PHP.net had a bad day yesterday, when its website was flagged by Google as hosting malware.
At first it was suspected that it was a false positive, but further analysis by the web scripting website found that two servers had been hacked and set up to serve malware.
According to PHP.net, its team has audited every server operated by php.net, and the servers which hosted the www.php.net, static.php.net and git.php.net domains were found to be compromised. It admitted that it was uncertain of the method by which these servers were compromised, but JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
In its update, it said: “All affected services have been migrated off those servers. We have verified that our Git repository was not compromised, and it remains in read-only mode as services are brought back up in full.
“As it’s possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to php.net sites that require SSL (including bugs.php.net and wiki.php.net) in the next few hours.”
PHP.net said that there was no evidence that the PHP code has been compromised, but the initial flag by Google was “quite delayed in showing the reason why and when they did it looked a lot like a false positive because we had some minified/obfuscated javascript being dynamically injected into userprefs.js”.
Research by Trustwave Spiderlabs found that the malware was tied to the JavaScript call on line 21 of the main index.php page, and when this page was accessed on the static.php.net server, there was a conditional injection of obfuscated JavaScript code appended to the end of the file.
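A monitoring check for the behaviour described above, as an added example that is not code from PHP.net or Trustwave: because the injection was conditional, a single fetch can look clean, so the check compares several sampled responses of a static script against a known-good copy and flags bytes appended after the original content. The file contents, fetch labels and function names are constructed for illustration.

```python
import hashlib

# Constructed stand-in for the known-good (repository) copy of a static script
BASELINE = b"function loadPrefs() {\n  return document.cookie;\n}\n"
# Constructed harmless placeholder for an injected tail (not the real payload)
TAIL = b"\n/* constructed placeholder for obfuscated injected script */"
# Constructed fetch results: (label, response body)
FETCHES = [
    ("fetch-1", BASELINE),
    ("fetch-2", BASELINE + TAIL),
    ("fetch-3", BASELINE),
    ("fetch-4", BASELINE.replace(b"cookie", b"title")),
]


def classify(baseline: bytes, served: bytes) -> dict:
    """Compare one served body with the known-good copy."""
    if hashlib.sha256(served).digest() == hashlib.sha256(baseline).digest():
        return {"status": "clean", "extra": b""}
    if served.startswith(baseline):
        # Original content is intact and extra bytes follow it
        return {"status": "appended", "extra": served[len(baseline):]}
    # Content differs somewhere inside the original body
    return {"status": "modified", "extra": b""}


def audit(baseline: bytes, fetches) -> dict:
    """Classify every sampled fetch; a conditional injection shows in only some."""
    report = {"clean": [], "appended": [], "modified": []}
    for label, body in fetches:
        result = classify(baseline, body)
        report[result["status"]].append((label, len(result["extra"])))
    return report


if __name__ == "__main__":
    for status, hits in audit(BASELINE, FETCHES).items():
        print(status, hits)
```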
The Bartblaze blog recommended performing a full scan with your installed anti-virus and with a second product, as every website can be injected with malicious JavaScript.
24 hours on, it seems that PHP.net is getting the thumbs up from Google, as its Safe Browsing page states that “This site is not currently listed as suspicious” and, of the 370 pages it inspected, zero were found to be malicious.