Beginning in April 2019, Wapack Labs SOC observed an uptick in alerts for inbound PHP exploit attempts affecting multiple clients. These alerts indicate attacks on vulnerable systems through the use of malicious PHP code in HTTP requests. If these attacks are successful, they can result in data exfiltration as well as remote control of victim servers.
Wapack Labs has identified the majority of these attacks as originating from Conficker botnet nodes located in China and other Southeast Asian countries. This suggests not only that the Conficker botnet is still extremely active, but also that attacks leveraging Conficker bots, particularly Chinese bots, are increasing in popularity and sophistication.
The full report is available here: IR_19_164_001 PHP Exploits.pdf