
PHP File Upload

Alert ID: php_upload
MITRE ATT&CK: T1505.003 – Server Software Component: Web Shell


!!! danger "Critical"
    Any PHP file detected inside the uploads directory is considered a serious threat.


  • Web shells: allow remote command execution on the server.
  • Backdoors: give the attacker persistent access.
  • Cryptominers: use server resources without authorization.
  • Spam mailers: turn the site into a bulk spam platform.
  • Data exfiltration: theft of sensitive information.

!!! warning ""
    The uploads directory must not contain executable code under any circumstances.


  • Immediate detection of suspicious extensions: .php, .php3, .php4, .php5, .phtml, .phar.
  • Other monitored extensions:
    • Scripts: .asp, .aspx, .jsp, .cgi, .pl, .py, .rb.
    • Executables: .exe, .dll, .bat, .sh, .ps1.
  • Content analysis: PHP indicators such as `<?php`, `<?=`.
  • Deduplication window: 30 seconds.

| Type | Pattern | Description |
|---|---|---|
| file_pattern | `eval($_POST['cmd']);` | Remote code execution |
| file_pattern | `system($_GET['command']);` | System command execution |
| file_pattern | `base64_decode(` | Obfuscated code |
| file_pattern | `file_get_contents('php://input')` | Direct read from PHP input |
| file_pattern | `c99.php`, `r57.php`, `wso.php` | Known web shells |
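The detection logic described above (the extension lists, the `<?php`/`<?=` content check, the file_pattern table and the 30-second deduplication window) as an added Python example. This is illustrative code written for this page, not the alert engine's own implementation; the sample files under `wp-content/uploads/2024/05/` are constructed, and `scan` takes the current time as a parameter so the deduplication window can be exercised offline.

```python
from pathlib import PurePosixPath
# Extensions the alert treats as executable code inside the uploads tree.
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
OTHER_EXTS = {".asp", ".aspx", ".jsp", ".cgi", ".pl", ".py", ".rb",  # scripts
              ".exe", ".dll", ".bat", ".sh", ".ps1"}                  # executables
KNOWN_SHELLS = {"c99.php", "r57.php", "wso.php"}
# Content indicators from the alert's file_pattern rules, matched as literal substrings.
FILE_PATTERNS = {
    "eval($_POST['cmd']);": "Remote code execution",
    "system($_GET['command']);": "System command execution",
    "base64_decode(": "Obfuscated code",
    "file_get_contents('php://input')": "Direct read from PHP input",
}
DEDUP_WINDOW = 30.0  # seconds

def classify(path: str, data: bytes) -> list[str]:
    """Return every reason a file under uploads/ should raise php_upload (empty = clean)."""
    p, reasons = PurePosixPath(path), []
    ext = p.suffix.lower()
    if ext in PHP_EXTS:
        reasons.append(f"php extension {ext}")
    elif ext in OTHER_EXTS:
        reasons.append(f"monitored extension {ext}")
    if p.name.lower() in KNOWN_SHELLS:
        reasons.append("known web shell name")
    text = data.decode("utf-8", errors="ignore")  # tolerate binary image headers
    if "<?php" in text or "<?=" in text:
        reasons.append("php open tag in content")  # also catches a .jpg carrying PHP
    reasons.extend(desc for pat, desc in FILE_PATTERNS.items() if pat in text)
    return reasons

def should_alert(seen: dict, key: str, now: float, window: float = DEDUP_WINDOW) -> bool:
    """Deduplicate: one alert per path per window; `seen` maps path -> last alert time."""
    prev = seen.get(key)
    if prev is not None and now - prev < window:
        return False
    seen[key] = now
    return True

def scan(files: dict, seen: dict, now: float) -> dict:
    """Classify each path -> content pair and return the alerts that survive deduplication."""
    return {path: r for path, data in files.items()
            if (r := classify(path, data)) and should_alert(seen, path, now)}

# Constructed sample files (not real captures): a dropped shell, a polyglot "image", a clean image.
SAMPLES = {
    "wp-content/uploads/2024/05/wso.php": b"<?php eval($_POST['cmd']); ?>",
    "wp-content/uploads/2024/05/avatar.jpg": b"\xff\xd8\xff\xe0<?= system($_GET['command']); ?>",
    "wp-content/uploads/2024/05/photo.jpg": b"\xff\xd8\xff\xe0JFIF real image bytes",
}
```

Calling `scan(SAMPLES, {}, 0.0)` flags `wso.php` and the polyglot `avatar.jpg` but not `photo.jpg`; a second call with the same `seen` dict inside 30 seconds returns nothing.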

  • Poorly designed legitimate plugins that allow PHP uploads.
  • Developers uploading test code, which is bad practice.
  • Migration or backup tools that do not use temporary directories.

!!! warning "Attention"
    Even "false positives" represent serious security weaknesses that must be fixed.


  1. Do not execute the file. Inspect it with:

     ```bash
     strings /path/to/file.php | grep -E 'eval|exec|system|base64'
     ```

  2. Calculate the file's MD5 and SHA256 hashes.

  3. Verify origin through timestamp and access logs (user/IP).

  4. Search for other shells:

     ```bash
     find wp-content/uploads -name "*.php" -type f
     ```

  5. Review logs for requests targeting the suspicious file.


=== "Immediate"

    !!! danger ""
        - Isolate the file; do not delete it if you need evidence.
        - Move it to a quarantine directory outside the `webroot`.
        - Block access through `.htaccess`.
        - Scan the full site with antimalware tools.
        - Change all passwords: WordPress, hosting, FTP, and database.

=== "Preventive"

    !!! tip ""
        Add inside `wp-content/uploads/.htaccess`:

        ```apache
        <FilesMatch "\.(?:php|phtml)$">
        Deny from all
        </FilesMatch>
        ```

        `Deny from all` is Apache 2.2 syntax; on Apache 2.4 without `mod_access_compat` use `Require all denied` instead, and extend the pattern if the other detected extensions (`php3`, `php4`, `php5`, `phar`) must also be blocked.

        - Restrict upload policies to images and documents only.
        - Validate files server-side before storing them.
        - Implement `mod_security` with web-shell detection rules.
        - Use safe permissions: 755 for upload folders, 644 for files.