TheLaw
Well-known member
On some of my sites I have WordPress installed in subdirectories and they operate independently from XenForo. I found a strange phenomenon where my site was being taken offline and I was seeing the index.php replaced with a WordPress index.php and malicious code stuck in the top. I was wondering whether it was some automated script that was assuming my site was running WP from the root - which I'm not - and just took the site offline. But it apparently does not appear to have been WordPress that may have been the culprit.
Given that I found the exact same issue as in this post, it seems that my site was targeted using a Control-Web Panel (CWP) exploit that was revealed recently in October. Control-Web Panel is a low-cost alternative to WHM/cPanel. I have some of my servers on managed VPS and it seems that at least some of their security team may not have been aware. So in the event you're seeing your XF site being taken offline, check your index.php file and look for the files that I found. Hopefully this will save some of you time and also not need to report it here.
[CRITICAL] Multiple CWP Servers Infected Arbitrary PHP Code Execution via Publ
forum.centos-webpanel.com