

Bluehost: CVE-2026-41940: Compromise Check Guide

CVE-2026-41940 is a critical vulnerability in cPanel/WHM that may allow unauthenticated attackers to gain administrative (root-level) access to affected servers. Public reporting confirms active exploitation and associated "Sorry" ransomware activity. This guide provides commands to check for known indicators of compromise (IOCs). These checks are not exhaustive: attackers may delete logs, alter timestamps, remove files, replace binaries, or use tooling not covered here, so a clean result is not proof of a clean server.

Step 1: Check Your cPanel Version

Run the following command to check your installed cPanel version:

/usr/local/cpanel/cpanel -V

Follow the steps in the Upgrade to Latest Version article to upgrade to the latest version.

Note: Being on a patched version does not mean you were not previously compromised. Run all checks below regardless of your current version.

Step 2: Set Up Check Directory

Run these commands as root to create a working directory for your checks:

mkdir -p /root/cpanel-cve-2026-41940-checks
cd /root/cpanel-cve-2026-41940-checks

Step 3: Run Compromise Checks

Run each check below in order. Any positive result should be treated as a potential full-server compromise.

Check 1: Look for "Sorry" Ransomware Marker Files

This searches common directories for files ending in .sorry, a known indicator of "Sorry" ransomware activity.

HOST="$(hostname -f 2>/dev/null || hostname)"

find /etc /root /usr/local/cpanel /home /var/lib/mysql /var \
  \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o \
  -type f -name '*.sorry' \
  -printf "$HOST possible-ransomware-marker %p\n" 2>/dev/null

What to look for: Any output indicates files matching the .sorry extension were found. The server may have been encrypted or partially encrypted. No output does not confirm the server is safe.

Check 2: Look for Known Malicious Process Hash

This calculates the SHA-1 hash of the executable behind every currently running process and compares each one against a known malicious binary hash.

HOST="$(hostname -f 2>/dev/null || hostname)"
BAD_SHA1="731572b5fe2a7ac6905527a237af4f59de8f7253"

for exe in /proc/[0-9]*/exe; do
  HASH="$(sha1sum "$exe" 2>/dev/null | awk '{print $1}')"
  if [ "$HASH" = "$BAD_SHA1" ]; then
    PID="$(echo "$exe" | cut -d/ -f3)"
    CMD="$(tr '\0' ' ' < "/proc/$PID/cmdline" 2>/dev/null)"
    echo "$HOST malicious-process-hash pid=$PID exe=$exe cmdline=$CMD"
  fi
done

What to look for: Any output means a running process matched the known malicious binary hash. This check only detects that specific binary while it is still running. It will not detect modified variants, stopped processes, deleted payloads, scripts, or webshells.
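The following script is an added example and is not part of Bluehost's own check set. It generalizes Check 2 in one direction the note above calls out: besides matching the known SHA-1, it reports any running process whose on-disk executable has been unlinked, which is what a payload removed after launch looks like (the kernel appends " (deleted)" to the target of /proc/PID/exe, and the image is still readable through that link, so the hash comparison works for it too). The scan root is a parameter so the function can be exercised against a constructed /proc-style tree; the function name and the KNOWN_BAD_SHA1 variable are this example's own, and in real use it is run as root against /proc.

```shell
#!/bin/sh
# Added example, not Bluehost's script: extends Check 2 to also report running
# processes whose on-disk executable has been unlinked (" (deleted)" target).
# Run as root; pass an alternate proc root only for testing against a fake tree.
KNOWN_BAD_SHA1="731572b5fe2a7ac6905527a237af4f59de8f7253"   # hash from Check 2

scan_running_exes() {
  proc_root="$1"; bad_sha1="$2"
  host="$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo unknown)"
  for exe in "$proc_root"/[0-9]*/exe; do
    pid="${exe%/exe}"; pid="${pid##*/}"
    # Kernel threads (and, without root, other users' processes) have no
    # readable link target; skip them rather than fail.
    target="$(readlink "$exe" 2>/dev/null)" || continue
    cmd="$(tr '\0' ' ' < "$proc_root/$pid/cmdline" 2>/dev/null)" || cmd="?"
    # A binary removed after launch keeps running; the kernel marks the link.
    case "$target" in
      *" (deleted)")
        echo "$host running-deleted-exe pid=$pid target=$target cmdline=$cmd" ;;
    esac
    # /proc/PID/exe still yields the original image even after deletion,
    # so the hash comparison covers both the on-disk and the deleted case.
    hash="$(sha1sum "$exe" 2>/dev/null | awk '{print $1}')"
    if [ -n "$hash" ] && [ "$hash" = "$bad_sha1" ]; then
      echo "$host malicious-process-hash pid=$pid target=$target cmdline=$cmd"
    fi
  done
  return 0
}

# Stand-alone use: scan the live system with the hash from Check 2.
scan_running_exes "${1:-/proc}" "${2:-$KNOWN_BAD_SHA1}"
```

A "running-deleted-exe" line is not by itself proof of compromise (package upgrades also leave processes running from replaced binaries until restart), but on a server under investigation every such process should be identified before it is killed, since killing it destroys the only remaining copy of the image.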

Check 3: Check for Suspicious /root/.bashrc Injection

Attackers sometimes modify shell startup files to reload malware, hide commands, alter PATH, or maintain persistence. This check looks for a known suspicious string and common malicious patterns.

Basic Check

HOST="$(hostname -f 2>/dev/null || hostname)"

grep -Fq '0xa59ac734' /root/.bashrc 2>/dev/null \
  && echo "$HOST found-root-bashrc-injection /root/.bashrc contains 0xa59ac734"

Expanded Check (Recommended)

HOST="$(hostname -f 2>/dev/null || hostname)"

grep -RInE '0xa59ac734|curl |wget |base64|/dev/tcp|nohup|setsid|nc |ncat|socat|bash -i|python.*socket|perl.*socket' \
  /root/.bashrc /root/.bash_profile /root/.profile /etc/profile /etc/bashrc /etc/profile.d 2>/dev/null \
  | sed "s/^/$HOST suspicious-shell-startup /"

Note: The expanded check may produce false positives. Review all matches manually before taking action.

Check 4: Review Root SSH Authorized Keys

This checks whether the root SSH authorized_keys file was modified recently and prints the current keys for manual review. The vulnerability was first publicly reported on 2026-04-28; the script below uses an earlier cutoff (2026-02-23), which also catches modifications made before public reporting. Adjust SINCE to suit your own timeline.

Check for Recent Modifications

HOST="$(hostname -f 2>/dev/null || hostname)"
SINCE="2026-02-23"

find /root/.ssh/authorized_keys -type f -newermt "$SINCE" \
  -printf "$HOST root-authorized-keys-modified %TY-%Tm-%Td %TH:%TM:%TS %p\n" 2>/dev/null

Print Current Keys for Manual Review

HOST="$(hostname -f 2>/dev/null || hostname)"

stat /root/.ssh/authorized_keys 2>/dev/null | sed "s/^/$HOST authorized_keys_stat /"
nl -ba /root/.ssh/authorized_keys 2>/dev/null | sed "s/^/$HOST authorized_keys_line /"

What to look for: Look for any SSH keys you do not recognize, and treat option prefixes such as command= or from= on a root key with suspicion. A clean timestamp does not prove the file was never modified: attackers can set a file's modification time with touch. The Change line in the stat output is harder to forge, because ctime is updated by the kernel and cannot be set with touch, so a Change time later than the Modify time is itself a sign that the metadata was tampered with.
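Manual review of a long authorized_keys file is error-prone, so the script below, added here as an example and not one of Bluehost's checks, classifies each key against an allowlist of key blobs (the base64 field) that you maintain out of band, and separately flags keys carrying an options prefix. The allowlist file format (one blob per line), the function name and the output labels are this example's own; the line numbers it reports are the same ones the nl -ba listing above prints.

```shell
#!/bin/sh
# Added example, not Bluehost's script: classify each key in an authorized_keys
# file as known (its base64 blob is in an allowlist you maintain) or UNKNOWN, and
# flag option prefixes such as command= or from= that an interactive admin key
# rarely carries. The allowlist format (one blob per line) is this example's own.

review_authorized_keys() {
  keys="$1"; allow="$2"
  host="$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo unknown)"
  if [ ! -r "$keys" ]; then
    echo "$host authorized_keys_unreadable $keys"
    return 0
  fi
  awk -v host="$host" -v allowfile="$allow" '
    BEGIN { while ((getline l < allowfile) > 0) if (l != "") known[l] = 1 }
    NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
    {
      # The key type is the first field starting ssh-, ecdsa- or sk-;
      # anything before it is an options prefix. NR matches nl -ba numbering.
      t = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { t = i; break }
      if (t == 0) { printf "%s authorized_keys_unparsed line=%d %s\n", host, NR, $0; next }
      blob = $(t + 1)
      opts = ""; for (j = 1; j < t; j++) opts = opts (j > 1 ? " " : "") $j
      comment = ""; for (j = t + 2; j <= NF; j++) comment = comment (j > t + 2 ? " " : "") $j
      status = (blob in known) ? "known" : "UNKNOWN"
      if (opts != "") status = status "+options"
      printf "%s authorized_keys_review line=%d status=%s type=%s comment=\"%s\" options=\"%s\"\n", host, NR, status, $t, comment, opts
    }' "$keys"
}

# Stand-alone use: sh review.sh /root/.ssh/authorized_keys /root/known-good-keys.txt
if [ "$#" -eq 2 ]; then review_authorized_keys "$1" "$2"; fi
```

Build the allowlist from a trusted source (your key inventory or a known-clean backup), not from the file under review, or every planted key becomes "known" by construction. Any UNKNOWN line, and any line with +options that you did not configure, warrants the response steps at the end of this guide.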

Check 5: Check cPanel Template for Credential Stealer

This checks whether cPanel's main login template has been modified to inject JavaScript that could steal credentials or session data.

HOST="$(hostname -f 2>/dev/null || hostname)"
FILE="/usr/local/cpanel/base/unprotected/cpanel/main.tmpl"

grep -nE 'XMLHttpRequest|fetch\(|document\.cookie|localStorage|navigator\.sendBeacon|atob\(|eval\(' "$FILE" 2>/dev/null \
  | sed "s/^/$HOST suspicious-cpanel-template $FILE:/"

What to look for: Any output should be manually reviewed. Some JavaScript patterns may be legitimate, but unexpected changes to cPanel templates are highly suspicious. If you have access to a clean installation of the same cPanel version, diff the file against that copy rather than relying on pattern matching alone, since an injected script need not use any of the keywords above.

Check 6: Review Shell History for Suspicious Activity

Some confirmed compromises have included destructive cleanup, encryption, and persistence commands in shell history.

HOST="$(hostname -f 2>/dev/null || hostname)"

for hist in /root/.*history /home/*/.*history; do
  [ -f "$hist" ] || continue
  grep -HnEi 'nuclear|\.sorry|encrypt|ransom|authorized_keys|main\.tmpl|XMLHttpRequest|curl |wget |chmod \+x|base64|nohup|setsid|rm -rf|shred|wipe|chattr|iptables|firewall-cmd|systemctl disable|history -c' "$hist" 2>/dev/null \
    | sed "s/^/$HOST suspicious-history /"
done

Important: Shell history is unreliable. Attackers often disable it, delete it, truncate it, or run commands through non-interactive shells that never write to history. Absence of suspicious history does not mean the server is clean.

What to Do If Any Check Returns a Positive Result

Treat any positive result as a potential full-server compromise. Do not assume only cPanel is affected. Root-level access means the entire server should be considered untrusted.

Recommended immediate actions:

  1. Do not continue using the server for production traffic until it has been reviewed or rebuilt.
  2. Contact Bluehost Support immediately for assistance.
  3. Preserve evidence — take snapshots or disk images before making changes.
  4. Review all hosted accounts for signs of compromise or unauthorized changes.
  5. Rotate all credentials, SSH keys, API keys, and passwords that may have been accessible on the server.
  6. Notify affected customers if customer data may have been exposed.

Limitations of These Checks

Important: These checks detect some known compromise patterns associated with CVE-2026-41940 exploitation. A server with no detections may still be fully compromised.

These checks do not replace:

  • Forensic review by a security professional
  • Endpoint detection and response (EDR) tools
  • File integrity monitoring
  • Full log analysis
  • Rebuilding from trusted, clean media

If you need further assistance, Bluehost Chat Support is available 24 hours a day, 7 days a week, while Bluehost Phone Support is available 7 days a week from 7 am to 12 midnight EST.

  • Chat Support - While on our website, you should see a CHAT bubble in the bottom right-hand corner of the page. Click anywhere on the bubble to begin a chat session.
  • Phone Support -
    • US: 888-401-4678
    • International: +1 801-765-9400

You may also refer to our Knowledge Base articles to help answer common questions and guide you through various setup, configuration, and troubleshooting steps.
