SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Learn
explainer

Shared Hosting and Web Shells: How One Account Compromise Takes Down Multiple Schools

Shared hosting is cheap and easy — but when attackers compromise one account, every site on it falls. Here's how web shell attacks work and what schools can do instead.

8 min readshared hosting, web shells, cPanel

Why This Matters

In 2026, attackers breached two colleges in La Union simultaneously — not by hacking each one individually, but by compromising the single shared hosting account that ran both their websites. From that one account, the attackers exfiltrated 16+ database tables containing student payments, enrollment records, tuition fees, and user accounts with plaintext passwords. Both sites were defaced within minutes of each other.

This wasn't an isolated case. Shared hosting is the default choice for most Philippine schools — it's affordable, often bundled with a domain, and easy to set up. But it's also one of the most dangerous hosting models for institutions that store sensitive student data.

What Is Shared Hosting?

Shared hosting means your school's website lives on the same server as dozens — sometimes hundreds — of other websites. You all share the same CPU, memory, disk space, and often the same control panel (cPanel, Plesk, or similar).

Think of it like renting a room in an apartment building. You share the hallways, plumbing, and electrical system. If someone in another unit causes a flood, your unit gets wet too.

Why Schools Use It

  • Cost: Shared hosting can be as cheap as P100–P500/month ($2–$10)
  • Simplicity: One-click WordPress installs, bundled email, no server management required
  • Familiarity: It's what most web developers default to

The Problem

On shared hosting, a single compromised account can expose every site on that account — their files, databases, emails, and control panel access. If your school shares a hosting account with another site (or even another school), a breach on either one is a breach on both.

How the Attack Works: Step by Step

Based on real incidents tracked on SchoolBreach.org and evidence posted by threat actors themselves, here's how shared hosting attacks typically unfold:

Step 1: Find a Vulnerable Entry Point

Attackers scan for:

  • Outdated CMS installations — WordPress, Joomla, or custom PHP sites that haven't been updated
  • Exposed admin panels — /wp-admin, /administrator, /cpanel with weak or default credentials
  • Open directory listings — web servers configured to show all files in a directory when no index page exists
  • Unpatched plugins — a single vulnerable WordPress plugin can give an attacker full server access
  • File upload vulnerabilities — forms that accept .php files instead of just images

Step 2: Upload a Web Shell

A web shell is a small PHP file (often just a few kilobytes) that, once uploaded to your server, gives the attacker a full file manager and command terminal — accessible through their web browser.

Common web shell capabilities:

| Capability | What It Means |

|-----------|---------------|

| File browser | Browse, read, edit, and delete any file on the hosting account |

| File upload | Upload additional malware, backdoors, or defacement pages |

| Database access | Read database credentials from config files, then dump entire databases |

| Command execution | Run system commands as if they were logged into the server |

| PHP info viewer | See full server configuration, installed modules, and file paths |

Web shells have names like "Simple Shell," "WSO," "c99," or "b374k." They're freely available and widely documented. The barrier to entry is extremely low.

Step 3: Read Database Credentials

Once the attacker has a web shell, they look for configuration files that contain database passwords:

  • wp-config.php (WordPress)
  • .env files (Laravel, Node.js)
  • configuration.php (Joomla)
  • config/database.php (various frameworks)

On shared hosting, these files are often readable by any script on the same account — meaning access to one site gives access to all databases on that account.

Step 4: Dump the Database

With database credentials in hand, the attacker exports the entire database to CSV or SQL files. In the La Union case, this included:

  • Student enrollment records (13+ MB)
  • Student payment records
  • Tuition and fee schedules
  • User accounts with plaintext passwords
  • Teacher evaluation records
  • Library records

Step 5: Pivot to Other Sites

On shared hosting, the file manager shows all domains on the account. If your school shares hosting with another school or organization, the attacker can:

  • Browse their files too
  • Read their database credentials
  • Deface all sites at once
  • Download all databases

This is exactly what happened in the La Union breach — three domains were accessible from a single compromised account.

