Malware Signatures

  1. Home
  2. Malware Signatures
  3. htaccess.hacktool.symlink-viewer

htaccess.hacktool.symlink-viewer

This malware category is related to malicious code hidden inside of the the server configuration file .htaccess.
One of applications for .htaccess file is changing the way web server processes files with certain extensions. Hackers use this function to make PHP files viewable as
plain text files. This helps them see their source code that in case of configuration files such as wp-config.php and configuration.php contain database credentials that can be used
to compromise those sites. It is typically used in "symlinking to root" attacks

Affecting

Compromised sites on Apache based web servers.

Cleanup

Scan you server for .htaccess files in all subdirectories. If you find one with suspicious rules, inspect content of that directory and directory above it.
The chances are, you'll find many symlinks and malicious scripts there. Make sure to search the site for other types of backdoors and security holes.
To preven symlink abuse, make consider using the following rules (Options -FollowSymLinks) or at least SymLinksIfOwnerMatch. You should also prevent PHP from accessing files
outside of users' directories, for example, using the "open_basedir" setting

Dump


Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any