PHP Infiltrated with Backdoor Malware
Reading Time: 1 Minute
The PHP project on Sunday announced that attackers were able to gain access to its main Git server, uploading two malicious commits, including a backdoor. They were discovered before they went into production.
PHP is a widely used open-source scripting language often used for web development. It can be embedded into HTML. The commits were pushed to the php-src repository, thus offering attackers a supply-chain opportunity to infect websites that pick up the malicious code believing it to be legit.
Both commits claimed to “fix a typo” in the source code. They were uploaded using the names of PHP’s maintainers, Rasmus Lerdorf and Nikita Popov, according to a message sent by Popov to the project’s mailing list on Sunday. He added that he didn’t think it was simple case of credential theft.
“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” he explained.
In response to the hack, PHP is moving its servers to GitHub, making them canonical.
“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server,” Popov explained. “Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net…This change also means that it is now possible to merge pull requests directly from the GitHub web interface.”
He also noted that PHP is reviewing all of its repositories for any corruption beyond the two commits that were found.
“We are lucky that the malicious commits were detected before reaching production systems,” said Craig Young, principal security researcher at Tripwire, via email. “Had it not been detected, the code could have ultimately poisoned the binary package repositories which countless organizations rely upon and trust. Open-source projects which are self-hosting their code repositories may be at increased risk of this type of supply-chain attack and must have robust processes in place to detect and reject suspicious commits.”
Weaponizing the Software Supply Chain
Making use of open-source repositories as a vehicle to compromise websites and applications is not uncommon.
See Also: Information Security Tool: Chameleon
And in December, RubyGems, an open-source package repository and manager for the Ruby web programming language, took two of its software packages offline after they were found to be laced with malware.
Source: https://threatpost.com
(Click Link)