UPDATED 16:41 EDT / OCTOBER 24 2013

PHP.net Compromised, Caught Potentially Spreading Malware

For a short time today, it appears that something compromised the PHP.net web pages and altered some of the JavaScript they serve in order to spread malware. Earlier today, Barracuda Labs quickly published a blog post investigating the hits and speculating about what had happened.

Earlier today Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. Interestingly, the Google diagnostic page now seems to say otherwise, and there is some controversy and disbelief that a site like php.net could be doing this; as we have a capture of it, we thought we'd share it to remove all doubt.

The first notice that something had gone wrong was that Google Chrome and other browsers using the Safe Browsing system began to emit alarms (not StopBadware, which receives information from Google and runs a campaign to address the problem of malware). Today the diagnostic page reported at least 3 Trojans and noted that it had seen similar software across other websites; this isn't common for JavaScript malware, which may pull bits of itself from other websites to work more swiftly.

A Google employee posted to Hacker News about the situation, suggesting that this was no false alarm. Pierrefar wrote:

I work at Google and was the one who posted on our forums about this.

What our systems found was definitely a compromised JS file, and others on this thread have posted something similar to what we saw. This is not a false positive.

The Google Groups discussion about the detection went into some detail about how to deal with this sort of situation, including that the infection appears to have cleared up fairly quickly, though probably not quickly enough, and likely led to a lot of secondary infections of vulnerable browsers visiting the site.

Currently, a great deal of speculation is going around about how PHP.net became compromised. Developers often form cliques around "language wars" when it comes to instability, incompatibility, or even security issues related to particular implementations of different languages, so a certain amount of anti-PHP sentiment has surfaced. Yet without word from the administrators of PHP.net themselves and a postmortem of the infection, it is all hot air.

Current status of PHP.net

In response to the malware problem, PHP.net migrated the servers that hosted the affected JavaScript to clean servers, removing the issue.

The postmortem so far has some interesting developments, including that the malware appears to have been tied to a file that had been modified locally but was then clobbered by an rsync cron job. As a result, the malware could only hit visitors during particular windows (after the alteration and before the clobber). This also made it difficult for administrators to detect the problem if they looked while the file was clobbered.
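To illustrate why the rsync clobbering described above hides tampering from a one-off inspection, here is an added example (written for this article, not code from php.net or its administrators; the file contents, timestamps and function names are constructed). It hashes periodic fetches of the served file against the rsync-source copy and reports the windows in which the two differed, which a single check made right after a sync would miss.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Sample:
    ts: int          # seconds since some epoch (constructed values below)
    content: bytes   # bytes as fetched from the served JavaScript file

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the JS file as it exists at the rsync source.
CANONICAL_JS = b"function ready(fn){document.addEventListener('DOMContentLoaded',fn);}\n"
# Constructed stand-in for a locally modified copy; the marker is a neutral
# placeholder, not anything observed in the real incident.
TAMPERED_JS = CANONICAL_JS + b"/* unexpected appended content */\n"

# Constructed poll history: modified by 600s, clobbered by the periodic sync
# at 1800s, modified again at 2400s, clobbered again at 3000s.
SAMPLES = [
    Sample(0, CANONICAL_JS), Sample(600, TAMPERED_JS), Sample(1200, TAMPERED_JS),
    Sample(1800, CANONICAL_JS), Sample(2400, TAMPERED_JS), Sample(3000, CANONICAL_JS),
]

def find_tamper_windows(canonical: bytes, samples: List[Sample]) -> List[Tuple[int, Optional[int]]]:
    """Return [(first_bad_ts, first_good_ts_after)] for every run of samples whose
    hash differs from the canonical file; None as the end means still tampered."""
    good = digest(canonical)
    windows, start = [], None
    for s in sorted(samples, key=lambda x: x.ts):
        if digest(s.content) != good:
            if start is None:
                start = s.ts
        elif start is not None:
            windows.append((start, s.ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows

def spot_check_matches(canonical: bytes, samples: List[Sample], ts: int) -> bool:
    """What a single manual look at time `ts` concludes: True means 'file is clean'."""
    sample = next(s for s in samples if s.ts == ts)
    return digest(sample.content) == digest(canonical)

if __name__ == "__main__":
    print("tamper windows:", find_tamper_windows(CANONICAL_JS, SAMPLES))
    print("one-off check right after a sync says clean:", spot_check_matches(CANONICAL_JS, SAMPLES, 1800))
```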

If this story gets any more interesting, we will be sure to revisit it.

[Editor's note: Article changed slightly to mention that the JavaScript servers have been moved to clean servers, not that the site was put on static pages. There was confusion over static.php.net being the server name where JS is stored, not a static page server.]
