Recent Posts
21
PostgreSQL / Re: Error starting postgres
« Last post by gilliard on October 10, 2025, 04:58:55 PM »just one postgresql.service
22
PostgreSQL / Re: Error starting postgres
« Last post by gilliard on October 10, 2025, 04:58:12 PM »
23
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by ConcernedCitizen on October 10, 2025, 03:52:46 PM »After that, anything can be changed realy. I notice some plugins changed, and theme files. Also there is a mu-plugin that is created to the redirect.
Location of those changes? Where can i find them?
The attacker have access to every file in your system. It could change anything...
I cannot provide you a "list" of what was changed in your case. Could be just the theme files, or nothing at all - some servers may still have the backdoor placed due to the exploitation of this vulnerability in CWP, but not "activated" - are there just waiting to a request that activates the malicious payload.
The WAF rules provided here can help, but don't fix the problem if your server is already affected.
The good news is that CWP already "silently patched" this vulnerability, so you should be safe from be attacked again if you use CWP.
I didn't check all the WAF rules provided here, but the request is activated with a specific query in a POST request made to the files placed in your server. If you simply access the files, they do nothing.
It should be a request like "domain.xxxx/defaiult.php?t=XXXXXXXXXX" - where XXXXXXXXXX is a specific query.
I did decode the files, and they install a webshell - thats it. What they do after that is from the attacker point of interest.
Unfortunately, if you have been affected by this, you have two options:
- Try to see the files that have been recently changed in your system. Not just the account that is affected, but ALL the system. After that, see if something was malicious changed.
- Don't consider the server safe. Try to deploy your accounts in a fresh new server - and make sure that every single website is also clean. Use something like WordFence, or more abroad, something like CPGuard to scan the accounts.
We are not safe at all. Just today our websites affected again.
This exploit was there since 2021, We've checked all the files and found out some unused websites had defauit.php, backup.c and licelic.c files with timestamp showing 2021. And infected websites will always have robots.txt file.
I thought maybe I could fix it myself by editing filemanager but its an obfuscated file. So we decided to move our customers to another panel.
24
Installation / Re: Cannot login into the admin panel anymore
« Last post by overseer on October 10, 2025, 03:06:24 PM »When changing the root password outside of CWP, make sure to update these two files so they agree with the current PW:
/usr/local/cwpsrv/htdocs/resources/admin/include/db_conn.php
/root/.my.cnf
/usr/local/cwpsrv/htdocs/resources/admin/include/db_conn.php
/root/.my.cnf
25
CentOS 8 Problems / Re: packages update error AlmaLinux 8
« Last post by setecabanas on October 10, 2025, 02:51:32 PM »Code: [Select]
[root@server yum.repos.d]# ll
total 88
-rw-r--r-- 1 root root 822 Oct 10 03:26 CentOS-Base.repo
-rw-r--r--. 1 root root 943 May 22 2024 almalinux-ha.repo
-rw-r--r--. 1 root root 905 May 22 2024 almalinux-nfv.repo
-rw-r--r--. 1 root root 885 May 22 2024 almalinux-plus.repo
-rw-r--r--. 1 root root 963 Sep 30 12:51 almalinux-powertools.repo
-rw-r--r--. 1 root root 1041 May 22 2024 almalinux-resilientstorage.repo
-rw-r--r--. 1 root root 871 May 22 2024 almalinux-rt.repo
-rw-r--r--. 1 root root 873 May 22 2024 almalinux-sap.repo
-rw-r--r--. 1 root root 928 May 22 2024 almalinux-saphana.repo
-rw-r--r--. 1 root root 2666 May 22 2024 almalinux.repo
-rw-r--r--. 1 root root 146 Sep 27 20:34 cwp.repo
-rw-r--r-- 1 root root 1680 Apr 22 17:22 epel-modular.repo
-rw-r--r-- 1 root root 1779 Apr 22 17:22 epel-testing-modular.repo
-rw-r--r-- 1 root root 1431 Apr 22 17:22 epel-testing.repo
-rw-r--r-- 1 root root 1392 Oct 2 17:20 epel.repo
-rw-r--r-- 1 root root 1332 Apr 22 17:22 epel.repo.rpmnew
-rw-r--r-- 1 root root 2485 Oct 6 09:22 getpagespeed-extras.repo.rpmsave
-rw-r--r-- 1 root root 180 Sep 30 20:07 mariadb.repo
-rw-r--r-- 1 root root 180 Sep 30 18:45 mariadb.repo.bak
-rw-r--r-- 1 root root 579 Sep 30 20:21 nginx-alpn_mainline.repo
-rw-r----- 1 root root 109 Oct 10 03:26 nginx.repo
-rw-r--r-- 1 root root 603 Sep 30 13:10 varnishcache_varnish64.repo26
Installation / Cannot login into the admin panel anymore
« Last post by Nagataka on October 10, 2025, 02:26:43 PM »Hi all,
Sorry if i post this question in the wrong section.
