Cookie‑Controlled PHP Webshells Enable Stealthy Access to Compromised Linux Hosting Environments
What Happened — Microsoft Defender researchers disclosed new tradecraft: PHP webshells that embed encrypted commands in HTTP cookies. The shells are dropped on shared Linux hosting servers and use the cookie as a covert control channel, evading many file‑integrity and network‑monitoring tools.
Why It Matters for TPRM —
- Hosting providers and any downstream SaaS platforms inherit the risk of a compromised web server.
- Persistent, cookie‑based webshells can be used to harvest customer data, inject malicious code, or pivot to other third‑party services.
- Traditional detection rules often miss cookie‑only command traffic, increasing the chance of undetected exposure.
Who Is Affected — Cloud hosting / managed‑service providers (shared Linux hosting, VPS), enterprises that run web applications on third‑party infrastructure (e‑commerce, SaaS, media sites), and ultimately the end users whose data resides on those servers.
Recommended Actions —
- Review vendor contracts for mandatory web‑application firewalls, file‑upload sanitization, and continuous integrity monitoring.
- Require evidence that the vendor monitors for anomalous cookie usage and can detect hidden PHP webshells.
- Add custom detection signatures for “cookie‑controlled webshell” patterns to your own SIEM/NDR and request regular security posture reports from the hosting provider.
Technical Notes —
- Attack vector: malicious PHP file upload via compromised credentials or vulnerable web apps.
- Control channel: encrypted commands hidden in HTTP cookies.
- Data at risk: any files on the host, including credentials, PII, source code, and customer‑generated content.
- No CVE is associated with this technique.
Source: Microsoft Security Blog
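As an added illustration of the "anomalous cookie usage" monitoring asked for under Recommended Actions and of the cookie control channel described in the Technical Notes, the following Python scanner (written for this summary, not taken from Microsoft's report) flags web requests whose cookies look like a command channel rather than application state. It assumes Apache combined-format logs with the `Cookie` header appended via `%{Cookie}i`, a constructed set of sample log lines, and an assumed baseline of cookie names (`KNOWN_COOKIES`) that the application legitimately sets.

```python
import math
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (not real traffic): Apache combined format with "%{Cookie}i" appended.
SAMPLE_LOG = """
203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PHPSESSID=3f9a1c2b4d5e6f7a8b9c0d1e2f3a4b5c; lang=en"
198.51.100.7 - - [12/Mar/2025:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0" "ab_test=variantB"
192.0.2.55 - - [12/Mar/2025:10:02:11 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 200 143 "-" "Mozilla/5.0" "PHPSESSID=3f9a1c2b4d5e6f7a8b9c0d1e2f3a4b5c; sid2=Qz8kLm2pXr9vBn4tWc7yHd1fGs5jKa0uEo3iMw6bNl2xZq8cRt4hYp7vUk1sJg9dFe3aIo5wTn0mCb6zLx2rPq4"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$')

# Assumed baseline of cookie names the application legitimately sets (derive from config or observed traffic).
KNOWN_COOKIES = {"PHPSESSID", "lang"}
MIN_OPAQUE_LEN = 40      # shorter values are unlikely to carry an encrypted command
ENTROPY_THRESHOLD = 4.5  # hex session ids max out at 4.0 bits/char; ciphertext/base64 run higher

def shannon_entropy(value):
    """Bits per character; encrypted or base64-encoded data scores far above hex."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0

def parse_cookies(header):
    """Logged Cookie header -> {name: value}; Apache logs '-' when none was sent."""
    parts = header.split(";") if header not in ("", "-") else []
    return {n: unquote(v) for n, _, v in (p.strip().partition("=") for p in parts) if n}

def suspicious_cookies(path, cookies):
    """Reasons a request's cookies look like a webshell control channel (empty if none)."""
    if not path.split("?", 1)[0].lower().endswith(".php"):
        return []  # only a PHP endpoint can execute what a cookie carries
    reasons = []
    for name, value in cookies.items():
        if name not in KNOWN_COOKIES:
            reasons.append(f"unexpected cookie name {name!r} on PHP endpoint")
        if len(value) >= MIN_OPAQUE_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            reasons.append(f"opaque {len(value)}-char value in {name!r} ({shannon_entropy(value):.2f} bits/char)")
    return reasons

def scan_log(text):
    """(client_ip, path, reasons) for each request an analyst should review."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.strip().splitlines())):
        reasons = suspicious_cookies(m["path"], parse_cookies(m["cookie"]))
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits
```

Only the request to the uploaded `cache.php` is reported (unknown cookie name plus a long high-entropy value); the ordinary session cookie on `/index.php` and the unknown but short cookie on a static image are not, which is the noise-versus-signal balance a SIEM rule for this pattern needs to strike.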