Backdoor Pushed in PHP Git Repository Following Server Hack
So Far, It Is Unknown Who the Attacker Was or How They Published the Commits Since They Were Uploaded Under Legitimate Maintainers’ Names.
On March 28th, the server used to distribute the PHP programming language's source code was compromised, and a backdoor enabling remote code execution (RCE) was pushed. According to PHP developers Rasmus Lerdorf and Nikita Popov, the attacker added the backdoor to the source code, which would have made websites running it vulnerable to complete takeover.
Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).
According to a Web Technology Surveys study, PHP is used by almost 80% of websites, including all WordPress sites.
The hack was discovered on Sunday night by developers Markus Staab, Jake Birchall, and Michael Voříšek as they investigated a commit made the day before. The update, which was presented as a typo fix, was made under Lerdorf's name. Shortly after the first discovery, Voříšek spotted the second malicious commit, which was made under Popov's account name. It purported to revert the previous typo fix while pushing backdoor code.
Following the compromise, Popov said that PHP maintainers judged their standalone Git infrastructure to be an unnecessary security risk. They will therefore discontinue the git.php.net server and make GitHub the official source for PHP repositories. From now on, all PHP source code changes will be made directly on GitHub rather than on git.php.net.
While previously write access to repositories was handled through our home-grown karma system, you will now need to be part of the php organization on GitHub. If you are not part of the organization yet, or don’t have access to a repository you should have access to, contact me at firstname.lastname@example.org with your php.net and GitHub account names, as well as the permissions you’re currently missing. Membership in the organization requires 2FA to be enabled.
The two commits added a code-injection capability that could be triggered by any visitor sending an HTTP header containing the word "zerodium". Zerodium is a US company known for buying and selling zero-day exploits. This has sparked conversation online, as it is still unknown who is responsible for the attack.
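As an added illustration, not code from the article or from the PHP project, here is a small defender-side check that flags incoming requests whose headers carry the reported trigger string; the case-insensitive match and the sample requests are my own assumptions, constructed for the example.

```python
from typing import Dict, List, Tuple

# Trigger string reported for the malicious php-src commits (from the article).
TRIGGER = "zerodium"


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into {name: value}.

    Header names are lower-cased; the request line and body are ignored.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_trigger_headers(raw_request: str) -> List[str]:
    """Return names of headers whose value contains the trigger string.

    Assumption: match case-insensitively so that 'Zerodium' is not missed.
    """
    return sorted(
        name for name, value in parse_headers(raw_request).items()
        if TRIGGER in value.lower()
    )


def scan_requests(requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (request index, matching header names) for every suspicious request."""
    hits = []
    for idx, raw in enumerate(requests):
        matched = find_trigger_headers(raw)
        if matched:
            hits.append((idx, matched))
    return hits


# Constructed sample traffic: one benign request, two carrying the trigger.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Zerodium-scan\r\n\r\n",
    "POST /x HTTP/1.1\r\nHost: example.test\r\nX-Note: zerodium\r\nUser-Agent: curl\r\n\r\nbody",
]

if __name__ == "__main__":
    for idx, names in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: trigger string in header(s) {names}")
```

In a real deployment the same check belongs at the WAF or reverse proxy, applied to every header rather than only User-Agent.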
However, Zerodium CEO Chaouki Bekrar denied the company was involved in any way, describing the real attackers as “trolls”.
An investigation is currently underway.