
PHP.net used to distribute malware

peterw

New Member
PHP.net was used to distribute malware.

Code:
We are continuing to work through the repercussions of the php.net malware issue described in a news post earlier today. As part of this, the php.net systems team have audited every server operated by php.net, and have found that two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net. The method by which these servers were compromised is unknown at this time.

All affected services have been migrated off those servers. We have verified that our Git repository was not compromised, and it remains in read only mode as services are brought back up in full.

As it's possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to php.net sites that require SSL (including bugs.php.net and wiki.php.net) in the next few hours.

To summarise, the situation right now is that:

- JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
- Neither the source tarball downloads nor the Git repository were modified or compromised.
- Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
- SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
 

wlanboy

Content Contributer
Neither the source tarball downloads nor the Git repository were modified or compromised.
That would be a killer.

But good to know that this was webserver only.
 

LiamCyrus

Member
Verified Provider
What does it say about a language when its own developers can't even keep it secure?

Not much, but that won't stop ignorant people from using this as another reason to hate on the actual PHP language itself. IIRC, the exploit pack that the hackers used only affected ancient browsers anyway, so it's a blessing that nothing more malicious occurred.
 

GIANT_CRAB

New Member
What does it say about a language when its own developers can't even keep it secure?

Not much, but that won't stop ignorant people from using this as another reason to hate on the actual PHP language itself. IIRC, the exploit pack that the hackers used only affected ancient browsers anyway, so it's a blessing that nothing more malicious occurred.
Securing a server has absolutely nothing to do with PHP's security.

If you're a developer for the PHP team, that doesn't necessarily mean you're dealing with the server security.

It's most likely the SysAdmin that is dealing with the server security and not the PHP developers.

Nevertheless, PHP isn't a god-tier language.

However, every programming language has its advantages and flaws, you can't just go around saying "LOL PHP IS BULLSHIT AND USELESS" and "LOL VB IS FOR RETARDS".

I'm pretty sure even VB has its own advantages too.
 

LiamCyrus

Member
Verified Provider
Securing a server has absolutely nothing to do with PHP's security.

If you're a developer for the PHP team, that doesn't necessarily mean you're dealing with the server security.

It's most likely the SysAdmin that is dealing with the server security and not the PHP developers.

Nevertheless, PHP isn't a god-tier language.

However, every programming language has its advantages and flaws, you can't just go around saying "LOL PHP IS BULLSHIT AND USELESS" and "LOL VB IS FOR RETARDS".

I'm pretty sure even VB has its own advantages too.
That's exactly what I was getting at. People will misunderstand this as the language being at fault here, when in reality it's just poor coding (I'm assuming the vuln. was in their code).
 

GIANT_CRAB

New Member
That's exactly what I was getting at. People will misunderstand this as the language being at fault here, when in reality it's just poor coding (I'm assuming the vuln. was in their code).
The method by which these servers were compromised is unknown at this time.

It could be their servers were hacked or these hackers injected the JS code or something else.

Can't assume anything yet.
 

drmike

100% Tier-1 Gogent
PHP and a vulnerability. Ho hum, another year online.

Wait, this time they are delivering it directly to users/customers.

Hey, I expect better. PHP is kind of the utility layer for web programming. So prevalent.

Lucky someone noticed in such a short time. Probably overly diligent user. Thank god for ADD scab picking fidgety dorks without girlfriends.
 