PHP Git Servers Compromised As Hackers Plant Secret Backdoor

Posted on March 31, 2021 at 5:30 PM

PHP Git Servers Compromised As Hackers Plant Secret Backdoor

A recent report has revealed that a threat actor had added a backdoor to a PHP programming language source code. According to the report, the incident has caused a flaw on websites that would have led to a complete takeover.

Over the weekend, two updates were sent to the PHP Git server, which would have allowed visitors with not an authorization to execute any code they want. According to the developers, the code execution is possible if a PHP-powered website runs those two updates.

The updates were made under the account names of two popular PHP developers, Nikita Popov and Rasmus Lerdorf.

Popov stated that no one is sure how the hackers were able to compromise the servers, but an investigation is ongoing. He added that the whole situation is coming from the infiltration of the git.php.net server and not from the infiltration of an individual git account.

Zerodium referenced in the attack

The update was allegedly made to correct a typo, with the first update coming before the second. After the developers spotted the first update, Voříšek discovered the second malicious commit, made under Popov’s account name, allegedly reverting the type fix made by the previous malicious update.

It’s not clear why the updates referenced Zerodium, a broker who sells exploits to government agencies for investigation purposes. But the chief executive officer of the company Chaouki Bekrar said investigations revealed Zerodium does not have a hand in the exploit.

 “Cheers to the troll who put ‘Zerodium’ in today’s PHP git compromised commits,” he stated.

He added that the researchers that discovered the vulnerability burned it for fun probably because they didn’t succeed in their attempt to sell to several entities they approached.

Before the recent breach, the PHP Group was in charge of all write access to the repository on a single grit server. They utilized an internally-made system known as Karma.

This offered different access levels and privileges to the users, although it depends on previous contributions, while GitHub was regarded as a smaller repository.

However, the self-hosted repository has been abandoned by the PHP Group and replaced with GitHub.

As a result of the change, GitHub is now regarded as the “canonical” repository. The Karma system is no longer used by the PHP Group.

In its place, contributors are allowed to become part of the PHP organization on GitHub. But for them to make commits, they must log in to their accounts using two-factor authentication.

Git infrastructure is a security risk

After the breach, revealed that the PHP developers stated that the standalone Git infrastructure is an unnecessary security risk.

Consequently, they plan to dissolve the git.php server and establish GitHub as the main source for PHP repositories. In the future, the changes to all PHP source code will not be done on git.php.net but rather directly to the GitHub server.

The hacking incident was revealed publicly by developers Michael Voříšek, Jake Birchallf, and Markus Staab on Sunday evening. It was discovered when they were scrutinizing a commit made the previous day.

HD Moore, Chief executive officer of network discovery platform Rumble, opined that the exploit was carried out by those who are trying to prove a point about their unauthorized access. He stated that the motive of the threat actors wasn’t necessarily to backdoor sites that utilize PHP.

Php.net servers have been compromised in the past

Although php.net servers are considered very strong when it comes to security, the server has had its share of vulnerability issues Apart from this weekend, the server has also been compromised in the past.

The previous incident happened in early 2019 when the threat actors tried to carry out a supply chain attack. The PHP application repository was hit at the time, leading to a temporary shutdown of most of its site. It was discovered that the threat actors planted a malicious code in place of the main package manager.

The PHP group has admitted then that those who have installed PEAR PHP in the last six months may have been affected.

The attacks are worrisome for website owners because PHP runs the majority of the websites. About 8 in 10 websites run PHP, which shows how it can affect millions of sites.

Summary
PHP Git Servers Compromised As Hackers Plant Secret Backdoor
Article Name
PHP Git Servers Compromised As Hackers Plant Secret Backdoor
Description
A recent report has revealed that a threat actor had added a backdoor to a PHP programming language source code. According to the report, the incident has caused a flaw on websites that would have led to a complete takeover.
Author
Publisher Name
Koddos
Publisher Logo

Share this:

Related Stories:

Aug 30, 2023
Stolen Data Threat: Rhysida Ransomware Gang Targets Prospect Medical Holdings
Aug 29, 2023
Compromised routers allowed online criminals to target Pentagon contract site
Koddos

Newsletter

Get the latest stories straight
into your inbox!

Popular Articles

Aug 30, 2023
Stolen Data Threat: Rhysida Ransomware Gang Targets Prospect Medical Holdings
Aug 29, 2023
Compromised routers allowed online criminals to target Pentagon contract site
Aug 28, 2023
1.2 million customers of Mom’s Meals were affected after the recent data breach
Aug 28, 2023
How VPNs Can Defend Against the Threat of Hacking
Aug 23, 2023
Terra Developers Shut Down Website Amid A Phishing Campaign

YOUTUBE

Discover more from KoDDoS Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading