: Is this literal or code in the .htaccess file? Background: Recently, a business acquaintance contacted me because of strange behavior on his website. As may be expected, I found that the site
Background: Recently, a business acquaintance contacted me because of strange behavior on his website. As may be expected, I found that the site was compromised.
One of the signs of the compromise is changes in his .htaccess file, which is fairly common. I have only done a little bit of regex, but I'm familiar with the [0-9] construct. However, I found a RewriteRule that seems to have a literal number.
RewriteRule ^5014466727/(.*)$ jabez-darla.php [QSA,L]
Question: Do I understand correctly, that this rule is looking for a match on a URL that literally has 5014466727/ or does this represent some string of other characters?
There is base64 in other parts of the compromise, but I don't know whether that is relevant in this specific code.
More posts by @Gretchen104
1 Comments
Sorted by latest first Latest Oldest Best
RewriteRule ^5014466727/(.*)$ jabez-darla.php [QSA,L]
...this rule is looking for a match on a URL that literally has 5014466727/
Yes, as closetnoc stated in comments, this is simply a literal string of (seemingly random) digits at the start of the URL.
Since the captured group (ie. (.*)) does not appear to be used in the substitution (or in any preceding RewriteCond directives), the pattern ^5014466727/(.*)$ is equivalent to ^5014466727/.
The seemingly random number (which might be unique per site/hack) is probably just to make this harder to find in the search engines.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.