Update on php.net malware

Posted in Announcements

On October 24th, 2013, the PHP development team learned that two of the servers that run the community website php.net had been compromised for brief periods of time between October 22nd and October 24th. The attack vector that allowed the intruders into these servers was almost certainly unrelated to PHP itself. While a PHP-based attack vector can’t be entirely ruled out, other attack vectors – potentially compromised access credentials – are more likely scenarios. The servers in question are accessible by many members of the PHP developer community, and it’s enough for just one of them to have his or her access credentials compromised for an attacker to successfully wage these attacks.

Zend customers and Zend Server users are not impacted by this attack on the php.net website. We provide our customers with a fully supported PHP runtime environment, which is distributed with Zend Server. Zend continuously delivers critical functionality fixes and security fixes to customers when such issues are identified.

More technical details:

After gaining access, the attackers altered a certain JavaScript file served by these servers to contain malicious code. Every time that happened, automated scripts restored the correct, malware-free version within minutes; but apparently the intruder re-altered the file several times.

As a precautionary step, the services hosted on these servers have been moved to separate, newly secured servers. The PHP team is continuing to analyze the severity and scope of the break-in. The team has already verified that no hidden commits were made to the PHP source code repository, and is in the process of reviewing public commits.

The PHP development team will publish a full post-mortem once its analysis is complete.

You can also get updates from the official php.net Twitter: @official_php



    • cabdriverjim

      Paragraph #2 makes me never want to send money to Zend again. It’s nice that your products were not affected but it is kinda crappy to throw the php.net community under the bus trying to make yourselves look good.

    • Anonymous

      Where is that post mortem after all these months?