Index Of Vendor Phpunit Phpunit Src Util Php Evalstdinphp Better Link

Devin laughed nervously. “Just delete the file.”

Check your access logs for suspicious POST requests targeting eval-stdin.php, which is a common indicator of an attempted exploit.

Implement a whitelist of allowed functions/classes when evaluating untrusted code:

However, the script is – you can use it independently of PHPUnit’s test runner.

Whoever broke into our systems had total control for eleven days. They chose not to destroy us. Next time, we might not be so lucky. Or so ‘better.’

While the script is clever, there are often tools for the job:

Transform your server into a malicious botnet node to participate in DDoS attacks or cryptocurrency mining operations. Why a "9-Year-Old" Vulnerability Is Still Heavily Targeted Web Attack: PHPUnit RCE CVE-2017-9841 - Broadcom Inc.

vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

The evalStdin.php script relies heavily on indexing to function efficiently. By creating an index of the test code, PHPUnit can quickly locate and execute the necessary test cases. The indexing mechanism used in evalStdin.php is based on a combination of techniques, including:

Lyra traced the access logs. The attacker hadn’t just found the file—they’d used it. POST requests to eval-stdin.php with base64-encoded payloads. System reconnaissance. Database dumps. A reverse shell that had been sleeping inside their cloud environment for eleven days.

Deep in the shadows of a botnet hosted in a cold climate, a script finally matched the index. It didn’t send a polite request. It sent a payload—a string of encoded gibberish that flowed through the eval-stdin.php pipe like a virus through an IV drip.
