Ping7 GitHub tools

Open-source CVE checkers for systems you own

Run it on systems you own when you need a first pass before patching, cleanup, or compromise review. Each checker stays read-only: inventory, configuration, logs, and indicators. No payloads. No mass scanning. No exploitation steps.

3 public repos
Read-only local evidence review
Issue or repair clean public triage path
1

Pick the matching repo

Choose by product and CVE. The tools are narrow on purpose, so the output stays useful for a site owner or hosting operator.

2

Run it on owned systems

Use a shell on your own server or an approved client server. Keep the command output, timestamp, hostname, and tool version.

3

Move to repair when evidence appears

Patch or isolate first. If logs, files, users, cron, SSH keys, or ransomware traces look wrong, send the sanitized output to Ping7 repair.

Copy-ready GitHub assets

Use the repos as traffic entry points

Each public repo should send readers back to the matching Ping7 guide and repair page. Keep the language narrow: owned systems, read-only checks, no exploit payloads, no mass scanning.

README opening

Read-only CVE checker for systems you own.

This tool helps collect version, config, log, and indicator evidence before patching.
It does not exploit the target and should not be used against systems you do not own.

Self-check guide: https://ping7.cc/cve/
Repair help: https://ping7.cc/cve-repair/

Issue triage label

Use GitHub Issues for tool bugs, unclear output, and documentation fixes.

Do not post private logs, domains, SSH keys, customer data, or screenshots with secrets.
For suspected compromise, use Ping7 repair instead.

Repair handoff fields

CVE ID:
Product and version:
Public exposure:
Checker output:
First suspicious timestamp:
Patch status:
Sanitized logs or screenshots:
CVE-2026-42945 nginx-rift-detector CVE-2026-1492 wp-user-registration-vuln-checker CVE-2026-41940 cpanel-cve-41940-detector

CVE-2026-42945

NGINX Rift Detector

Read-only Bash detector for NGINX version, rewrite config, ASLR, worker user, and crash or long-URI log signals.

Best for
NGINX operators, reverse-proxy owners, hosting teams, and Kubernetes ingress owners
Output
CLEAN / VULNERABLE / SUSPICIOUS

Checks

  • NGINX version compared with fixed releases
  • rewrite rules using risky capture and query-string patterns
  • access-log long URI and encoding anomalies
  • error-log worker crash signals
  • ASLR and worker privilege checks

Escalate when

  • The detector returns VULNERABLE or SUSPICIOUS.
  • NGINX was patched late and public traffic hit rewrite-heavy endpoints.
  • Worker crashes, redirects, or unusual long request paths appear in the exposure window.

CVE-2026-1492

WordPress User Registration Checker

Read-only checker for plugin exposure, hidden admin accounts, upload PHP files, cron entries, tampered files, and WordPress compromise residue.

Best for
WordPress site owners, agencies, WooCommerce operators, and hosting support teams
Output
CLEAN / SUSPICIOUS / COMPROMISED / ERROR

Checks

  • WordPress core and plugin version state
  • visible and hidden administrator accounts
  • PHP files under uploads
  • wp-config.php, theme, cron, and wp-includes anomalies
  • recent registration and backdoor filename signals

Escalate when

  • The checker returns SUSPICIOUS or COMPROMISED.
  • Unknown admin accounts, upload PHP files, redirects, or changed theme files appear.
  • The plugin was exposed before patching and customer or payment data is on the site.

CVE-2026-41940

cPanel CVE-2026-41940 IOC Detector

Read-only IOC detector for cPanel build state, .sorry ransomware traces, Mr_Rot13 Filemanager signs, cron, SSH keys, C2 callbacks, and log anomalies.

Best for
cPanel server owners, shared-hosting providers, MSPs, resellers, and VPS administrators
Output
CLEAN / SUSPICIOUS / COMPROMISED / ERROR

Checks

  • cPanel build and patch state
  • .sorry, .ENCRYPTED, and ransomware-style file extensions
  • Mr_Rot13 Filemanager paths and signatures
  • root cron, SSH authorized_keys, and cPanel session anomalies
  • Apache, ModSecurity, cphulkd, and root login indicators

Escalate when

  • The detector returns SUSPICIOUS or COMPROMISED.
  • The server was reachable during the exploitation window and patching was late.
  • Ransomware extensions, unknown SSH keys, cron jobs, or customer web-root changes appear.

GitHub triage

Open an issue or request repair?

GitHub Issues are fine for tool bugs, unclear output, documentation fixes, and non-sensitive examples. Repair is the right route when the output points to possible compromise or the evidence contains client data.

Open an issue

  • The checker crashes or gives an unclear result.
  • You can reproduce the problem without sharing private logs.
  • You want a feature request or documentation correction.

Request repair

  • The result is SUSPICIOUS, COMPROMISED, or VULNERABLE.
  • The evidence includes domains, customer data, logs, SSH keys, or filenames.
  • You need patch order, cleanup, account review, and a written handoff.

Handoff path

What to do after a checker runs

  1. Save the output. Keep the terminal result, tool version, timestamp, and target host name.
  2. Patch or isolate first. Do not keep a risky service public while waiting for a full review.
  3. Ask for repair when evidence appears. Send the CVE ID, output, first suspicious timestamp, and sanitized logs.

When the tool is not enough

Turn a suspicious result into a paid repair case

A checker can point at risky files, users, logs, or configuration. A repair job needs evidence handling, patch order, cleanup, account review, and a final note the owner can keep. Ping7 handles that handoff for owned systems and approved client work.

  • Send the CVE ID, domain or server type, tool output, first suspicious timestamp, and screenshots or sanitized logs.
  • Do not send passwords in the first message.
  • Use the sample report to see what the final deliverable looks like.