403Webshell
Server IP : 67.43.7.42  /  Your IP : 216.73.216.61
Web Server : Apache
System : Linux host.isabellascookies.com 2.6.32-754.35.1.el6.x86_64 #1 SMP Sat Nov 7 12:42:14 UTC 2020 x86_64
User : isabella ( 503)
PHP Version : 5.5.38
Disable Function : exec,passthru,shell_exec,system
MySQL : ON  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : ON  |  Sudo : ON  |  Pkexec : ON
Directory :  /tmp/


Current File : /tmp/sessionscribe-ioc-scan.19183.log
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"version","id":"version_detect","severity":"info","key":"detected","weight":0,"version":"86.0.43","tier":"86","build":"43","raw":"86.0 (build 43)","wpsquared":"0","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"version","id":"tier_class","severity":"info","key":"patched_per_build","weight":5,"tier":"86","build":"43","cutoff":"41","note":"86.0.43 ≥ vendor cutoff 86.0.41","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"static","id":"alg_length_optrec_bug","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Security/Authn/Provider/OpenIdConnectBase.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"static","id":"start_authorize_in_die","severity":"advisory","key":"ancillary_bug_unpatched","weight":0,"file":"Cpanel/Security/Authn/Provider/OpenIdConnectBase.pm","note":"OpenIdConnectBase.pm start_authorize() invoked inside a die() arg list mutates session-state on the error path. Pre-existing OIDC bug, NOT the SessionScribe primitive; post-auth oracle, fixed on the 134-line and not backported. Resolves on tier upgrade.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"static","id":"service_name_fallback","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Security/Authn/Provider/OpenIdConnectBase.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"static","id":"session_no_ob_branch","severity":"info","key":"patch_marker_present","weight":0,"file":"Cpanel/Session/Load.pm","note":"Patched session loader has the no-ob: prefix branch (WebPros plumbing).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"static","id":"session_hex_decode_only","severity":"info","key":"patch_marker_present","weight":0,"file":"Cpanel/Session/Encoder.pm","note":"Patched encoder adds hex_decode_only / hex_encode_only methods (WebPros plumbing).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"static","id":"accessids_normalize_die_usernotfound","severity":"info","key":"patch_marker_present","weight":0,"file":"Cpanel/AccessIds/Normalize.pm","note":"Patched Normalize.pm dies with UserNotFound on missing uid (defense-in-depth).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"static","id":"comet_state_bypass_branch","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Server/Handlers/OpenIdConnect.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"static","id":"cve_41940_set_pass_crlf_strip","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Session.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"binary","id":"cpsrvd_locate","severity":"info","key":"cpsrvd_path","weight":0,"path":"/usr/local/cpanel/cpsrvd","size":"18081120","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"binary","id":"acl_strings","severity":"info","key":"acl_machinery_present_informational","weight":0,"acl_count":"1","token_count":"0","note":"1 ACL + 0 token-reader strings - informational only; on 134+ both vuln and patched binaries carry these. Defer to version-string verdict.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"logs","id":"ioc_scan","severity":"info","key":"no_ioc_hits","weight":0,"note":"no IOC-pattern hits in access logs (last 90d).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"sessions","id":"session_scan","severity":"info","key":"no_session_iocs","weight":0,"scanned":"28","probe_artifacts":"0","note":"no IOCs or anomalous-shape sessions found","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"destruction","id":"ioc_pattern_m_sudoers_known_good","severity":"info","key":"ioc_pattern_m_sudoers_known_good","weight":0,"path":"/etc/sudoers.d/lwadmin","mtime_epoch":"1778613348","ctime_epoch":"1778613348","note":"Sudoers drop /etc/sudoers.d/lwadmin matches LW/Nexcess provisioning shape (NOPASSWD:ALL is standard for lwadmin) - re-image+restore re-stamps mtime/ctime; not a Pattern M IOC.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"destruction","id":"ioc_pattern_m_accesshash_post_disclosure_review","severity":"warning","key":"ioc_pattern_m_accesshash_recent_drop_review","weight":4,"path":"/root/.accesshash","mtime_epoch":"1778620914","ctime_epoch":"1778620914","note":"/root/.accesshash touched on/after 2026-04-28 with no corroborating Pattern M signal - may be legitimate admin/devops WHM API enable; manual review.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"posture","id":"csf_active","severity":"info","key":"posture_csf_active","weight":0,"input_policy":"DROP","localin_rules":"3","has_invdrop":"1","lfd_pid":"15271","csf_version":"14.24","lf_ipset":"0","ipset_sets":"0","note":"CSF active: LOCALINPUT/LOCALOUTPUT/LOGDROPIN loaded, INPUT->LOCALINPUT jump present (3 rules), lfd pid=15271, csf=14.24, INPUT policy=DROP.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"summary","id":"forensic_run","severity":"info","key":"forensic_chain_on_all","weight":0,"host_root_verdict":"SUSPICIOUS","host_user_verdict":"CLEAN","note":"host_root=SUSPICIOUS host_user=CLEAN; --chain-on-all forces forensic phases regardless of verdict.