Step 6: Deface and Claim

Finally, the attackers replace the homepage with a defacement banner claiming credit. By this point, the real damage (data exfiltration) is already done. The defacement is just the public announcement.

How to Detect a Compromised Server

Watch for these signs:

  • Unfamiliar PHP files in your web root — especially files with random names like x.php, shell.php, or 404.php that you didn't create
  • Modified .htaccess files — attackers use these to redirect traffic or hide their shells
  • Unexpected FTP/cPanel logins — check your access logs for logins from unfamiliar IP addresses
  • New database users that you didn't create
  • Outbound connections to unfamiliar servers — your hosting provider may alert you to this
  • Defacement mirror sites — check Zone-H or Zone-Xsec for your domain; attackers often submit their defacements to these archives

What Schools Should Do

If You're Currently on Shared Hosting

  1. 1Audit your hosting account — How many sites are on this account? Who else shares it? Are there sites you don't recognize?
  2. 2Check for web shells — Look for PHP files you didn't upload, especially in /wp-content/uploads/, /tmp/, or any writable directory
  3. 3Update everything — CMS, plugins, themes, PHP version. Outdated software is the primary entry point
  4. 4Use strong, unique passwords — For cPanel, FTP, database, and CMS admin. Enable two-factor authentication wherever available
  5. 5Disable directory listing — Add Options -Indexes to your .htaccess file so attackers can't browse your file structure
  6. 6Remove unused files — Old backups, test scripts, and unused plugins are attack surface
  7. 7Check file permissions — Configuration files containing database credentials should not be world-readable

If You're Choosing a Hosting Solution

| Hosting Type | Cost | Isolation | Risk Level | Best For |

|-------------|------|-----------|------------|----------|

| Shared hosting | P100–500/mo | None — all sites share everything | High | Brochure sites with no sensitive data |

| VPS (Virtual Private Server) | P500–2,000/mo | Your own virtual machine | Medium | Schools with student portals or databases |

| Managed WordPress hosting | P300–1,500/mo | Site-level isolation, automatic updates | Low-Medium | WordPress-based school sites |

| Cloud hosting (AWS, GCP, Azure) | P500–5,000/mo | Full isolation, enterprise security | Low | Schools with custom systems or large databases |

Our recommendation: If your school's website handles student data, enrollment, payments, or any personally identifiable information, do not use shared hosting. A basic VPS or managed hosting plan costs only marginally more and provides fundamental security isolation that shared hosting cannot.

Hardening cPanel (If You Must Stay on Shared Hosting)

If migrating isn't immediately possible:

  1. 1Enable two-factor authentication on your cPanel login
  2. 2Restrict cPanel access by IP if your school has a static IP address
  3. 3Disable the File Manager in cPanel if you use FTP/SFTP instead — the web file manager is a common target
  4. 4Use separate database users for each site, with minimal privileges (no GRANT, no DROP)
  5. 5Install a security plugin — Wordfence (WordPress) or similar WAF plugins can detect and block web shell uploads
  6. 6Monitor file changes — Many hosting providers offer file change monitoring; enable it
  7. 7Never store passwords in plaintext — use bcrypt, Argon2, or scrypt for all credential storage

The Bigger Picture

The shared hosting attack pattern — upload shell, read configs, dump database, pivot to neighbors — is the most common methodology we've observed in hacktivist attacks against Philippine schools in 2025–2026. Groups like Nullsec Philippines and its affiliates have used this technique repeatedly, and they've publicly posted screenshots demonstrating the process.

This isn't a theoretical risk. It's happening now, and the tools required are freely available to anyone. The best defense is not to be on shared hosting in the first place — but if you are, the hardening steps above can significantly reduce your exposure.


Related Resources

  • Sensitive Paths Exposed — how exposed admin panels and config files become entry points
  • Common Attack Vectors in Philippine Schools — all major attack types
  • Site Scanner — check your school site for exposed paths and misconfigurations
  • Vendor Security Assessment Checklist — evaluate your hosting and software providers
  • 10-Point School Cybersecurity Checklist — full hardening checklist
More ArticlesTry Free Tools