Hello, welcome to the Wednesday, December 1st, 2021 edition of the Sands and a Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Took a look this weekend, actually, at one of our honeypots that we tuned a little bit towards some of

the word press exploits.

And one thing I noticed was more than I expected attacks against an old PHP unit vulnerability.

It was a very straightforward remote code execution.

Essentially a PHP unit sort of comes with a built-in web shell that was exploited back in 2017,

or actually, well, is exploited still today, as it turns out.

And one thing I noticed is that aside from the WordPress plugins that were targeted,

there were a couple other packages that apparently sort of were targeted for a PHP unit,

not necessarily for a vulnerability of the package itself. A little bit more digging led me to a tool

called Composer.

If you are familiar with PHP, you heard of Composer.

It's a package management tool for PHP that will like all these package management tools automatically install dependencies.

And turns out that all of these attacked plugins and such have

PHP unit as a dependency. So whenever you install the plugin PHP unit may be installed as well

and really depends on how you install it. When you are using Composer, you do have the option to specify

different environments like a live production versus a development environment. And in this case,

PHP unit is usually installed if you specify that it's a development environment.

So this may explain that there are still a lot of these vulnerable PHP unit installs around.

They got installed back in the day without the user really noticing that it was installed,

maybe on the development system, or maybe development features were enabled on a

...