Official PHP website confirms server compromise


Warwick Ashford

The official website for the PHP scripting language, which is widely used for web development, has revealed that hackers compromised two servers operated by php.net.

How the servers were compromised and then used to host malicious code that installed malware on visitors’ computers is still unknown, according to a statement posted on the website.


The update comes after it emerged that JavaScript malware was served to php.net users from 22 to 24 October 2013.

But php.net claimed only a “small percentage” of users were affected and emphasised that users of PHP are unaffected. There is no indication that any of the code maintained on the site was compromised, said php.net.

“This is solely for people committing code to projects hosted on svn.php.net or git.php.net,” it said.

All affected services have been migrated to secure servers, and a new php.net secure sockets layer (SSL) certificate has been issued as a precautionary measure, making php.net websites temporarily unavailable.

“All php.net user passwords have also been reset, but neither the source tarball downloads nor the Git repository were modified or compromised,” php.net confirmed.

The compromise was discovered by Google's safe browsing service, which helps the Chrome, Firefox, and Safari browsers automatically block sites that serve drive-by exploits.

Traces of the malicious JavaScript code served to some php.net visitors were captured and posted online by Hacker News.

Kaspersky security researcher Fabio Assolini confirmed the infection, saying that hackers had managed to inject a malicious iFrame into the php.net website, pointing to the Magnitude exploit kit, which then – in turn – dropped the Tepfer Trojan horse onto visiting computers.

Independent security analyst Graham Cluley said exploit kits such as Magnitude attempt to turn vulnerabilities on computers to their advantage, exploiting security holes in the likes of Adobe Flash, Java, different internet browsers and other software.

“This doesn’t, of course, explain how the php.net website managed to become compromised in the first place,” Cluley wrote in a blog post.

“Clearly something went badly wrong if the hackers were able to inject their malicious script into the site, causing every visitor to be silently targeted by the Magnitude exploit kit.”

