Hackers Compromised PHP Git Server and Pushed Two Malicious Commits

  • Hackers managed to compromise a PHP Git repo server and attempted to plant backdoors.
  • The developers caught the malicious commits and reversed them before further damage was done.
  • The contribution model will now change, and developers will have to verify as PHP members on Github.

Yesterday, open-source software developer and PHP contributor Nikita Popov posted a warning on the project’s mailing list, informing everyone about two malicious commits that were pushed to the php-src Git repository by hackers. The commits were made from the names of Nikita Popov and Rasmus Lerdorf, but the signs indicate that the actors actually compromised the git.php.net server, not the accounts of the developers. To mitigate the risk, the server that was compromised will be discontinued, and the repositories on GitHub will be upgraded from their mirror role to becoming canonical now.

The good thing is that the two commits were caught right on the day they happened, so the changes didn’t get to find their way to the main branch. Of course, the investigation on what and how exactly has happened is still underway, and all PHP repositories are being thoroughly reviewed for anything that may have been missed. People who participate as contributors or testers are urged to report anything weird they see to “security@php.net”.

Source: Github

As for what the two commits did exactly, both were supposed to be “fixing a minor typo”, but they did a lot more than that. In summary, the added lines allow arbitrary PHP code execution from within the useragent HTTP header if the string starts with ‘zerodium’. So, this is basically an attempt to plant a backdoor, which seems to have failed miserably though.

Other PHP contributors are now asking as a precautionary security measure for the future to require the signing of all commits. It is possible that this will be introduced, although it could be optional for less critical repositories like the one for documentation. Others also call for the prohibition of all direct pushes, as the risks involved in this practice far outweigh the benefits.

Finally, and according to the initial warning message, all contributors will now need to be a part of the PHP organization on GitHub and have 2FA enabled. If you’re interested in joining, send an email to “niki@php.net”.

NBA 2023 Live Stream: How to Watch Basketball Online from Anywhere
The wait is almost over, and basketball fans worldwide can finally look forward to the start of the 2023/24 NBA season. The...
How to Watch 2023 NHL Without Cable: Live Stream Hockey Games Online from Anywhere
The 2023/24 season of the National Hockey League is finally upon us, and fans are gearing up to watch the hard-hitting action...
NFL 2023 Live Stream: How to Watch Football Online from Anywhere
The 104th season of the National Football League is already underway, and we anticipate some thrilling action in the coming months. The...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari