Official PHP website hacked, spreads malware infection

Graham Cluley

The php.net website, the official home of the open-source PHP programming language, has been hacked and used to spread malware to visitors.

The first indication that many users will have had that anything was wrong was when Google’s Safe Browsing service began to pop up an alert warning that the site was serving malicious scripts, as Softpedia reported on Thursday.

Google Safe Browsing alert on php.net. Source: Softpedia

Initially, many people’s reaction was that the warning was likely to be a false positive. However, a statement on php.net has now confirmed that malware was being spread from the site from Tuesday 22 October until the 24th.


PHP statement about malware infection

Part of the statement reads:

To summarise, the situation right now is that:

* JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
* Neither the source tarball downloads nor the Git repository were modified or compromised.
* Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
* SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.

Kaspersky security researcher Fabio Assolini confirmed the infection, saying that hackers had managed to inject a malicious iFrame into the php.net website, pointing to the Magnitude exploit kit, which then – in turn – dropped the Tepfer Trojan horse onto visiting computers.

Exploit kits like Magnitude turn unpatched vulnerabilities on a visitor’s computer to the attacker’s advantage, exploiting security holes in the likes of Adobe Flash, Java, web browsers and other software to install malware without any user interaction – a major incentive to keep your patches up to date.

This doesn’t, of course, explain how the php.net website came to be compromised in the first place. Clearly something went badly wrong if the hackers were able to inject their malicious script into the site, silently exposing visitors to the Magnitude exploit kit.

Of course, PHP is a programming language used behind the scenes by many millions of websites across the net. Fortunately, there is no indication that any of the code distributed from the site was compromised.

The site says it will publish a full post mortem on the security incident in the near future, probably next week, and that users should follow @official_php on Twitter for updates.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
