Crazy htaccess hacking

Below are some Linux commands to find files matching a specific format.  In this case I had found a bunch of .htaccess files on some webservers that were redirecting the 404 error pages to some hacker's PHP files that he had snuck in through a backdoor.

A colleague came up with the below to find the offending PHP files and remove them.  This was made easier by the fact that they were all named using the same format of 12345.php or 123456.php.

  1. find . -name '[0-9][0-9][0-9][0-9][0-9].php' -exec rm -f {} \;                                        # Find files with 5 digits and a .php extension
  2. find . -name '[0-9][0-9][0-9][0-9][0-9][0-9].php' -exec rm -f {} \;                                   # Find files with 6 digits and a .php extension
  3. find . -name .htaccess -exec grep -l 'ErrorDocument 404 //' {} \; -a -exec rm -f {} \;                 # Find .htaccess files that redirect the 404 error document, and remove them
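The script below is an added example and not the post's own commands. It runs the same three searches (5- or 6-digit .php names, and .htaccess files whose ErrorDocument 404 points at an external or protocol-relative URL) but moves each match into a quarantine directory and logs it, rather than deleting it with rm -f. That matters most for the third command, which removes the entire .htaccess file, legitimate rules included; a quarantined copy can be reviewed and restored. The sample web root, file names and the host evil.example are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): locate the post's two kinds of
# suspect files and quarantine them instead of deleting them.

# list_suspect_php WEBROOT: regular files named with exactly 5 or 6 digits + .php
list_suspect_php() {
    find "$1" -type f \( -name '[0-9][0-9][0-9][0-9][0-9].php' \
                      -o -name '[0-9][0-9][0-9][0-9][0-9][0-9].php' \) -print
}

# list_suspect_htaccess WEBROOT: .htaccess files whose "ErrorDocument 404" target
# is a URL (http://, https:// or protocol-relative //).  A normal local target
# such as /errors/404.html is left alone.
list_suspect_htaccess() {
    find "$1" -type f -name .htaccess \
        -exec grep -lE '^[[:space:]]*ErrorDocument[[:space:]]+404[[:space:]]+([a-z]+:)?//' {} \;
}

# quarantine_suspects WEBROOT QUARANTINE: move every suspect file into QUARANTINE,
# keeping its path relative to WEBROOT, and record it in QUARANTINE/moved.log.
quarantine_suspects() {
    webroot="$1"; qdir="$2"
    mkdir -p "$qdir"
    { list_suspect_php "$webroot"; list_suspect_htaccess "$webroot"; } |
    while IFS= read -r f; do
        rel="${f#"$webroot"/}"
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
        printf '%s\n' "$rel" >> "$qdir/moved.log"
    done
}

# make_sample_webroot DIR: constructed directory tree mimicking the post's scenario.
# The digit-named files and the evil.example redirect are fabricated test data.
make_sample_webroot() {
    mkdir -p "$1/site1/images" "$1/site2"
    printf '<?php echo "constructed sample"; ?>\n' > "$1/site1/images/48213.php"
    printf '<?php echo "constructed sample"; ?>\n' > "$1/site2/732190.php"
    printf '<?php echo "legit"; ?>\n' > "$1/site1/index.php"
    printf '<?php echo "legit"; ?>\n' > "$1/site2/1234.php"   # only 4 digits: not matched
    printf 'ErrorDocument 404 http://evil.example/48213.php\n' > "$1/site1/.htaccess"
    printf 'ErrorDocument 404 /errors/404.html\nRewriteEngine On\n' > "$1/site2/.htaccess"
}

# Demo: sh quarantine.sh --demo   (builds the sample tree in a temp dir and prints the log)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_webroot "$tmp/www"
    quarantine_suspects "$tmp/www" "$tmp/quarantine"
    cat "$tmp/quarantine/moved.log"
fi
```

Run it against a real document root as `quarantine_suspects /var/www /root/quarantine-$(date +%F)`; review moved.log and the quarantined .htaccess files before deciding what, if anything, to restore.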

Using these simple commands we were able to clean out most of the sites with relative ease.

I hope no one ever has the need to use these commands to get rid of the same type of files that my colleague and I had to remove.  Regardless, here they are in the event that anyone (myself included) needs them.


Enjoy!
