PHP.net compromised and used to attack visitors

Attackers injected malicious JavaScript code into the site, redirecting some visitors' browsers to Flash exploits

Visitors to the official website for the PHP programming language over the past couple of days might have had their computers infected with malware.

Hackers managed to inject malicious JavaScript code into a file on the php.net site called userprefs.js. The code made requests to a third-party website that scanned visitors' browsers for vulnerable plug-ins and executed exploits that, if successful, installed a piece of malware, said Daniel Peck, a research scientist at Barracuda Networks.

One of Barracuda's research tools detected and captured attack traffic from php.net late Tuesday evening, according to Peck.

The exploits served during the attack came in the form of malicious SWF files, so they most likely targeted vulnerabilities in Adobe Flash Player. However, Barracuda's researchers are still conducting their analysis and haven't identified yet exactly which vulnerabilities were targeted, Peck said.

It's also not clear what the program installed by the exploits does or if it's part of a known malware family. The only thing Peck could say about it is that it tries to connect to around three dozen different command-and-control servers around the world and successfully establishes communication with four of them.

The php.net site was blacklisted early Thursday by Google Safe Browsing, a service used by Google Search, Google Chrome and Mozilla Firefox to prevent users from visiting malicious websites. As a result, Chrome and Firefox users who tried to access php.net over the course of several hours Thursday were warned that the site contained malware.

The PHP Group, which maintains the php.net website and the PHP distribution packages, initially thought the warning was the result of a Google Safe Browsing detection error. "It appears Google has found a false positive and marked all of http://php.net as suspicious," Rasmus Lerdorf, the creator of PHP, said on Twitter.

But a more in-depth investigation revealed that the userprefs.js file had been modified repeatedly as a result of an intrusion, the PHP Group said in a message on php.net. "We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers," the group said, adding that there's no evidence of the compromise extending to the PHP distribution files.

Barracuda Networks released a packet capture file that includes the exploits and malware distributed during the attack so that other researchers can also analyze them.

It's not clear if the attackers targeted php.net because of its large number of visitors or because most of those visitors are developers. The Amazon-owned website analytics company Alexa ranks php.net as the 228th-most-visited site in the world.

PHP developers can be valuable targets for attackers because their computers usually contain intellectual property like source code and other sensitive information, including log-in credentials for websites they maintain. Many developers are also likely to visit php.net from company-issued computers, and compromising those computers could allow attackers to access corporate networks.

The number of users affected by the attack was likely limited by the fact that the rogue code added to userprefs.js was periodically removed by an existing synchronization process that restored the file to its original state.

"Not much to say about the effect on end users who visited the site during that time because the windows where the changed file was actually being served were really small and our focus has been on establishing the integrity of the PHP source code we distribute," Lerdorf said via email. "But yes, if someone got redirected to a strange place when visiting php.net they should take normal anti-virus precautions."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwarespywareintrusionExploits / vulnerabilitiesBarracuda NetworksThe PHP Group

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?