=== FILESYSTEM ANALYSIS === --- /etc/passwd (full) --- postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/usr/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/usr/sbin/nologin named:x:25:25:Named:/var/named:/sbin/nologin dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin root:x:0:0:root:/root:/bin/bash cpaneleximfilter:x:988:985::/var/cpanel/userhomes/cpaneleximfilter:/usr/local/cpanel/bin/noshell mail:x:8:12:mail:/var/spool/mail:/sbin/nologin mailman:x:992:989:GNU Mailing List Manager:/usr/local/cpanel/3rdparty/mailman:/usr/local/cpanel/bin/noshell mailnull:x:47:47:Exim:/var/spool/mqueue:/bin/false mysql:x:982:979:MariaDB server:/var/lib/mysql:/sbin/nologin nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin carewell:x:1020:1025::/home/carewell:/bin/bash --- CHROOT DETECTION --- proc 1 root: proc self root: lrwxrwxrwx 1 carewell carewell 0 Mar 27 10:43 /proc/self/root -> / File: / Size: 166 Blocks: 0 IO Block: 4096 directory Device: 903h/2307d Inode: 628474 Links: 14 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2026-03-27 10:37:52.856052238 +0000 Modify: 2025-12-30 08:20:19.076303529 +0000 Change: 2026-03-27 03:37:02.022907349 +0000 Birth: 2025-12-30 08:20:11.376228451 +0000 --- MOUNT NAMESPACE --- 71704 71659 9:3 /usr/share/cagefs-skeleton / rw,nosuid,relatime - xfs /dev/md3 rw,attr2,inode64,logbufs=8,logbsize=32k,usrquota 71705 71704 0:22 / /dev/pts rw,nosuid,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000 71706 71704 9:3 /usr/lib /lib ro,nosuid,relatime - xfs /dev/md3 rw,attr2,inode64,logbufs=8,logbsize=32k,usrquota 71707 71704 9:3 /usr/lib64 /lib64 ro,nosuid,relatime - xfs /dev/md3 rw,attr2,inode64,logbufs=8,logbsize=32k,usrquota 71708 71704 9:3 /opt /opt rw,nosuid,relatime - xfs /dev/md3 rw,attr2,inode64,logbufs=8,logbsize=32k,usrquota 71709 71708 9:3 /usr/share/cagefs/.cagefs.empty /opt/suphp/sbin ro,nosuid,relatime - xfs /dev/md3 rw,attr2,inode64,logbufs=8,logbsize=32k,usrquota 71710 71708 9:3 /usr/share/cagefs/.cpanel.multiphp/opt/cpanel/ea-php81/root/usr/bin /opt/cpanel/ea-php81/root/usr/bin ro,nosuid,relatime - xfs /dev/md3 rw,attr2,inode64,logbufs=8,logbsize=32k,usrquota 71711 71708 9:3 /usr/share/cagefs/.cpanel.multiphp/opt/cpanel/ea-php81/root/etc /opt/cpanel/ea-php81/root/etc ro,nosuid,relatime - xfs /dev/md3 rw,attr2,inode64,logbufs=8,logbsize=32k,usrquota 71712 71708 9:3 /usr/share/cagefs/.cpanel.multiphp/opt/cpanel/ea-php82/root/usr/bin /opt/cpanel/ea-php82/root/usr/bin ro,nosuid,relatime - xfs /dev/md3 rw,attr2,inode64,logbufs=8,logbsize=32k,usrquota 71713 71708 9:3 /usr/share/cagefs/.cpanel.multiphp/opt/cpanel/ea-php82/root/etc /opt/cpanel/ea-php82/root/etc ro,nosuid,relatime - xfs /dev/md3 rw,attr2,inode64,logbufs=8,logbsize=32k,usrquota 71714 71708 9:127 /carewell/.cagefs/opt/alt/php53/link /opt/alt/php53/link rw,nosuid,nodev,noexec,relatime - ext4 /dev/md127 rw,quota,usrquota,grpquota,stripe=32 71715 71708 9:127 /carewell/.cagefs/opt/alt/php53/var/lib/php/session /opt/alt/php53/var/lib/php/session rw,nosuid,nodev,noexec,relatime - ext4 /dev/md127 rw,quota,usrquota,grpquota,stripe=32 71716 71708 9:127 /carewell/.cagefs/opt/alt/php54/link /opt/alt/php54/link rw,nosuid,nodev,noexec,relatime - ext4 /dev/md127 rw,quota,usrquota,grpquota,stripe=32 71717 71708 9:127 /carewell/.cagefs/opt/alt/php54/var/lib/php/session /opt/alt/php54/var/lib/php/session rw,nosuid,nodev,noexec,relatime - ext4 /dev/md127 rw,quota,usrquota,grpquota,stripe=32 71718 71708 9:127 /carewell/.cagefs/opt/alt/php74/link /opt/alt/php74/link rw,nosuid,nodev,noexec,relatime - ext4 /dev/md127 rw,quota,usrquota,grpquota,stripe=32 71719 71708 9:127 /carewell/.cagefs/opt/alt/php74/var/lib/php/session /opt/alt/php74/var/lib/php/session rw,nosuid,nodev,noexec,relatime - ext4 /dev/md127 rw,quota,usrquota,grpquota,stripe=32 71720 71708 9:127 /carewell/.cagefs/opt/alt/php80/link /opt/alt/php80/link rw,nosuid,nodev,noexec,relatime - ext4 /dev/md127 rw,quota,usrquota,grpquota,stripe=32 71721 71708 9:127 /carewell/.cagefs/opt/alt/php80/var/lib/php/session /opt/alt/php80/var/lib/php/session rw,nosuid,nodev,noexec,relatime - ext4 /dev/md127 rw,quota,usrquota,grpquota,stripe=32 71722 71708 9:127 /carewell/.cagefs/opt/alt/php81/link /opt/alt/php81/link rw,nosuid,nodev,noexec,relatime - ext4 /dev/md127 rw,quota,usrquota,grpquota,stripe=32 71723 71708 9:127 /carewell/.cagefs/opt/alt/php81/var/lib/php/session /opt/alt/php81/var/lib/php/session rw,nosuid,nodev,noexec,relatime - ext4 /dev/md127 rw,quota,usrquota,grpquota,stripe=32 --- REAL PASSWD --- --- addon_domains: altawasulalthaki.com: altawasulalthaki.com.carewellclinics.ae carewellclinics.in: carewellclinics.in.carewellclinics.ae drsruthybinoy.com: drsruthybinoy.com.carewellclinics.ae harylandproductions.com: harylandproductions.com.carewellclinics.ae kochuguruvayoor.com: kochuguruvayoor.com.carewellclinics.ae namariqgroup.ae: namariqgroup.ae.carewellclinics.ae nexaecom.ae: nexaecom.ae.carewellclinics.ae royalskychef.com: royalskychef.com.carewellclinics.ae === DIRTYPIPE ON SUID BINARY === --- /etc/shadow --- cat: /etc/shadow: Permission denied --- NAMESPACE --- mnt:[4026536119] --- PROC 1 --- --- SEARCH REAL PASSWD --- /usr/bin/passwd /etc/passwd /home/carewell/etc/carewellclinics.ae/passwd /home/carewell/etc/carewellclinics.in/passwd /home/carewell/etc/nexaecom.ae/passwd /home/carewell/etc/royalskychef.com/passwd --- CPANEL VERSION --- --- ETC SYMLINKS --- -rw-r--r-- 1 root root 512 Mar 27 10:20 /etc/group -rw-r--r-- 1 root root 1360 Mar 27 10:20 /etc/passwd -rw------- 1 root root 757 Mar 27 10:20 /etc/shadow DONE