PHP.net confirms server breach after Google flags them for malware

Hours after Google’s Safe Browsing initiative flagged the website for malware, PHP.net confirmed that two of their servers were compromised and used to attack visitors. However, the administrators are still not sure how the attackers accessed the servers.

[PHP.net flagged for malware by Google, researchers confirm it was no false positive]

The admission follows a lengthy debate over whether or not Google incorrectly flagged the domain, and after several people connected to PHP.net said they could find nothing malicious about the file in question, a JavaScript that was determined to have been altered in order to embed malicious iFrames.

According to Google’s initial report on Thursday, there were only four pages on PHP.net serving the malicious JavaScript file (userprefs.js), which was modified with seemingly selective obfuscated code that targeted desktop users, but ignored those on mobile devices. However, the stance that Google was wrong in their assessments has since changed:

“… the php.net systems team have audited every server operated by php.net, and have found that two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net. The method by which these servers were compromised is unknown at this time,” a status update on PHP.net explained.

Further, the SSL certificate used on PHP.net was revoked out of caution, and a new one was assigned a short time after. All affected services on the two compromised servers have been migrated, and it has been confirmed that the Git repository was not compromised.

Long before the admission of a breach, security experts were certain that Google’s flag was no false positive. Barracuda Labs released a pcap (packet capture) file, showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini, from Kaspersky Labs, reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit, and it was attempting to drop an information-stealing Trojan called Tepfer.

Additional research from Trustwave’s Spider Labs confirmed the Shockwave (Flash) exploit attempt, but they also discovered that the script was targeting CVE-2013-2551, an Internet Explorer flaw discovered by exploit clearinghouse VUPEN during this year’s Pwn2Own competition at CanSecWest.

[Poor design fosters hacker attacks of websites running PHP]

It’s unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22, until it was discovered and removed on October 24. The attack window is small, but PHP.net is in the top 250 domains on the Internet, according to Alexa rankings, so the pool of potential victims is massive.

PHP.net user accounts will have their passwords reset over the next few days, if the account is used to commit code to any projects. A full post-mortem of the incident is expected sometime next week.