Earlier today Google’s stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site, etc. Interestingly enough, the Google diagnostic page now seems to say otherwise and there seems to be some controversy and disbelief that a site like php.net could be doing this, and as we have a capture of it we thought we’d share to remove all doubt.
A Google employee posted to Hacker News about the situation, suggesting that this was no false alarm. Pierrefar wrote:
I work at Google and was the one who posted on our forums about this.
What our systems found was definitely a compromised JS file, and others on this thread have posted something similar to what we saw. This is not a false positive.
The Google Groups discussion in question about the detection of malware went into some detail about how to deal with this sort of situation, including that the infection appears to have cleared up fairly quickly, though probably not quickly enough; it likely led to a lot of secondary infections of vulnerable browsers visiting the site.
Currently, a great deal of speculation is going around about how PHP.net became compromised. Developers often form into cliques that surround “language-wars” when it comes to instability, incompatibility, or even security issues related to particular implementations of different languages. Thus a certain amount of anti-PHP sentiment has surfaced. Yet, without word from the administrators of PHP.net themselves and a postmortem of the infection, it will all be hot air.
Current status of PHP.net
The postmortem so far seems to have some interesting developments, including that the malware appears to have been tied to a file that had been modified locally but then clobbered by an rsync cron job. As a result, the malware could only hit visitors during particular windows (after alteration, before clobber). It also made the problem difficult for administrators to detect if they looked while the file was clobbered.
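One way to catch the condition the postmortem describes, shown as an added example that is not code from PHP.net or from this article: if the sync job logs `rsync --itemize-changes` output and a hash manifest of the source tree is recorded at each run, any file rsync re-sends while its source hash is unchanged must have been altered on the destination since the previous run. The `runs` record layout, file paths, hashes and times below are assumptions constructed for illustration.

```python
import re

# rsync --itemize-changes line: 11-character change string, a space, the path.
ITEM = re.compile(r"^([<>ch.*])([fdLDS])(\S{9}) (.+)$")

def transferred_files(itemized_log):
    """Yield (path, flags) for existing regular files whose content rsync re-sent."""
    for line in itemized_log.splitlines():
        m = ITEM.match(line.rstrip())
        if not m:
            continue
        direction, kind, flags, path = m.groups()
        # '<' or '>' means a transfer; '+++++++++' marks a newly created file.
        if direction in "<>" and kind == "f" and not flags.startswith("+"):
            yield path, flags

def find_clobbered_edits(runs):
    """Flag files rsync overwrote although the source hash had not changed since
    the previous run: the destination copy was altered between the two runs.
    Caveat: rsync's default quick check compares size and mtime only, so an
    edit that preserves both is seen only when the job uses --checksum."""
    findings, previous = [], {}
    for run in runs:  # runs must be in chronological order
        for path, flags in transferred_files(run["log"]):
            current = run["source_hashes"].get(path)
            if current is not None and previous.get(path) == current:
                findings.append((run["time"], path, flags))
        previous = run["source_hashes"]
    return findings

# Constructed sample data: paths, hashes and times are illustrative only.
RUNS = [
    {"time": "10:00", "source_hashes": {"js/site.js": "a1", "index.php": "b1"},
     "log": ">f+++++++++ js/site.js\n>f+++++++++ index.php"},
    {"time": "11:00", "source_hashes": {"js/site.js": "a1", "index.php": "b1"},
     "log": ">f.st...... js/site.js"},   # source unchanged, yet re-sent
    {"time": "12:00", "source_hashes": {"js/site.js": "a1", "index.php": "b2"},
     "log": ">f.st...... index.php"},    # legitimate deploy
    {"time": "13:00", "source_hashes": {"js/site.js": "a1", "index.php": "b2"},
     "log": ""},
]

if __name__ == "__main__":
    for when, path, flags in find_clobbered_edits(RUNS):
        print(f"{when}: {path} was overwritten ({flags}) with no source change")
```

Because the clobber itself is the only trace left after each sync, alerting on these log entries surfaces a modification that a point-in-time inspection of the file would miss.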
If this story gets any more interesting, we will be sure to revisit it.