Just when you thought web servers had their security blankets more competently implemented than ordinary consumers do with their antivirus and personal firewall solutions, hackers have discovered that abusing a directive in the PHP configuration lets them insert damaging code into sites hosted on VPS (Virtual Private Servers) or dedicated servers that have just been compromised, without the webmaster being alerted to it. It is all about modifying the php.ini file on hacked web servers so that malware is activated and serves infected iframes to your site visitors.
This technique was discovered by Sucuri Security, a California-based web security firm that has investigated numerous infected websites showing malicious iframes inserted into their pages. David Dede, a security researcher at the firm, wrote in a blog post on Thursday: “We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added: auto_append_file = “0ff”.”
According to the PHP manual, the auto_append_file directive points to a file that is automatically parsed, acting as the configuration-level equivalent of the require() function in the PHP language. The “0ff” string in the offending directive specifies the path to a file, namely /tmp/0ff, which the hackers create on the compromised servers to hold the malicious iframe.
None of the files in the website directory is altered, which makes it difficult for webmasters to trace the source of the malicious code. Dede adds that their investigation gave them access to only a few dozen servers carrying this type of malware, “but doing our crawling we identified a few thousand sites with a similar malware, so we assume they are all hacked the same way”.
Sucuri says that while it has only inspected dedicated and VPS servers so far, it cannot rule out that the shared servers used for low-cost hosting have been compromised in the same way.
Elad Sharf of another web security firm, Websense, confirms that the technique has already been in use for several months. “This is one of many mass injection campaigns that we know about and follow.” He advises affected webmasters to delete the file pointed to by the auto_append_file directive, and to scan their servers, patch all server-based security software and keep regular backups as part of their routine preventive measures against intrusions.
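The check a server administrator would want after reading this is a quick audit of php.ini for exactly the directive described above. The script below is an added example written for this article; it is not code from the article, from Sucuri or from Websense. It lists any active auto_append_file or auto_prepend_file setting (commented-out defaults are ignored), and for a relative value such as 0ff it shows where PHP would look for the file, since the manual documents both directives as being included as if by require(), so include_path applies. The sample php.ini content, the temporary paths and the fallback include_path of "." are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the article, Sucuri or Websense): audit a php.ini
# file for active auto_append_file / auto_prepend_file directives and show
# where PHP would look for the referenced file. Sample data is constructed.

# Print each active auto_append_file / auto_prepend_file setting in one ini
# file as "directive=value", with surrounding double quotes and any trailing
# "; comment" removed. Lines that are themselves comments (leading ';') do
# not match the grep, so a commented-out default is not reported.
list_auto_files() {
    grep -E '^[[:space:]]*auto_(append|prepend)_file[[:space:]]*=' "$1" 2>/dev/null |
        sed -E -e 's/^[[:space:]]*//' \
               -e 's/[[:space:]]*(;.*)?$//' \
               -e 's/[[:space:]]*=[[:space:]]*/=/' \
               -e 's/="(.*)"$/=\1/'
}

# Return 0 when the ini file sets neither directive, 1 otherwise.
php_ini_is_clean() {
    [ -z "$(list_auto_files "$1")" ]
}

# Print the paths PHP would try for a directive value. An absolute path is
# printed as-is. A relative name is joined to each entry of include_path from
# the same ini file (these directives resolve like require(), i.e. through
# include_path); a '.' entry means the working directory of the PHP process.
# If the ini sets no include_path, "." is assumed here; the compiled-in
# default varies by build.
candidate_paths() {
    value="$1"; ini="$2"
    case "$value" in
        /*) printf '%s\n' "$value"; return ;;
    esac
    inc=$(grep -E '^[[:space:]]*include_path[[:space:]]*=' "$ini" 2>/dev/null |
          sed -E -e 's/^[^=]*=[[:space:]]*//' \
                 -e 's/[[:space:]]*(;.*)?$//' \
                 -e 's/^"(.*)"$/\1/')
    [ -z "$inc" ] && inc="."
    printf '%s\n' "$inc" | tr ':' '\n' | while IFS= read -r dir; do
        printf '%s/%s\n' "$dir" "$value"
    done
}

# Write a constructed php.ini mirroring the article's report and print its
# path. Not a real server's configuration.
make_sample_ini() {
    f="${TMPDIR:-/tmp}/php.ini.sample.$$"
    cat > "$f" <<'EOF'
; php.ini (constructed sample for the audit demo)
include_path = ".:/usr/share/php"
;auto_prepend_file =          ; default: empty, commented out
auto_append_file = "0ff"
EOF
    printf '%s\n' "$f"
}

# Human-readable report for one ini file. Exit status 0 = clean, 1 = findings.
audit_php_ini() {
    ini="$1"
    if php_ini_is_clean "$ini"; then
        echo "OK: no auto_append_file/auto_prepend_file set in $ini"
        return 0
    fi
    echo "WARNING: $ini sets:"
    list_auto_files "$ini" | while IFS='=' read -r name value; do
        echo "  $name = $value"
        candidate_paths "$value" "$ini" | sed 's/^/    look for: /'
    done
    return 1
}

# Demo run on the constructed sample.
SAMPLE=$(make_sample_ini)
audit_php_ini "$SAMPLE" || echo "(non-zero exit: findings present)"
rm -f "$SAMPLE"
```

On a real server, run the audit against every file that `php --ini` lists, and compare with the effective value PHP actually uses (`php -r 'var_dump(ini_get("auto_append_file"));'`), because both directives are PHP_INI_PERDIR settings and can also be set per directory from a .user.ini file or, under mod_php, a `php_value` line in .htaccess, none of which the main php.ini shows.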