403Webshell
Server IP : 67.43.7.42  /  Your IP : 216.73.216.61
Web Server : Apache
System : Linux host.isabellascookies.com 2.6.32-754.35.1.el6.x86_64 #1 SMP Sat Nov 7 12:42:14 UTC 2020 x86_64
User : isabella ( 503)
PHP Version : 5.5.38
Disable Function : exec,passthru,shell_exec,system
MySQL : ON  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : ON  |  Sudo : ON  |  Pkexec : ON
Directory :  /tmp/


Current File : /tmp/sessionscribe-ioc-scan.79503.log
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"version","id":"version_detect","severity":"info","key":"detected","weight":0,"version":"86.0.44","tier":"86","build":"44","raw":"86.0 (build 44)","wpsquared":"0","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"version","id":"tier_class","severity":"info","key":"patched_per_build","weight":5,"tier":"86","build":"44","cutoff":"41","note":"86.0.44 ≥ vendor cutoff 86.0.41","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"static","id":"alg_length_optrec_bug","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Security/Authn/Provider/OpenIdConnectBase.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"static","id":"start_authorize_in_die","severity":"advisory","key":"ancillary_bug_unpatched","weight":0,"file":"Cpanel/Security/Authn/Provider/OpenIdConnectBase.pm","note":"OpenIdConnectBase.pm start_authorize() invoked inside a die() arg list mutates session-state on the error path. Pre-existing OIDC bug, NOT the SessionScribe primitive; post-auth oracle, fixed on the 134-line and not backported. Resolves on tier upgrade.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"static","id":"service_name_fallback","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Security/Authn/Provider/OpenIdConnectBase.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"static","id":"session_no_ob_branch","severity":"info","key":"patch_marker_present","weight":0,"file":"Cpanel/Session/Load.pm","note":"Patched session loader has the no-ob: prefix branch (WebPros plumbing).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"static","id":"session_hex_decode_only","severity":"info","key":"patch_marker_present","weight":0,"file":"Cpanel/Session/Encoder.pm","note":"Patched encoder adds hex_decode_only / hex_encode_only methods (WebPros plumbing).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"static","id":"accessids_normalize_die_usernotfound","severity":"info","key":"patch_marker_present","weight":0,"file":"Cpanel/AccessIds/Normalize.pm","note":"Patched Normalize.pm dies with UserNotFound on missing uid (defense-in-depth).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"static","id":"comet_state_bypass_branch","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Server/Handlers/OpenIdConnect.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"static","id":"cve_41940_set_pass_crlf_strip","severity":"info","key":"patch_marker_absent","weight":0,"file":"Cpanel/Session.pm","note":"Marker not present (older Perl line; expected on 110/118/126/132 backport tiers).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"binary","id":"cpsrvd_locate","severity":"info","key":"cpsrvd_path","weight":0,"path":"/usr/local/cpanel/cpsrvd","size":"18081136","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"binary","id":"acl_strings","severity":"info","key":"acl_machinery_present_informational","weight":0,"acl_count":"1","token_count":"0","note":"1 ACL + 0 token-reader strings - informational only; on 134+ both vuln and patched binaries carry these. Defer to version-string verdict.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"logs","id":"ioc_scan","severity":"info","key":"no_ioc_hits","weight":0,"note":"no IOC-pattern hits in access logs (last 90d).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"sessions","id":"ioc_token_attempt_:1aJ74g_p1_p9vZSu","severity":"evidence","key":"ioc_failed_exploit_attempt","weight":0,"user":"root","src_ip":"","login_time":"","file_mtime":"2026-05-13T07:23:26Z","file_ctime":"2026-05-13T07:23:26Z","mtime_ctime_delta_sec":"0","path":"/var/cpanel/sessions/raw/:1aJ74g_p1_p9vZSu","cp_security_token":"/cpsess8295749318","token_denied":"1","origin":"address=4.234.194.233,app=whostmgrd,method=badpass","pass_len":"172","note":"Failed exploit attempt: badpass origin + token_denied + pass= line, but no auth markers - patch held (ATTEMPT, not compromise).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"sessions","id":"ioc_token_attempt_:3ATD2X7nf3cNdyCq","severity":"evidence","key":"ioc_failed_exploit_attempt","weight":0,"user":"root","src_ip":"","login_time":"","file_mtime":"2026-05-13T04:46:52Z","file_ctime":"2026-05-13T04:46:52Z","mtime_ctime_delta_sec":"0","path":"/var/cpanel/sessions/raw/:3ATD2X7nf3cNdyCq","cp_security_token":"/cpsess2365989535","token_denied":"1","origin":"address=159.89.204.146,app=whostmgrd,method=badpass","pass_len":"172","note":"Failed exploit attempt: badpass origin + token_denied + pass= line, but no auth markers - patch held (ATTEMPT, not compromise).