{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"version","id":"version_detect","severity":"info","key":"detected","weight":0,"version":"86.0.44","tier":"86","build":"44","raw":"86.0 (build 44)","wpsquared":"0","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"version","id":"tier_class","severity":"info","key":"patched_per_build","weight":5,"tier":"86","build":"44","cutoff":"44","note":"86.0.44 ≥ vendor cutoff 86.0.44","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"static","id":"alg_length_optrec_bug","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Security/Authn/Provider/OpenIdConnectBase.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"static","id":"start_authorize_in_die","severity":"advisory","key":"ancillary_bug_unpatched","weight":0,"file":"Cpanel/Security/Authn/Provider/OpenIdConnectBase.pm","note":"OpenIdConnectBase.pm start_authorize() invoked inside a die() arg list mutates session-state on the error path. Pre-existing OIDC bug, NOT the SessionScribe primitive; post-auth oracle, fixed on the 134-line and not backported. Resolves on tier upgrade.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"static","id":"service_name_fallback","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Security/Authn/Provider/OpenIdConnectBase.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"static","id":"session_no_ob_branch","severity":"info","key":"patch_marker_present","weight":0,"file":"Cpanel/Session/Load.pm","note":"Patched session loader has the no-ob: prefix branch (WebPros plumbing).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"static","id":"session_hex_decode_only","severity":"info","key":"patch_marker_present","weight":0,"file":"Cpanel/Session/Encoder.pm","note":"Patched encoder adds hex_decode_only / hex_encode_only methods (WebPros plumbing).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"static","id":"accessids_normalize_die_usernotfound","severity":"info","key":"patch_marker_present","weight":0,"file":"Cpanel/AccessIds/Normalize.pm","note":"Patched Normalize.pm dies with UserNotFound on missing uid (defense-in-depth).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"static","id":"comet_state_bypass_branch","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Server/Handlers/OpenIdConnect.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"static","id":"cve_41940_set_pass_crlf_strip","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Session.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"binary","id":"cpsrvd_locate","severity":"info","key":"cpsrvd_path","weight":0,"path":"/usr/local/cpanel/cpsrvd","size":"18081136","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"binary","id":"acl_strings","severity":"info","key":"acl_machinery_present_informational","weight":0,"acl_count":"1","token_count":"0","note":"1 ACL + 0 token-reader strings - informational only; on 134+ both vuln and patched binaries carry these. Defer to version-string verdict.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"logs","id":"ioc_scan","severity":"info","key":"no_ioc_hits","weight":0,"note":"no IOC-pattern hits in access logs (last 90d).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"sessions","id":"ioc_token_attempt_:JH5rfvH9V3bWzEZH","severity":"evidence","key":"ioc_failed_exploit_attempt","weight":0,"user":"root","src_ip":"","login_time":"","file_mtime":"2026-05-14T05:11:38Z","file_ctime":"2026-05-14T05:11:38Z","mtime_ctime_delta_sec":"0","path":"/var/cpanel/sessions/raw/:JH5rfvH9V3bWzEZH","cp_security_token":"/cpsess8492755450","token_denied":"1","origin":"address=113.161.149.20,app=whostmgrd,method=badpass","pass_len":"172","note":"Failed exploit attempt: badpass origin + token_denied + pass= line, but no auth markers - patch held (ATTEMPT, not compromise).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"sessions","id":"session_shape_scan","severity":"evidence","key":"anomalous_root_sessions","weight":4,"count":"1","scanned":"19","note":"1 root-named session in last 90d lacking expected authz fields","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"sessions","id":"session_shape_sample","severity":"info","key":"anomalous_session_path","weight":0,"user":"root","src_ip":"","login_time":"","file_mtime":"2026-05-14T05:11:38Z","file_ctime":"2026-05-14T05:11:38Z","mtime_ctime_delta_sec":"0","path":"/var/cpanel/sessions/raw/:JH5rfvH9V3bWzEZH","note":"missing acllist","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"destruction","id":"ioc_pattern_m_sudoers_known_good","severity":"info","key":"ioc_pattern_m_sudoers_known_good","weight":0,"path":"/etc/sudoers.d/lwadmin","mtime_epoch":"1778613348","ctime_epoch":"1778613348","note":"Sudoers drop /etc/sudoers.d/lwadmin matches LW/Nexcess provisioning shape (NOPASSWD:ALL is standard for lwadmin) - re-image+restore re-stamps mtime/ctime; not a Pattern M IOC.