vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php Exploit Jun 2026

Maya traced the infection path. The attacker uploaded a web shell, then moved laterally through an old NFS mount. They didn't touch production—yet. But they had credentials. Database dumps. API keys for the sandbox environment.

Place a .htaccess file in the root directory.

The eval-stdin.php file was intended for internal testing but was accidentally included in production distributions. It takes input from stdin and executes it as PHP code.

A critical flaw in PHPUnit, tracked as CVE-2017-9841, allows remote attackers to execute arbitrary PHP code on vulnerable servers. This security gap stems from an optional development script that was inadvertently exposed to the public web.
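One way to triage web-server access logs for requests to the exposed script described above. This is an added example, not part of the original page: it assumes the Apache/nginx combined log format, the sample log lines are constructed, and `triage` and `needs_incident_response` are hypothetical helper names.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path suffix of the script named on this page. Matched case-insensitively and
# after URL-decoding, so encoded or re-cased variants are still caught.
TARGET = re.compile(r"/phpunit/src/util/php/eval-stdin\.php(?:$|[?#])", re.I)

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(lines):
    """Return {ip: {"probes": n, "served": n}} for requests to eval-stdin.php.
    "served" counts 2xx answers: the server answered from that path instead of
    rejecting the request, so the file is present and web-reachable."""
    hits = defaultdict(lambda: {"probes": 0, "served": 0})
    for line in lines:
        m = LINE.match(line)
        if not m or not TARGET.search(unquote(m["path"])):
            continue
        rec = hits[m["ip"]]
        rec["probes"] += 1
        if m["status"].startswith("2"):
            rec["served"] += 1
    return dict(hits)

def needs_incident_response(hits):
    """Client IPs that received at least one 2xx answer from the script."""
    return sorted(ip for ip, rec in hits.items() if rec["served"])

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:04:11:09 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [12/Mar/2024:04:11:10 +0000] "POST /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.23 - - [12/Mar/2024:05:02:44 +0000] "POST /app/vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 200 32 "-" "-"',
    '192.0.2.10 - - [12/Mar/2024:05:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = triage(SAMPLE)
    print(found, needs_incident_response(found))
```

A 404-only client was scanning for the file; any client listed by `needs_incident_response` reached a live copy, so that host should be treated as potentially compromised and the `vendor` directory removed from the web root.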