Share
## https://sploitus.com/exploit?id=55501F20-AF66-5346-9001-9E2EB09B4D0B
# ๐Ÿ”’ cPanel CVE-2026-41940 / nuclear.x86 Security Audit & Cleanup Tool

![Bash](https://img.shields.io/badge/Shell-Bash-green?style=flat-square&logo=gnubash)
![License](https://img.shields.io/badge/License-MIT-blue?style=flat-square)
![CVE](https://img.shields.io/badge/CVE-2026--41940-red?style=flat-square)
![CVSS](https://img.shields.io/badge/CVSS-9.8%20Critical-red?style=flat-square)
![Platform](https://img.shields.io/badge/Platform-cPanel%2FWHM-orange?style=flat-square)

> **Automatic security audit & cleanup script for cPanel servers affected by CVE-2026-41940 and the nuclear.x86 Linux botnet.**  
> Works for both **original cPanel license** and **bypass/shared license** servers โ€” the vulnerability affects all equally.

---

## ๐Ÿ‘จโ€๐Ÿ’ป Author

| | |
|---|---|
| **Name** | MD Mahfuz Reham |
| **Role** | System Admin \| Web Hosting Specialist |
| **Website** | [MahfuzReham.Com](https://MahfuzReham.Com) |
| **WhatsApp** | [+8801790614055](https://wa.me/8801790614055) |

---

## โš ๏ธ About the Vulnerability

On **28 April 2026**, cPanel disclosed a critical authentication bypass vulnerability:

| Detail | Info |
|--------|------|
| CVE ID | CVE-2026-41940 |
| CVSS Score | **9.8 (Critical)** |
| Affected | All supported cPanel & WHM versions |
| Exploit | Active in the wild before public disclosure |
| Malware | `nuclear.x86` Linux botnet |

**Attacker C2 IPs:** `87.121.84.78` ยท `45.148.120.23`

### What the attacker does:
1. Downloads `nuclear.x86` botnet binary via wget/curl
2. Makes it executable (`chmod 777`) and runs it
3. Deletes the binary from disk to hide tracks
4. Reads `/etc/shadow`, all SSH private keys, shell history, env vars
5. Runs full server reconnaissance

### How to know if you're infected:
```bash
wget google.com
# If output says "Killed" โ†’ nuclear.x86 is actively running on your server
```

---

## ๐Ÿš€ Quick Usage

### One-liner (recommended):
```bash
curl -sO https://raw.githubusercontent.com/mahfuzreham/cpanel-cve-2026-41940/main/cpanel_security_check.sh && bash cpanel_security_check.sh
```

### Manual download:
```bash
wget https://raw.githubusercontent.com/mahfuzreham/cpanel-cve-2026-41940/main/cpanel_security_check.sh
bash cpanel_security_check.sh
```

> โš ๏ธ **Must be run as root**

---

## โœ… What the Script Checks & Does

### ๐Ÿ” Detection
| Check | Description |
|-------|-------------|
| Running process | Detects active `nuclear.x86` process |
| Binary on disk | Scans for botnet binary files |
| wget/curl kill test | Confirms if malware is intercepting network tools |
| Attacker IPs | Checks active connections to known C2 IPs |
| Command history | Scans all shell history for attack signatures |

### ๐Ÿ” cPanel & Ports
| Check | Description |
|-------|-------------|
| cPanel version | Shows installed version & last update time |
| Port exposure | Checks ports 2083, 2087, 2095, 2096 |
| Update status | Warns if cPanel hasn't been updated recently |

### ๐Ÿ—๏ธ SSH & Credentials
| Check | Description |
|-------|-------------|
| SSH key age | Flags private keys older than 5 days |
| Authorized keys | Lists all authorized keys for manual review |
| Rotation backup | Checks if key rotation was already performed |
| /etc/shadow perms | Verifies shadow file permissions |

### ๐Ÿšช Persistence / Backdoors
| Check | Description |
|-------|-------------|
| Cron jobs | Scans for suspicious cron entries |
| /tmp executables | Finds executable files in /tmp and /dev/shm |
| Webshells | Scans public_html PHP files for shell patterns |
| SUID binaries | Flags unexpected SUID files |
| Docker containers | Lists all containers for review |
| Environment vars | Checks /proc/1/environ for leaked secrets |

### ๐Ÿงน Automated Cleanup (with prompts)
- Kills `nuclear.x86` if running
- **SSH key rotation** โ€” backs up old keys, generates new Ed25519 key
- **cPanel update** โ€” runs `/scripts/upcp --force`

### ๐Ÿ“‹ Report
- Full colored terminal output
- Saves detailed log to `/root/cpanel_security_audit_TIMESTAMP.log`
- Issue/warning count summary
- Checklist of remaining manual steps

---

## ๐Ÿ“‹ Manual Steps After Running the Script

Even after the script completes, do these manually:

```
โ˜ Reset cPanel account passwords
โ˜ Reset all FTP / email / MySQL user passwords
โ˜ Update wp-config.php / .env files with new DB credentials
โ˜ Check cPanel โ†’ Email Forwarders for unknown entries
โ˜ Check cPanel โ†’ Cron Jobs for unknown entries
โ˜ Check cPanel โ†’ FTP Accounts for unknown accounts
โ˜ Revoke old SSH keys from GitHub / GitLab / Bitbucket
โ˜ Change passwords on any service where you reused this server's password
```

---

## ๐Ÿ›ก๏ธ Emergency Commands (Manual)

### Kill the malware immediately:
```bash
pkill -9 -f "./nuclear.x86"
pkill -9 -f "nuclear.x86"
ps auxf | grep -i nuclear
```

### Block cPanel ports at firewall (if can't update yet):
```bash
# CSF firewall
csf -d 2083; csf -d 2087; csf -d 2095; csf -d 2096

# iptables
iptables -I INPUT -p tcp --dport 2083 -j DROP
iptables -I INPUT -p tcp --dport 2087 -j DROP
iptables -I INPUT -p tcp --dport 2095 -j DROP
iptables -I INPUT -p tcp --dport 2096 -j DROP
```

### Stop cPanel services (alternative to firewall block):
```bash
whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && \
whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && \
/scripts/restartsrv_cpsrvd --stop && \
/scripts/restartsrv_cpdavd --stop
```

### Update cPanel:
```bash
/scripts/upcp --force
```

---

## ๐Ÿ–ฅ๏ธ Compatibility

| OS | Status |
|----|--------|
| AlmaLinux 8/9 | โœ… Tested |
| CloudLinux 7/8 | โœ… Tested |
| CentOS 7 | โœ… Tested |
| Rocky Linux 8/9 | โœ… Tested |
| Ubuntu 20/22 (cPanel) | โœ… Tested |

---

## ๐Ÿ“š References

- [cPanel Security Advisory CVE-2026-41940](https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026)

---

## ๐Ÿ“„ License

MIT License โ€” Free to use, share, and modify.  
**Please keep author attribution intact when sharing.**

---

## ๐Ÿค Support

Need help with cleanup or server security?

- ๐ŸŒ Website: [MahfuzReham.Com](https://MahfuzReham.Com)
- ๐Ÿ’ฌ WhatsApp: [+8801790614055](https://wa.me/8801790614055)

**Please share this tool with anyone who runs cPanel servers โ€” both original license and shared license users are affected.**