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"defense","id":"patch_active","severity":"info","key":"patch_active","weight":0,"note":"build=11.86.0.43 mtime=2026-05-06T17:19:27Z","epoch":"1778087967","build":"11.86.0.43","patch_state":"PATCHED","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"defense","id":"cpsrvd_running","severity":"info","key":"cpsrvd_running","weight":0,"note":"pid=2476 started=2026-05-12T19:52:30Z","epoch":"1778615550","pid":"2476","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"defense","id":"mitigate_absent","severity":"warning","key":"mitigate_absent","weight":4,"note":"/var/cpanel/sessionscribe-mitigation does not exist","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"defense","id":"modsec_absent","severity":"warning","key":"modsec_absent","weight":4,"note":"rule 1500030 missing","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"defense","id":"csf_dirty","severity":"warning","key":"csf_dirty","weight":4,"note":"cpsrvd ports present in TCP_IN/TCP6_IN","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"defense","id":"csf_not_in_effect","severity":"warning","key":"csf_not_in_effect","weight":4,"note":"csf.conf clean but iptables INPUT still ACCEPTs cpsrvd ports from 0.0.0.0/0","open_ports":"2082 2083 2086 2087 2095 2096","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"defense","id":"proxysub_enabled","severity":"info","key":"proxysub_enabled","weight":0,"note":"main=1 new=1","epoch":"1778621060","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"defense","id":"upcp_history","severity":"info","key":"upcp_history","weight":0,"note":"last_complete=2026-05-12 15:18:04 -0400","epoch":"1778613484","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"offense","id":"ioc_pattern_m_accesshash_recent_drop_review","severity":"strong","key":"ioc_pattern_m_accesshash_recent_drop_review","weight":10,"note":"/root/.accesshash touched on/after 2026-04-28 with no corroborating Pattern M signal - may be legitimate admin/devops WHM API enable; manual review.","epoch":"1778620914","pattern":"?","envelope":"1778621094-19840.json","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"reconcile","id":"kill_chain_event","severity":"info","key":"kill_chain_event","weight":0,"note":"pattern=? verdict=POST-PARTIAL event=ioc_pattern_m_accesshash_recent_drop_review when=2026-05-12T21:21:54Z delta=partial:patch","verdict":"POST-PARTIAL","pattern":"?","event_key":"ioc_pattern_m_accesshash_recent_drop_review","event_epoch":"1778620914","delta_seconds":"partial:patch","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"reconcile","id":"defense_late","severity":"warning","key":"defense_late","weight":4,"note":"latest defense 146s after first compromise","gap_seconds":"146","first_offense":"1778620914","last_defense":"1778621060","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"bundle","id":"pkg_inventory_written","severity":"info","key":"pkg_inventory_written","weight":0,"note":"package inventory captured (kind=rpm count=1700)","kind":"rpm","count":"1700","path":"software-inventory.txt","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"bundle","id":"pkg_inventory_b64gz","severity":"info","key":"pkg_inventory_b64gz","weight":0,"note":"inventory encoded for envelope (note=ok raw=73312 enc=25096)","note":"ok","raw_bytes":"73312","encoded_bytes":"25096","sha256":"14968d6e3486c81a5e671fdc27920484c36ce5fbea5e110fee5d51bf9047f2a7","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"bundle","id":"ioc_envelope_captured","severity":"info","key":"ioc_envelope_captured","weight":0,"note":"ioc-scan envelope written to bundle (37282 bytes)","dest":"ioc-scan-envelope.json","bytes":"37282","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"bundle","id":"kill_chain_primitives","severity":"info","key":"kill_chain_primitives","weight":0,"note":"wrote kill-chain.tsv/jsonl/md to bundle dir","tsv":"kill-chain.tsv","jsonl":"kill-chain.jsonl","md":"kill-chain.md","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"bundle","id":"lsof_captured","severity":"info","key":"lsof_captured","weight":0,"note":"lsof captured (637331B)","bytes":"637331","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"bundle","id":"bundle_complete","severity":"info","key":"bundle_complete","weight":0,"note":"dir=/root/.ic5790-forensic/2026-05-12T21:24:54Z-1778621094-19840 size=1.1M","dir":"/root/.ic5790-forensic/2026-05-12T21:24:54Z-1778621094-19840","size":"1.1M","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"upload","id":"upload_complete","severity":"info","key":"upload_complete","weight":0,"note":"http=201 url=https://intake.rfxn.com/","url":"https://intake.rfxn.com/","body":"{\"stored_as\":\"20260512-212502-685627-67.43.7.40-sessionscribe-telemetry.tgz\",\"label\":\"sessionscribe-telemetry\",\"bytes\":128340,\"sha256\":\"725cfebf9997550efd7abf34754f71c26eaffa17045a4df0e15cc0ad9c4c9a64\",\"remaining_uses\":4393951}","outer":"/root/.ic5790-forensic/2026-05-12T21:24:54Z-1778621094-19840.upload.tgz","telemetry_mode":"1","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778621094-19840","area":"summary","id":"forensic_summary","severity":"info","key":"forensic_reconstruction","weight":0,"verdict":"COMPROMISED_POST_DEFENSE","iocs_total":"1","pre_defense":"0","post_defense":"1","defenses_extracted":"2","note":"forensic reconstruction: COMPROMISED_POST_DEFENSE (exit=1; does not override host_verdict exit code)","affected_user":"_root","actor_privilege":"root"}
