Whilst investigating one of the compromised sites involved in a web attack uncovered this week, I noticed some PHP scripts that had been added to the page.
You can see the start of an obfuscated malicious script that was added in the attack (detected as Troj/Unif-B). But above that are several PHP additions, each one using the file_get_contents() function to read the contents of a remote file and then echoing it back into the page. For this method to succeed, the allow_url_fopen option in the PHP configuration of the compromised site has to be enabled (it is by default).
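As an added example (not code from the original post), a small Python checker for the two points above: it flags un-obfuscated file_get_contents() calls whose argument is a remote URL in PHP source, and reports whether a php.ini text leaves allow_url_fopen enabled. The sample PHP, the .invalid hostnames and the ini lines are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of the kind of injected PHP described above (not a captured sample).
SAMPLE_PHP = """<?php echo file_get_contents('http://example.invalid/a.txt'); ?>
<?php echo FILE_GET_CONTENTS( "https://example.invalid/b.txt" ); ?>
<?php $x = file_get_contents('/var/www/local.txt'); ?>
<html><body>normal page</body></html>
"""

# PHP function names are case-insensitive, so match regardless of case.  Only plain,
# string-literal remote URLs are matched: a call built from variables or encoded
# strings will not be caught, so an empty result means "nothing obvious", not "clean".
_REMOTE_FETCH = re.compile(
    r"""file_get_contents\s*\(\s*(['"])((?:https?|ftps?)://[^'"]*)\1""",
    re.IGNORECASE,
)


def find_remote_fetches(php_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for each file_get_contents() call on a remote URL."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in _REMOTE_FETCH.finditer(line):
            hits.append((lineno, m.group(2)))
    return hits


# A ';' starts a comment in php.ini, so commented-out settings are not matched.
_INI_LINE = re.compile(r"^\s*allow_url_fopen\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def allow_url_fopen_enabled(php_ini: str) -> bool:
    """True if the php.ini text leaves allow_url_fopen on (PHP's default when unset)."""
    values = _INI_LINE.findall(php_ini)
    if not values:
        return True  # unset: PHP defaults to On
    # The last occurrence wins, as it does when PHP reads the file.
    return values[-1].strip('"').lower() in ("1", "on", "true", "yes")


if __name__ == "__main__":
    for lineno, url in find_remote_fetches(SAMPLE_PHP):
        print(f"line {lineno}: remote fetch of {url}")
    print("allow_url_fopen enabled:", allow_url_fopen_enabled("allow_url_fopen = Off\n"))
```

Setting allow_url_fopen = Off removes the remote-fetch path this injection depends on, but only where no legitimate code on the site needs it, so check for other hits first.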
Perhaps unsurprisingly, the text files loaded by the PHP contain a list of malicious iframes. So, to the victim, the effect is much the same – browsing the page results in the loading of malicious content from multiple domains. For security vendors, this is just another little trick used by the bad guys in order to evade detection.