At first glance, it looks like just another PHP script. But this small file (famously maintained by ) is one of the most widely used payloads in web application attacks.
Normally, when you connect to a remote server (like SSH or a web shell), you initiate the connection. That’s a —the server listens, and you connect. php-reverse-shell
nc -lvnp 4444 Compromised server (calling back): php -r '...reverse shell code...' Anatomy of php-reverse-shell.php Here’s a simplified version of what the script does (full versions add error handling, timeouts, and stream support): At first glance, it looks like just another PHP script
disable_functions = exec,system,shell_exec,passthru,proc_open,pcntl_exec This stops most PHP reverse shells (but not all — fsockopen might still work). Use a firewall to block unexpected egress: That’s a —the server listens, and you connect
If you manage a PHP application today, ask yourself: Could an attacker write this script to my web root? If yes, that’s your highest-priority fix. Want a lab to test this safely? Set up two Docker containers — one for the attacker (with netcat) and one for the victim (Apache + PHP). Try uploading the reverse shell, then implement the defenses above to stop it.