Jul/2025:12:27:39 -0300] "POST /defauit.php?id=1 HTTP/1.0" 200 34
198.144.182.13 - - [06/Jul/2025:12:50:56 -0300] "GET /defauit.php?id=1 HTTP/1.0" 200 1
198.144.182.13 - - [06/Jul/2025:12:50:56 -0300] "POST /defauit.php?id=1 HTTP/1.0" 200 34
198.144.182.13 - - [06/Jul/2025:13:00:05 -0300] "POST /defauit.php?id=1 HTTP/1.0" 200 34
198.144.182.13 - - [06/Jul/2025:14:36:03 -0300] "POST /defauit.php?id=1 HTTP/1.0" 200 34
198.144.182.13 - - [06/Jul/2025:15:59:39 -0300] "POST /defauit.php?id=1 HTTP/1.0" 301 255

I didn't find the files .auto_monitor and/or .tmp_baf on any server

find /home/*/tmp -type f -name ".auto_monitor" 2>/dev/null

find /home/*/tmp -type f -name ".auto_monitor" -exec ls -l {} \; 2>/dev/nul

As an additional measure, I added the source IP (198.144.182.13) to the blocked IPs in CSF, since I see it's the same for all cases. I also inserted the mentioned rule in ModSecurity, correcting the last line (the \ was missing)

/usr/local/apache/modsecurity-cwaf/custom_user.conf:
# Block CWP filemanager exploit attempts (CVE-2025-48703)
SecRule REQUEST_URI "@contains /user/index.php" \
    "id:4870301,phase:2,deny,status:403,log,msg:'[CWP Exploit Block] Block access to module=filemanager&acc=findFiles',chain"
    SecRule ARGS:module "@streq filemanager" \
        "chain"
        SecRule ARGS:acc "@streq findFiles" \

I also made sure everything was up to date using dnf --refresh update.

Remember to check the subdomains and make sure this doesn't happen again!




2
Hello community,

I’m using a server with CentOS Web Panel (CWP) and I would like to know how to enforce strong password policies when creating email accounts (e.g., at least 12 characters, including uppercase, lowercase, numbers, and special characters).

I’ve seen references to a file called `mail_add.php` in older guides, but I can’t find it in my current installation. I’ve checked the directories `/usr/local/cwpsrv/htdocs/admin/` and `/usr/local/cwpsrv/var/services/users/`, but I couldn’t locate the script where password validation is handled during email account creation.

Is there an official or recommended way to implement strong password requirements for email creation in the user or root panel?

Thanks in advance for any guidance.

3
Installation / Laravel in CWP Panel
« on: April 11, 2025, 06:18:42 PM »
Has anyone set up Laravel to work within CWP for a single user and/or for all users securely? As a user, I tried installing it from the Addons/Script section, but it doesn't work, even though it says it's installed in the specified path."

4
Updates / Problem Yesterday Update (19Dic)
« on: December 20, 2024, 04:58:15 AM »
Yesterday, I perfomed an important update from the CWP root panel. After completing the update,  the created subdomains stopped working and started returning a 500Error. Any Ideas or Scripts to resolve this issue ?

5
CentOS 8 Problems / Re: New Account Failed
« on: December 06, 2024, 01:50:25 PM »
hank you for your suggestion. I haven’t tried what you mentioned about creating a test user from root in the shell or checking what happens in the /home directory. I also haven’t verified if the root user is functioning normally on the system. I’ll follow your steps to perform these tests and let you know the results.

Regarding MySQL, I can access the MySQL root user successfully using mysql -u root -p. Is there anything specific I should check in this context?"**










6
CentOS 8 Problems / Re: New Account Failed
« on: December 04, 2024, 04:42:04 PM »
"The user and the folder are not created. The error appears when trying to create a new user, but nothing is created. It only shows that message."
It's as if the root user had lost the privilege to create new users, but even from a Reseller account, new users cannot be created either

7
CentOS 8 Problems / Re: New Account Failed
« on: December 04, 2024, 03:01:04 PM »
2024-12-04 02:12:33 CreateAccount_FAILED HOMEDIR_EXISTS:qwerty:qwerty.com    /// but the account not created !!

8
CentOS 8 Problems / Re: New Account Failed
« on: December 03, 2024, 10:33:27 PM »
Yes I create a Package for this user.. I proof with the old package (active in other users), not work too

9
CentOS 8 Problems / New Account Failed
« on: December 03, 2024, 04:59:17 PM »
Have an idea ???  when I create a new account, this message appear ::::  Warning! User Account XXXXX not added !!!

using Almalinux 8


10
CentOS 7 Problems / NEW ACCOUNT Failed
« on: December 03, 2024, 04:57:47 PM »
Have an idea ???  when I create a new account, this message appear ::::  Warning! User Account XXXXX not added !!!

11
MySQL / Re: MySQL Manager in CWP not working
« on: October 28, 2024, 08:07:27 PM »
 mysql_upgrade --force
Reading datadir from the MariaDB server failed. Got the following error when executing the 'mysql' command line client
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
FATAL ERROR: Upgrade failed

12
MySQL / Re: MySQL Manager in CWP not working
« on: October 28, 2024, 07:23:47 PM »
mysql -V
mysql  Ver 15.1 Distrib 10.11.9-MariaDB, for Linux (x86_64) using readline 5.1

13
MySQL / Re: MySQL Manager in CWP not working
« on: October 28, 2024, 06:29:36 PM »
Now, my MySQL config is empty. When I insert the previous configuration, the system shows the following error ::::


Warning: mysqli_connect(): (HY000/1045): Access denied for user 'root'@'localhost' (using password: YES) in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php on line 0

Warning: mysqli_connect(): (HY000/1045): Access denied for user 'root'@'localhost' (using password: YES) in /usr/local/cwpsrv/htdocs/admin/admin/index.php on line 0

Trying to start mysql server, please wait!
Try to restart Control Web Panel with command: sh /scripts/restart_cwpsrv

**Check your MySQL root password in: /usr/local/cwpsrv/htdocs/resources/admin/include/db_conn.php and /root/.my.cnf
You can reset the MySQL root password fast with this command: /scripts/mysql_pwd_reset -q


Warning: mysqli_error() expects exactly 1 parameter, 0 given in /usr/local/cwpsrv/htdocs/admin/admin/index.php on line 0
Could not connect:

14
MySQL / Re: MySQL Manager in CWP not working
« on: October 28, 2024, 06:18:56 PM »
I don't know where else to check, whether to delete the MySQL configuration, review a MySQL database, I can't think of how to proceed.

15
MySQL / Re: MySQL Manager in CWP not working
« on: October 28, 2024, 06:12:43 PM »
I restore my image disk, and the problem solved, But I still haven't solved the MySQL Manager issue

Pages: [1] 2