30 March 2021

PHP’s Git server compromised to plant backdoors in PHP source code


An unknown malicious actor has compromised the official PHP Git repository in an attempt to add backdoors to the code base of the PHP project.

According to PHP programming language developer and maintainer Nikita Popov, the incident took place last Saturday, on March 28. He said that two malicious commits were pushed to the php-src repository in both his name and that of PHP creator Rasmus Lerdorf.

“We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov explained, adding that the maintainers decided to discontinue the git.php.net server because “maintaining our own git infrastructure is an unnecessary security risk.”

“This means that changes should be pushed directly to GitHub rather than to git.php.net,” Popov said.

The malicious commits were disguised as fixes for benign typographical errors. On closer inspection of line 370, where the zend_eval_string function is called, contributors noticed that the code actually adds a backdoor that allows malicious code execution on a website running the vulnerable PHP version. The injected code is executed from within the User-Agent HTTP header if the header value starts with 'zerodium', the name of a well-known exploit seller.
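As an added detection example (not part of the original article or the PHP project), the script below scans web server access log lines in the Apache/nginx "combined" format and flags requests whose User-Agent begins with the trigger string described above; the log lines are constructed samples, and the case-insensitive match is a deliberate defensive broadening.

```python
import re

# Apache/nginx "combined" log format; the final quoted field is the User-Agent.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Trigger string reported for the backdoored commits.
TRIGGER = "zerodium"


def is_trigger_user_agent(ua: str) -> bool:
    """True if the User-Agent value starts with the trigger string.

    The article describes a check on the start of the header; matching
    case-insensitively is a defensive choice made here, not the backdoor's."""
    return ua.lstrip().lower().startswith(TRIGGER)


def find_backdoor_probes(lines):
    """Return one record per log line whose User-Agent carries the trigger."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        if is_trigger_user_agent(m.group("ua")):
            hits.append({
                "line": n,
                "ip": m.group("ip"),
                "request": m.group("req"),
                "user_agent": m.group("ua"),
            })
    return hits


# Constructed sample log lines (RFC 5737 addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [30/Mar/2021:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 128 "-" "zerodium<payload omitted>"',
    '198.51.100.7 - - [30/Mar/2021:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in find_backdoor_probes(SAMPLE_LOG):
        print(hit)
```

Feeding a real access log through `find_backdoor_probes` line by line gives a quick triage of whether anyone probed a host for the backdoor while the tainted code was in circulation.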

Commenting on the situation, Zerodium's chief executive Chaouki Bekrar labeled the culprit as a “troll” and said that his company has “nothing to do with this.”

“Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun,” Bekrar tweeted.
