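# Evidence directory for this incident-response session, named with the local
# date and time (minute resolution).
EV=/root/ir-evidencia-$(date +%Y%m%d-%H%M)
# Create it under a restrictive umask so the directories are never readable by
# other users, not even briefly before the chmod. The subshell keeps the umask
# change from leaking into the rest of the session.
if ! (umask 077 && mkdir -p "$EV/cleanup" && chmod 700 "$EV"); then
  # Make the failure visible: the steps that follow copy evidence into this
  # directory before deleting the originals.
  echo "ERROR: could not create evidence directory $EV/cleanup" >&2
fi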

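# Preserve everything that belongs to rese1289977 in the evidence directory,
# then remove it from the server. Removal runs only when every copy succeeded,
# so a full disk or an unwritable evidence directory cannot destroy the
# originals.
# NOTE(review): this removes the account's files by hand and does not touch the
# system user entry itself. cPanel also ships /scripts/removeacct; confirm
# whether it was ruled out deliberately for this account.
acct=rese1289977
backup_failed=0
if [ -z "${EV:-}" ] || [ ! -d "$EV/cleanup" ]; then
  echo "ERROR: evidence directory \$EV/cleanup is missing" >&2
  backup_failed=1
fi

for path in \
    "/var/cpanel/php-fpm.d/$acct.conf" \
    "/var/cpanel/users/$acct" \
    "/var/cpanel/userdata/$acct" \
    "/home/$acct" \
    "/etc/imunify360/user_config/$acct" \
    "/var/spool/cron/$acct" \
    "/var/spool/cron/crontabs/$acct"; do
  # -L also catches a dangling symlink, which -e alone reports as missing.
  if [ -e "$path" ] || [ -L "$path" ]; then
    # Destination name: the account prefix plus the source path with every
    # "/" replaced by "_".
    dest="$EV/cleanup/${acct}_$(printf '%s' "$path" | tr '/' '_')"
    # cp -a preserves ownership, modes and timestamps. Its errors are not
    # suppressed, and "backup:" is printed only for a copy that succeeded.
    if cp -a -- "$path" "$dest"; then
      echo "backup: $path"
    else
      echo "ERROR: backup failed: $path" >&2
      backup_failed=1
    fi
  fi
done

# Find EVERYTHING related: list every name containing the account string under
# the cPanel, DNS zone and /etc trees, and keep the list with the evidence.
# The output redirection comes first so that a failure to open the list file is
# not itself sent to /dev/null.
find /var/cpanel /var/named /etc -name "*$acct*" > "$EV/cleanup/${acct}_paths.txt" 2>/dev/null
wc -l "$EV/cleanup/${acct}_paths.txt"

# Delete, but only with a complete backup in hand.
if [ "$backup_failed" -eq 0 ]; then
  # rm errors stay visible: a removal that fails (for example on a file that
  # was made immutable) is something the operator needs to see.
  rm -f -- "/var/cpanel/php-fpm.d/$acct.conf"
  rm -rf -- "/var/cpanel/users/$acct"
  rm -rf -- "/var/cpanel/userdata/$acct"
  rm -rf -- "/home/$acct"
  rm -rf -- "/etc/imunify360/user_config/$acct"
  rm -f -- "/var/spool/cron/$acct" "/var/spool/cron/crontabs/$acct"
else
  echo "ERROR: at least one backup failed; nothing was deleted for $acct" >&2
fi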

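# DNS zones and domain registry entries for rese1289977.
# Each file is copied into the evidence directory before it is removed or
# edited. If the copy fails, the file is left untouched.
if [ -n "${EV:-}" ] && [ -d "$EV/cleanup" ]; then
  # DNS zones
  for zone in \
      /var/named/rese1289977.internal.db \
      /etc/named/zones/rese1289977.internal.db; do
    if [ -e "$zone" ] || [ -L "$zone" ]; then
      if cp -a -- "$zone" "$EV/cleanup/rese1289977_$(printf '%s' "$zone" | tr '/' '_')"; then
        rm -f -- "$zone"
      else
        echo "ERROR: backup failed, zone not removed: $zone" >&2
      fi
    fi
  done

  # Domain registry
  # NOTE(review): the sed pattern is a plain substring match, so it deletes any
  # line that merely contains the string (a longer user name, a domain, another
  # field). The pre-edit copy kept below allows a diff afterwards to confirm
  # that only the intended lines were removed.
  for reg in \
      /etc/userdomains \
      /etc/trueuserdomains \
      /etc/domainusers \
      /etc/userdatadomains; do
    # A missing file is skipped silently; the original discarded that error.
    [ -f "$reg" ] || continue
    if cp -a -- "$reg" "$EV/cleanup/pre-edit_$(printf '%s' "$reg" | tr '/' '_')"; then
      sed -i "/rese1289977/d" "$reg"
    else
      echo "ERROR: backup failed, file not edited: $reg" >&2
    fi
  done
else
  echo "ERROR: evidence directory \$EV/cleanup is missing; DNS zones and domain registry left untouched" >&2
fi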

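# Same operation for root1 and sptadm (preventive, even if no full cPanel
# account was ever created for them). "Same" includes the backup: whatever
# exists for these users is copied into the evidence directory first, and a
# user's files are removed only when all of that user's copies succeeded.
for u in root1 sptadm; do
  if [ -z "${EV:-}" ] || [ ! -d "$EV/cleanup" ]; then
    echo "ERROR: evidence directory \$EV/cleanup is missing; nothing removed for $u" >&2
    continue
  fi

  u_backup_failed=0
  for path in \
      "/var/cpanel/php-fpm.d/${u}.conf" \
      "/var/cpanel/users/${u}" \
      "/var/cpanel/userdata/${u}" \
      "/home/${u}" \
      "/etc/imunify360/user_config/${u}" \
      "/var/spool/cron/${u}" \
      "/var/spool/cron/crontabs/${u}"; do
    # -L also catches a dangling symlink, which -e alone reports as missing.
    if [ -e "$path" ] || [ -L "$path" ]; then
      if cp -a -- "$path" "$EV/cleanup/${u}_$(printf '%s' "$path" | tr '/' '_')"; then
        echo "backup: $path"
      else
        echo "ERROR: backup failed: $path" >&2
        u_backup_failed=1
      fi
    fi
  done

  if [ "$u_backup_failed" -ne 0 ]; then
    echo "ERROR: at least one backup failed; nothing was deleted for $u" >&2
    continue
  fi

  # rm errors stay visible so a removal that did not happen is noticed.
  rm -f -- "/var/cpanel/php-fpm.d/${u}.conf"
  rm -rf -- "/var/cpanel/users/${u}" "/var/cpanel/userdata/${u}"
  rm -rf -- "/home/${u}"
  rm -rf -- "/etc/imunify360/user_config/${u}"
  rm -f -- "/var/spool/cron/${u}" "/var/spool/cron/crontabs/${u}"
done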

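# MySQL: check for databases and accounts that belong to the attacker.
# The query output is captured before filtering so that a failed query (server
# down, missing credentials) is reported as a failure instead of looking the
# same as "nothing found".
if dbs=$(mysql -e "SHOW DATABASES;"); then
  if ! printf '%s\n' "$dbs" | grep -E "rese1289977|root1|sptadm"; then
    echo "no matching databases"
  fi
else
  echo "ERROR: SHOW DATABASES failed; the database check is inconclusive" >&2
fi
# If any show up, drop them. Dump each one into the evidence directory first,
# so its content is preserved.
# mysql -e "DROP DATABASE \`rese1289977_wp\`;" etc.
if users=$(mysql -e "SELECT User, Host FROM mysql.user;"); then
  if ! printf '%s\n' "$users" | grep -E "rese1289977|root1|sptadm"; then
    echo "no matching MySQL users"
  fi
else
  echo "ERROR: query on mysql.user failed; the account check is inconclusive" >&2
fi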

# Rebuild: run cPanel's updateuserdomains script (presumably regenerates the
# domain-to-user maps; confirm), then bring the PHP-FPM unit back up.
/scripts/updateuserdomains
# Clear the unit's recorded failure state first, then start it.
for action in reset-failed start; do
  systemctl "$action" cpanel_php_fpm
done
# Short pause before checking the unit, then show the top of its status output.
sleep 2
systemctl status cpanel_php_fpm --no-pager | head -n 10
