On one of the web servers I help run, we noticed some suspicious activity. After poking around, I found a pair of suspicious files in a directory that contains user-uploaded files. One was named .htaccess (typical Apache distributed configuration file), and one was named 203497.php. Here’s my analysis of these mystery files.