The official website for the PHP scripting language, which is widely used for web development, has revealed that hackers compromised two servers operated by php.net.
How the attackers compromised the servers and used them to host malicious code that installed malware on visitors’ computers is still unknown, according to a statement posted on the website.
But php.net claimed only a “small percentage” of users were affected and emphasised that users of PHP are unaffected. There is no indication that any of the code maintained on the site was compromised, said php.net.
“This is solely for people committing code to projects hosted on svn.php.net or git.php.net,” it said.
All affected services have been migrated to secure servers, and a new php.net secure sockets layer (SSL) certificate has been issued as a precautionary measure, making php.net websites temporarily unavailable.
The compromise was discovered by Google's Safe Browsing service, which helps the Chrome, Firefox, and Safari browsers automatically block sites that serve drive-by exploits.
Kaspersky security researcher Fabio Assolini confirmed the infection, saying that hackers had managed to inject a malicious iFrame into the php.net website, pointing to the Magnitude exploit kit, which then – in turn – dropped the Tepfer Trojan horse onto visiting computers.
Independent security analyst Graham Cluley said exploit kits such as Magnitude attempt to turn vulnerabilities on computers to their advantage, exploiting security holes in the likes of Adobe Flash, Java, different internet browsers and other software.
“This doesn’t, of course, explain how the php.net website managed to become compromised in the first place,” Cluley wrote in a blog post.
“Clearly something went badly wrong if the hackers were able to inject their malicious script into the site, causing every visitor to be silently targeted by the Magnitude exploit kit.”