Hackers abuse PHP setting to inject malicious code into websites

Hackers modify php.ini files on compromised Web servers to hide their malicious activity from webmasters

By Lucian Constantin | IDG News Service
Attackers have begun to abuse a special PHP configuration directive in order to insert malicious code into websites hosted on dedicated and VPS (virtual private servers) that have been compromised. The technique was identified by Web security firm Sucuri Security while investigating several infected websites that had a particular malicious iframe injected into their pages.

"We're finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added: ;auto_append_file = "0ff"," Sucuri security researcher David Dede said.

The "0ff" string from the rogue php.ini directive (a zero followed by two f's, which at a glance reads like "Off") is actually the path to a file, namely /tmp/0ff, which is created by the attackers on the compromised servers and contains the malicious iframe.

This trick makes it hard for webmasters to pinpoint the source of the unauthorized code, since none of the files in their Web directory are actually altered: PHP appends the contents of that file to the output of every script it runs, so the iframe appears in every page without any page source having changed.
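Because the injected file lives outside the web root, file-integrity monitoring of the site's own directory does not catch it; the place to look is the PHP configuration itself. The following audit script is an added example (not code from the article or from Sucuri). It parses a php.ini the way PHP reads it (`;` starts a comment, values may be quoted), reports any active `auto_prepend_file` or `auto_append_file` directive, and resolves a relative value through `include_path`, since PHP loads these files as if by `require()` and therefore searches `include_path` for them. The sample php.ini, the `include_path` entry `/tmp` that makes `0ff` resolve to `/tmp/0ff`, and the list of untrusted directories are all constructed assumptions for the example.

```python
"""Audit a php.ini for auto_prepend_file / auto_append_file injections.

Added example, not code from the article or from Sucuri. php.ini treats ';'
as a comment marker, so commented-out lines are skipped and only directives
PHP would actually honour are reported.
"""
import os

# Constructed sample mirroring the directive described in the article; the
# include_path entry "/tmp" is an assumption that makes "0ff" resolve to /tmp/0ff.
SAMPLE_PHP_INI = """
[PHP]
engine = On
; auto_prepend_file =
include_path = ".:/tmp"
auto_append_file = "0ff"
"""

SUSPECT_DIRECTIVES = ("auto_prepend_file", "auto_append_file")
# Directories no legitimate deployment should load PHP code from (heuristic).
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def strip_comment(line):
    """Drop a trailing ';' comment, ignoring ';' inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def parse_ini(text):
    """Return {directive: value} for active (non-comment) lines."""
    settings = {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or not a directive
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # unwrap a quoted value
        settings[key] = value
    return settings


def resolve_candidates(value, include_path):
    """Paths PHP would try for a (possibly relative) auto_*_file value."""
    if os.path.isabs(value):
        return [os.path.normpath(value)]
    # php.ini separates include_path entries with ':' on Unix.
    dirs = [d for d in include_path.split(":") if d]
    return [os.path.normpath(os.path.join(d, value)) for d in dirs]


def audit(text):
    """Return one finding per active auto_*_file directive."""
    settings = parse_ini(text)
    include_path = settings.get("include_path", ".")
    findings = []
    for directive in SUSPECT_DIRECTIVES:
        value = settings.get(directive, "")
        if not value:
            continue  # unset/empty is PHP's default and is benign
        candidates = resolve_candidates(value, include_path)
        findings.append({
            "directive": directive,
            "value": value,
            "candidates": candidates,
            "suspicious": any(c.startswith(UNTRUSTED_PREFIXES) for c in candidates),
        })
    return findings


if __name__ == "__main__":
    # /etc/php/php.ini is the path named in the article; the other two are
    # common distribution locations and are assumptions.
    targets = ["/etc/php/php.ini", "/etc/php.ini", "/usr/local/etc/php/php.ini"]
    audited = False
    for path in targets:
        if os.path.isfile(path):
            audited = True
            with open(path, encoding="utf-8", errors="replace") as fh:
                for f in audit(fh.read()):
                    print(f"{path}: {f['directive']} = {f['value']!r} "
                          f"-> {f['candidates']} suspicious={f['suspicious']}")
    if not audited:
        for f in audit(SAMPLE_PHP_INI):
            print("sample:", f)
```

The script only reads the main php.ini, so pair it with a check of what the running interpreter actually honours: `php --ini` lists every configuration file PHP loaded, and `php -r 'var_dump(ini_get("auto_append_file"));'` shows the effective value, which catches a directive set in a scanned `conf.d` fragment or, under mod_php, via `php_value` in an `.htaccess` file. Any non-empty result on a server that never intentionally used these directives warrants the same treatment as the finding in the article: inspect the referenced file and the rest of the host, since a write to /etc/php/php.ini implies the whole server, not one site, was compromised.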
"We only got access to a few dozen servers with this type of malware, but doing our crawling we identified a few thousand sites with a similar malware, so we assume they are all hacked the same way," Dede said.