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"posture","id":"csf_active","severity":"info","key":"posture_csf_active","weight":0,"input_policy":"DROP","localin_rules":"3","has_invdrop":"1","lfd_pid":"49583","csf_version":"14.24","lf_ipset":"0","ipset_sets":"0","note":"CSF active: LOCALINPUT/LOCALOUTPUT/LOGDROPIN loaded, INPUT->LOCALINPUT jump present (3 rules), lfd pid=49583, csf=14.24, INPUT policy=DROP.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"summary","id":"forensic_run","severity":"info","key":"forensic_chain_on_all","weight":0,"host_root_verdict":"CLEAN","host_user_verdict":"CLEAN","note":"host_root=CLEAN host_user=CLEAN; --chain-on-all forces forensic phases regardless of verdict.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"defense","id":"patch_active","severity":"info","key":"patch_active","weight":0,"note":"build=11.86.0.44 mtime=2026-05-06T17:19:27Z","epoch":"1778087967","build":"11.86.0.44","patch_state":"PATCHED","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"defense","id":"cpsrvd_running","severity":"info","key":"cpsrvd_running","weight":0,"note":"pid=2476 started=2026-05-12T19:52:30Z","epoch":"1778615550","pid":"2476","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"defense","id":"mitigate_absent","severity":"warning","key":"mitigate_absent","weight":4,"note":"/var/cpanel/sessionscribe-mitigation does not exist","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"defense","id":"modsec_absent","severity":"warning","key":"modsec_absent","weight":4,"note":"rule 1500030 missing","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"defense","id":"csf_dirty","severity":"warning","key":"csf_dirty","weight":4,"note":"cpsrvd ports present in TCP_IN/TCP6_IN","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"defense","id":"csf_not_in_effect","severity":"warning","key":"csf_not_in_effect","weight":4,"note":"csf.conf clean but iptables INPUT still ACCEPTs cpsrvd ports from 0.0.0.0/0","open_ports":"2082 2083 2086 2087 2095 2096","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"defense","id":"proxysub_enabled","severity":"info","key":"proxysub_enabled","weight":0,"note":"main=1 new=1","epoch":"1778769244","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"defense","id":"upcp_history","severity":"info","key":"upcp_history","weight":0,"note":"last_complete=2026-05-13 13:41:52 -0400","epoch":"1778694112","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"reconcile","id":"clean","severity":"info","key":"clean","weight":0,"note":"no IOCs to reconcile","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"bundle","id":"pkg_inventory_written","severity":"info","key":"pkg_inventory_written","weight":0,"note":"package inventory captured (kind=rpm count=1701)","kind":"rpm","count":"1701","path":"software-inventory.txt","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"bundle","id":"pkg_inventory_b64gz","severity":"info","key":"pkg_inventory_b64gz","weight":0,"note":"inventory encoded for envelope (note=ok raw=73200 enc=25068)","note":"ok","raw_bytes":"73200","encoded_bytes":"25068","sha256":"efa817b9c1c374eda9d7ad6f5860e28bb75cc100ff6759c435f97dcf284b5f02","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"bundle","id":"ioc_envelope_captured","severity":"info","key":"ioc_envelope_captured","weight":0,"note":"ioc-scan envelope written to bundle (36818 bytes)","dest":"ioc-scan-envelope.json","bytes":"36818","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"bundle","id":"kill_chain_primitives","severity":"info","key":"kill_chain_primitives","weight":0,"note":"wrote kill-chain.tsv/jsonl/md to bundle dir","tsv":"kill-chain.tsv","jsonl":"kill-chain.jsonl","md":"kill-chain.md","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"bundle","id":"lsof_captured","severity":"info","key":"lsof_captured","weight":0,"note":"lsof captured (723144B)","bytes":"723144","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"bundle","id":"bundle_complete","severity":"info","key":"bundle_complete","weight":0,"note":"dir=/root/.ic5790-forensic/2026-05-14T14:35:07Z-1778769307-40661 size=1.1M","dir":"/root/.ic5790-forensic/2026-05-14T14:35:07Z-1778769307-40661","size":"1.1M","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"upload","id":"upload_failed","severity":"strong","key":"upload_failed","weight":10,"note":"curl_rc=0 http=503","curl_rc":"0","http_code":"503","body":"{\"error\":\"maintenance\",\"message\":\"Intake is paused for maintenance. Retry in ~15 min.\"}","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778769307-40661","area":"summary","id":"forensic_summary","severity":"info","key":"forensic_reconstruction","weight":0,"verdict":"CLEAN","iocs_total":"0","pre_defense":"0","post_defense":"0","defenses_extracted":"2","note":"forensic reconstruction: CLEAN (exit=0; does not override host_verdict exit code)","affected_user":"_root","actor_privilege":"root"}