The php.net website, the official home of the open-source PHP programming language, has been hacked and used to spread malware to visitors.
The first indication that many users will have had that anything was wrong was when Google’s Safe Browsing service began to pop-up an alert indicating that it had found the site was serving up malicious scripts, as was reported on Thursday by Softpedia.
Initially, many people’s reaction was that the warning was likely to be a false positive. However, a statement on php.net has now confirmed that malware was being spread from the site from Tuesday 22 October until the 24th.
Part of the statement reads:
To summarise, the situation right now is that:
* Neither the source tarball downloads nor the Git repository were modified or compromised.
* Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
* SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
Kaspersky security researcher Fabio Assolini confirmed the infection, saying that hackers had managed to inject a malicious iFrame into the php.net website, pointing to the Magnitude exploit kit, which then – in turn – dropped the Tepfer Trojan horse onto visiting computers.
Exploit kits like Magnitude attempt to turn vulnerabilities on computers to their advantage, exploiting security holes in the likes of Adobe Flash, Java, different internet browsers and other software – a major incentive to keep your patches up-to-date.
This doesn’t, of course, explain how the php.net website managed to become compromised in the first place. Clearly something went badly wrong if the hackers were able to inject their malicious script into the site, causing every visitor to be silently targeted by the Magnitude exploit kit.
Of course, PHP is a development language used behind-the-scenes by many millions of websites across the net. Fortunately, there is no indication that any of the code maintained on the site was compromised.
The site says it will publish a full post mortem on the security incident in the near future, probably next week, and that users should follow @official_php on Twitter for updates.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.