- Nov 5, 2011
- 5,855
Hackers abuse PHP setting to inject malicious code into websites topic here ..
InfoWorld.com: Hackers modify php.ini files on compromised Web servers to hide their malicious activity from webmasters: http://www.infoworld.com/d/security/hackers-abuse-php-setting-inject-malicious-code-websites-182586
Quote:
'Attackers have begun to abuse a special PHP configuration directive in order to insert malicious code into websites hosted on dedicated and VPS (virtual private servers) that have been compromised.
The technique was identified by Web security firm Sucuri Security while investigating several infected websites that had a particular malicious iframe injected into their pages.'
' "We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added: ;auto_append_file = "0ff"," Sucuri security researcher David Dede said ..'
'Denis Sinegubko: "All critical configuration files should be under version control. Not only does it help to spot unwanted changes, but also easily restore files to their clean state," Sinegubko said. Scanning the Web server, ftp and other available logs for suspicious activity is also something that server administrators should do on a regular basis, he added.
Sinegubko's advice for owners of infected websites who use shared hosting servers and can't find anything suspicious under their account, is to check if other sites hosted on the same server were also compromised.
Another method is to create an empty .php file in the topmost directory and scan its corresponding URL with one of the several free online website scanners. If any of these checks return a positive result, webmasters should contact their hosting provider and inform them about the problem, Sinegubko said.'
.
InfoWorld.com: Hackers modify php.ini files on compromised Web servers to hide their malicious activity from webmasters: http://www.infoworld.com/d/security/hackers-abuse-php-setting-inject-malicious-code-websites-182586
Quote:
'Attackers have begun to abuse a special PHP configuration directive in order to insert malicious code into websites hosted on dedicated and VPS (virtual private servers) that have been compromised.
The technique was identified by Web security firm Sucuri Security while investigating several infected websites that had a particular malicious iframe injected into their pages.'
' "We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added: ;auto_append_file = "0ff"," Sucuri security researcher David Dede said ..'
'Denis Sinegubko: "All critical configuration files should be under version control. Not only does it help to spot unwanted changes, but also easily restore files to their clean state," Sinegubko said. Scanning the Web server, ftp and other available logs for suspicious activity is also something that server administrators should do on a regular basis, he added.
Sinegubko's advice for owners of infected websites who use shared hosting servers and can't find anything suspicious under their account, is to check if other sites hosted on the same server were also compromised.
Another method is to create an empty .php file in the topmost directory and scan its corresponding URL with one of the several free online website scanners. If any of these checks return a positive result, webmasters should contact their hosting provider and inform them about the problem, Sinegubko said.'
.
