Sample Scan Report
This is an anonymized example of what a CleanShift deep scan produces. All hostnames and paths have been redacted.
Scan Summary
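| Field | Value |
|---|---|
| Scan ID | CS-SCAN-2024-08-21-001 |
| Server | server-01.███████.com |
| Scan Mode | Deep (File + Database) |
| Sites Scanned | 34 |
| Duration | 2m 47s |
| Agent Version | 1.4.2 |
| Scan Date | August 21, 2024 |

| Severity | Findings |
|---|---|
| Critical | 12 |
| High | 28 |
| Medium | 47 |
| Low | 156 |
| Total Findings | 243 |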
Critical Findings — Database Layer
| # | Site | Finding | Severity | Type | Details |
|---|---|---|---|---|---|
| 1 | /home/user14/public_html | Rogue admin account: wp_developer_support | Critical | DB Injection | Created 2024-08-19 02:14 UTC. No matching email. Privilege: administrator. |
| 2 | /home/user14/public_html | Malicious wp_options payload | Critical | DB Injection | option_name: _site_transient_browser_check. Contains base64-encoded eval() redirect to click-tracker[.]buzz. |
| 3 | /home/user22/public_html | SEO spam injection in wp_posts | Critical | DB Injection | 847 posts modified. Japanese keyword spam injected into post_content via SQL injection. |
| 4 | /home/user07/public_html | Backdoor admin: developer_access | Critical | DB Injection | Created via REST API exploit (CVE-2024-28000). Role: administrator. |
High Findings — File Layer
| # | File Path | Finding | Severity | Hash (SHA-256) |
|---|---|---|---|---|
| 1 | /home/user14/public_html/wp-content/uploads/2024/08/.ht-access.php | PHP backdoor (web shell) | High | a3f8c2... |
| 2 | /home/user14/public_html/wp-includes/class-wp-recovery.php | Modified core file (injected eval) | High | 7d1e4b... |
| 3 | /home/user22/public_html/wp-content/mu-plugins/health-check.php | Fake mu-plugin (reverse shell) | High | c9f2a1... |
| 4 | /home/user31/public_html/favicon_backup.ico | Oversized .ico file (442KB, contains PHP) | High | e4b7d3... |
Cross-Site Correlation
Shared indicator of compromise detected across multiple sites
| Field | Value |
|---|---|
| IoC (SHA-256) | a3f8c2d1e9b4f7a0c3d2e8f1b5a9c6d4e7f0a2b3c8d1e4f6a9b0c5d7e2f3a1b8 |
| Classification | PHP backdoor variant (web shell) |
| Prevalence | Found on 12 of 34 sites (35%) |
| Patient Zero | /home/user14 |
| Propagation Method | Shared wp-content/uploads via symlink |
| Related CVE | CVE-2024-28000 — LiteSpeed Cache unauthenticated privilege escalation |
Remediation Summary
Automated actions (paid tier)
- ✅ Remove 4 rogue admin accounts
- ✅ Delete 3 malicious wp_options entries
- ✅ Quarantine 4 backdoor files → /var/cleanshift/quarantine/
- ✅ Restore 1 modified core file from known-good hash
- ✅ Purge 847 spam-injected post modifications
- ✅ Deploy Guard mu-plugin to all 34 sites
Estimated remediation time: ~4 minutes