How do I keep getting hacked on PHPUnit?

Posted 2 weeks ago by mchiasson

I need to secure my install a bit better as it was installed as a subdomain of my root. I do have .htaccess restrictions to block .env access but still manage to see a hacked page pop up once in a while on my server monitoring. Each time it looks like a PHP webshell gets uploaded.

When looking at my raw access logs it shows a lot of different requests to PHPUnit and I'm curious if that is the flaw in my system. My .env is set to APP_DEBUG=false. Below is a snippet of my logs; you can see them sending GET/POST requests to alfa.php in phpunit and then eventually they have access to a PHP shell at '/wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php' in a WordPress install one level above.

```
109.127.13.152 - - [29/Jun/2019:19:20:30 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 146160 "http://MYDOMAIN.com/portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:32 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 10536 "http://MYDOMAIN.com/portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:34 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 3141 "http://MYDOMAIN.com/portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:41 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 3909 "http://MYDOMAIN.com/portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:46 -0400] "GET /portal.MYDOMAIN.com/MYDOMAIN-back-office/vendor/knplabs/knp-snappy/src/Knp/new.php HTTP/1.1" 404 73885 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:48 -0400] "GET /wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php HTTP/1.1" 200 319 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:52 -0400] "POST /wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php HTTP/1.1" 200 8038 "http://www.MYDOMAIN.com/wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:21:33 -0400] "GET / HTTP/1.1" 301 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:21:59 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 11910 "http://MYDOMAIN.com/portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:22:15 -0400] "GET /wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php HTTP/1.1" 200 8038 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:22:25 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 7199 "
```
Any suggestions? This weekend I'll go separate these domains into different cPanel directories.
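An added example, not part of the original post or of any project's code: a small Python scanner, written from the defender's side, that parses Apache combined-format lines like the excerpt above and flags the two things the poster is looking at, namely requests that reach a Composer `vendor/` directory over HTTP (a dev dependency such as phpunit should never be web-reachable on a production install) and PHP scripts served with a 200 out of directories that should only hold static assets. The sample log lines are constructed (documentation IP ranges and example.com) to mirror the shape of the excerpt, and the list of asset directory names in `ASSET_PHP_RE` is an assumption you would tune to your own layout.

```python
import re
import sys
from collections import defaultdict

# Apache/cPanel "combined" access-log format, the same shape as the excerpt in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Composer dependencies live under vendor/; on a production install that directory
# should sit outside the document root, so any hit on it over HTTP is worth a look.
# The double slash seen in the post ("//vendor/") still contains "/vendor/".
VENDOR_RE = re.compile(r'/vendor/')

# A .php file living under a directory that should only hold static assets.
# The directory names here are an assumption; adjust to your own tree.
ASSET_PHP_RE = re.compile(r'/(?:css|js|images|img|uploads|fonts)/[^?]*\.php(?:$|\?)')

# Constructed sample lines (RFC 5737 addresses, example.com) modelled on the excerpt.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jun/2019:19:20:30 -0400] "POST /portal.example.com/back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 146160 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2019:19:20:46 -0400] "GET /portal.example.com/back-office/vendor/knplabs/knp-snappy/src/Knp/new.php HTTP/1.1" 404 73885 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2019:19:20:48 -0400] "GET /wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php HTTP/1.1" 200 319 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2019:19:20:52 -0400] "POST /wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php HTTP/1.1" 200 8038 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Jun/2019:19:21:33 -0400] "GET / HTTP/1.1" 301 - "-" "Mozilla/5.0"
198.51.100.9 - - [29/Jun/2019:19:21:40 -0400] "GET /css/app.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reason tags for a parsed entry; an empty list means it looks benign."""
    reasons = []
    path = entry["path"]
    status = entry["status"]
    if VENDOR_RE.search(path):
        reasons.append("vendor-path")              # a Composer dependency was reached over HTTP
    if ASSET_PHP_RE.search(path) and status == "200":
        reasons.append("php-in-asset-dir")         # the server executed PHP from a static-asset folder
    # A POST that succeeds against a script already flagged above is the pattern in the post:
    # the script is being driven, not merely probed for.
    if entry["method"] == "POST" and path.endswith(".php") and status == "200" and reasons:
        reasons.append("post-to-suspect-script")
    return reasons


def scan(lines):
    """Group flagged requests by client IP: {ip: [(timestamp, method, path, status, reasons), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                               # skip blank or malformed lines
        reasons = classify(entry)
        if reasons:
            hits[entry["ip"]].append((entry["ts"], entry["method"], entry["path"], entry["status"], reasons))
    return dict(hits)


def report(hits):
    """Render the scan result as plain text, one block per client IP."""
    out = []
    for ip, events in sorted(hits.items()):
        out.append(f"{ip}: {len(events)} flagged request(s)")
        for ts, method, path, status, reasons in events:
            out.append(f"  [{ts}] {method} {path} -> {status}  ({', '.join(reasons)})")
    return "\n".join(out)


if __name__ == "__main__":
    # With no argument the constructed sample is scanned; pass an access_log path to scan a real file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(scan(fh)))
    else:
        print(report(scan(SAMPLE_LOG.splitlines())))
```

Against the sample, only 203.0.113.7 is reported, with four events: the two `vendor/` hits (one of them a successful POST), the GET that served a `.php` file from under a `css/` directory, and the POST to that same file. The second client, which only fetched `/` and a real stylesheet, produces nothing. The tags are deliberately coarse; the value is in the vendor-path rule, because on a correctly deployed Laravel install the document root is `public/` and `vendor/` is not reachable at all. Two things close the gap the scan is pointing at: deploy with the web root set to `public/` (or deny `vendor/` in the web server configuration) and run `composer install --no-dev` in production so development packages such as phpunit are not present on the server in the first place.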
