A publicly exposed, unrestricted PHP file upload on a Linux webserver allowed a threat actor to upload an obfuscated PHP web shell and a mailer script, though the uploaded payloads were not externally reachable and broader exploitation was prevented. Varonis’ forensic investigation highlighted missing EDR, lack of centralized logs, unpatched high-severity CVEs, and recommended controls including upload restrictions, logging, segmentation, and vulnerability management. #webshell #PHPLeafMailer
Keypoints
- The initial access vector was an unrestricted, publicly accessible upload page (e.g., hxxps://redacted.tld/en/upload[.]php) intended for testing but misconfigured to be internet-exposed.
- The attacker uploaded an obfuscated PHP web shell that provided filesystem navigation, directory/file creation, and reverse shell capabilities, discovered and deobfuscated by Varonis.
- A PHP mailer script (mailer.php / PHP Leaf Mailer) was also found, indicating intent or potential to send spam/phishing from the compromised host.
- The webserver resided on the corporate VLAN, lacked an EDR agent, was unpatched with multiple high-severity CVEs, and had no centralized logging, increasing risk of lateral movement and undetected activity.
- Uploaded threats were not publicly accessible and the attacker could not communicate with the web shell externally, limiting impact in this case, but the misconfiguration persisted unnoticed for months.
- Potential consequences included privilege escalation, lateral movement to domain controllers, PII exfiltration, use as attacker infrastructure for spam/phishing, and resale of stolen data.
- Recommended defenses: audit and map web exposure, restrict and validate file uploads, centralize logging and alerts, deploy EDR and vulnerability management, harden applications/servers, and maintain incident response and backups.
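To make the "restrict and validate file uploads" recommendation concrete, here is an added example (not code from the Varonis report or the affected site) that places the unrestricted handler pattern behind this incident beside a hardened one; the form field name, storage path and allow-list are assumptions.

```php
<?php
// Added example, not code from the Varonis report or the affected site.
// Assumed: the form field is "document" and UPLOAD_DIR is a directory OUTSIDE the
// web root, so nothing stored there can be requested (or executed) over HTTP.

// --- Unrestricted pattern: the shape of handler behind this incident. ---
// Any file type, attacker-chosen name, written inside the web root: an uploaded
// .php file becomes executable the moment its URL is requested.
function unrestricted_upload(array $file): string
{
    $dest = __DIR__ . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened pattern: allow-list, content sniffing, server-chosen name, no exec. ---
const UPLOAD_DIR = '/srv/app-data/uploads';   // assumed path, not under the web root
const MAX_BYTES  = 5 * 1024 * 1024;            // 5 MiB
// Extension => MIME type that the file's bytes must actually have.
const ALLOWED = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
function hardened_upload(array $file, string $dir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied extension is only a claim to be verified, never trusted.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Detect the type from the content; the browser-sent $file['type'] is ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $detected does not match .$ext");
    }
    // Random name chosen by the server: the client controls neither path nor name.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the application, never executable
    return $dest;
}

// Usage, only on an authenticated page that is not exposed to the internet:
// $stored = hardened_upload($_FILES['document']);
```

Storing uploads outside the web root and never executing them is what turns an uploaded web shell into an inert file, which is the property that limited impact in this case.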
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attacker abused an unrestricted upload page to gain initial access (“a publicly accessible, unrestricted upload functionality on the victim’s website… anyone who accessed the URL could simply upload any file by clicking on the upload button”).
- [T1505.003] Server Software Component: Web Shell – The attacker uploaded and used an obfuscated PHP web shell to execute commands and interact with the OS (“The threat actor uploaded an obfuscated PHP web shell… Gain access to the underlying operating system of the server… Establish a reverse shell”).
- [T1059.004] Command and Scripting Interpreter: PHP – The web shell used PHP to perform filesystem navigation, create files/directories, and establish reverse shells (“deobfuscated code contained sections… for instance, the following code pertains to establishing a reverse shell on the webserver”).
- [T1105] Ingress Tool Transfer – The attacker uploaded additional tooling (mailer.php / PHP Leaf Mailer) to the compromised host potentially to send phishing/spam or support further operations (“a file named mailer.php was also discovered… confirmed to be a PHP Leaf Mailer script”).
- [T1078] Valid Accounts (Potential) – The web shell could enable persistent remote access that might be used to establish valid access paths and maintain persistence (“Establish a reverse shell… Help establish persistence on the compromised device”).
- [T1486] Data Encrypted for Impact (Potential outcome) – The report notes the possibility that exfiltrated PII could be held for ransom, illustrating a potential follow-on impact though not observed (“the database hosted on the webserver had PII entries — the threat actor could have exfiltrated the data and held the customer to ransom”).
Indicators of Compromise
- [URL] Unrestricted upload endpoint – example: hxxps://redacted.tld/en/upload[.]php (upload page used to deliver the web shell)
- [File Name] Malicious files found on the server – mailer.php (PHP Leaf Mailer script), and an obfuscated web shell saved as an uploaded PHP/HTML blob
- [Vulnerabilities] Unpatched high-severity CVEs – numerous unpatched high-severity CVEs were present on the webserver (no specific CVE IDs provided)
- [Configuration] Missing security controls context – the server lacked EDR and centralized logging, and was located on the corporate VLAN rather than a DMZ (no examples of EDR/logging artifacts provided)
Read more: https://www.varonis.com/blog/misconfigured-upload-path