On October 24th, 2013, the PHP development team learned that two of the servers that run the community website php.net had been compromised for brief periods of time between October 22nd and October 24th. The attack vector that allowed the intruders into these servers almost certainly was unrelated to PHP itself. While a PHP-based attack vector can’t be entirely ruled out, other attack vectors – potentially compromised access credentials – are more likely scenarios. The servers in question are accessible by many members of the PHP developer community, and it’s enough for just one of them to have his or her access credentials compromised for an attacker to successfully wage these attacks.
Zend customers and Zend Server users are not impacted by this attack on the php.net website. We provide our customers with a fully supported PHP runtime environment, which is distributed with Zend Server. Zend continuously delivers critical functionality fixes and security fixes to customers when such issues are identified.
More technical details:
As a precautionary step, the services hosted on these servers have been moved to separate, newly secured servers. The PHP team now continues analyzing the severity and scope of the break-in. The team has already verified that no hidden commits were made to the PHP source code repository, and are in the process of reviewing public commits.
The PHP development team will publish a full post-mortem once its analysis is complete.
You can also get updates from the official php.net Twitter: @official_php