
gab (Level 14)

Malicious files found in Laravel project public folder

Our /public/index.php was replaced.

And a directory named /public/ALFA_DATA/alfacgiapi appeared in our Laravel app this morning. In this folder there are .htaccess, aspx.aspx, bash.alfa, perl.alfa and py.alfa.

After reading some articles it appears to be some WordPress-related exploit. But this VM has no WordPress installation at all.

We have also found a malicious file /public/c.php that has an arbitrary file upload form. We have no idea how it got there.

And another malicious /public/style.php that handles file copying, renaming, replacing, reading directories etc.

The /public/.htaccess is also modified by the malware.

We have checked all controllers that deal with file upload, but we have no controllers that upload files to the /public folder.

We would appreciate it if anyone who has had the same breach could tell us what it is and what steps we can take.

Thank you.

P.S.: The app is running on Apache and Windows Server.

0 likes
7 replies
rodrigo.pedra

First thing I would do is to check all directories permissions.

The ./public directory should by no means be writable in production by the user running apache/nginx.

Only the ./storage directory should be writable.

If you need to upload files and make them available on the ./public directory use a symlink for that:

https://laravel.com/docs/9.x/filesystem#the-public-disk
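A concrete way to run the check rodrigo.pedra describes, as an added example that is not part of the thread or of Laravel itself: a small PHP script that walks public/ from the point of view of the PHP process and reports directories the web server user can write to, PHP files other than the front controller, and top-level entries a stock Laravel skeleton does not ship. The expected-entry list and the constructed demo tree (which mirrors the ALFA_DATA, c.php and style.php layout gab reported) are assumptions; run it as the same account Apache runs PHP under, since is_writable() reflects that account's effective permissions.

```php
<?php
// Added example: audit a Laravel public/ directory for writability and unexpected files.
// Not from the thread or from Laravel. Expected entries below are an assumption based
// on a stock skeleton; adjust to your project.

declare(strict_types=1);

const EXPECTED_PUBLIC_ENTRIES = [
    'index.php', '.htaccess', 'robots.txt', 'favicon.ico',
    'build', 'storage', 'mix-manifest.json',
];

/**
 * Walk $publicDir and return human-readable findings. An empty array means clean.
 *
 * @return string[]
 */
function auditPublicDir(string $publicDir): array
{
    $publicDir = rtrim($publicDir, DIRECTORY_SEPARATOR);
    if (!is_dir($publicDir)) {
        return ["public directory not found: $publicDir"];
    }

    $findings = [];
    // The directory itself: if PHP can write here, it can drop a new index.php.
    if (is_writable($publicDir)) {
        $findings[] = 'WRITABLE DIR: . (public root)';
    }

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($publicDir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $rel = substr($path, strlen($publicDir) + 1);

        // public/storage is the symlink to storage/app/public; uploads there are meant
        // to be writable, so it is excluded from the writability check.
        if ($rel === 'storage' || str_starts_with($rel, 'storage' . DIRECTORY_SEPARATOR)) {
            continue;
        }

        // Top-level entry not shipped by the skeleton (e.g. ALFA_DATA, c.php, style.php).
        if ($it->getDepth() === 0 && !in_array($rel, EXPECTED_PUBLIC_ENTRIES, true)) {
            $findings[] = "UNEXPECTED ENTRY: $rel";
        } elseif ($info->isFile() && $rel !== 'index.php'
            && preg_match('/\.(php|phtml|phar)$/i', $rel)) {
            // A PHP file anywhere else under public/ besides the front controller.
            $findings[] = "UNEXPECTED PHP FILE: $rel";
        }

        // Any directory the PHP process can write to is a place malware can be dropped.
        if ($info->isDir() && is_writable($path)) {
            $findings[] = "WRITABLE DIR: $rel";
        }
    }
    return $findings;
}

// --- Constructed demo tree (assumption: mirrors the layout described in the thread) ---
// Note: when run as root/Administrator, is_writable() is true everywhere, so run it
// as the web server account to get a meaningful result.
$root = sys_get_temp_dir() . '/laravel-audit-' . bin2hex(random_bytes(4));
mkdir("$root/public/ALFA_DATA/alfacgiapi", 0777, true);   // writable, unexpected
mkdir("$root/public/build", 0555, true);                   // read-only, expected
file_put_contents("$root/public/index.php", "<?php // front controller\n");
file_put_contents("$root/public/.htaccess", "RewriteEngine On\n");
file_put_contents("$root/public/c.php", "<?php // should not be here\n");
file_put_contents("$root/public/style.php", "<?php // should not be here\n");

foreach (auditPublicDir("$root/public") as $finding) {
    echo $finding, PHP_EOL;
}
```

On a healthy deployment the script prints nothing. Point it at the real public/ directory instead of the demo tree, and treat any WRITABLE DIR line as the permission problem to fix first, before worrying about how the individual files arrived.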

gab (Level 14)

@rodrigo.pedra Thanks for your reply.

(1) The app is currently hosted in a Windows Server environment. Is there any way we can have the /public folder not writable by Apache in this Windows OS?

(2) Should we be more concerned about how these malicious files were dropped into the /public folder in the first place?

rodrigo.pedra

@gab

  1. I cannot help with this, sorry. I have no experience with Windows Server, and I mostly use nginx.
  2. Yes. My guess is that some form of yours can be saving file uploads on the public directory directly.
gab (Level 14)

@rodrigo.pedra We have a limited number of forms, so we can check them one by one. Of all file uploads, the original file name is never used. The server generates a UUID as the file name for storage for each file uploaded. The original file name is ignored.

If you have any other thoughts or guess please do drop a reply.

Thanks a lot for your replies.

1 like
rodrigo.pedra

@gab no problem, sorry for not being able to help further.

The deal with the file uploads is not how you name the files, but where you save them. But if you are using standard Laravel methods you should be fine.

But most importantly check your directories permissions.

Good Luck!
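To make the "where you save them, not how you name them" point concrete, here is an added example (not code from the thread, and not Laravel's own code): a Laravel controller with the risky pattern next to the safer one. The controller, route, disk and field names are assumptions for illustration; the 'documents' disk is assumed to be configured in config/filesystems.php with a root under storage/app, which Apache never serves directly.

```php
<?php
// Added example: two upload patterns side by side. Class, field and disk names are
// assumptions; only the Laravel APIs used (Request::file, UploadedFile::storeAs,
// Storage::disk()->download, Str::uuid) are real framework calls.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;

class DocumentController extends Controller
{
    // RISKY: the file lands under public/. If the web server user can write there,
    // anything that gets past validation is immediately URL-reachable, and a .php
    // upload is executable by Apache. The client-supplied name makes it worse, but
    // even a UUID name would not fix the location problem.
    public function storeInsecure(Request $request)
    {
        $file = $request->file('document');
        $file->move(public_path('uploads'), $file->getClientOriginalName());
    }

    // SAFER: validate type and size, discard the client-supplied name, and write to
    // a disk rooted under storage/ so nothing uploaded is ever in the web root.
    public function store(Request $request)
    {
        $request->validate([
            'document' => ['required', 'file', 'mimes:pdf,png,jpg', 'max:2048'],
        ]);
        $file = $request->file('document');

        // extension() is derived from the detected MIME type, not the client filename.
        $name = Str::uuid() . '.' . $file->extension();

        // Assumed disk config (config/filesystems.php):
        //   'documents' => ['driver' => 'local', 'root' => storage_path('app/documents')],
        $file->storeAs('', $name, 'documents');

        return response()->json(['id' => $name]);
    }

    // Serve through the application, so authorization middleware runs and the file is
    // streamed as a download rather than executed or listed by Apache.
    public function show(Request $request, string $id)
    {
        // Tight allow-list on the identifier prevents path traversal into the disk root.
        abort_unless(preg_match('/^[0-9a-f-]{36}\.(pdf|png|jpg)$/', $id) === 1, 404);
        abort_unless(Storage::disk('documents')->exists($id), 404);

        return Storage::disk('documents')->download($id);
    }
}
```

With this layout, public/ contains only index.php, .htaccess and static assets, and can be left read-only for the web server account; the only writable tree is storage/, exactly as rodrigo.pedra describes.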

gab (Level 14)

@rodrigo.pedra We always use the Laravel methods i.e.

Storage::disk('documents')->put($uuid, $contents);

I understand Linux-based OSes have this chmod 777 thing, but I doubt Windows has any similar file permission mechanism.
