Laravel Sites Hacked: Public Folder Backdoors, Google-Only Redirects, and CPU Cryptomining (Likely via Livewire RCE)

I’ve managed multiple Laravel sites across Forge and Liquid Web that were compromised with a similar pattern:

• Unexpected PHP files placed in the Laravel public/ directory
• Redirects only when visitors came from Google
• SEO titles/descriptions silently altered
• One server pinned at 100% CPU (cryptomining)

Initially it looked like “a Laravel 11 issue”. But after correlating the behavior with recent disclosures, the most likely culprit is Livewire Remote Code Execution (RCE), which can enable exactly this kind of post-exploitation.

What the Attack Looked Like

1) Backdoors in public/

Across incidents, attackers placed PHP files under:

• public/
• public/.well-known/
• sometimes nested in folders that look “normal”

Once a PHP file is in public/, it bypasses Laravel middleware/routing entirely and can be executed directly via HTTP.

2) Google-only redirects (SEO cloaking)

A common trick:

• direct visits → site appears normal
• visits from Google → redirected to a spam domain

This is usually done by checking HTTP_REFERER and/or user agent and only hijacking “valuable” organic traffic.

3) Cryptomining / resource abuse

Another server showed constant high load. After digging, it turned out malicious code was running long-lived processes and consuming CPU.

Why I Think Livewire RCE May Be the Entry Point

Tenable’s Web App Scanning plugin describes a critical RCE affecting Livewire 3.x < 3.6.4, caused by improper handling of serialized data during component hydration. An attacker can send a crafted request that gets deserialized and leads to arbitrary code execution. 

SecurityOnline (summarizing Synacktiv’s research) describes the same theme: Livewire’s hydration/update mechanism can be manipulated to achieve “stealthy” RCE, and notes the issue tracked as CVE-2025-54068, with a patch released in Livewire 3.6.4+. 

If an attacker can execute code, then everything I observed becomes straightforward:

• drop a backdoor into public/
• add Google-only redirect logic
• spawn cryptominers or persistence

Related (But Different) Laravel Risk: File Validation Bypass

Separately, Laravel has also had a file validation bypass advisory (CVE-2025-27515 / GHSA-78fx-h6xr-vch4) that can matter if you rely on wildcard file rules like files.* and then store uploads somewhere publicly accessible. This doesn’t auto-write into public/, but it can increase risk if your upload pipeline is weak. 

What To Do Right Now (Practical Checklist)

1) Patch Livewire immediately

• If you use Livewire 3, upgrade to 3.6.4 or later. 
• Confirm in your composer.lock what actually runs in production.

2) Treat APP_KEY like a crown jewel

Even when a CVE is patched, leaked secrets can turn “minor” issues into full compromise. Audit where your .env might leak (debug pages, backups, repos).

3) Lock permissions

• public/ must not be writable by the web server user.
• Only storage/ and bootstrap/cache/ should be writable (and even those should be tight).

4) Hunt for indicators of compromise

• Search for recently modified PHP files under public/
• Check cron jobs, supervisor configs, and unknown processes
• Scan outbound connections from PHP-FPM / web users

5) Rebuild if you suspect persistence

In real-world compromises, “delete the bad file” is rarely enough. The cleanest path is often:

• rotate credentials + keys
• redeploy from a clean repo
• rebuild server if root/SSH access is suspected

Need help cleaning a compromised Laravel server?

If you’re seeing public folder backdoors, Google-only redirects, or mystery CPU spikes, I can help investigate and clean it safely (and set up monitoring so it doesn’t happen again).