PHP.net compromised and used to attack visitors
Visitors to the official website for the PHP programming language over the past couple of days might have had their computers infected with malware.
One of Barracuda’s research tools detected and captured attack traffic from php.net late Tuesday evening, according to Peck.
The exploits served during the attack came in the form of malicious SWF files, so they most likely targeted vulnerabilities in Adobe Flash Player. However, Barracuda’s researchers are still conducting their analysis and haven’t identified yet exactly which vulnerabilities were targeted, Peck said.
It’s also not clear what the program installed by the exploits does or if it’s part of a known malware family. The only thing Peck could say about it is that it tries to connect to around three dozen different command-and-control servers around the world and successfully establishes communication with four of them.
The php.net site was blacklisted early Thursday by Google Safe Browsing, a service used by Google Search, Google Chrome and Mozilla Firefox to prevent users from visiting malicious websites. As a result, Chrome and Firefox users who tried to access php.net over the course of several hours Thursday were warned that the site contained malware.
The PHP Group, which maintains the php.net website and the PHP distribution packages, initially thought the warning was the result of a Google Safe Browsing detection error. “It appears Google has found a false positive and marked all of http://php.net as suspicious,” Rasmus Lerdorf, the creator of PHP, said on Twitter.
But a more in-depth investigation revealed that the userprefs.js file had been modified repeatedly as a result of an intrusion, the PHP Group said in a message on php.net. “We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers,” the group said, adding that there’s no evidence of the compromise extending to the PHP distribution files.
Barracuda Networks released a packet capture file that includes the exploits and malware distributed during the attack so that other researchers can also analyze them.
It’s not clear if the attackers targeted php.net because of its large number of visitors or because most of those visitors are developers. The Amazon-owned website analytics company Alexa ranks php.net as the 228th-most-visited site in the world.
PHP developers can be valuable targets for attackers because their computers usually contain intellectual property like source code and other sensitive information, including log-in credentials for websites they maintain. Many developers are also likely to visit php.net from company-issued computers, and compromising those computers could allow attackers to access corporate networks.
The number of users affected by the attack was likely limited by the fact that the rogue code added to userprefs.js was periodically removed by an existing synchronization process that restored the file to its original state.
“Not much to say about the effect on end users who visited the site during that time because the windows where the changed file was actually being served were really small and our focus has been on establishing the integrity of the PHP source code we distribute,” Lerdorf said via email. “But yes, if someone got redirected to a strange place when visiting php.net they should take normal anti-virus precautions.”