Attackers have begun to abuse a special PHP configuration directive in order to insert malicious code into websites hosted on dedicated and virtual private servers (VPS) that have been compromised.
The technique was identified by Web security firm Sucuri Security while investigating several infected websites that had a particular malicious iframe injected into their pages.
“We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added: ;auto_append_file = “0ff”,” Sucuri security researcher David Dede said in a blog post on Thursday.
According to the PHP manual, the auto_append_file directive specifies the name of a file that is automatically parsed after the main file. This is the server-wide equivalent of the PHP require() function.
The “Off” string from the rogue php.ini directive is actually the path to a file, namely /tmp/0ff, which is created by the attackers on the compromised servers and contains the malicious iframe.
This malicious trick makes it hard for webmasters to pinpoint the source of the unauthorized code, since none of the files in their web directory are actually altered.
“We only got access to a few dozen servers with this type of malware, but doing our crawling we identified a few thousand sites with a similar malware, so we assume they are all hacked the same way,” Dede said.
Even though Sucuri only inspected VPS and dedicate servers so far, the researcher doesn’t dismiss the possibility that some shared servers, like those used for low-cost hosting, might have been compromised in the same manner.
Attacks using this technique have already been running for several months, said Elad Sharf, a security researcher at Web security firm Websense. “This is one of many mass injection campaigns that we know about and follow.”
Sharf recommended that webmasters remove the file name from the auto_append_file setting and scan their servers for other infections using security software. Patching all software that runs on their servers and performing regular backups is fundamentally important, he said.
Denis Sinegubko, an independent security researcher and creator of the Unmask Parasites website scanner, couldn’t confirm the “auto_append_file” attacks, but said that he has seen other rogue php.ini modifications in the past.
“All critical configuration files should be under version control. Not only does it help to spot unwanted changes, but also easily restore files to their clean state,” Sinegubko said. Scanning the Web server, ftp and other available logs for suspicious activity is also something that server administrators should do on a regular basis, he added.
Sinegubko’s advice for owners of infected websites who use shared hosting servers and can’t find anything suspicious under their account, is to check if other sites hosted on the same server were also compromised.
Another method is to create an empty .php file in the topmost directory and scan its corresponding URL with one of the several free online website scanners. If any of these checks return a positive result, webmasters should contact their hosting provider and inform them about the problem, Sinegubko said.