PHP.net compromised and redirecting to Magnitude exploit kit

Google detected a malware on PHP.net website, the internal team confirmed that the website was compromised and redirecting to a Magnitude exploit kit.

php.net website was serving malware, the alert was launched by Google’s Safe Browsing service that alerted internet users.  Subsequent investigation confirmed that some of the project’s servers did get compromised, attackers succeeded to infect it injecting malicious JavaScript code (userprefs.js) some pages of the website.

Security experts from Barracuda have shared a PCAP file that shows the malicious behavior, the attackers were able to inject a malicious iframe in the PHP.net website that was redirected to an Exploit Kit. The obfuscated JavaScript “userprefs. js” inserts a hidden iframe into the webpage, which points out from an external site serving malware.

Once the users visited the infected page the code started for automatic detection of vulnerable plug-ins within the only desktop browsers, and the serving of malicious SWF files. The PHP team is investigating on the attack, they confirmed that the servers which hosted the php.net, static.php.net and git.php.net domain, and the server hosting bugs.php.net have been compromised.

“We have verified that our Git repository was not compromised, and it remains in read only mode as services are brought back up in full,” they shared. 

PHP team has migrated all services to new servers to grant the continuity of services during the investigation phase, it also remarked that only a small portion of website users was infected.

“JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013,” they shared, adding that over the next few days they will force a password reset of php.net users.

Fabio Assolini, a researcher at Kaspersky Lab, revealed that attackers used the Magnitude Exploit Kit and dropped a variant of the Tepfer information-stealing Trojan due its efficiency and low AV detection rate. At the time of the attacks, the malware was detected by only five of 47 antivirus programs.

“An analysis of the pcap file suggests the malware attack worked by exploiting a vulnerability in Adobe Flash, although it’s possible that some victims were targeted by attacks that exploited Java, Internet Explorer, or other applications, Martijn Grooten, a security researcher for Virus Bulletin”  reported Arstechnica.

The following information provided by the official update published on the website:

“As it’s possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to php.net sites that require SSL (includingbugs.php.net and wiki.php.net) in the next few hours.” 

To summarize, the situation right now is that:

• JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
• Neither the source tarball downloads nor the Git repository were modified or compromised.
• Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
• SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.

In the next few days php .net users will have their passwords reset as part of incident response procedure.

“Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.”

Pierluigi Paganini

(Security Affairs –  malware, php. net)