The “Off” string from the rogue php.ini directive is actually the path to a file, namely /tmp/0ff, which is created by the attackers on the compromised servers and contains the malicious iframe.