Attackers briefly managed to gain control of PHP's Git repository. Two malicious commits that added a backdoor were pushed to the code. So far, there is no information on how the attack succeeded.
PHP is free software, so its source code is public: anyone can download it and read it in the project's official Git repository. Only a small number of developers on the official project, however, have the rights to change that code in order to add features and fix bugs.
Although the details of the attack are not yet known, it is known that the attackers pushed their changes under the names of two PHP developers, using those developers' rights to modify the code. One of the two impersonated developers is the creator of PHP, Rasmus Lerdorf; the other is core developer Nikita Popov.
Everything indicates that this was not an opportunistic attack but a planned one: the attackers modified the code to insert a backdoor. Specifically, a server running PHP built from the modified code would allow remote code execution.
The backdoor is triggered by the string "Zerodium" in an incoming HTTP request header. Zerodium is the name of a well-known exploit broker; however, it is unlikely that Zerodium was actually responsible for the attack.
The only good news is that the malicious code did not last long on the official server. The first modification was spotted within a couple of hours, during the routine post-commit review that every change to the repository receives.
Only those who checked out the PHP Git code during that short window, built it, and deployed the result on a publicly reachable server are affected; the change never made it into a released version of PHP.
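For anyone who did check out php-src in that window, a quick first check is to scan the working tree for the trigger string the article names. The script below is an added example, not code from the article or from the PHP project. It assumes the trigger string appears literally in the source (it matches case-insensitively and skips the .git directory); the fixture tree built by make_fixture, including the path ext/demo/demo.c, is constructed for the demonstration only. A clean scan is a useful negative, not proof: the authoritative check is to compare the checkout against the project's cleaned history.

```shell
#!/bin/sh
# Added example, not code from the article or from the PHP project.
# Scans a php-src checkout for the backdoor trigger string the article
# names ("Zerodium"), case-insensitively, skipping the .git directory.
# The fixture tree built by make_fixture is constructed for this demo.

# scan_for_trigger DIR
#   Prints each file:line:text under DIR containing the trigger string.
#   Returns 0 when nothing is found, 1 when the string is present,
#   2 when DIR is not a directory.
scan_for_trigger() {
    tree=$1
    [ -d "$tree" ] || { echo "not a directory: $tree" >&2; return 2; }
    # /dev/null is passed as an extra file so grep always prefixes the
    # file name; "|| true" keeps a no-match (grep exit 1) from aborting
    # under "set -e".
    hits=$(find "$tree" -name .git -prune -o -type f \
              -exec grep -n -i -- 'zerodium' /dev/null {} + || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_fixture DIR KIND
#   Builds a small constructed tree under DIR with one C file. KIND
#   "tampered" appends a line carrying the trigger string; "clean" does
#   not. A file inside .git also carries the string, to show it is skipped.
make_fixture() {
    dir=$1
    kind=$2
    mkdir -p "$dir/ext/demo" "$dir/.git"
    printf '%s\n' 'int demo(void) { return 0; }' > "$dir/ext/demo/demo.c"
    printf '%s\n' 'zerodium' > "$dir/.git/not-scanned"
    if [ "$kind" = tampered ]; then
        printf '%s\n' '/* sold to ZERODIUM */' >> "$dir/ext/demo/demo.c"
    fi
}

# Stand-alone run on a throwaway tree.
demo_root=$(mktemp -d)
make_fixture "$demo_root/php-src" tampered
if scan_for_trigger "$demo_root/php-src"; then
    echo "no trigger string found"
else
    echo "trigger string present; do not deploy this checkout"
fi
rm -rf "$demo_root"
```

Against a real checkout, call `scan_for_trigger /path/to/php-src` and treat a non-zero return as a reason to rebuild from a verified revision rather than as a diagnosis of what was changed.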
Although the investigation is still ongoing, PHP developer Nikita Popov informed the community about the incident in an email and announced at the same time that PHP development will move to GitHub. It was decided that "maintaining our own Git infrastructure is an unnecessary security risk," says Popov.
Until now, PHP used a combination of the Gitolite software and a self-developed access-control system called Karma. According to Popov, everything indicates that the Git hosting server itself was compromised and that this was not an attack on individual developer accounts.
In addition, the project has tightened the requirements for those who want commit access, including measures such as two-factor authentication.