PHP.net Compromised

ditto

From Slashdot: http://it.slashdot.org/story/13/10/24/1858200/phpnet-compromised

"The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its Javascript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over the hacker news thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."

Here is an update on PHP.net: http://php.net/archive/2013.php#id2013-10-24-1

A quick update on the status of php.net: On 24 Oct 2013 06:15:39 +0000 Google started saying www.php.net was hosting malware. The Google Webmaster Tools were initially quite delayed in showing the reason why and when they did it looked a lot like a false positive because we had some minified/obfuscated javascript being dynamically injected into userprefs.js. This looked suspicious to us as well, but it was actually written to do exactly that so we were quite certain it was a false positive, but we kept digging.

It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion.

We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers. The highest priority is obviously the source code integrity and after a quick:

Code:
git fsck --no-reflog --full --strict

on all our repos plus manually checking the md5sums of the PHP distribution files we see no evidence that the PHP code has been compromised. We have a mirror of our git repos on github.com and we will manually check git commits as well and have a full post-mortem on the intrusion when we have a clearer picture of what happened.

Edit: Also see Rasmus Lerdorf tweets: https://twitter.com/rasmus
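The access-log check described in the php.net update quoted above (a static file periodically served with the wrong content length and then reverting) can be automated. The script below is an added example, not php.net's or DirectAdmin's own tooling: it parses Apache/nginx combined-format lines, keeps the 200 responses per path, and reports every path that was served with more than one body size, together with the consecutive run of hits in which each size was served, so the change and the revert show up as time windows. The sample log lines, the path /js/userprefs.js, the IP addresses and the byte counts are constructed for illustration.

```python
"""Find static files served with alternating response sizes in an access log.

Added example (not php.net's own code). Works on Apache/nginx combined log
format; the SAMPLE_LOG below is constructed data for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: userprefs.js is normally 4217 bytes, but for a few
# minutes (including the crawler hit) a 5321-byte version is served.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Oct/2013:06:10:02 +0000] "GET /js/userprefs.js HTTP/1.1" 200 4217 "-" "Mozilla/5.0"
203.0.113.11 - - [24/Oct/2013:06:11:40 +0000] "GET /js/userprefs.js HTTP/1.1" 200 4217 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Oct/2013:06:12:15 +0000] "GET /index.php HTTP/1.1" 200 9801 "-" "Mozilla/5.0"
203.0.113.12 - - [24/Oct/2013:06:13:09 +0000] "GET /js/userprefs.js HTTP/1.1" 200 4217 "-" "Mozilla/5.0"
66.249.66.1 - - [24/Oct/2013:06:15:39 +0000] "GET /js/userprefs.js HTTP/1.1" 200 5321 "-" "Googlebot/2.1"
203.0.113.13 - - [24/Oct/2013:06:16:02 +0000] "GET /js/userprefs.js HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.14 - - [24/Oct/2013:06:19:44 +0000] "GET /js/userprefs.js HTTP/1.1" 200 4217 "-" "Mozilla/5.0"
203.0.113.15 - - [24/Oct/2013:06:25:10 +0000] "GET /js/userprefs.js HTTP/1.1" 304 - "-" "Mozilla/5.0"
this line is not a valid log entry and is skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec


def find_flapping_sizes(lines, path_filter=None):
    """Report paths whose 200 responses had more than one body size.

    Returns {path: {"majority": size, "windows": [(size, first_ts, last_ts, hits)]}}.
    Each window is a run of consecutive hits (chronological order) with the
    same size, so the list shows when the file changed and when it reverted.
    """
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Only full 200 responses carry a meaningful body size; 304s are "-".
        if rec is None or rec["status"] != 200 or rec["size"] is None:
            continue
        if path_filter and rec["path"] != path_filter:
            continue
        by_path[rec["path"]].append((rec["ts"], rec["size"]))

    report = {}
    for path, hits in by_path.items():
        sizes = Counter(size for _, size in hits)
        if len(sizes) < 2:
            continue  # served consistently; nothing to flag
        hits.sort()  # logs are not guaranteed to be strictly chronological
        windows = []
        for ts, size in hits:
            if windows and windows[-1][0] == size:
                s, first, _, n = windows[-1]
                windows[-1] = (s, first, ts, n + 1)
            else:
                windows.append((size, ts, ts, 1))
        report[path] = {"majority": sizes.most_common(1)[0][0], "windows": windows}
    return report


if __name__ == "__main__":
    for path, info in find_flapping_sizes(SAMPLE_LOG.splitlines()).items():
        print(f"{path}: usual size {info['majority']} bytes")
        for size, first, last, n in info["windows"]:
            flag = "" if size == info["majority"] else "  <-- anomalous"
            print(f"  {size:>6} bytes  {first:%H:%M:%S}..{last:%H:%M:%S}  ({n} hits){flag}")
```

On a real server you would feed it the whole log (`find_flapping_sizes(open("/var/log/nginx/access.log"))`) and filter to the suspect path. The size check is only a cheap first pass: an attacker who pads the injected file to the original length defeats it, so the confirmation is to fetch the file during the anomalous window and compare its hash against the rsync source, which is what php.net's post-mortem went on to do by hand.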
 
Thanks, Ditto, for this in-depth report. I don't believe DirectAdmin pulls anything from php.net automatically, but I've sent a note to John to be sure to follow if they end up telling us any code was compromised.

Jeff
 
We are probably not affected by this hack; however, as they still don't know how one of their files was compromised, we should be sure it wasn't through PHP or any other software they use which we also use.
 
I actually noticed that the other day, I thought my browser was wrong :)
As Jeff said, we keep copies of the PHP tar.gz files on our file servers, and they don't automatically pull.
I'll keep my eyes open, but I don't currently see any way that this would affect us.

John
 
There is a new update on php.net: A further update on php.net http://php.net/archive/2013.php#id2013-10-24-2

To summarise, the situation right now is that:
  • JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
  • Neither the source tarball downloads nor the Git repository were modified or compromised.
  • Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
  • SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
 