On Sunday, March 28, attackers gained access to the internal Git repository of the PHP programming language and added a backdoor to its source code. PHP is the most widely used server-side language on the web, estimated to be in use on 79.1% of all websites.
As explained on the PHP mailing lists, the attack inserted two malicious commits into the php-src repository. Although the root cause is still unknown and an investigation is underway, everything points to the official git.php.net server itself having been compromised.
Although the attack was detected quickly, it is a serious warning
The backdoor was first spotted by Michael Voříšek, a software engineer from the Czech Republic. Had the malicious code made it into a released version, it would have allowed attackers to execute PHP code of their choosing on servers running the backdoored build.
Some experts believe the attackers may have wanted to be discovered, or that this was the work of a bug hunter, because of the "messages" left in the code. To trigger execution of the malicious code, an attacker had to send an HTTP request to a vulnerable server with a user agent starting with the string "zerodium".
Zerodium is a well-known exploit broker that buys and sells zero-day exploits. Zerodium has stated that it had nothing to do with this, so the assumption is that whoever planted the code was not trying to be subtle, though their intentions remain unknown.
In addition, the attackers placed a message in one of the arguments of the function that executes the injected code: "REMOVETHIS: sold to zerodium, mid 2017". The intention is clearly to implicate or refer to the company, but nobody knows whether anything was sold to Zerodium in 2017, much less what.
There is a lot of guesswork in PHP discussions on Stack Overflow. Some believe it could have been a "poor attempt" at white-hat hacking, while others go as far as calling it the work of a "completely inept script kiddie".
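Because the trigger described above lives in an HTTP header, the one artifact a defender can check retroactively is the web server's access log. The following script is an added example, not code from the article or from the PHP project: it parses Apache/nginx combined-format log lines and flags any request whose user agent starts with "zerodium", reporting the text that follows the marker as the part worth reviewing (the article only says the user agent had to start with that string; treating the remainder as the attacker's payload is this example's assumption). The log lines are constructed for the example; the case-insensitive match is a defensive choice of this example, not documented behaviour of the backdoor.

```python
import re
from dataclasses import dataclass

# Apache/nginx "combined" log format; the quoted user agent is the last field.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Trigger string as described in the article: the user agent had to start with it.
TRIGGER = "zerodium"


@dataclass(frozen=True)
class Finding:
    ip: str
    time: str
    request: str
    user_agent: str
    tail: str  # text after the trigger; assumed here to be the injected PHP payload


def parse_combined(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_trigger_ua(user_agent):
    """Prefix match on the user agent. Lower-casing is this example's defensive choice."""
    return user_agent.lstrip().lower().startswith(TRIGGER)


def find_trigger_requests(lines):
    """Scan log lines and return a Finding for every request carrying the trigger."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparsable line; a production pipeline would count these
        if is_trigger_ua(rec["ua"]):
            ua = rec["ua"].lstrip()
            findings.append(
                Finding(rec["ip"], rec["time"], rec["request"], ua, ua[len(TRIGGER):])
            )
    return findings


def count_by_ip(findings):
    """Number of trigger requests per source address, useful for blocking or pivoting."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


# Constructed sample log: two benign requests, two trigger requests from one source,
# and one line that is not in combined format at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2021:10:15:32 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [28/Mar/2021:10:16:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "zerodiumecho \'probe\';"',
    '203.0.113.9 - - [28/Mar/2021:10:16:40 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.test/" "curl/7.68.0"',
    '198.51.100.23 - - [28/Mar/2021:10:17:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Zerodium phpversion();"',
    "not a log line at all",
]

if __name__ == "__main__":
    hits = find_trigger_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h.time} {h.ip} {h.request!r} payload={h.tail!r}")
    print("per source:", count_by_ip(hits))
```

Run it against a real log with `find_trigger_requests(open("/var/log/nginx/access.log"))`; a single hit from a host that never reached a backdoored build is still worth noting, because it shows someone probing for it.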
PHP moves to GitHub
While the investigation continues and a more thorough review of the PHP source code is carried out, the project has decided that maintaining its own Git infrastructure is an unnecessary security risk, and the git.php.net server is therefore being discontinued.
From now on, the GitHub repositories that were previously only mirrors become the canonical ones, so changes must be pushed directly to GitHub instead of git.php.net.
The malicious commits were pushed under the names of two PHP core team members, Rasmus Lerdorf and Nikita Popov, both of whom have stated that they were not involved. Moreover, the team uses two-factor authentication on their accounts, which is why they believe the problem was a compromise of the git.php.net server itself rather than of any individual account.
The incident was quickly resolved, and in practice it would have affected only a small portion of PHP servers anyway, since most take a long time to update to the latest version.
This points to another problem that has plagued the web for a long time: a huge percentage of websites run a version of PHP that is no longer supported. Although this has improved in recent years, almost 40% of all websites that use PHP still run an old, unsupported version.