Is this literal or code in the .htaccess file?

Question

Background: Recently, a business acquaintance contacted me because of strange behavior on his website. As may be expected, I found that the site was compromised.

One of the signs of the compromise is changes in his .htaccess file, which is fairly common. I have only done a little bit of regex, but I'm familiar with the [0-9] construct. However, I found a RewriteRule that seems to have a literal number.

RewriteRule ^5014466727/(.*)$ jabez-darla.php [QSA,L]

Question: Do I understand correctly, that this rule is looking for a match on a URL that literally has 5014466727/ or does this represent some string of other characters?

There is base64 in other parts of the compromise, but I don't know whether that is relevant in this specific code.

Answer 1

RewriteRule ^5014466727/(.*)$ jabez-darla.php [QSA,L]

...this rule is looking for a match on a URL that literally has 5014466727/

Yes, as closetnoc stated in comments, this is simply a literal string of (seemingly random) digits at the start of the URL.

Since the captured group (ie. (.*)) does not appear to be used in the substitution (or in any preceding RewriteCond directives), the pattern ^5014466727/(.*)$ is equivalent to ^5014466727/.

The seemingly random number (which might be unique per site/hack) is probably just to make this harder to find in the search engines.