For a while i am running CWP without any problems.
Last week, i decided to change the root password on the server itself, so not through the controlpanel.
After that, i cannot login into the admin panel anymore.
Also, all the packages i created, cannot login to the client area.
To be honest i was thinking, those passwords would be the same as in /etc/passwd, but i guess i am wrong.
Is there anyway i can retrieve access again to the admin area?
Sorry if i post this question in the wrong section.
For a while i am running CWP without any problems.
Last week, i decided to change the root password on the server itself, so not through the controlpanel.
After that, i cannot login into the admin panel anymore.
Also, all the packages i created, cannot login to the client area.
To be honest i was thinking, those passwords would be the same as in /etc/passwd, but i guess i am wrong.
Is there anyway i can retrieve access again to the admin area?
27
CentOS 8 Problems / Re: packages update error AlmaLinux 8
« Last post by djprmf on October 10, 2025, 01:30:26 PM »Check:
ls /etc/yum.repos.d/
See if you have duplicated repos there or show here
The issue appears to be with amavis package.
ls /etc/yum.repos.d/
See if you have duplicated repos there or show here
The issue appears to be with amavis package.
28
CentOS 8 Problems / Re: packages update error AlmaLinux 8
« Last post by setecabanas on October 10, 2025, 01:06:28 PM »same problem 
Code: [Select]
Repository extras is listed more than once in the configuration
Last metadata expiration check: 0:00:27 ago on Fri Oct 10 13:04:30 2025.
Error:
Problem: package amavis-2.13.1-1.el8.noarch from @System requires perl(Amavis), but none of the providers can be installed
- package amavis-2.13.1-1.el8.noarch from @System requires perl(Amavis::Boot), but none of the providers can be installed
- package amavis-2.13.1-1.el8.noarch from @System requires perl(Amavis::Util), but none of the providers can be installed
- package amavis-2.13.1-1.el8.noarch from @System requires perl-Amavis = 2.13.1-1.el8, but none of the providers can be installed
- package perl-Amavis-2.13.1-1.el8.noarch from epel requires perl(Compress::Zlib) >= 1.35, but none of the providers can be installed
- package perl-Amavis-2.13.1-1.el8.noarch from @System requires perl(Compress::Zlib) >= 1.35, but none of the providers can be installed
- cannot install the best update candidate for package perl-IO-Compress-2.081-1.el8.noarch
- package perl-IO-Compress-2.081-1.el8.noarch from @System requires perl(Compress::Raw::Zlib) >= 2.081, but none of the providers can be installed
- package perl-IO-Compress-2.081-1.el8.noarch from baseos requires perl(Compress::Raw::Zlib) >= 2.081, but none of the providers can be installed
- cannot install both perl-Compress-Raw-Zlib-1:2.061-4.el7.x86_64 from base and perl-Compress-Raw-Zlib-2.081-1.el8.x86_64 from @System
- cannot install both perl-Compress-Raw-Zlib-2.081-1.el8.x86_64 from baseos and perl-Compress-Raw-Zlib-1:2.061-4.el7.x86_64 from base
- package amavis-2.13.1-1.el8.noarch from @System requires perl(Compress::Raw::Zlib) >= 2.017, but none of the providers can be installed
- cannot install the best update candidate for package perl-Compress-Raw-Zlib-2.081-1.el8.x86_64
- package perl-Compress-Raw-Zlib-2.074-2.module_el8.1.0+6019+b22674e1.x86_64 from appstream is filtered out by modular filtering
- package perl-Compress-Raw-Zlib-2.093-1.module_el8.3.0+6149+d2c5d96d.x86_64 from appstream is filtered out by modular filtering
- package perl-Compress-Raw-Zlib-2.096-2.module_el8.10.0+3779+d5938d28.x86_64 from appstream is filtered out by modular filtering
- cannot install the best update candidate for package amavis-2.13.1-1.el8.noarch
- problem with installed package amavis-2.13.1-1.el8.noarch
- package perl-IO-Compress-2.074-2.module_el8.1.0+6019+b22674e1.noarch from appstream is filtered out by modular filtering
- package perl-IO-Compress-2.093-1.module_el8.3.0+6149+d2c5d96d.noarch from appstream is filtered out by modular filtering
- package perl-IO-Compress-2.096-1.module_el8.6.0+2766+8bf0b7ce.noarch from appstream is filtered out by modular filtering
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)29
CentOS 8 Problems / Re: packages update error AlmaLinux 8
« Last post by djprmf on October 10, 2025, 12:58:27 PM »Hi,
Try to do this commands in SSH:
sudo dnf clean all
sudo dnf update
if the error is still there, you can try to update anyway:
sudo dnf update --allowerasing
Try to do this commands in SSH:
sudo dnf clean all
sudo dnf update
if the error is still there, you can try to update anyway:
sudo dnf update --allowerasing
30
CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ
« Last post by pedromidiasf on October 10, 2025, 12:58:06 PM »Cool. Thank you
