Share
## https://sploitus.com/exploit?id=55501F20-AF66-5346-9001-9E2EB09B4D0B
# ๐ cPanel CVE-2026-41940 / nuclear.x86 Security Audit & Cleanup Tool





> **Automatic security audit & cleanup script for cPanel servers affected by CVE-2026-41940 and the nuclear.x86 Linux botnet.**
> Works for both **original cPanel license** and **bypass/shared license** servers โ the vulnerability affects all equally.
---
## ๐จโ๐ป Author
| | |
|---|---|
| **Name** | MD Mahfuz Reham |
| **Role** | System Admin \| Web Hosting Specialist |
| **Website** | [MahfuzReham.Com](https://MahfuzReham.Com) |
| **WhatsApp** | [+8801790614055](https://wa.me/8801790614055) |
---
## โ ๏ธ About the Vulnerability
On **28 April 2026**, cPanel disclosed a critical authentication bypass vulnerability:
| Detail | Info |
|--------|------|
| CVE ID | CVE-2026-41940 |
| CVSS Score | **9.8 (Critical)** |
| Affected | All supported cPanel & WHM versions |
| Exploit | Active in the wild before public disclosure |
| Malware | `nuclear.x86` Linux botnet |
**Attacker C2 IPs:** `87.121.84.78` ยท `45.148.120.23`
### What the attacker does:
1. Downloads `nuclear.x86` botnet binary via wget/curl
2. Makes it executable (`chmod 777`) and runs it
3. Deletes the binary from disk to hide tracks
4. Reads `/etc/shadow`, all SSH private keys, shell history, env vars
5. Runs full server reconnaissance
### How to know if you're infected:
```bash
wget google.com
# If output says "Killed" โ nuclear.x86 is actively running on your server
```
---
## ๐ Quick Usage
### One-liner (recommended):
```bash
curl -sO https://raw.githubusercontent.com/mahfuzreham/cpanel-cve-2026-41940/main/cpanel_security_check.sh && bash cpanel_security_check.sh
```
### Manual download:
```bash
wget https://raw.githubusercontent.com/mahfuzreham/cpanel-cve-2026-41940/main/cpanel_security_check.sh
bash cpanel_security_check.sh
```
> โ ๏ธ **Must be run as root**
---
## โ
What the Script Checks & Does
### ๐ Detection
| Check | Description |
|-------|-------------|
| Running process | Detects active `nuclear.x86` process |
| Binary on disk | Scans for botnet binary files |
| wget/curl kill test | Confirms if malware is intercepting network tools |
| Attacker IPs | Checks active connections to known C2 IPs |
| Command history | Scans all shell history for attack signatures |
### ๐ cPanel & Ports
| Check | Description |
|-------|-------------|
| cPanel version | Shows installed version & last update time |
| Port exposure | Checks ports 2083, 2087, 2095, 2096 |
| Update status | Warns if cPanel hasn't been updated recently |
### ๐๏ธ SSH & Credentials
| Check | Description |
|-------|-------------|
| SSH key age | Flags private keys older than 5 days |
| Authorized keys | Lists all authorized keys for manual review |
| Rotation backup | Checks if key rotation was already performed |
| /etc/shadow perms | Verifies shadow file permissions |
### ๐ช Persistence / Backdoors
| Check | Description |
|-------|-------------|
| Cron jobs | Scans for suspicious cron entries |
| /tmp executables | Finds executable files in /tmp and /dev/shm |
| Webshells | Scans public_html PHP files for shell patterns |
| SUID binaries | Flags unexpected SUID files |
| Docker containers | Lists all containers for review |
| Environment vars | Checks /proc/1/environ for leaked secrets |
### ๐งน Automated Cleanup (with prompts)
- Kills `nuclear.x86` if running
- **SSH key rotation** โ backs up old keys, generates new Ed25519 key
- **cPanel update** โ runs `/scripts/upcp --force`
### ๐ Report
- Full colored terminal output
- Saves detailed log to `/root/cpanel_security_audit_TIMESTAMP.log`
- Issue/warning count summary
- Checklist of remaining manual steps
---
## ๐ Manual Steps After Running the Script
Even after the script completes, do these manually:
```
โ Reset cPanel account passwords
โ Reset all FTP / email / MySQL user passwords
โ Update wp-config.php / .env files with new DB credentials
โ Check cPanel โ Email Forwarders for unknown entries
โ Check cPanel โ Cron Jobs for unknown entries
โ Check cPanel โ FTP Accounts for unknown accounts
โ Revoke old SSH keys from GitHub / GitLab / Bitbucket
โ Change passwords on any service where you reused this server's password
```
---
## ๐ก๏ธ Emergency Commands (Manual)
### Kill the malware immediately:
```bash
pkill -9 -f "./nuclear.x86"
pkill -9 -f "nuclear.x86"
ps auxf | grep -i nuclear
```
### Block cPanel ports at firewall (if can't update yet):
```bash
# CSF firewall
csf -d 2083; csf -d 2087; csf -d 2095; csf -d 2096
# iptables
iptables -I INPUT -p tcp --dport 2083 -j DROP
iptables -I INPUT -p tcp --dport 2087 -j DROP
iptables -I INPUT -p tcp --dport 2095 -j DROP
iptables -I INPUT -p tcp --dport 2096 -j DROP
```
### Stop cPanel services (alternative to firewall block):
```bash
whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && \
whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && \
/scripts/restartsrv_cpsrvd --stop && \
/scripts/restartsrv_cpdavd --stop
```
### Update cPanel:
```bash
/scripts/upcp --force
```
---
## ๐ฅ๏ธ Compatibility
| OS | Status |
|----|--------|
| AlmaLinux 8/9 | โ
Tested |
| CloudLinux 7/8 | โ
Tested |
| CentOS 7 | โ
Tested |
| Rocky Linux 8/9 | โ
Tested |
| Ubuntu 20/22 (cPanel) | โ
Tested |
---
## ๐ References
- [cPanel Security Advisory CVE-2026-41940](https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026)
---
## ๐ License
MIT License โ Free to use, share, and modify.
**Please keep author attribution intact when sharing.**
---
## ๐ค Support
Need help with cleanup or server security?
- ๐ Website: [MahfuzReham.Com](https://MahfuzReham.Com)
- ๐ฌ WhatsApp: [+8801790614055](https://wa.me/8801790614055)
**Please share this tool with anyone who runs cPanel servers โ both original license and shared license users are affected.**