## https://sploitus.com/exploit?id=9F256C1B-A510-5540-A856-CBCCDA226C78
# IOC Check Sessions Files
## Overview
`ioc_checksessions_files.sh` is a cPanel-provided detection script referenced in the official cPanel security advisory:
**Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026**
The script is used to scan cPanel/WHM session files for suspicious indicators of compromise (IOCs), failed exploitation attempts, and confirmed exploitation artifacts related to CVE-2026-41940.
CVE-2026-41940 is an authentication bypass issue affecting cPanel software, including DNSOnly, and WP2. The advisory recommends immediate patching and provides this detection script to help administrators identify possible compromise indicators within session files.
This script is useful for:
- cPanel/WHM administrators
- Hosting providers
- SOC analysts
- Incident response teams
- System administrators investigating possible exploitation activity
---
## Official Advisory Reference
This detection script is based on the tool provided by cPanel in its official advisory:
```text
Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026
```
According to the cPanel advisory change log:
```text
04/29/26 02:46PM CST: Updated article's required actions and added detection script.
05/01/26 08:05AM CST: Temporarily removed the current detection script while we confirm a new version.
05/01/26 11:52AM CST: An updated version of the detection script has been added. This addresses scenarios where false positives were being detected.
```
Administrators should always validate they are using the latest version of the script from the official cPanel advisory before running it in production.
---
## Purpose
The script checks session files located under the cPanel session directory and identifies suspicious patterns such as:
- Malformed session lines
- Injected `cp_security_token` values
- `badpass` session origin combined with abnormal authentication markers
- `token_denied` indicators
- Failed exploit attempts
- Confirmed exploitation artifacts
---
## Usage
Run the script using Bash:
```bash
/bin/bash ./ioc_checksessions_files.sh
```
Optional flags may be available depending on the version of the script provided by cPanel:
```bash
/bin/bash ./ioc_checksessions_files.sh --help
```
Common options shown in the advisory script include:
```text
--verbose
--purge
--yes or -y
--sessions-dir DIR
--access-log FILE
--help or -h
```
---
## Expected Output
After execution, the script generates a scan summary similar to the example below:
```text
=================================================================
SCAN SUMMARY
=================================================================
CRITICAL findings: 1
WARNING findings: 0
ATTEMPT findings: 1
INFO findings: 0
Total : 2
-----------------------------------------------------------------
=================================================================
SESSION: /var/cpanel/sessions/raw/:cusK9ghEd6MPo4eW
=================================================================
Findings:
[ATTEMPT ] Failed exploit attempt (badpass origin, token_denied, no auth markers, anomalous pass= line)
=================================================================
SESSION: /var/cpanel/sessions/raw/:TMnjH0tBK6jP2V3I
=================================================================
Findings:
[CRITICAL] Exploitation artifact - token_denied with injected cp_security_token (badpass origin, token used)
```
---
## Finding Severity Explanation
| Severity | Description |
|---|---|
| `CRITICAL` | Indicates a confirmed or highly suspicious exploitation artifact requiring immediate action. |
| `WARNING` | Indicates suspicious behavior or weak indicators that should be reviewed further. |
| `ATTEMPT` | Indicates a failed exploit attempt or suspicious request pattern. |
| `INFO` | Provides informational findings that may help with investigation or correlation. |
---
## Indicator of Compromise Alert
If indicators of compromise are detected, the script may display an alert similar to:
```text
[!] INDICATORS OF COMPROMISE DETECTED - IMMEDIATE ACTION REQUIRED
```
When this alert appears, treat the system as potentially compromised until verified otherwise.
---
## Immediate Response Actions
If `CRITICAL` findings are identified, perform the following actions immediately:
1. Purge all affected sessions.
2. Force password reset for `root` and all WHM users.
3. Audit `/var/log/wtmp` and WHM access logs for unauthorized access.
4. Check for persistence mechanisms, including:
- Cron jobs
- Unauthorized SSH keys
- Web shells
- Backdoors
- Suspicious system users
- Modified startup scripts or services
---
## Recommended Patch and Verification Actions
Before relying only on IOC detection results, administrators should ensure that affected cPanel/WHM or WP2 systems are patched according to the official cPanel advisory.
Recommended verification commands from the advisory include:
```bash
/scripts/upcp --force
/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd --hard
```
If a server is pinned to a specific cPanel version or automatic updates are disabled, administrators should manually verify that the server has been updated to a patched version.
---
## Recommended Investigation Areas
Security teams should review the following locations during investigation:
```text
/var/cpanel/sessions/raw/
/var/cpanel/sessions/preauth/
/var/log/wtmp
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/login_log
/root/.ssh/authorized_keys
/etc/cron*
/var/spool/cron/
```
---
## Recommended Log Review
During investigation, review the following:
- WHM login activity
- cPanel access logs
- Session creation timestamps
- Root-level login history
- Unusual source IP addresses
- Recently modified session files
- Unauthorized SSH key additions
- Suspicious cron entries
- Unexpected system users
- Web shell indicators under hosted accounts
---
## Important Notes
- This script is provided by cPanel as part of the CVE-2026-41940 advisory.
- Use the latest script version from the official cPanel advisory, especially because the advisory noted that an updated script was released to address false-positive scenarios.
- IOC detection does not replace patching. Patch the affected cPanel/WHM or WP2 system first, then perform detection and forensic review.
- Run the script with appropriate privileges to ensure it can read the required session and log files.
- Preserve copies of suspicious session files before deletion for forensic analysis.
- Correlate findings with WHM access logs, authentication logs, and network logs.
- If confirmed compromise is identified, consider migrating accounts to a known-clean server or rebuilding the server from a known-good backup after containment and evidence preservation.
---
## Disclaimer
This README is intended to document the usage of the cPanel-provided detection script for defensive security monitoring, incident response, and authorized system administration only.
Use this script only on systems where you have explicit authorization to perform security investigation activities.
Always refer to the official cPanel advisory for the latest instructions, patched versions, mitigations, and script updates.