February 21

Posted in the CWP forums but there is not much going on there; figured I might get some help here.

New CWP install on Alma 8. On a private IP with no ports forwarded, just doing the updates and such.

Ran some updates and got the popup in the webpage; ran it and got this.

No idea? Is it serious or just a false positive on something?

sh /scripts/cwp_security_audit
------------------------------------------------------
[INFO] Auditing cwpsrv (PID: 156548)
[OK] cwpsrv looks clean.
------------------------------------------------------
[INFO] Auditing php-fpm-cwp (PID: 1086)
[!!! CRITICAL ALERT !!!] Ghost files (deleted but running) found:
php-fpm 1086 root DEL REG 253,0 1837740 /usr/local/ioncube/ioncube_loader_lin_7.2.so
Error:Can't add notification!
------------------------------------------------------
[INFO] Auditing apache (PID: 157091)
[OK] apache looks clean.
------------------------------------------------------

Edited February 21 by MrDaveF

February 24

It's clean; there is no rootkit on your server. IonCube is used by CWP as it is encoded with it, and for decryption purposes the .so is loaded.

March 12

On 3/10/2026 at 9:56 PM, enetworkassociates said:
> CWP has recently started kicking out this and other like warnings for me as well...

Yep. I'm now getting an alert about unauthorized ports for php-fpm. I'm not sure if it's due to my recent tweak to add PHP 8.5 support in CWP selectors.

March 22

Maybe you should change line 87 in /scripts/cwp_security_audit like this:

local CURRENT_PORTS=$(ss -ltnp | grep "pid=$PID," | sed -nE 's/.*:([0-9]+).*/\1/p')

This way there are no false positives.

Or maybe, even better:

local CURRENT_PORTS=$(ss -ltnp state listening | grep "pid=$PID," | sed -nE 's/.*:([0-9]+).*/\1/p' | sort -u)

and after the "for ... do" line:

[[ "$PORT" =~ ^[0-9]+$ ]] || continue

to avoid garbage.

Edited Monday at 04:40 PM by Fidolas Enhancements
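
The pipeline suggested in the post above, run against constructed `ss -ltnp` output, as an added example that is not part of the thread or of CWP's script. The sample lines, the function names and the allowlist argument are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -ltnp` output (not captured from a real host).
# PID 10861 is included on purpose: it shares a prefix with PID 1086.
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=901,fd=3))
LISTEN 0      511    127.0.0.1:9000     0.0.0.0:*         users:(("php-fpm",pid=1086,fd=7))
LISTEN 0      511    [::1]:9000         [::]:*            users:(("php-fpm",pid=1086,fd=8))
LISTEN 0      511    127.0.0.1:9085     0.0.0.0:*         users:(("php-fpm",pid=10861,fd=9))
LISTEN 0      511    *:2031             *:*               users:(("cwpsrv",pid=156548,fd=6))
EOF
}

# Listening ports owned by PID $1, reading ss output on stdin.
# Same grep/sed/sort stages as the second suggestion in the post:
#  - the trailing comma in "pid=$1," stops PID 1086 from matching pid=10861
#  - sed keeps the digits after the last colon that is followed by a digit,
#    which is the local port (":*" and "users:(" are never followed by a digit)
#  - sort -u collapses the IPv4 and IPv6 listeners on the same port
ports_for_pid() {
    grep "pid=$1," | sed -nE 's/.*:([0-9]+).*/\1/p' | sort -u
}

# Print the ports of PID $1 that are missing from the space-separated
# allowlist $2 (hypothetical stand-in for the script's own port list).
unexpected_ports() {
    for PORT in $(sample_ss | ports_for_pid "$1"); do
        # POSIX form of the post's: [[ "$PORT" =~ ^[0-9]+$ ]] || continue
        case "$PORT" in ''|*[!0-9]*) continue ;; esac
        case " $2 " in
            *" $PORT "*) ;;                 # allowed, stay quiet
            *) printf '%s\n' "$PORT" ;;     # not in the allowlist
        esac
    done
}

# Stand-alone demo: PID 10861 listens on 9085, which is not in the allowlist.
unexpected_ports 10861 "9000"
```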