Loading threats
HTTP request body containing PHP code that invokes shell_exec() on a base64_decode() string, which decodes to a remote script download command (wget or curl) piped directly to sh -s (e.g., cve_2024_4577.selfrep). The payload also echoes an md5() marker string (e.g., md5("Hello CVE-2024-4577")) commonly used to verify successful remote code execution. Represents inline PHP-based command execution with obfuscated remote self-replication payload delivery embedded directly in the HTTP body.
This attack primitive is part of the SikkerAPI detection catalog and is actively monitored across our global honeypot network. No IPs in the current retention window have triggered this detection signature.
When an attacker triggers this primitive, matched IPs will appear here with confidence scores, geolocation, and session details. Browse other HTTP detections or look up a specific IP to check its threat profile.