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"sessions","id":"ioc_token_attempt_:QwUwCsvPGZzHq1fJ","severity":"evidence","key":"ioc_failed_exploit_attempt","weight":0,"user":"root","src_ip":"","login_time":"","file_mtime":"2026-05-13T10:32:25Z","file_ctime":"2026-05-13T10:32:25Z","mtime_ctime_delta_sec":"0","path":"/var/cpanel/sessions/raw/:QwUwCsvPGZzHq1fJ","cp_security_token":"/cpsess5078820308","token_denied":"1","origin":"address=20.123.43.104,app=whostmgrd,method=badpass","pass_len":"172","note":"Failed exploit attempt: badpass origin + token_denied + pass= line, but no auth markers - patch held (ATTEMPT, not compromise).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"sessions","id":"ioc_token_attempt_:Wq6hKORLLWVVpQQK","severity":"evidence","key":"ioc_failed_exploit_attempt","weight":0,"user":"root","src_ip":"","login_time":"","file_mtime":"2026-05-13T06:47:40Z","file_ctime":"2026-05-13T06:47:40Z","mtime_ctime_delta_sec":"0","path":"/var/cpanel/sessions/raw/:Wq6hKORLLWVVpQQK","cp_security_token":"/cpsess8011685107","token_denied":"1","origin":"address=94.26.106.37,app=whostmgrd,method=badpass","pass_len":"172","note":"Failed exploit attempt: badpass origin + token_denied + pass= line, but no auth markers - patch held (ATTEMPT, not compromise).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"sessions","id":"ioc_token_attempt_:XwOyIaN4u7kxLyMY","severity":"evidence","key":"ioc_failed_exploit_attempt","weight":0,"user":"root","src_ip":"","login_time":"","file_mtime":"2026-05-12T23:35:42Z","file_ctime":"2026-05-12T23:35:42Z","mtime_ctime_delta_sec":"0","path":"/var/cpanel/sessions/raw/:XwOyIaN4u7kxLyMY","cp_security_token":"/cpsess9596943054","token_denied":"1","origin":"address=62.60.130.224,app=whostmgrd,method=badpass","pass_len":"172","note":"Failed exploit attempt: badpass origin + token_denied + pass= line, but no auth markers - patch held (ATTEMPT, not compromise).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"sessions","id":"ioc_token_attempt_:_8Bhnl5qqTVBOltT","severity":"evidence","key":"ioc_failed_exploit_attempt","weight":0,"user":"root","src_ip":"","login_time":"","file_mtime":"2026-05-13T10:32:25Z","file_ctime":"2026-05-13T10:32:25Z","mtime_ctime_delta_sec":"0","path":"/var/cpanel/sessions/raw/:_8Bhnl5qqTVBOltT","cp_security_token":"/cpsess0788412993","token_denied":"1","origin":"address=172.216.248.23,app=whostmgrd,method=badpass","pass_len":"172","note":"Failed exploit attempt: badpass origin + token_denied + pass= line, but no auth markers - patch held (ATTEMPT, not compromise).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"sessions","id":"ioc_token_attempt_:ymvB0jHQh3g5_EV1","severity":"evidence","key":"ioc_failed_exploit_attempt","weight":0,"user":"root","src_ip":"","login_time":"","file_mtime":"2026-05-13T13:49:39Z","file_ctime":"2026-05-13T13:49:39Z","mtime_ctime_delta_sec":"0","path":"/var/cpanel/sessions/raw/:ymvB0jHQh3g5_EV1","cp_security_token":"/cpsess9685426652","token_denied":"1","origin":"address=198.23.185.142,app=whostmgrd,method=badpass","pass_len":"172","note":"Failed exploit attempt: badpass origin + token_denied + pass= line, but no auth markers - patch held (ATTEMPT, not compromise).","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"sessions","id":"session_shape_scan","severity":"evidence","key":"anomalous_root_sessions","weight":4,"count":"8","scanned":"50","note":"8 root-named sessions in last 90d lacking expected authz fields","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"sessions","id":"session_shape_sample","severity":"info","key":"anomalous_session_path","weight":0,"user":"root","src_ip":"","login_time":"","file_mtime":"2026-05-13T07:23:26Z","file_ctime":"2026-05-13T07:23:26Z","mtime_ctime_delta_sec":"0","path":"/var/cpanel/sessions/raw/:1aJ74g_p1_p9vZSu","note":"missing acllist","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"destruction","id":"ioc_pattern_m_sudoers_known_good","severity":"info","key":"ioc_pattern_m_sudoers_known_good","weight":0,"path":"/etc/sudoers.d/lwadmin","mtime_epoch":"1778613348","ctime_epoch":"1778613348","note":"Sudoers drop /etc/sudoers.d/lwadmin matches LW/Nexcess provisioning shape (NOPASSWD:ALL is standard for lwadmin) - re-image+restore re-stamps mtime/ctime; not a Pattern M IOC.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"posture","id":"csf_active","severity":"info","key":"posture_csf_active","weight":0,"input_policy":"DROP","localin_rules":"3","has_invdrop":"1","lfd_pid":"82950","csf_version":"14.24","lf_ipset":"0","ipset_sets":"0","note":"CSF active: LOCALINPUT/LOCALOUTPUT/LOGDROPIN loaded, INPUT->LOCALINPUT jump present (3 rules), lfd pid=82950, csf=14.24, INPUT policy=DROP.