The passwords of contributors have been reset and services have been migrated

Oct 25, 2013 06:47 GMT

On Thursday, we reported that Google started flagging php.net, the official website of the PHP scripting language, as hosting suspicious content. After analyzing the incident, The PHP Group has determined that two of their servers had been hacked and set up to serve malware.

According to The PHP Group’s own analysis, the hackers compromised the server that hosts php.net, git.php.net, and static.php.net, and the one that hosts bugs.php.net.

Services have been migrated to new, secure servers. In addition, since the attackers may have accessed the private key for the php.net SSL certificate, the certificate has been revoked.

PHP users are not affected by the breach. However, the passwords of individuals committing code to svn.php.net and git.php.net have been reset.

PHP developers are confident that their Git repository has not been impacted. Currently, it’s unknown how the cybercriminals managed to hack the PHP servers.

It appears that a piece of JavaScript malware was served between October 22 and October 24. However, The PHP Group says that only a small percentage of php.net users are impacted.

What’s interesting about this incident is the fact that, initially, The PHP Group was almost certain that Google’s warning was a false positive.

Additional details on this incident will be made available most likely next week.

Security researchers from Trustwave, Panda Security, Avast, Barracuda Networks and other companies have analyzed the attack. Kaspersky’s Fabio Assolini has identified a malicious iframe pointing to the Magnitude Exploit Kit that had been set up to serve the Tepfer Trojan, a piece of ransomware that’s designed to encrypt files.

Panda’s Bart Blaze has also analyzed some of the payloads served in this attack. In addition to ransomware, he identified versions of Fareit, ZeroAccess and ZeuS.