
Lugi's avatar
Level 21

Malicious files found in Laravel public folder - how can I disable it?

Hello all,

I have a website which was written in Laravel 5. I found malicious files in folders: public_html and mylaravelproject\public. I'm not sure how this happened because I don't use upload file functionality anywhere. Anyway, I restored these folders from backup and now the website is running fine. To avoid future issues, I deleted all contact forms and auth paths from the source code, so the webpage is now more or less just showing static pages like About Me, etc... But that's fine because in the future I plan to rebuild everything.

But until rebuilding, I want to run current website as it is.

Based on last modified date my conclusion is that the entry point was mylaravelproject\public folder. So, to keep the website safe until rebuilding, I want to completely disable this folder.

Please suggest how I can disable the Laravel public folder (mylaravelproject\public).

If this helps, I provide some config details:

  • laravel project folder is outside of public_html
  • .htaccess config is like this:
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
  • here is filesystems.php:
<?php
return [
    'default' => env('FILESYSTEM_DRIVER', 'local'),
// ...
    'disks' => [
        'local' => [
            'driver' => 'local',
            'root' => storage_path('app'),
        ],
        'public' => [
            'driver' => 'local',
            'root' => storage_path('app/public'),
            'url' => env('APP_URL').'/storage',
            'visibility' => 'public',
        ],
        // ...
    ],
];
0 likes
9 replies
neilstee's avatar

@lugi

Malicious files found in Laravel public folder

Via what? If this is a program to protect your files it thinks JS or any code can be harmful, but if you know what you are doing then disable that path entirely.

You also said you don't upload user files on that folder so I think nothing to worry about here.

neilstee's avatar

I wanted to say A N T I V I R U S but Laracasts is preventing me from typing it, it thinks it's spam 😅

Lugi's avatar
Level 21

I found a malicious php file there in mylaravelproject\public. I have no idea how it ended there.

You said to disable the path entirely, but I don't have path to public anyway...

Btw, AV anyway found nothing even after my site was down (replaced with ssi.shtml)...

1 like
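An added example, not part of any post in this thread: a Python audit of a Laravel `public/` tree for the case described above, where a PHP file appears in `public` and AV reports nothing. Because the posted `.htaccess` hands a request to `index.php` only when the requested file does not exist (`!-f`), any other script file in that tree is served directly. The extension list and the assumption that a stock `public/` holds only `index.php` and one top-level `.htaccess` are this example's own.

```python
import os
import time
from pathlib import Path

# Assumption: extensions the server maps to the PHP handler; match to your handler config.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}
# Assumption: stock Laravel public/ has one PHP file and one .htaccess, both top-level.
EXPECTED = {"index.php", ".htaccess"}


def audit_public(public_dir, since_days=None, now=None):
    """Return sorted (relative_path, reason) findings for a Laravel public/ tree."""
    root = Path(public_dir)
    cutoff = None
    if since_days is not None:
        cutoff = (time.time() if now is None else now) - since_days * 86400
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for d in dirnames:
            p = Path(dirpath) / d
            if p.is_symlink():
                # e.g. public/storage -> storage/app/public; walk that target separately.
                findings.append((p.relative_to(root).as_posix(),
                                 "symlinked directory, audit its target too"))
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if rel in EXPECTED:
                # Known files matter only if they changed inside the window.
                if cutoff is not None and p.lstat().st_mtime >= cutoff:
                    findings.append((rel, "expected file modified recently"))
            elif name == ".htaccess":
                findings.append((rel, "nested .htaccess can remap handlers"))
            elif SCRIPT_EXTS & {s.lower() for s in Path(name).suffixes}:
                # Any script extension counts, so shell.php.jpg is caught too.
                findings.append((rel, "script file served directly, bypasses index.php"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, reason in audit_public(sys.argv[1], since_days=30):
        print(f"{rel}\t{reason}")
```

Run it against the restored backup first to confirm it reports nothing unexpected, then against the live tree and compare.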
ahmeddabak's avatar

I have also found malware files in my public folder. I have my project on a DigitalOcean droplet; no idea how this could have happened.

Lugi's avatar
Level 21

All my Laravel projects were hacked at the end. Sorry to say that but I switched to other programming language and framework. Now at the end I think it may be related to PHP/Laravel mail sending capabilities which from security point should not be present on the server out of the box (that's my opinion, but maybe I'm wrong).

ahmeddabak's avatar

I thought so at the beginning, and I checked many times. But it is not the case here for many reasons.

Maybe a vulnerable composer package, or a Linux exploit.
