PHP backdoored via Git hack: It’s no joke, so don't be a fool

Richi Jennings, industry analyst and editor, RJAssociates

The widely used PHP web scripting language has been made a fool of this week. A hacker added three lines of code in an unsubtle attempt to add an obvious backdoor.

A hilarious prank, perhaps. But the real question is: What else has been added via the same Git vulnerability? Given that about 80% of the web relies on PHP in one way or another, this is a serious and urgent question.

Like many such projects, PHP runs on a shoestring, yet it’s critical infrastructure around the world. In this week’s Security Blogwatch, we’re never gonna give you up.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Panorama.

PHP Group will close its doors

What’s the craic? Ax Sharma harvests spaghetti code—Git server hacked to add backdoors to PHP source code:

Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their server. The threat actors had signed off on these commits as if these were made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov.

The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet. … According to PHP maintainers, this malicious activity stemmed from the compromised server, rather than compromise of an individual's Git account. [So they] have decided to migrate the official PHP source code repository to GitHub.

"The changes did not make it into any tags or release artifacts. … The changes were on the development branch for PHP 8.1, which is due to release at the end of the year," [said] Popov.
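A check a defender would run after an incident like the one described above, added here as an example and not taken from the article or the PHP project: it parses `git log` output and flags commits that claim a maintainer's address but carry no good signature, since author name, email and a Signed-off-by trailer are all free text. The maintainer addresses, SHAs and log lines are constructed placeholders.

```python
"""Audit a git log for commits that carry a trusted maintainer's identity but no
valid cryptographic signature: author name, email and Signed-off-by are free text."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# %G? is git's signature status: G = good and trusted, U = good but untrusted key,
# B = bad signature, N = no signature (E, X, Y, R cover other failures).
SEP = "\x1f"
LOG_FORMAT = SEP.join(["%H", "%G?", "%an", "%ae", "%s"])  # for: git log --format=...

@dataclass(frozen=True)
class Commit:
    sha: str
    sig_status: str
    author_name: str
    author_email: str
    subject: str

def parse_log(text: str) -> List[Commit]:
    """Parse lines produced with LOG_FORMAT into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(SEP, 4)
        if len(fields) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*fields))
    return commits

def suspicious_commits(commits: Iterable[Commit], trusted_emails: Set[str]) -> List[Commit]:
    """Commits claiming a trusted maintainer's address whose status is not G."""
    return [c for c in commits
            if c.author_email.lower() in trusted_emails and c.sig_status != "G"]

# Constructed sample log (placeholder SHAs, example.org addresses), shaped like the
# output of `git log --format="$LOG_FORMAT"` on a real checkout.
TRUSTED = {"one@example.org", "two@example.org"}
SAMPLE_LOG = "\n".join(SEP.join(f) for f in [
    ("a1a1a1a1", "N", "Maintainer One", "one@example.org", "Fix typo"),      # spoofed, unsigned
    ("b2b2b2b2", "B", "Maintainer Two", "two@example.org", "Fix typo"),      # spoofed, bad signature
    ("c3c3c3c3", "G", "Maintainer One", "one@example.org", "Update NEWS"),   # genuine, good signature
    ("d4d4d4d4", "N", "Outside Contributor", "pr@example.net", "Docs fix"),  # no maintainer claim
])

if __name__ == "__main__":
    for c in suspicious_commits(parse_log(SAMPLE_LOG), TRUSTED):
        print(f"{c.sha} [{c.sig_status}] {c.author_name} <{c.author_email}>: {c.subject}")
```

On a real repository, pipe `git log --format="$LOG_FORMAT" origin/main` into `parse_log` and keep the trusted set to the addresses whose keys are actually registered with the project.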

And Catalin Cimpanu erupts like Mount Edgecumbe—Hackers backdoor PHP source code:

The backdoor mechanism was first spotted by Michael Voříšek, a Czech … software engineer. If the malicious code had made it into production, the code would have allowed threat actors to execute their own malicious PHP commands on victims’ servers.

As a result of the security breach, the PHP team decided … its internal Git server was not trustworthy anymore. … In late 2018, hackers also compromised the official website of the PHP PEAR extensions system and hosted a backdoored version of the PHP PEAR package manager for almost six months in an incident that has yet to be explained even today.

PHP FTW? Nikita Popov lives mainly on the island of Lower Caisse:

Two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened [but] we have decided that maintaining our own git infrastructure is an unnecessary security risk.

We're reviewing the repositories for any corruption beyond the two referenced commits. Please contact if you notice anything.

Ding ding ding ding ding. b0llchit rings the Taco Liberty Bell:

When our (dev-)infrastructure is concentrated at one or few sites such as github, then we make ourselves just as or even more vulnerable as when using our own infrastructure. These companies only provide "free" as long as they profit from it.

When the wind changes or new management comes along, then you might be in an even worse situation than before. A breach also has more impact at a centralized place.

Infrastructure costs money and requires a lot of expertise. Yes, it is easy to outsource this. It may even be cheap at first. The costs will come eventually and probably be higher than expected.

What a lair of slop. Mark Randall stops short of blaming Congress:

The PHP project … just doesn't have the funds to dedicate someone to it. … Github is offering its services for free to us, just as it does to everyone else. We'd be silly to pass up the opportunity. If anything, it's just a shame it took an attack to incentivise the move.

PHP's core development team is tiny, its operations team is even smaller, 1 or 2 people at most.

It’s as if Nixon said, “I didn’t do anything wrong, and I won’t do it again.” Here’s Michael Wojcik:

Frankly, the idea that 80 percent of websites … use PHP is already more than a little concerning. If the PHP organization had the resources of Apple I wouldn't feel any better about the language.

Not exactly a subtle commit, though. kenmacd stands amid the rubble of the Space Needle:

I'd say the reason it doesn't hide better is because it's specifically meant not to hide. … The commit was almost certainly never meant to make it into some server log, it was meant to be seen, and it was.

The vulnerability that is of interest is the one that allowed these commits to be injected … the backdoor into the PHP code repo.

You’ll believe an Adélie penguin can fly. Just like Xavin:

Just another example of why you shouldn't ever try to roll your own security related infrastructure unless you really really know what you are doing.

Think deeper. rsilvergun opens a can of delicious unicorn meat:

Is it just me, or is it terrifying how much of our computing infrastructure is built off these relatively small projects?

Meanwhile, this Anonymous Coward munches on a left-handed BK Whopper:

“We don't yet know how exactly this happened.” My guess: because it was written in PHP.

The foolish moral of the story?

How much of your infrastructure is built on badly funded open-source projects?

And foolishly

Pull the other one, Aunty. It’s got bells on.

Hat tip: Alex Boese’s Top 100 April Fool's Day hoaxes


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 29¾.

This week’s zomgsauce: Tomi Knuutila (cc:by-nc)
