Menu
PHP.net compromised and used to attack visitors

PHP.net compromised and used to attack visitors

Attackers injected malicious JavaScript code into the site, redirecting some visitors' browsers to Flash exploits

Visitors to the official website for the PHP programming language over the past couple of days might have had their computers infected with malware.

Hackers managed to inject malicious JavaScript code into a file on the php.net site called userprefs.js. The code made requests to a third-party website that scanned visitors' browsers for vulnerable plug-ins and executed exploits that, if successful, installed a piece of malware, said Daniel Peck, a research scientist at Barracuda Networks.

One of Barracuda's research tools detected and captured attack traffic from php.net late Tuesday evening, according to Peck.

The exploits served during the attack came in the form of malicious SWF files, so they most likely targeted vulnerabilities in Adobe Flash Player. However, Barracuda's researchers are still conducting their analysis and haven't identified yet exactly which vulnerabilities were targeted, Peck said.

It's also not clear what the program installed by the exploits does or if it's part of a known malware family. The only thing Peck could say about it is that it tries to connect to around three dozen different command-and-control servers around the world and successfully establishes communication with four of them.

The php.net site was blacklisted early Thursday by Google Safe Browsing, a service used by Google Search, Google Chrome and Mozilla Firefox to prevent users from visiting malicious websites. As a result, Chrome and Firefox users who tried to access php.net over the course of several hours Thursday were warned that the site contained malware.

The PHP Group, which maintains the php.net website and the PHP distribution packages, initially thought the warning was the result of a Google Safe Browsing detection error. "It appears Google has found a false positive and marked all of http://php.net as suspicious," Rasmus Lerdorf, the creator of PHP, said on Twitter.

But a more in-depth investigation revealed that the userprefs.js file had been modified repeatedly as a result of an intrusion, the PHP Group said in a message on php.net. "We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers," the group said, adding that there's no evidence of the compromise extending to the PHP distribution files.

Barracuda Networks released a packet capture file that includes the exploits and malware distributed during the attack so that other researchers can also analyze them.

It's not clear if the attackers targeted php.net because of its large number of visitors or because most of those visitors are developers. The Amazon-owned website analytics company Alexa ranks php.net as the 228th-most-visited site in the world.

PHP developers can be valuable targets for attackers because their computers usually contain intellectual property like source code and other sensitive information, including log-in credentials for websites they maintain. Many developers are also likely to visit php.net from company-issued computers, and compromising those computers could allow attackers to access corporate networks.

The number of users affected by the attack was likely limited by the fact that the rogue code added to userprefs.js was periodically removed by an existing synchronization process that restored the file to its original state.

"Not much to say about the effect on end users who visited the site during that time because the windows where the changed file was actually being served were really small and our focus has been on establishing the integrity of the PHP source code we distribute," Lerdorf said via email. "But yes, if someone got redirected to a strange place when visiting php.net they should take normal anti-virus precautions."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwarespywareintrusionExploits / vulnerabilitiesBarracuda NetworksThe PHP Group

Featured

Slideshows

Reseller News Platinum Club celebrates leading partners in 2019

Reseller News Platinum Club celebrates leading partners in 2019

The leading players of the New Zealand channel came together to celebrate a year of achievement at the annual Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months.

Reseller News Platinum Club celebrates leading partners in 2019
Reseller News hosts alumnae breakfast for Women in ICT Awards

Reseller News hosts alumnae breakfast for Women in ICT Awards

Reseller News hosted its second annual alumnae breakfast for the Women in ICT Awards in New Zealand, designed to showcase the leading female leaders in the industry. Held at The Cordis in Auckland, attendees came together to hear inspiring keynotes and panel discussions, alongside high-level networking among peers. Photos by Gino Demeer.

Reseller News hosts alumnae breakfast for Women in ICT Awards
Reseller News Innovation Awards 2019: meet the winners

Reseller News Innovation Awards 2019: meet the winners

Reseller News honoured the standout players of the New Zealand channel in front of more than 480 technology leaders in Auckland on 23 October, recognising the achievements of top partners, emerging entrants and innovative start-ups.

Reseller News Innovation Awards 2019: meet the winners
Show Comments