Ping7 security tools

cPanel incident first pass

Check cPanel CVE-2026-41940 residue before cleanup

A read-only local IOC detector for WHM/cPanel servers. It checks patch state, ransomware traces, Mr_Rot13 Filemanager indicators, cron, SSH keys, web paths, and logs.

CVSS 9.8, critical
IOC: post-compromise signals
Root logs: needs local server access
Run this only on servers you own or are approved to review. The detector is for local evidence review. No payloads. No broad scanning. No exploitation steps.
# inspect before running: it will execute as root, so read all of it first
curl -fsSLO https://raw.githubusercontent.com/limo57640-crypto/cpanel-cve-41940-detector/main/detect.sh
less detect.sh

# run on the server (root is needed to read cron, SSH keys, and logs)
sudo bash detect.sh

# status words the script prints
CLEAN | SUSPICIOUS | COMPROMISED | ERROR

Checks that survive the first patch

Patching cPanel is not the same as proving the server is clean. The checks on this page look for residue that survives the patch.

Patch and build state

Checks WHM/cPanel build markers and flags systems that still need version review.

Persistence signals

Reviews root cron, SSH authorized keys, cPanel session artifacts, and suspicious web paths.

Ransomware and backdoors

Looks for .sorry-style encrypted file traces, Mr_Rot13 Filemanager residue, and related indicators.

Result states

Use the status in the incident timeline and preserve evidence before deleting files.

CLEAN

No IOC matched with the current local access. This is absence of evidence, not proof that the server was never touched.

SUSPICIOUS

An anomaly matched that needs manual review before the incident can be closed.

COMPROMISED

A strong IOC matched. Snapshot and preserve logs before cleanup.

ERROR

The script could not complete, usually because root access or cPanel paths were missing.
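As an added example, not the Ping7 detect.sh and not a substitute for it, the bash script below performs read-only versions of the checks described under "Checks that survive the first patch" and reduces the findings to the four status words above. The file locations (/usr/local/cpanel/version, /var/spool/cron/root, /root/.ssh/authorized_keys, /home/*/public_html), the literal Mr_Rot13 marker string, the fetch-and-execute cron pattern and the authorized_keys baseline file are assumptions made for illustration; the detector's real indicators are whatever detect.sh contains.

```shell
#!/usr/bin/env bash
# Added example, not the Ping7 detect.sh. Read-only residue checks that end in
# the page's CLEAN | SUSPICIOUS | COMPROMISED | ERROR status. Every path is
# taken relative to the ROOT argument so the logic can be exercised against a
# fixture tree; the locations below are assumptions about a standard
# WHM/cPanel install on a RHEL-family OS.

# Patch/build state: the cPanel version file must be readable, otherwise we
# cannot say anything about the box (ERROR rather than CLEAN).
cpanel_version() {
  local f="$1/usr/local/cpanel/version"
  [ -r "$f" ] && tr -d '[:space:]' < "$f"
}

# Weak signal: a root cron line that fetches and executes in one pipeline.
cron_fetch_exec_lines() {
  local cron="$1/var/spool/cron/root"
  [ -f "$cron" ] || { echo 0; return; }
  grep -Ec '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' "$cron" || true
}

# Weak signal: root authorized_keys entries whose key blob is absent from an
# operator-kept baseline file (assumed; no baseline means the check is skipped).
unknown_root_keys() {
  local keys="$1/root/.ssh/authorized_keys" baseline="$2" line blob n=0
  { [ -f "$keys" ] && [ -f "$baseline" ]; } || { echo 0; return; }
  while IFS= read -r line; do
    blob=$(printf '%s\n' "$line" | awk '{for(i=1;i<=NF;i++) if($i ~ /^AAAA/){print $i; exit}}')
    [ -n "$blob" ] || continue              # blank, comment, or malformed line
    grep -qF -- "$blob" "$baseline" || n=$((n + 1))
  done < "$keys"
  echo "$n"
}

# Strong signal: encrypted-file traces carrying the .sorry extension.
sorry_files() {
  find "$1/home" -type f -name '*.sorry' 2>/dev/null | wc -l | tr -d ' '
}

# Strong signal: the Mr_Rot13 marker string inside any account web root
# (the literal string is an assumption used for illustration).
rot13_marker_files() {
  grep -rlF 'Mr_Rot13' "$1"/home/*/public_html 2>/dev/null | wc -l | tr -d ' '
}

# Any strong IOC wins; otherwise a weak one needs a human; otherwise CLEAN.
classify() {
  local strong="$1" weak="$2"
  if   [ "$strong" -gt 0 ]; then echo COMPROMISED
  elif [ "$weak"   -gt 0 ]; then echo SUSPICIOUS
  else                           echo CLEAN
  fi
}

# scan ROOT [BASELINE_KEYS_FILE]  ->  prints exactly one status word
scan() {
  local root="${1:-/}" baseline="${2:-}" strong weak
  cpanel_version "$root" > /dev/null || { echo ERROR; return 1; }
  strong=$(( $(sorry_files "$root") + $(rot13_marker_files "$root") ))
  weak=$(( $(cron_fetch_exec_lines "$root") + $(unknown_root_keys "$root" "$baseline") ))
  classify "$strong" "$weak"
}

# Live use (as root, so cron, SSH keys, and web roots are readable):
#   sudo bash -c '. ./residue_scan.sh; scan / /root/authorized_keys.baseline'
```

Nothing in the script writes to the server, and a missing version file yields ERROR rather than CLEAN, which matches the rule above that a scan that could not complete must not be read as a clean result. Record the status word together with the detector version in the incident timeline before touching any of the files it flagged.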

Issue or repair

Open a GitHub issue for tool bugs, false positives, OS or cPanel version handling, or non-sensitive documentation fixes.

Use Ping7 repair when the result is SUSPICIOUS or COMPROMISED, or when live domains, customer files, private logs, SSH keys, cron entries, or ransomware traces should not be posted in public.

Evidence to keep

  • Detector output and version.
  • WHM/cPanel version and OS family.
  • First suspicious timestamp.
  • Ransomware extension examples, unknown SSH keys, cron jobs, web-root paths, or cPanel session anomalies.
  • Whether Apache, ModSecurity, cphulkd, and root login logs are still available.

Repair handoff

Send WHM version, detector result, first suspicious timestamp, visible symptoms, and whether logs are still available. Do not send passwords in the first message.

Request Ping7 repair help