Official PHP website confirms server compromise

The official website for the PHP scripting language has confirmed that hackers compromised two of its servers

The official website for the PHP scripting language widely used for web development has revealed that hackers compromised two servers operated by

The method used to compromise the servers and use them to host malicious code to install malware on visitors’ computers is still unknown, according to a statement posted on the website.

The update comes after it emerged that JavaScript malware was served to users from 22 to 24 October 2013.

But claimed only a “small percentage” of users were affected and emphasises that users of PHP are unaffected. There is no indication that any of the code maintained on the site was compromised, said

“This is solely for people committing code to projects hosted on or,” it said.

All affected services have been migrated to secure servers, and a new secure sockets layer (SSL) certificate has been issued as a precautionary measure, making websites temporarily unavailable.

“All user passwords have also been reset, but neither the source tarball downloads nor the Git repository were modified or compromised,” confirmed.

The compromise was discovered by Google's safe browsing service, which helps the Chrome, Firefox, and Safari browsers automatically block sites that serve drive-by exploits.

Traces of the malicious JavaScript code served to some visitors were captured and posted online by Hacker News.

Kaspersky security researcher Fabio Assolini confirmed the infection, saying that hackers had managed to inject a malicious iFrame into the website, pointing to the Magnitude exploit kit, which then – in turn – dropped the Tepfer Trojan horse onto visiting computers.

Independent security analyst Graham Cluley said exploit kits such as Magnitude attempt to turn vulnerabilities on computers to their advantage, exploiting security holes in the likes of Adobe Flash, Java, different internet browsers and other software.

“This doesn’t, of course, explain how the website managed to become compromised in the first place,” Cluley wrote in a blog post.

“Clearly something went badly wrong if the hackers were able to inject their malicious script into the site, causing every visitor to be silently targeted by the Magnitude exploit kit.”