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"summary","id":"forensic_run","severity":"info","key":"forensic_chain_on_all","weight":0,"host_root_verdict":"CLEAN","host_user_verdict":"CLEAN","note":"host_root=CLEAN host_user=CLEAN; --chain-on-all forces forensic phases regardless of verdict.","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"defense","id":"patch_active","severity":"info","key":"patch_active","weight":0,"note":"build=11.86.0.44 mtime=2026-05-06T17:19:27Z","epoch":"1778087967","build":"11.86.0.44","patch_state":"PATCHED","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"defense","id":"cpsrvd_running","severity":"info","key":"cpsrvd_running","weight":0,"note":"pid=2476 started=2026-05-12T19:52:30Z","epoch":"1778615550","pid":"2476","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"defense","id":"mitigate_absent","severity":"warning","key":"mitigate_absent","weight":4,"note":"/var/cpanel/sessionscribe-mitigation does not exist","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"defense","id":"modsec_absent","severity":"warning","key":"modsec_absent","weight":4,"note":"rule 1500030 missing","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"defense","id":"csf_dirty","severity":"warning","key":"csf_dirty","weight":4,"note":"cpsrvd ports present in TCP_IN/TCP6_IN","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"defense","id":"csf_not_in_effect","severity":"warning","key":"csf_not_in_effect","weight":4,"note":"csf.conf clean but iptables INPUT still ACCEPTs cpsrvd ports from 0.0.0.0/0","open_ports":"2082 2083 2086 2087 2095 2096","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"defense","id":"proxysub_enabled","severity":"info","key":"proxysub_enabled","weight":0,"note":"main=1 new=1","epoch":"1778708142","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"defense","id":"upcp_history","severity":"info","key":"upcp_history","weight":0,"note":"last_complete=2026-05-13 13:41:52 -0400","epoch":"1778694112","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"offense","id":"pattern_g_ssh_key","severity":"warning","key":"pattern_g_ssh_key","weight":4,"note":"non-standard ssh key in /root/.ssh/authorized_keys: comment=wallarm@yubikey","file":"/root/.ssh/authorized_keys","comment":"wallarm@yubikey","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"reconcile","id":"clean","severity":"info","key":"clean","weight":0,"note":"no IOCs to reconcile","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"bundle","id":"pkg_inventory_written","severity":"info","key":"pkg_inventory_written","weight":0,"note":"package inventory captured (kind=rpm count=1701)","kind":"rpm","count":"1701","path":"software-inventory.txt","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"bundle","id":"pkg_inventory_b64gz","severity":"info","key":"pkg_inventory_b64gz","weight":0,"note":"inventory encoded for envelope (note=ok raw=73200 enc=25068)","note":"ok","raw_bytes":"73200","encoded_bytes":"25068","sha256":"cd3738801adedd856e37c0a5d8ad0ca3fb77fb8a37245ad1698d17b53597a867","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"bundle","id":"ioc_envelope_captured","severity":"info","key":"ioc_envelope_captured","weight":0,"note":"ioc-scan envelope written to bundle (41293 bytes)","dest":"ioc-scan-envelope.json","bytes":"41293","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"bundle","id":"kill_chain_primitives","severity":"info","key":"kill_chain_primitives","weight":0,"note":"wrote kill-chain.tsv/jsonl/md to bundle dir","tsv":"kill-chain.tsv","jsonl":"kill-chain.jsonl","md":"kill-chain.md","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"bundle","id":"lsof_captured","severity":"info","key":"lsof_captured","weight":0,"note":"lsof captured (726273B)","bytes":"726273","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"bundle","id":"bundle_complete","severity":"info","key":"bundle_complete","weight":0,"note":"dir=/root/.ic5790-forensic/2026-05-13T21:42:04Z-1778708524-80190 size=1.2M","dir":"/root/.ic5790-forensic/2026-05-13T21:42:04Z-1778708524-80190","size":"1.2M","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"upload","id":"upload_complete","severity":"info","key":"upload_complete","weight":0,"note":"http=201 url=https://intake.rfxn.com/","url":"https://intake.rfxn.com/","body":"{\"stored_as\":\"20260513-214211-886076-67.43.7.40-sessionscribe-telemetry.tgz\",\"label\":\"sessionscribe-telemetry\",\"bytes\":136593,\"sha256\":\"8b2cdf657af221b34186cf3e21df80590b66c519210a8444a105a7621fca1ba1\",\"remaining_uses\":4331514}","outer":"/root/.ic5790-forensic/2026-05-13T21:42:04Z-1778708524-80190.upload.tgz","telemetry_mode":"1","affected_user":"_root","actor_privilege":"root"}
{"host":"host.isabellascookies.com","run_id":"1778708524-80190","area":"summary","id":"forensic_summary","severity":"info","key":"forensic_reconstruction","weight":0,"verdict":"CLEAN","iocs_total":"0","pre_defense":"0","post_defense":"0","defenses_extracted":"2","note":"forensic reconstruction: CLEAN (exit=0; does not override host_verdict exit code)","affected_user":"_root","actor_privilege":"root"}
