Fortrabbit Blog:
Your responsibility: App security
Apr 09, 2018 @ 11:45:17

On the Fortrabbit blog there's a post from Oliver Stark about securing your PHP application, based on an incident their support team worked through in a recent ticket.

A few days ago, late in the evening, we received a support ticket with the [message asking if their site had been hacked]. The support team started the conversation with the client and checked the domain routing first. It quickly became clear that the redirects to the phishing domain happened on our platform, so they searched the access logs for suspicious requests.

As they searched the logs, other similar requests showed up pointing back to a root.php file that seemed to be taking commands from URL parameters. This kind of script is called a "webshell" and is usually uploaded via a vulnerability in a plugin, a poorly guarded upload form or missing input validation. After some additional tracking, the vulnerable code was located in the site's "vendor" folder, which was web accessible. The post finishes with recommendations to keep this from happening to your application, including keeping dependencies up to date and preventing direct web access to the "vendor" folder.
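The log search described above, turned into a small script, as an added example that is not part of the Fortrabbit post: it parses combined-format access log lines, flags PHP requests under /vendor/ (and tells you whether the server actually served them, which is the "is vendor/ web reachable" check), flags the file names the two write-ups mention (root.php, C99, b374k) and flags command-style query parameters. The parameter names and the sample log lines are constructed for this example; the package path and the IPs in the sample are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format as written by Apache and nginx: client, identd, user,
# timestamp, quoted request line, status, response size, then referrer and
# user agent (which this parser ignores).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristics, assumed for this example rather than taken from the post: query
# parameter names that command-taking webshells commonly read, and file names
# the write-ups mention (root.php, C99, b374k).
COMMAND_PARAMS = {"cmd", "exec", "command", "c", "shell"}
SHELL_NAMES = re.compile(r"(?:^|/)(?:root|c99|b374k)[\w-]*\.php$", re.I)
# Composer's vendor directory must never be reachable through the web server,
# so any PHP request under /vendor/ is worth a look.
VENDOR_PHP = re.compile(r"^/vendor/.*\.php$", re.I)


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the reasons (possibly an empty list) a parsed request looks like webshell traffic."""
    reasons = []
    path = rec["path"]
    if VENDOR_PHP.match(path):
        if rec["status"] == 200:
            reasons.append("vendor/ is web reachable: PHP file served")
        else:
            reasons.append("probe for PHP under vendor/ (status %d)" % rec["status"])
    if SHELL_NAMES.search(path):
        reasons.append("known webshell file name")
    hits = COMMAND_PARAMS & rec["params"]
    if hits and path.lower().endswith(".php"):
        reasons.append("command-style parameter: " + ",".join(sorted(hits)))
    return reasons


def scan_log(text):
    """Return (ip, method, path, status, reasons) for every suspicious request in the log text."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append((rec["ip"], rec["method"], rec["path"], rec["status"], reasons))
    return findings


def hosts_to_review(findings):
    """Client IPs that tripped more than one distinct indicator; pull their full history first."""
    by_ip = {}
    for ip, _, _, _, reasons in findings:
        by_ip.setdefault(ip, set()).update(reasons)
    return sorted(ip for ip, seen in by_ip.items() if len(seen) > 1)


# Constructed sample log (addresses from the documentation ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Apr/2018:22:39:51 +0000] "POST /vendor/acme/legacy-lib/upload.php HTTP/1.1" 200 45 "-" "python-requests/2.18"
203.0.113.5 - - [06/Apr/2018:22:41:07 +0000] "GET /root.php?cmd=uname+-a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Apr/2018:22:41:09 +0000] "GET /root.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Apr/2018:22:42:00 +0000] "GET /index.php?page=contact HTTP/1.1" 200 8120 "https://example.com/" "Mozilla/5.0"
198.51.100.9 - - [06/Apr/2018:22:43:12 +0000] "GET /vendor/autoload.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, method, path, status, reasons in hits:
        print("%-13s %-4s %-40s %d  %s" % (ip, method, path, status, "; ".join(reasons)))
    print("hosts to review:", hosts_to_review(hits))
```

The status code matters: a 404 for /vendor/autoload.php is a scanner probing for an exposed vendor directory, while a 200 for a PHP file under /vendor/ means the web root is misconfigured and the dependency code is directly reachable, which is the condition the post's recommendation is meant to close.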

tagged: application security fortrabbit webshell experience

Link: https://blog.fortrabbit.com/app-sec

IBM Security Intelligence:
The Webshell Game Continues
Jul 20, 2016 @ 11:50:15

On the IBM Security Intelligence site there's a new article posted talking about webshells. For those not familiar with them, webshells are scripts planted by attackers that can be used to control a server or serve as a platform for reaching other systems. In this article they introduce some of the basics around webshells and the rise they're seeing in their use.

The IBM X-Force Research team reported an increase in PHP C99 webshell attacks in April 2016. More recently, webshells dubbed b374k made their mark with attacks that the team has been tracking over the past few months.

Although this blog highlights some features of the b374k shell, the main objective is to call your attention to the fact that PHP applications are becoming an increasingly popular choice for attackers aiming to glean your data and deface your website without much hard work. This threat should be pushed to the top of your priority list — primarily because of the power of the tool used for this type of attack, but also because of the startling increase in this attack type this year.

They start off with some of the basics of webshells, focusing on the PHP variants: what they are, what functionality they commonly provide and an example of a shell's UI. They then cover common delivery methods, potential entry points for these attacks and some "indicators of compromise" you can use to detect them. They also include mitigations you can apply to rid yourself of these webshells, including adding security plugins/software and locking down features of PHP itself.
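To make the "indicators of compromise" and "locking down PHP" points concrete, here is an added example that is not code from the IBM article and does not reproduce its indicator list: a source-level scan for constructs typical of PHP webshells (eval over a decoded blob, an execution function fed straight from a request superglobal, preg_replace with the old /e modifier, long encoded strings), plus a check of which execution functions a php.ini does not list in disable_functions. The rule set, the function list and the sample files and ini fragment are assumptions constructed for this example.

```python
import re

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)"
# Functions that hand a string to the OS or spawn a process. Assumed list for
# this example; IBM's own indicator set is not reproduced here.
EXEC_FUNCS = ("system", "shell_exec", "passthru", "exec", "popen", "proc_open", "pcntl_exec")

# Source-level signatures of typical PHP webshells (assumptions for this example).
RULES = [
    ("obfuscated eval",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("command execution fed from request input",
     re.compile(r"\b(?:%s)\s*\([^;]*%s" % ("|".join(EXEC_FUNCS), SUPERGLOBAL), re.I)),
    ("eval/assert of request input",
     re.compile(r"\b(?:eval|assert)\s*\([^;]*%s" % SUPERGLOBAL, re.I)),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("long encoded blob",
     re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
]


def scan_source(src):
    """Return the names of the rules that fire on one PHP source string."""
    return [name for name, rx in RULES if rx.search(src)]


def scan_sources(files):
    """Map file name -> rule hits for a dict of {name: source}; clean files map to []."""
    return {name: scan_source(src) for name, src in files.items()}


def missing_disable_functions(ini_text):
    """Execution functions a php.ini text does NOT list in disable_functions (';' starts a comment)."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.lower().startswith("disable_functions"):
            _, _, value = line.partition("=")
            disabled.update(f.strip().lower() for f in value.split(",") if f.strip())
    return sorted(set(EXEC_FUNCS) - disabled)


# Constructed sample files; the first three are what a webshell hunt is looking for,
# the last is ordinary front-controller code that must not be flagged.
SAMPLE_FILES = {
    "root.php": "<?php\nif (isset($_GET['cmd'])) { echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>'; }\n",
    "img/thumb.php": "<?php eval(base64_decode('cGhwaW5mbygpOw=='));\n",
    "lib/old.php": "<?php echo preg_replace(\"/.*/e\", $_POST['x'], '');\n",
    "index.php": "<?php\nrequire __DIR__ . '/vendor/autoload.php';\n"
                 "$app = new App\\Kernel();\necho $app->handle($_SERVER['REQUEST_URI']);\n",
}

# Constructed php.ini fragment: four execution functions disabled, three left enabled.
SAMPLE_INI = """\
; constructed php.ini fragment
expose_php = Off
disable_functions = exec,passthru,shell_exec,system
"""

if __name__ == "__main__":
    for name, hits in scan_sources(SAMPLE_FILES).items():
        print("%-14s %s" % (name, ", ".join(hits) or "clean"))
    print("still enabled in php.ini:", ", ".join(missing_disable_functions(SAMPLE_INI)))
```

A signature scan like this is a triage aid, not proof either way: a webshell can hide behind string concatenation or variable functions that none of these rules catch, so hits should be confirmed by reading the file and checking its modification time against the access log, and a clean result means only that none of the listed constructs appear.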

tagged: webshell game introduction example features attack security

Link: https://securityintelligence.com/the-webshell-game-continues/