
roywealth's avatar

HELP!!! My client's website deposit details changed to fake details by scammer

Please, I need help with this issue. My client's website deposit details keep getting changed by an unknown person. I have tried changing the password and also removing the edit option in admindepositcontroller.php, but the scammer was still able to log in and change the deposit details to his own in order to steal money.

Please, is there any way to know where or how this scammer is getting access to the deposit details and changing them to his own? I have changed the cpanel login details and still the scammer is still able to edit deposit details. Please, I need urgent help with this, as my client is super mad at me because I am the one who developed the site for him. I have super limited knowledge of how PHP/Laravel works, but I will be more than grateful if any guru here can help me fix this, as I am very worried.

roywealth's avatar

I found this code

/*
 * This file is part of PHPUnit.
 *
 * (c) Sebastian Bergmann [email protected]
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */
eval('?>' . \file_get_contents('php://stdin'));

in this folder /home/bitcwlbc/public_html/projectname/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

I am not sure what that means or which script it's trying to call... I am suggesting that this scammer is the developer that coded the script, as other users have accused him of manipulating the script from his end after you install it, just to extract money from his buyers and people using his scripts.

Snapey's avatar

There seems to be a remote code execution vulnerability in PHPUnit.

This library should not be installed on your production machine. I guess because you use shared hosting you just copied your entire project to the host?

You should be uploading a version of the application that used composer install --no-dev to create the deployment image.

The vulnerability also requires that the vendor folder is publicly accessible, so if you have not installed Laravel correctly you are compounding the problem.

Only the contents of the public folder should be available to the outside world.

roywealth's avatar

Thanks @snapey, can I delete this PHPUnit without it causing a breakdown on the website? Any suggestions you can throw?

Snapey's avatar

PHPUnit is only needed for tests in development.

Check also that your .env file is not exposed.

How did you deploy to the server?

bugsysha's avatar

I have changed the cpanel login details and still the scammer is still able to edit deposit details

Then you have the deposit details which prove who changed them, right? Why don't you report him to police?

roywealth's avatar

The deposit details are bitcoin, so no way I can figure it out.

roywealth's avatar

I uploaded my project to the server through my cPanel FTP. The .env is not exposed, to the best of my knowledge.

bugsysha's avatar

The deposit details are bitcoin, so no way I can figure it out.

Shit. Sorry to hear that. Maybe best thing to do is to migrate to some more secure hosting setup, for example Forge to manage all your servers.

jlrdw's avatar

If you type yoursite.com/.env

If you can read that file you are not secure.

Replace yoursite.com with your actual site.

martinbean's avatar

Shit. Sorry to hear that. Maybe best thing to do is to migrate to some more secure hosting setup

@bugsysha This sounds more like a poorly-coded application rather than the host. There's clearly some code that is vulnerable to attack. Moving hosts isn't going to fix that if that is indeed the issue.

bugsysha's avatar

@martinbean The only reason I suggested it was the lack of following deployment suggestions, because they have PHPUnit on production.

Coding_Field's avatar

There are many folders in public_html/vendor that are installed by default with Laravel, but most of them are not really needed.

Which ones should we really keep for common use? I know it all varies by application type, but some are problematic, like eval-stdin.php: we had a similar issue and our server was compromised because we did not delete this from the vendor folder.
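The deployment checks suggested in the replies above (no PHPUnit on production, the vendor folder and .env outside the publicly served folder), as an added example that is not part of the original thread. The function names, finding labels and sample directory trees are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report files under a web document root
# that the replies say must not be reachable from outside. Labels are made up here.

audit_webroot() {
    docroot=$1
    {
        # A .env under the document root puts APP_KEY and DB credentials one URL away.
        find "$docroot" -type f -name '.env' | sed 's/^/ENV_IN_WEBROOT /'
        # Composer's vendor/ directory should sit outside the served folder.
        find "$docroot" -type d -name vendor -prune | sed 's/^/VENDOR_IN_WEBROOT /'
        # The PHPUnit helper quoted earlier in the thread.
        find "$docroot" -type f -path '*/phpunit/*' -name 'eval-stdin.php' |
            sed 's/^/PHPUNIT_EVAL_STDIN /'
        # PHPUnit present at all means dev dependencies were deployed
        # (the build did not use: composer install --no-dev).
        find "$docroot" -type d -path '*/vendor/phpunit/phpunit' -prune |
            sed 's/^/DEV_DEPS_DEPLOYED /'
    } 2>/dev/null
}

# Succeeds only when audit_webroot reports nothing.
webroot_is_clean() {
    [ -z "$(audit_webroot "$1")" ]
}

# Constructed sample trees (not real deployments), removed on exit.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
# Layout from the thread: the whole project uploaded under public_html.
bad="$demo/bad/public_html"
mkdir -p "$bad/projectname/vendor/phpunit/phpunit/src/Util/PHP"
: > "$bad/projectname/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
: > "$bad/projectname/.env"
# Recommended layout: only Laravel's public/ folder is the document root.
good="$demo/good/project/public"
mkdir -p "$good" "$demo/good/project/vendor/laravel"
: > "$demo/good/project/.env"
: > "$good/index.php"

audit_webroot "$bad"
webroot_is_clean "$good" && echo "good layout: nothing flagged"
```

This inspects the file layout only; requesting yoursite.com/.env, as suggested above, confirms what the server actually serves.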
