What Happened
On June 28, 2020, a hacker using the handle "AR_404" gained unauthorized access to the website of Samar State University (SSU) at ssu.edu.ph. The attacker uploaded a PHP file (AR.php) to the server, demonstrating the ability to execute arbitrary code on the web server.
How the Attack Worked
The presence of an uploaded PHP file (AR.php) suggests the attacker exploited one of these common vulnerabilities:
- Insecure file upload — the website allowed uploading of PHP files without proper validation
- Remote code execution — a vulnerability in the web application allowed the attacker to write files to the server
- Compromised credentials — the attacker gained access to FTP or cPanel credentials
Why This Breach Matters
- Independent attacker — unlike most June 2020 school attacks attributed to Pinoy Grayhats, this came from a different actor (AR_404)
- Code execution — uploading a PHP file indicates full server compromise, not just a surface-level defacement
- Eastern Visayas targeting — along with NwSSU, this shows that schools in the Eastern Visayas region were specifically targeted
Lessons for Schools
1. Disable PHP file uploads — web applications should never allow users to upload executable files
2. Monitor file system changes — tools that detect new or modified files on the web server can catch intrusions early
3. Restrict server permissions — web server processes should run with minimal permissions to prevent file writes
Sources & References
- [1] GitHub Registry — Community-maintained registry of Philippine school hacking incidents (May-June 2020)