Active advisoryCVE-2026-41940 · cPanel/WHM

SessionScribe: cPanel/WHM session forgery

An unauthenticated CRLF injection in cPanel/WHM's session writer forges a logged-in root session. Disclosed 2026-04-28 by Sina Kheirkhah at watchTowr Labs.

Read the analysis Vendor advisory

Operator toolkit · sh.rfxn.com

modsec-sessionscribe.conf

5 phase-1 deny rules. Block at the WAF.

sessionscribe-remote-probe.sh

Remote verdict by HTTP code. Read-only.

sessionscribe-ioc-scan.sh

On-host IOC ladder. Vendor signals plus our heuristics.

GPL v2 · updated 2026-04-29

Hackathon submission

Attackers have agents. Defenders still have grep.

Blacklight is the counter: an agentic-defense layer on top of the Linux tooling your fleet already runs. ModSec, iptables, APF, CSF, LMD, ClamAV, YARA, fail2ban, directed by a Managed Agents curator with 1M-context forensic reasoning.

Built with Opus 4.7 · HackathonAnthropic × Cerebral Valley · Apr 21–28

See Blacklight Read the design

# no one is coming.

>_ defend.

BLACKLIGHT

>_ Agentic Defense · Human Trust · Attacker Speed

Curator

Opus 4.7

Time

8h → 10m

Skills

65 files

rfxn.com / blacklightSee the masthead

Research · April 21, 2026

AI-Generated Webshells: Why Pattern-Based Detection Still Wins

LLMs generate novel PHP webshells on demand and every sample is lexically unique. But a webshell still needs an input channel, a decode layer, and an execution primitive. maldet's compound signature engine matches on that semantic skeleton, and the paraphrase problem collapses back into a known one.

Read the Research All Research

Detection Research

One-line prompt, working webshell in five seconds

Lexically unique samples, semantically convergent

CSIG matches the input + decode + exec skeleton

MITRE ATT&CK T1505.003, honest about what still bypasses

maldetmalwareaidetectionwebshell

Active Servers (30d)

356.0k

Requests (30d)

30.82M

GitHub

2,158

Deployed across government, defense, education & enterprise networks

govNISTgovNOAAgovNIHgovUNAMdefenseNATO CCDCOEeduStanford UniversityeduHarvard UniversityeduNational Taiwan UniversityeduCity University of New YorkresearchDFNresearchRENATERresearchJANETresearchSURFnetresearchRedIRISresearchGARRresearchUNINETTresearchSWITCHenterpriseAmazon Web ServicesenterpriseMicrosoftenterpriseGoogleenterpriseDeutsche TelekomenterpriseVodafoneenterpriseTelefonicaenterpriseOrangeenterpriseCogententerpriseIONOShostingLiquid WebhostingVultrhostingDigitalOceanhostingHetznerhostingOVHhostingNexcesshostingContabohostingLeasewebhostingBluehostgovNISTgovNOAAgovNIHgovUNAMdefenseNATO CCDCOEeduStanford UniversityeduHarvard UniversityeduNational Taiwan UniversityeduCity University of New YorkresearchDFNresearchRENATERresearchJANETresearchSURFnetresearchRedIRISresearchGARRresearchUNINETTresearchSWITCHenterpriseAmazon Web ServicesenterpriseMicrosoftenterpriseGoogleenterpriseDeutsche TelekomenterpriseVodafoneenterpriseTelefonicaenterpriseOrangeenterpriseCogententerpriseIONOShostingLiquid WebhostingVultrhostingDigitalOceanhostingHetznerhostingOVHhostingNexcesshostingContabohostingLeasewebhostingBluehost

$git clone https://github.com/rfxn/linux-malware-detect.git && cd linux-malware-detect && ./install.sh

Featured Projects

View all

LMDv2.0.1

1,399

Linux Malware Detect

A high-performance malware scanner for Linux designed for the multi-core era. v2.0.1 introduces a foundational engine leap that delivers up to 10x faster performance than traditional scanners via hash-first short-circuiting and batch-parallel processing.

Learn more

APFv2.0.2

105

Advanced Policy Firewall

An iptables(netfilter) based firewall system for Linux servers. Provides three-fold filtering with static rules, stateful connection tracking, and sanity-based packet inspection.

Learn more

BFDv2.0.2

Brute Force Detection

A modular shell script for parsing application logs and detecting authentication failures. Uses regex rules and integrates with APF, Shorewall, or raw iptables for blocking.

Learn more

Quick Start

Get up and running in minutes. All tools install from source with a single command.

LMDLinux Malware Detect

bash

$ git clone https://github.com/rfxn/linux-malware-detect.git && cd linux-malware-detect && ./install.sh

APFAdvanced Policy Firewall

bash

$ git clone https://github.com/rfxn/advanced-policy-firewall.git && cd advanced-policy-firewall && ./install.sh

BFDBrute Force Detection

bash

$ git clone https://github.com/rfxn/brute-force-detection.git && cd brute-force-detection && ./install.sh

Built for Real-World Linux Security

Threat-Driven Design

Built from real malware data collected at the network edge. Every detection signature comes from active threats seen in production hosting environments, not theoretical research.

Shell-Native & Lightweight

Pure bash with minimal dependencies. No agents, no daemons eating resources, no runtime interpreters. Runs on any Linux system from embedded devices to enterprise servers.

Community-Sustained

20+ years of open source development under GPL v2. No venture funding, no enterprise upsells. Sustained by the community of sysadmins who rely on these tools daily.

Protection Stack

Three tools, one defense-in-depth strategy. Layer them together for comprehensive Linux security.

Layer 1

Malware Detection

LMD

Scan & quarantine threats from real hosting threat data

Layer 2

Firewall Policy

APF

Stateful iptables filtering with reactive address blocking

Layer 3

Intrusion Prevention

BFD

Block brute-force auth attacks with modular log parsing

Connect

About

@rfxn

Linux security, open source, and systems engineering

rfxn

Open source projects and contributions

Ryan MacDonald

SVP/CTO at Liquid Web

rfxn

Identity verification and encrypted messaging

Contact

Security reports and project inquiries

Support Open Source Security

R-fx Networks projects are entirely community-funded. If these tools help protect your infrastructure, consider contributing.

Support the Project Star on GitHub