PHP: This site may Harm Your Computer

October 24, 2013

Some time yesterday, Google’s Safe Browsing service detected malware on PHP’s main site, php.net. As a result, if you visit it right now in a browser that uses Google’s Safe Browsing list, such as Chrome or Firefox, you get a warning page, and in Google search results the site carries the ‘This site may harm your computer’ label.

I use PHP a great deal and think that much of the dislike people have for the language is misplaced, but I do see the humor in that warning showing up when you search for ‘php.’

Were PHP’s Servers Compromised?

Rasmus, as well as a few others involved with PHP, has stated on Twitter and in a Google Groups thread that the file in question, ‘userprefs.js,’ was not compromised. In a tweet from this morning, Rasmus said ‘They [Google] point to a js code injection which was deliberate.’

However, in the same Google Groups thread, someone from Google indicated that the userprefs.js file had changed, and on YCombinator someone found a version of the file in their cache that contained what appeared to be an obfuscated JavaScript payload. The same Google employee later posted on the YCombinator thread, stating quite clearly that it was not a false positive and that the obfuscated version was similar to what they had found.

I checked a number of PHP mirrors, and while I did find two different versions of userprefs.js, neither was the obfuscated version.
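Checking a file across mirrors, as done above, amounts to hashing each copy and looking for mirrors that disagree with the rest, or with a known-good reference. The script below is an added example written for this post, not code from php.net or from the author; the mirror names and file contents are constructed stand-ins, and a real run would replace `MIRROR_COPIES` with bytes fetched from each mirror.

```python
import hashlib
from collections import defaultdict

# Constructed sample: what a fetcher might return for /userprefs.js from
# several mirrors. Hostnames and contents are made up for illustration and
# are not the real php.net file or real mirrors.
MIRROR_COPIES = {
    "mirror-a.example": b"function setPref(k, v) { document.cookie = k + '=' + v; }\n",
    "mirror-b.example": b"function setPref(k, v) { document.cookie = k + '=' + v; }\n",
    "mirror-c.example": b"function setPref(k, v) { document.cookie = k + '=' + v + ';path=/'; }\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file body; the unit of comparison between mirrors."""
    return hashlib.sha256(data).hexdigest()


def group_by_digest(copies):
    """Map each distinct digest to the sorted list of mirrors that served it."""
    groups = defaultdict(list)
    for mirror in sorted(copies):
        groups[sha256_hex(copies[mirror])].append(mirror)
    return dict(groups)


def consensus_and_outliers(copies):
    """Return (majority_digest, {outlier_mirror: digest}).

    The majority digest is the one served by the most mirrors; ties are
    broken on the digest string so the result is deterministic.
    """
    groups = group_by_digest(copies)
    majority = max(groups, key=lambda d: (len(groups[d]), d))
    outliers = {m: d for d, ms in groups.items() if d != majority for m in ms}
    return majority, outliers


def mismatches_against_reference(copies, reference: bytes):
    """Mirrors whose copy differs from a trusted reference (e.g. the file as
    committed in version control). Unlike majority voting, this still catches
    the case where every mirror synced the same bad copy from the origin."""
    ref_digest = sha256_hex(reference)
    return sorted(m for m, body in copies.items() if sha256_hex(body) != ref_digest)


def report(copies, reference=None):
    """Human-readable summary lines for the two checks above."""
    majority, outliers = consensus_and_outliers(copies)
    lines = [f"majority digest: {majority} ({len(copies) - len(outliers)}/{len(copies)} mirrors)"]
    for mirror, digest in sorted(outliers.items()):
        lines.append(f"DIVERGENT {mirror}: {digest}")
    if reference is not None:
        for mirror in mismatches_against_reference(copies, reference):
            lines.append(f"DIFFERS FROM REFERENCE {mirror}")
    return lines


if __name__ == "__main__":
    for line in report(MIRROR_COPIES, reference=MIRROR_COPIES["mirror-a.example"]):
        print(line)
```

Majority agreement among mirrors is only weak evidence: if the mirrors all rsync from the same compromised origin, they will agree with each other and with the bad copy, which is why the reference check against a copy from version control is the one that matters.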

I will update this post with more details as they become available.

Update 2013-10-24 13:00: As of now, the warning message is no longer appearing in Google search, and visiting the site doesn’t result in a warning, so it appears that php.net has been removed from the Safe Browsing list. I haven’t seen an update from Rasmus or others with any more details yet.

Update 2013-10-24 17:00: An update has been posted to PHP’s News Section that confirms they were compromised. They state that an rsync job was reverting changes being made to userprefs.js, presumably because the local server was compromised. An initial code review has been performed and they don’t think the PHP source was compromised, but they are working on a more thorough review and post mortem.

Update 2013-10-26: Another update has been posted to PHP’s main website. They state that two servers were compromised, likely between 10/22/2013 and 10/24/2013, and that during this time they served JavaScript malware. The servers hosted php.net, static.php.net, git.php.net, and bugs.php.net, but they do not think the PHP source or any of the downloads were compromised. They have reset their SSL certificate, migrated to new servers, and are looking into the cause of the issue.
