Deep Checks

28 checks, run every 60 minutes. Thorough filesystem and database scans.

Filesystem

| Check | Description |
|---|---|
| filesystem | Backdoors, hidden executables, suspicious SUID binaries |
| webshells | Known webshell patterns (c99, r57, b374k, etc.) |
| htaccess | .htaccess injection (auto_prepend_file, eval, base64 handlers) |
| file_index | Indexed file listing to detect new/unauthorized files |
| php_content | Suspicious PHP functions (exec, eval, system, passthru) |
| group_writable_php | World/group-writable PHP files (privilege escalation) |
| symlink_attacks | Symlink-based privilege escalation attempts |

WordPress

| Check | Description |
|---|---|
| wp_core | Core file integrity via official WordPress.org checksums |
| nulled_plugins | Cracked/nulled plugin detection |
| outdated_plugins | Plugins with known CVEs |
| db_content | Database injection, siteurl hijacking, rogue admins, spam |

Phishing & Malware

| Check | Description |
|---|---|
| phishing | 8-layer phishing detection (kit directories, credential harvesting) |
| email_content | Outbound email body scanning for credentials and suspicious URLs |

System Integrity

| Check | Description |
|---|---|
| rpm_integrity | System binary verification via rpm -V |
| open_basedir | open_basedir restriction validation |
| php_config_changes | php.ini modifications |

DNS & SSL

| Check | Description |
|---|---|
| dns_zones | DNS zone file changes (MX record hijacking) |
| ssl_certs | SSL certificate issuance (subdomain takeover) |
| waf_status | WAF mode, staleness, bypass detection |

Email Security

| Check | Description |
|---|---|
| email_weak_password | Email accounts with weak passwords |
| email_forwarder_audit | Forwarders redirecting to external addresses |

Performance

| Check | Description |
|---|---|
| perf_php_handler | PHP handler configuration (DSO vs CGI vs FPM) |
| perf_mysql_config | MySQL my.cnf optimization |
| perf_redis_config | Redis configuration |
| perf_error_logs | Error log file growth (bloat) |
| perf_wp_config | WordPress wp-config.php settings |
| perf_wp_transients | WordPress database transient bloat |
| perf_wp_cron | WordPress cron scheduling (missed crons) |

Platform Support

The deep checks are the most cPanel-biased part of CSM because they iterate account home directories and per-user public_html trees. On plain Ubuntu/AlmaLinux, the checks that depend on this account scan do not run today:

cPanel-only (skipped on plain Linux):

  • htaccess, file_index, php_content, group_writable_php, symlink_attacks – iterate /home/*/public_html/**
  • wp_core, nulled_plugins, outdated_plugins, db_content – find WordPress installs under /home/*/public_html
  • phishing, email_content – scan user home directories and Exim spool
  • dns_zones, ssl_certs – read cPanel’s DNS zone store and SSL installation records
  • email_weak_password, email_forwarder_audit – read /etc/valiases, Dovecot/Courier auth databases
  • open_basedir, php_config_changes – read EA-PHP php.ini under /opt/cpanel/ea-php*/
  • perf_wp_config, perf_wp_transients, perf_wp_cron, perf_php_handler – WordPress and PHP handler introspection via cPanel’s EA-PHP layout

Runs on every platform:

  • filesystem, webshells – fanotify and file-tree scans over /home, /tmp, /dev/shm
  • rpm_integrity – dispatches to rpm -V on RHEL family or debsums / dpkg --verify on Debian family
  • waf_status – detects ModSecurity on Apache, Nginx, and LiteSpeed across all supported distros
  • perf_mysql_config, perf_redis_config, perf_error_logs – rely on standard service locations

A future release may add a config-driven account_roots option so the account-scan checks can iterate generic Linux webroots (/var/www/*, /srv/http/*, etc.). See the project roadmap.
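
The htaccess check and the account-root iteration described above, as an added example that is not CSM's own code: it walks webroots given as glob patterns and flags auto_prepend_file/auto_append_file includes and PHP handlers bound to non-PHP extensions. The rule names, function names and sample .htaccess files are assumptions constructed for illustration, and the eval/base64 patterns are not covered.

```python
import glob
import os
import re
import tempfile

PHP_EXT = re.compile(r"\.?(php\d?|phtml)", re.I)  # extensions a PHP handler normally owns

def classify(line):
    """Return a rule name for a suspicious .htaccess line, else None (assumed rules)."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    directive, arg = parts[0].lower(), parts[1].lower()
    if directive == "php_value" and arg in ("auto_prepend_file", "auto_append_file"):
        return None if parts[2].strip("\"'").lower() in ("", "none") else "auto_include"
    if directive in ("addhandler", "addtype") and "php" in arg:
        # a PHP handler bound to .jpg/.txt makes uploaded files executable
        if any(not PHP_EXT.fullmatch(ext) for ext in parts[2:]):
            return "php_handler_on_non_php_ext"
    return None

def scan_htaccess(root_globs):
    """Walk each directory matched by root_globs; return (path, line_no, rule) tuples."""
    findings = []
    for pattern in root_globs:
        for root in sorted(glob.glob(pattern)):
            for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
                path = os.path.join(dirpath, ".htaccess")
                if ".htaccess" not in files or os.path.islink(path):
                    continue
                with open(path, errors="replace") as fh:
                    findings += [(path, n, r) for n, t in enumerate(fh, 1) if (r := classify(t))]
    return findings

SAMPLES = {  # constructed input: alice is clean ("none" disables the include), bob is not
    "home/alice/public_html/.htaccess":
        "AddHandler application/x-httpd-ea-php81 .php .php8 .phtml\nphp_value auto_prepend_file none\n",
    "home/bob/public_html/uploads/.htaccess":
        "# cache\nphp_value auto_prepend_file /tmp/.cache.php\nAddType application/x-httpd-php .jpg\n",
}

def demo():
    with tempfile.TemporaryDirectory() as base:
        for rel, body in SAMPLES.items():
            os.makedirs(os.path.dirname(os.path.join(base, rel)))
            with open(os.path.join(base, rel), "w") as fh:
                fh.write(body)
        return scan_htaccess([os.path.join(base, "home/*/public_html")])

if __name__ == "__main__":
    print(demo())
```

Passing several patterns, such as /home/*/public_html together with /var/www/*, covers both the cPanel layout and the generic webroots named above.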