Recently, unknown attackers inserted a backdoor into the source code hosted on the official PHP Git server. Because PHP is open-source server-side code used to build a large share of websites, the incident put sites built from the tainted code at risk of complete takeover.
Specifically, the attackers pushed two malicious commits to the php-src repository. They disguised the commits as the work of PHP creator Rasmus Lerdorf and of Nikita Popov, a well-known PHP developer and maintainer.
After the attack was detected, Popov stated in an announcement:
"We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),"
Speaking with Bleeping Computer, Popov explained that the first commit was discovered during routine post-commit code review. The changes were reverted immediately, before they could affect operations.
The code changes were first noticed by Markus Staab, Michael Voříšek, and Jake Birchall. Voříšek found the code suspicious and asked what it did.
Jake Birchall then responded:
"line executes PHP code from within the user agent HTTP header, if the string starts with ‘zerodium’."
The attackers also appear to have tried to implicate "Zerodium." However, Zerodium's CEO clarified that the zero-day broker has nothing to do with the incident.
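For defenders, the useful detail in Birchall's explanation is the trigger: the backdoored line only fires when the incoming User-Agent header starts with the string "zerodium". That makes the condition easy to hunt for in ordinary web-server access logs. The script below is an added example written for this article, not code from the PHP project or the incident itself. It parses lines in the Apache/nginx combined log format (where User-Agent is the last quoted field), flags requests whose User-Agent begins with the reported trigger prefix, and runs against a few constructed sample lines using RFC 5737 documentation addresses; the lone "zerodium" prefix is the only trigger known from the reports, and any other prefix you add to the list would be your own assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Combined Log Format (Apache/nginx default): the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Trigger prefix reported for the backdoored php-src commit. Only "zerodium" comes
# from the incident reports; anything else added here is an assumption.
TRIGGER_PREFIXES = ("zerodium",)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    user_agent: str


def is_trigger_ua(user_agent: str) -> bool:
    """True if the User-Agent starts with a known backdoor trigger prefix.

    The comparison is case-insensitive and ignores leading whitespace so a trivially
    varied header is still flagged. That is a defensive choice for hunting; the
    backdoor as described checked for the literal prefix at the start of the header.
    """
    ua = user_agent.lstrip().lower()
    return any(ua.startswith(prefix) for prefix in TRIGGER_PREFIXES)


def scan_access_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line whose User-Agent matches a trigger prefix."""
    hits: List[Hit] = []
    for line in lines:
        match = LOG_RE.match(line.rstrip("\n"))
        if not match:
            continue  # not in combined format (or malformed); skip rather than crash
        if is_trigger_ua(match["ua"]):
            hits.append(Hit(match["ip"], match["ts"], match["path"], match["ua"]))
    return hits


# Constructed sample log lines (not real traffic); the third one carries the trigger prefix.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Mar/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [29/Mar/2021:10:01:05 +0000] "GET /about.php HTTP/1.1" 200 981 "-" "curl/7.68.0"',
    '192.0.2.9 - - [29/Mar/2021:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "zerodium-probe-constructed"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {hit.ts} {hit.ip} {hit.path} UA={hit.user_agent!r}")
```

Two caveats when using a check like this: it only sees the header if the server logs User-Agent (the combined format does; the older common format does not), and a hit is only meaningful on a host that was actually built from the tainted source tree, so treat it as a confirmation step alongside verifying which php-src revision a build came from.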
As a result, the PHP project has decided to move away from its own Git infrastructure.
Popov explained:
"While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net,"
The team is tightening security. Developers who wish to contribute must now be members of the PHP organization on GitHub, and two-factor authentication has been enabled.
The PHP team is also carrying out further security audits to check for any other malicious code or commits.
Cyber attacks are growing rapidly around the world, with attackers targeting companies across many industries.
Let's keep these online attackers at bay!