Hackers abuse PHP setting to inject malicious code into websites

Hackers modify php.ini files on compromised Web servers to hide their malicious activity from webmasters

By Lucian Constantin | IDG News Service

Attackers have begun to abuse a special PHP configuration directive in order to insert malicious code into websites hosted on dedicated and VPS (virtual private servers) that have been compromised.

The technique was identified by Web security firm Sucuri Security while investigating several infected websites that had a particular malicious iframe injected into their pages.

"We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added: ;auto_append_file = "0ff"," Sucuri security researcher David Dede said.

The "0ff" string from the rogue php.ini directive is actually the path to a file, namely /tmp/0ff, which is created by the attackers on the compromised servers and contains the malicious iframe.

This malicious trick makes it hard for webmasters to pinpoint the source of the unauthorized code, since none of the files in their Web directory are actually altered.

"We only got access to a few dozen servers with this type of malware, but doing our crawling we identified a few thousand sites with a similar malware, so we assume they are all hacked the same way," Dede said.
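
An added example, not from the article or from Sucuri: a Python audit that a server administrator could run over php.ini text to list every auto_append_file or auto_prepend_file line that names a file, and the paths that name could resolve to. The sample php.ini, its include_path value and the /var/www web root are constructed assumptions.

```python
import posixpath
import re

DIRECTIVE = re.compile(
    r"^\s*(?P<off>;?)\s*(?P<name>auto_(?:append|prepend)_file)\s*=(?P<val>.*)$", re.I)
INCLUDE_PATH = re.compile(r"^\s*include_path\s*=(?P<val>.*)$", re.I)

# Constructed sample (not from a real server). The include_path is an
# assumption chosen so that "0ff" resolves to /tmp/0ff as in the article.
SAMPLE_INI = '''[PHP]
include_path = ".:/usr/share/php:/tmp"
auto_prepend_file =
;auto_append_file = "0ff"
auto_append_file = "0ff"
'''

def _value(raw):
    """Strip quotes, or an inline ';' comment from an unquoted value."""
    raw = raw.strip()
    if raw[:1] in ('"', "'"):
        return raw[1:].split(raw[0], 1)[0]
    return raw.split(";", 1)[0].strip()

def audit_php_ini(text, web_roots=("/var/www",)):
    """One finding per auto_append/prepend line that names a file to include."""
    lines, dirs = text.splitlines(), ["."]
    roots = tuple(r.rstrip("/") + "/" for r in web_roots)
    for line in lines:
        m = INCLUDE_PATH.match(line)
        if m:
            dirs = [d for d in _value(m["val"]).split(":") if d]
    findings = []
    for no, line in enumerate(lines, 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        val = _value(m["val"])
        if val == "" or val.lower() == "none":  # empty or "none" disables it
            continue
        # Relative names are tried in each include_path directory; "." depends
        # on the running script, so it is skipped. Absolute paths stand alone.
        bases = [""] if posixpath.isabs(val) else [d for d in dirs if d != "."]
        paths = [posixpath.normpath(posixpath.join(b, val)) for b in bases]
        outside = [p for p in paths if not p.startswith(roots)]
        # A leading ';' normally marks a comment; such lines are still
        # reported, with active=False, because the article quotes one.
        findings.append({"line": no, "directive": m["name"].lower(), "value": val,
                         "active": m["off"] == "", "paths": paths, "outside": outside})
    return findings

if __name__ == "__main__":
    print(*audit_php_ini(SAMPLE_INI), sep="\n")
```

Any finding whose `outside` list is non-empty points at a file that lives outside the site's own directory, which is why comparing the Web directory alone shows nothing altered.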


Android 4.0 Ice Cream Sandwich


It seems that nothing is safe from poaching these days when it comes to the smartphone wars. In the latest version of Android, the mighty Google found inspiration not only from iOS, but also from Windows Phone and webOS.

Google's Android head Andy Rubin took the stage Wednesday morning in Hong Kong (late Tuesday evening on the East Coast) to introduce Android 4.0 Ice Cream Sandwich (ICS). Android 4.0 arrives approximately 11 months after its predecessor, Android 2.3 Gingerbread, and clearly shows that Google is working hard to improve its mobile operating system.

Android 4.0 has a completely new look. Google's head of design, Matias Duarte, was very proud to show a new font for Android 4.0 called Roboto (Styx jokes, please). It is pleasing, I think, or at least not objectionable. It gives the whole operating system a more Zen-like look.


Google Launches Dart as a JavaScript Killer

Google has launched a preview version of a new Web programming language, called Dart, which the company's engineers hope will address some of the shortcomings of the widely used JavaScript language.
Google's goals for Dart are to create "a structured yet flexible language for Web programming," wrote Lars Bak, who is a software engineer for Google's Dart team, in a blog post officially announcing the language Monday.
Although Bak did not mention JavaScript by name, Dart's capabilities resemble those of JavaScript, though they also address some of the scalability and organizational issues that have been associated with JavaScript. In leaked memos, Google engineers have expressed frustration over "fundamental flaws that cannot be fixed by merely evolving" JavaScript.

Dart is not Google's first foray into creating a new programming language to address the shortcomings of older ones. In 2009, the company debuted Go, which the company's engineers created as an alternative to the complexities of C++, Java and other traditional languages.
