cPanel HF (High Forensic) COMPLETED

Technical summary

hf.sh is a Linux hosting forensic auditor, rewritten in Bash from the original hf.pl. It combines static file inspection and time-correlated evidence search across operational logs to identify probable upload/execution vectors.

Analysis architecture

Two execution phases:

  1. Static file analysis
     • permissions, size, metadata
     • immutable attribute (chattr +i)
     • extension vs real MIME type (spoofing checks)
     • risky code signatures (eval, base64_decode, etc.)
     • SHA-256 hash with VirusTotal lookup link

  2. Time-window correlation
     • web logs (Apache/Nginx/domlogs)
     • panel traces (cPanel/DirectAdmin)
     • FTP logs (Pure-FTPd/ProFTPd/xferlog)
     • SSH/SFTP activity
     • shell history when available
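As an added illustration of the time-window correlation phase (example code written for this page, not hf.sh itself), the snippet below normalizes combined-log timestamps, zone offset included, to epoch seconds and reports every request within ±N seconds of a file's mtime. It assumes GNU date for `date -d`; the access-log lines and the mtime are constructed.

```bash
#!/usr/bin/env bash
# Illustrative time-window correlation in the spirit of hf.sh phase 2.
# Not hf.sh itself. Assumes GNU date (for `date -d`); log lines and the
# file mtime below are constructed so the script runs offline.

# Convert a combined-log timestamp "10/Oct/2023:13:55:36 +0000" to epoch.
# Honouring the zone offset is what keeps the comparison timezone-safe;
# grepping the log for the mtime's "HH:MM" string would miss a line logged
# under a different offset.
clf_to_epoch() {
  # "10/Oct/2023:13:55:36 +0000" -> "10 Oct 2023 13:55:36 +0000"
  date -u -d "$(printf '%s' "$1" | sed 's#/# #g; s/:/ /')" +%s
}

# hf_window_hits <mtime_epoch> <window_seconds> <logfile>
# Prints each log line whose request time lies within +/- window of the
# mtime, prefixed by its signed offset (seconds) from the mtime.
hf_window_hits() {
  local mtime="$1" window="$2" logfile="$3" line ts epoch delta
  while IFS= read -r line; do
    ts="${line#*\[}"; ts="${ts%%\]*}"        # text between [ and ]
    [ "$ts" = "$line" ] && continue           # no bracketed timestamp
    epoch=$(clf_to_epoch "$ts" 2>/dev/null) || continue
    delta=$(( epoch - mtime ))
    if [ "${delta#-}" -le "$window" ]; then
      printf '%+d\t%s\n' "$delta" "$line"
    fi
  done < "$logfile"
}

# Constructed sample access log. The third line is logged in +0100, so its
# clock text (14:55) does not match the mtime's 13:55 even though it is
# only 6 seconds away in real time.
demo_log=$(mktemp); trap 'rm -f "$demo_log"' EXIT
cat > "$demo_log" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:40:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 74 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:55:30 +0100] "GET /suspicious.php HTTP/1.1" 200 128 "-" "curl/8.0"
192.0.2.4 - - [10/Oct/2023:16:20:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "bot"
EOF

# In hf.sh the mtime comes from `stat -c %Y "$file"`; fixed here to
# 2023-10-10 13:55:36 UTC (epoch 1696946136).
FILE_MTIME=$(clf_to_epoch "10/Oct/2023:13:55:36 +0000")
hf_window_hits "$FILE_MTIME" 300 "$demo_log"
```

With a 300-second window the two lines at -26 s and -6 s are reported and the others are dropped; shrinking the window to 5 s yields no hits.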

Operational modes


# full mode (recommended with root)
hf.sh --mode full /home/account/public_html/index.php

# cPanel account-safe mode
hf.sh --mode user /home/account/public_html/suspicious.php

# non-colored output for CI/parsers
hf.sh --mode user --no-color /home/account/public_html/file.php

Mode semantics

  • full: attempts privileged host-level sources.
  • user: restricts to account-safe sources by design.

Useful environment variables


HF_MODE=user HF_UNPRIVILEGED=1 HF_AUDIT_USER=account hf.sh /home/account/public_html/a.php

  • HF_MODE=full|user
  • HF_UNPRIVILEGED=1
  • HF_AUDIT_USER=<account>
  • NO_COLOR=1

Output interpretation

  • MATCH FOUND (...): a hit in the named evidence source within the time window.
  • SPOOFING DETECTED: the file extension does not match its real MIME type.
  • CRITICAL ALERT (immutable): the file carries the +i attribute.
  • VirusTotal hash URL: SHA-256 lookup link for quick enrichment.

Security and limits

  • Read-only operation (no delete/move/remediation actions).
  • Accuracy depends on log retention quality and on timezone alignment between log sources and file timestamps.
  • .bash_history is weak temporal evidence by default (it carries no timestamps unless HISTTIMEFORMAT is set).
  • Validation of the audited user name (HF_AUDIT_USER) reduces the risk of malicious input.

Install and direct usage


curl -O https://raw.githubusercontent.com/sr00t3d/cpanel-hf/refs/heads/main/hf.sh
chmod +x hf.sh
./hf.sh --version

Direct execution via curl:


bash <(curl -fsSL 'https://raw.githubusercontent.com/sr00t3d/cpanel-hf/refs/heads/main/hf.sh') --mode user /home/account/public_html/file.php

Stack and tooling

  • Shell Script / Bash
  • cPanel/WHM
  • DirectAdmin
  • grep/awk/sed/zgrep
  • SHA-256 + VirusTotal hash lookup

Operational tags

  • Bash
  • Forensics
  • cPanel
  • DirectAdmin
  • Incident Response

Operational outcome

  • Faster probable attack-vector determination.
  • Standardized forensic triage for malicious upload incidents.
  • Better evidence quality for containment and hardening decisions.


Real results

Standalone forensic auditor for Linux/cPanel/DirectAdmin that correlates file metadata with multi-source logs to estimate probable file origin.

Architecture and organization

Execution and operations

The project follows reproducible execution flow with technical validation in production-like environments.
