Posts Tagged ‘PHP’

Cyber criminals offer malware for Nginx, Apache Web servers

Thursday, December 26th, 2013

A new malware program that functions as a module for the Apache and Nginx Web servers is being sold on cybercrime forums, according to researchers from security firm IntelCrawler.

The malware is called Effusion and according to the sales pitch seen by IntelCrawler, a start-up firm based in Los Angeles that specializes in cybercrime intelligence, it can inject code in real time into websites hosted on the compromised Web servers. By injecting content into a website, attackers can redirect visitors to exploits or launch social engineering attacks.

The Effusion module works with Nginx from version 0.7 up to the latest stable version, 1.4.4, and with Apache running on 32- and 64-bit versions of Linux and FreeBSD. Modules extend Apache’s and Nginx’s core functionality.

The malware can inject rogue code into static content of certain MIME types, including JavaScript and HTML, and in PHP templates at the start, end or after a specific tag. Attackers can push configuration updates and control code modifications remotely.

Filters can also be used to restrict when the injection happens. Effusion supports filtering by referrer header, which can be used to target only visitors that come from specific websites; by User-Agent header, which can be used to target users of specific browsers and by IP address or address range.

The malware can check whether it has root access, something that could allow the attackers greater control over the underlying system. It can also delete the injected content when suspicious processes are detected in order to hide itself, Andrey Komarov, IntelCrawler’s CEO, said via email.
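One check a site owner can run against the filtering described above is to request the same URL under several request profiles (different Referer and User-Agent headers, ideally from different source addresses) and diff the active content. This is an added example, not code from the article or from IntelCrawler; the responses below are constructed to stand in for real fetches, and the profile names and the example.invalid host are assumptions.

```python
import re

# Constructed responses for one URL fetched under different request profiles.
# A module that filters on Referer, User-Agent or client IP serves the clean
# page to some profiles and an injected page to others.
BASELINE_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Welcome</h1></body></html>"""

INJECTED = '<iframe src="http://example.invalid/r" width="1" height="1"></iframe>'

RESPONSES = {
    "direct, curl UA": BASELINE_HTML,
    "referer=search engine, IE UA": BASELINE_HTML.replace("</body>", INJECTED + "</body>"),
    "referer=search engine, mobile UA": BASELINE_HTML,
}

# Script and iframe elements, with their bodies, are the usual injection vehicle.
TAG_RE = re.compile(r"<(script|iframe)\b[^>]*>(.*?)</\1>", re.I | re.S)


def active_content(html):
    """Set of script/iframe elements (full source text) found in a page."""
    return {m.group(0) for m in TAG_RE.finditer(html)}


def conditional_elements(responses):
    """Elements served to some request profiles but not to all of them.

    No profile is trusted as a baseline: anything that is not identical across
    every fetch is reported, together with the profiles that received it.
    Returns {element_source: sorted list of profile names}.
    """
    per_profile = {profile: active_content(html) for profile, html in responses.items()}
    seen_in = {}
    for profile, elements in per_profile.items():
        for element in elements:
            seen_in.setdefault(element, []).append(profile)
    total = len(per_profile)
    return {el: sorted(profiles) for el, profiles in seen_in.items() if len(profiles) < total}


if __name__ == "__main__":
    for element, profiles in conditional_elements(RESPONSES).items():
        print("only served to", profiles, ":", element)
```

Because the filters can also key on client IP, the fetches should be repeated from more than one network before concluding a page is clean.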

The Effusion authors offer precompiled builds for $2,500 per build and plan to vet buyers, Komarov said. This suggests they’re interested in selling it only to a limited number of people so they can continue to offer support and develop the malware at the same time, he said.

While this is not the first malware to function as an Apache module, it is one of the very few so far to also target Nginx, a high-performance Web server that has grown considerably in popularity in recent years.

According to a December Web server survey by Internet services firm Netcraft, Nginx is the third most widely used Web server software after Apache and Microsoft IIS, and has a market share of over 14%. Because it’s built to handle high numbers of concurrent connections, it is used to host heavily trafficked websites including Netflix, Hulu, Pinterest, CloudFlare, Airbnb, GitHub and SoundCloud.


Unique malware evades sandboxes

Thursday, December 19th, 2013

Malware used in attack on PHP last month dubbed DGA.Changer

Malware utilized in the attack last month on the developers’ site used a unique approach to avoid detection, a security expert says.

On Wednesday, security vendor Seculert reported finding that one of five malware types used in the attack had a unique cloaking property for evading sandboxes. The company called the malware DGA.Changer.

DGA.Changer’s only purpose was to download other malware onto infected computers, Aviv Raff, chief technology officer for Seculert, said on the company’s blog. Seculert identified 6,500 compromised computers communicating with the malware’s command and control server. Almost 60 percent were in the United States.

What Seculert found unique was how the malware could receive a command from a C&C server to change the seed of the software’s domain generation algorithm. The DGA periodically generates a large number of domain names as potential communication points to the C&C server, thereby making it difficult for researchers and law enforcement to find the right domain and possibly shut down the botnet.

“What the attackers behind DGA did is basically change the algorithm on the fly, so they can tell the malware to create a new stream of domains automatically,” Raff told CSOonline.

When the malware generates the same list of domains, it can be detected in the sandbox where security technology will isolate suspicious files. However, changing the algorithm on demand means that the malware won’t be identified.

“This is a new capability that didn’t exist before,” Raff said. “This capability allows the attacker to bypass sandbox technology.”

Hackers working for a nation-state targeting specific entities, such as government agencies, think tanks or international corporations, would use this type of malware, according to Raff. Called advanced persistent threats, these hackers tend to use sophisticated attack tools.

An exploit kit that served five different malware types was used in compromising two servers of, a site for downloads and documentation related to the PHP general-purpose scripting language used in Web development. Google spotted four pages on the site serving malicious JavaScript that targeted personal computers, but ignored mobile devices.

The attack was noteworthy because of the number of visitors to, which is in the top 250 domains on the Internet, according to Alexa rankings.

To defend against DGA.Changer, companies would need a tool that looks for abnormal behavior in network traffic. The malware tends to generate unusual traffic by querying lots of domains in search of the one leading to the C&C server.

“Because this malware will try to go to different domains, it will generate suspicious traffic,” Raff said.
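Because a changed seed invalidates any fixed list of domains, the defence the article points to is behavioural: a host that queries many distinct, random-looking names that mostly fail to resolve stands out in DNS logs regardless of the seed. The following is an added example, not code from Seculert or the article; the resolver log format, the `.invalid` names and the thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the article). Assumed format:
# "<timestamp> <client-ip> <queried-name> <rcode>", one query per line.
# 10.0.0.5 behaves normally; 10.0.0.7 walks through generated-looking names,
# almost all of which do not exist, until one resolves.
SAMPLE_DNS_LOG = """\
2013-12-18T10:00:01Z 10.0.0.5 www.example.com NOERROR
2013-12-18T10:00:02Z 10.0.0.5 mail.example.com NOERROR
2013-12-18T10:00:03Z 10.0.0.7 qxk3ovt9hd2a.invalid NXDOMAIN
2013-12-18T10:00:04Z 10.0.0.7 w8rnbf0uyl4k.invalid NXDOMAIN
2013-12-18T10:00:05Z 10.0.0.7 zjm5pcxq2tev.invalid NXDOMAIN
2013-12-18T10:00:06Z 10.0.0.7 h4vlwd7sqk9o.invalid NXDOMAIN
2013-12-18T10:00:07Z 10.0.0.7 ck2tyfn8rzme.invalid NXDOMAIN
2013-12-18T10:00:08Z 10.0.0.7 p6gmsdx1vjua.invalid NXDOMAIN
2013-12-18T10:00:09Z 10.0.0.7 r9ozhbt4lwqy.invalid NXDOMAIN
2013-12-18T10:00:10Z 10.0.0.7 tm3qkxe7cvpi.invalid NXDOMAIN
2013-12-18T10:00:11Z 10.0.0.7 e1jwvgsy5dnk.invalid NXDOMAIN
2013-12-18T10:00:12Z 10.0.0.7 nf7rbzmu0xah.invalid NXDOMAIN
2013-12-18T10:00:13Z 10.0.0.7 ydg2hcq8plwt.invalid NXDOMAIN
2013-12-18T10:00:14Z 10.0.0.7 b2xz7hqlqd.invalid NOERROR
"""


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label; generated labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def per_host_stats(log_text):
    """Per client: distinct names queried, share of NXDOMAIN answers and the
    mean entropy of the leftmost label."""
    acc = defaultdict(lambda: {"names": set(), "queries": 0, "nx": 0, "ent": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # only the constructed four-field format is understood
        _, client, name, rcode = parts
        s = acc[client]
        s["queries"] += 1
        s["names"].add(name.lower())
        if rcode.upper() == "NXDOMAIN":
            s["nx"] += 1
        s["ent"] += shannon_entropy(name.split(".")[0])
    return {
        client: {
            "distinct_names": len(s["names"]),
            "nxdomain_ratio": s["nx"] / s["queries"],
            "mean_entropy": s["ent"] / s["queries"],
        }
        for client, s in acc.items()
    }


def suspicious_hosts(log_text, min_names=10, min_nx_ratio=0.7, min_entropy=3.0):
    """Clients whose queries look like a DGA sweep. Thresholds are assumptions
    to be tuned per environment (CDNs and ad networks also produce odd names)."""
    return sorted(
        client for client, s in per_host_stats(log_text).items()
        if s["distinct_names"] >= min_names
        and s["nxdomain_ratio"] >= min_nx_ratio
        and s["mean_entropy"] >= min_entropy
    )
```

The single name that resolved for a flagged host is the one worth pivoting on, since it is the current rendezvous point with the C&C server.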

Seculert did not find any evidence that would indicate who was behind the attack.

“This is a group that’s continuously updating this malicious software, so this is a work in progress,” Raff said.


Hackers compromise official PHP website, infect visitors with malware

Friday, October 25th, 2013

Maintainers of the open-source PHP programming language have locked down the website after discovering two of its servers were hacked to host malicious code designed to surreptitiously install malware on visitors’ computers.

The compromise was discovered Thursday morning by Google’s safe browsing service, which helps the Chrome, Firefox, and Safari browsers automatically block sites that serve drive-by exploits. Traces of the malicious JavaScript code served to some visitors were captured and posted to Hacker News here and, in the form of a pcap file, to a Barracuda Networks blog post here. The attacks started Tuesday and lasted through Thursday morning, PHP officials wrote in a statement posted late that evening.

Eventually, the site was moved to a new set of servers, PHP officials wrote in an earlier statement. There’s no evidence that any of the code they maintain has been altered, they added. Encrypted HTTPS access to websites is temporarily unavailable until a new secure sockets layer certificate is issued and installed. The old certificate was revoked out of concern the intruders may have accessed the private encryption key. User passwords will be reset in the coming days. At time of writing, there was no indication of any further compromise.

“The systems team have audited every server operated by, and have found that two servers were compromised: the server which hosted the, and domains and was previously suspected based on the JavaScript malware, and the server hosting,” Thursday night’s statement read. “The method by which these servers were compromised is unknown at this time.”

According to a security researcher at Kaspersky Lab, Thursday’s compromise caused some visitors to download “Tepfer,” a trojan spawned by the Magnitude Exploit Kit. At the time of the attacks, the malware was detected by only five of 47 antivirus programs. An analysis of the pcap file suggests the malware attack worked by exploiting a vulnerability in Adobe Flash, although it’s possible that some victims were targeted by attacks that exploited Java, Internet Explorer, or other applications, Martijn Grooten, a security researcher for Virus Bulletin, told Ars.

Grooten said the malicious JavaScript was served from a file known as userprefs.js hosted directly on one of the servers. While the userprefs.js code was served to all visitors, only some of those people received an additional payload that contained malicious iframe tags. The HTML code caused visitors’ browsers to connect to a series of third-party websites and eventually download malicious code. At least some of the sites the malicious iframes were pointing to were UK domains such as, which appeared to have their domain name system server settings compromised so they resolved to IP addresses located in Moldova.

“Given what Hacker News reported (a site serving malicious JS) to some, this doesn’t look like someone manually changing the file,” Grooten said, calling into question an account officials gave in their initial brief statement posted to the site. The attackers “somehow compromised the Web server. It might be that has yet to discover that (it’s not trivial—some webserver malware runs entirely in memory and hides itself pretty well.)”

Ars has covered several varieties of malware that target webservers and are extremely hard to detect.

In an e-mail, PHP maintainer Adam Harvey said PHP officials first learned of the attacks at 6:15am UTC. By 8, they had provisioned a new server. In the interim, some visitors may have been exposed.

“We have no numbers on the number of visitors affected, due to the transient nature of the malicious JS,” Harvey wrote. “As the news post on said, it was only visible intermittently due to interactions with an rsync job that refreshed the code from the Git repository that houses The investigation is ongoing. Right now we have nothing specific to share, but a full post mortem will be posted on once the dust has settled.”


Attackers target unpatched PHP bug allowing malicious code execution

Tuesday, May 8th, 2012

Installing this 13-line patch is one of the steps security researchers suggest webmasters follow immediately to prevent attacks that exploit an unpatched vulnerability in the PHP scripting language.

A huge number of websites around the world are endangered by an unpatched vulnerability in the PHP scripting language that attackers are already trying to exploit to remotely take control of underlying servers, security researchers warned.

The code-execution attacks threaten PHP websites only when they run in common gateway interface (CGI) mode, Darian Anthony Patrick, a Web application security consultant with Criticode, told Ars. Sites running PHP in FastCGI mode aren’t affected. Nobody knows exactly how many websites are at risk, because sites also must meet several other criteria to be vulnerable, including not having a firewall that blocks certain ports. Nonetheless, sites running CGI-configured PHP on the Apache webserver are by default vulnerable to attacks that make it easy for hackers to run code that plants backdoors or downloads files containing sensitive user data.

Making matters worse, full details of the bug became public last week, giving attackers everything they need to locate and exploit vulnerable websites.

“The huge issue is the remote code execution, and that’s really easy to figure out how to do,” Patrick said. “If I as an attacker found it existed on a particular site, it would be exciting because I own everything. It’s the kind of vulnerability where it’s probably not super prevalent, but if it’s there, it’s not a minor thing.”

According to security researcher Ryan Barnett, exploits are already being attempted against servers that are part of a honeypot set up by Trustwave’s Spider Labs to detect Web-based attacks. While some of the Web requests observed appear to be simple probes designed to see if sites are vulnerable, others contain remote file inclusion parameters that attempt to execute code of the attacker’s choosing on vulnerable servers.

“Because this is honeypot stuff and we’re not actually running all of these live applications, we can’t be sure what I’m showing actually would work,” Barnett told Ars. “We just wanted to show that yes, bad guys are actively scanning for this.”

In a series of Twitter dispatches made in response to this article, blogger Trevor Pott said he’s seeing a dozen such attack attempts every hour against smaller websites including his own, They appear to be made by infected computers located in the US and China for the purpose of seeding them with malware used in drive-by download attacks.

What’s more, the open-source Metasploit framework used by hackers and penetration testers to exploit known vulnerabilities has been updated to include the exploit, providing a point-and-click interface for remotely carrying out the code execution attacks. Making matters worse, an update that PHP maintainers released late last week to patch the hole can easily be bypassed, leaving vulnerable websites at risk even after applying the fix.

Patrick said websites that run PHP in CGI mode should install the update anyway and then follow several steps to mitigate their exposure, including applying a second patch published last week by researchers on Barnett’s post also includes steps webmasters can follow to protect themselves against exploits.

HD Moore, the CSO of Rapid7 and the Metasploit chief architect who wrote the PHP-CGI module, agreed with Patrick that the percentage of sites vulnerable to the bug is probably small. But he went on to say the installed base of PHP is so big and the damage to those who are susceptible to attack is so large that admins should take immediate steps to lock down their systems right away. He also said it’s likely that attacks could last for months or years because of the difficulty many administrators have in updating.

“I wouldn’t be surprised if we continue to see this bug exploited in the wild for two or three years, because it will take a while for people to patch their systems,” he told Ars. “There are a lot of crusty old boxes out there running old versions of PHP, and if those are configured as CGI it’s going to affect it.”


Breaches galore as Cryptome hacked to infect visitors with malware

Friday, February 17th, 2012

A breach that caused to infect visitors with virulent malware was one of at least six attacks reported to hit high-profile sites or services in the past few days. Others affected included Ticketmaster, websites for Mexico and the state of Alabama, Dutch ISP KPN, and the Microsoft store in India.

Cryptome, a repository of leaked documents and other information concerning free speech, privacy and cryptography, was attacked by hackers who left code on its servers that attempted to infect visitors using Windows PCs with a trojan spawned by the Blackhole Toolkit, the website reported on Sunday.

Cryptome founder John Young said in an e-mail that he believes the attackers were able to infect his website with a poisoned PHP file by exploiting a weakness in security or server software provided by Network Solutions, which hosts the Cryptome website.

“It is not yet clear how the attacker got past Network Solutions (our ISP)’s security which has been pretty good,” Young wrote in an e-mail to Ars. “A security expert sent a message just minutes ago which included a security scan of Cryptome which indicated the attacker likely knew how to bypass NetSol’s security with sophisticated tricks.”

The security expert said an exploit of the PHP management system gave attackers highly privileged write access to the Cryptome server’s document root. The attack was likely carried out by an automated script that swept large swaths of the Internet for vulnerable Web servers.

If the vulnerability that was exploited resides in the software Network Solutions provides its customers, other websites may be compromised by the same attack, said the security researcher, who asked to be identified as Lifeguard. A spokesman for Network Solutions didn’t immediately respond to requests for comment. Network Solutions customers who have recently experienced security breaches are encouraged to contact this reporter.

According to security firm Symantec, the Blackhole Toolkit exploits vulnerabilities in a variety of software packages running on Microsoft’s Windows operating system. The PHP code on Cryptome’s servers specifically excluded infecting machines using IP addresses from Google, presumably to keep the infection from coming to the attention of the company’s antimalware defenses. Indeed, Google’s safe browsing diagnostics for Cryptome showed no reports of compromise.

Word of the compromise came as at least five other high-profile sites and services were also reported to have had their security breached. They include government websites for Mexico and the state of Alabama, the Dutch ISP KPN, the UK arm of Ticketmaster, and the Microsoft store in India. Members of the loosely organized hacker collective Anonymous reportedly took credit for a denial-of-service attack that took out US government’s CIA website and then backed away from the claim.


PHP 5.3.10 fixes critical remote code execution vulnerability

Monday, February 6th, 2012

The vulnerability was introduced by the fix for a hash collision denial-of-service flaw

The PHP Group released PHP 5.3.10 on Thursday in order to address a critical security flaw that can be exploited to execute arbitrary code on servers running an older version of the Web development platform.

The vulnerability is identified as CVE-2012-0830 and was discovered by Stefan Esser, an independent security consultant and creator of the popular Suhosin security extension for PHP.

SecurityFocus classifies the issue as a design error because it was accidentally introduced while fixing a separate denial-of-service (DoS) vulnerability in early January.

That vulnerability is known as CVE-2011-4885 and was disclosed in December 2011 at the Chaos Communication Congress by security researchers Alexander Klink and Julian Wälde.

It affects a number of Web development platforms including PHP, ASP.NET, Java and Python and can be exploited in a so-called hash collision attack. The PHP development team addressed CVE-2011-4885 in PHP 5.3.9, which was released on Jan. 10.

“The fix for the Hash Collision DoS introduced a new directive (max_input_vars) to limit the number of accepted input variables,” said Carsten Eiram, chief security specialist at vulnerability research firm Secunia.

“However, due to a logic error in the “php_register_variable_ex()” function in php_variables.c certain cases are not handled correctly when the number of supplied variables is greater than the imposed limit,” he explained.

This error can be exploited by attackers to remotely execute arbitrary code on a system that runs a vulnerable PHP installation. PHP 5.3.9, along with any older versions for which the hash collision DoS patch was backported, is affected, Eiram said.

Proof-of-concept code that exploits this vulnerability has already been published online, so the likelihood of attacks targeting CVE-2012-0830 is high. Web server administrators are advised to upgrade to PHP 5.3.10 immediately.


Hackers abuse PHP setting to inject malicious code into websites

Friday, December 23rd, 2011

Hackers modify php.ini files on compromised Web servers to hide their malicious activity from webmasters

Attackers have begun to abuse a special PHP configuration directive in order to insert malicious code into websites hosted on dedicated and VPS (virtual private servers) that have been compromised.

The technique was identified by Web security firm Sucuri Security while investigating several infected websites that had a particular malicious iframe injected into their pages.

“We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added: ;auto_append_file = “0ff”,” Sucuri security researcher David Dede said in a blog post on Thursday.

According to the PHP manual, the auto_append_file directive specifies the name of a file that is automatically parsed after the main file. This is the server-wide equivalent of the PHP require() function.

The “0ff” value in the rogue php.ini directive, written with a zero so that it passes at a glance for the keyword “Off”, is actually the path to a file, namely /tmp/0ff, which is created by the attackers on the compromised servers and contains the malicious iframe.

This malicious trick makes it hard for webmasters to pinpoint the source of the unauthorized code, since none of the files in their Web directory are actually altered.

“We only got access to a few dozen servers with this type of malware, but doing our crawling we identified a few thousand sites with a similar malware, so we assume they are all hacked the same way,” Dede said.

Even though Sucuri has only inspected VPS and dedicated servers so far, the researcher doesn’t dismiss the possibility that some shared servers, like those used for low-cost hosting, might have been compromised in the same manner.

Attacks using this technique have already been running for several months, said Elad Sharf, a security researcher at Web security firm Websense. “This is one of many mass injection campaigns that we know about and follow.”

Sharf recommended that webmasters remove the file name from the auto_append_file setting and scan their servers for other infections using security software. Patching all software that runs on their servers and performing regular backups is fundamentally important, he said.

Denis Sinegubko, an independent security researcher and creator of the Unmask Parasites website scanner, couldn’t confirm the “auto_append_file” attacks, but said that he has seen other rogue php.ini modifications in the past.

“All critical configuration files should be under version control. Not only does it help to spot unwanted changes, but also easily restore files to their clean state,” Sinegubko said. Scanning the Web server, ftp and other available logs for suspicious activity is also something that server administrators should do on a regular basis, he added.

Sinegubko’s advice for owners of infected websites who use shared hosting servers and can’t find anything suspicious under their account is to check if other sites hosted on the same server were also compromised.

Another method is to create an empty .php file in the topmost directory and scan its corresponding URL with one of the several free online website scanners. If any of these checks return a positive result, webmasters should contact their hosting provider and inform them about the problem, Sinegubko said.
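The two checks described in this article, reviewing php.ini for an auto_append_file or auto_prepend_file that names a file (without being fooled by a value that merely looks like Off) and probing an intentionally empty .php file for content that should not be there, can be scripted. This is an added example, not code from Sucuri, Websense or the article; the sample php.ini fragment and the probe response are constructed, and the example.invalid host is a placeholder.

```python
import re

# Constructed php.ini fragment (not from the article). The auto_append_file
# value is "0ff" (zero, f, f): a file name that resembles the keyword Off.
SAMPLE_PHP_INI = """\
; Sample php.ini fragment
engine = On
;auto_prepend_file =
auto_append_file = "0ff"
include_path = ".:/tmp"
"""

# Constructed body returned for a URL that serves an empty .php file. Anything
# other than whitespace means the server added content around the script.
SAMPLE_PROBE_BODY = '\n<iframe src="http://example.invalid/x" width="1" height="1"></iframe>'

# An empty value or the special value "none" disables these directives; the
# unquoted boolean keywords (Off, No, False, Null) are parsed to an empty
# string by the ini scanner. Anything else, including "0ff", is a file name.
DISABLED_VALUES = {"", "none", "off", "no", "false", "null"}

DIRECTIVE_RE = re.compile(r"^(auto_(?:prepend|append)_file)\s*=\s*(.*)$", re.I)


def find_auto_includes(ini_text):
    """Active auto_prepend_file / auto_append_file directives that name a file.

    Lines beginning with ';' are php.ini comments and are skipped. Each hit is
    (directive, value, line_number) so it can be located and removed.
    """
    hits = []
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        value = m.group(2).split(";")[0].strip().strip("\"'")  # drop trailing comment, quotes
        if value.lower() in DISABLED_VALUES:
            continue
        hits.append((m.group(1).lower(), value, lineno))
    return hits


def unexpected_probe_content(probe_body):
    """For the empty-.php probe: return injected script/iframe tags found in the
    response, the raw body if there is content but no such tags, or [] if clean."""
    body = probe_body.strip()
    if not body:
        return []
    tags = re.findall(r"<(?:script|iframe)\b[^>]*>", body, re.I)
    return tags or [body]


if __name__ == "__main__":
    for directive, value, lineno in find_auto_includes(SAMPLE_PHP_INI):
        print(f"php.ini line {lineno}: {directive} = {value!r} names a file")
    for tag in unexpected_probe_content(SAMPLE_PROBE_BODY):
        print("probe returned content that an empty script cannot produce:", tag)
```

The probe only reveals server-wide appending; a clean result on one account does not clear the other sites sharing the server, which is why the article recommends checking those separately.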