This Sunday, March 28, hackers gained access to the internal Git repository of the PHP programming language and managed to add a backdoor to its source code. We are talking about the most widely used server-side language on the entire web, estimated to be in use by 79.1% of all websites.
As explained on the PHP mailing lists, the attack inserted two malicious changes into the php-src repository, and although the cause is still unknown and an investigation is ongoing, everything points to the official git.php.net server having been compromised.
The backdoor was first detected by Michael Voříšek, a software engineer from the Czech Republic. If this malicious code had made it into production, it could have allowed hackers to execute their own malicious PHP commands on victims' servers.
Some experts believe it is possible that the attackers wanted to be discovered, or that it was a bug hunter, because of the "messages" left in the code. To trigger execution of the malicious code, the attacker had to send an HTTP request to a vulnerable server with a user agent starting with the string "zerodium".
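Since the trigger described above lives in a request header, a defender's first question is whether any such request ever reached their servers. The following is an added example, not code from the article or from the PHP project: it parses web server access logs in the common Apache/nginx "combined" format (an assumption about the log layout) and flags requests whose User-Agent begins with "zerodium". The log lines, IP addresses and timestamps are constructed for the example; the matching is done case-insensitively, which is a deliberate choice to catch trivial variations, and it is a prefix match because that is what the article states the backdoor checked.

```python
"""Scan combined-format access logs for requests carrying the "zerodium" trigger prefix.

Added example (not from the article or the PHP project). Assumes Apache/nginx
"combined" log format, where the User-Agent is the last quoted field.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

# One "combined" log line: ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# The trigger string named in the article; the backdoor fired on user agents
# that start with it.
TRIGGER_PREFIX = "zerodium"


class Hit(NamedTuple):
    ip: str
    timestamp: str
    request: str
    user_agent: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_trigger(user_agent: str) -> bool:
    """True when the User-Agent starts with the trigger prefix (case-insensitive)."""
    return user_agent.lower().startswith(TRIGGER_PREFIX)


def find_trigger_requests(lines: Iterable[str]) -> List[Hit]:
    """Walk log lines and collect every request that would have tripped the backdoor check."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the whole scan
        if is_trigger(rec["ua"]):
            hits.append(Hit(rec["ip"], rec["ts"], rec["req"], rec["ua"]))
    return hits


# Constructed sample log: one ordinary browser request, one request carrying the
# trigger prefix (payload replaced by a placeholder), one that merely contains the
# word mid-string (not a prefix match), and one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2021:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/87.0"',
    '198.51.100.23 - - [28/Mar/2021:10:16:40 +0000] "GET /index.php HTTP/1.1" 200 77 '
    '"-" "zerodium <placeholder, not a real payload>"',
    '192.0.2.9 - - [28/Mar/2021:10:17:01 +0000] "GET /about.php HTTP/1.1" 200 311 '
    '"-" "Mozilla/5.0 zerodium-research-crawler"',
    "this line is not in combined format",
]


if __name__ == "__main__":
    for hit in find_trigger_requests(SAMPLE_LOG):
        print(f"{hit.timestamp}  {hit.ip}  {hit.request}  UA={hit.user_agent!r}")
```

Run it against real logs with `find_trigger_requests(open("/var/log/apache2/access.log"))`. Whether to widen `is_trigger` from a prefix match to a substring match is a tuning decision: the substring rule would also flag the third sample line, at the cost of more noise.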
Zerodium is a well-known cybersecurity company specializing in the acquisition and sale of zero-day exploits. Zerodium has already stated that it had nothing to do with this, so whoever hacked the code is thought not to have been trying to be subtle at all, but their intentions are not known.
In addition, the attackers left a message in one of the parameters of the function the backdoor executes: "REMOVETHIS: sold to zerodium, mid 2017". This clearly seeks to imply or reference the company, but no one knows whether anything was sold to Zerodium in 2017, let alone what it was.
In the PHP chat rooms on Stack Overflow there is a lot of conjecture. Some believe it could have been a "poor attempt" at white hat hacking, while others even point to a "completely inept script kiddie".
While the investigation continues and a more thorough review of the PHP source code is underway, the maintainers have decided that running their own Git infrastructure is an unnecessary security risk, and the git.php.net server will therefore be discontinued.
From now on the repositories on GitHub, which were previously only mirrors, become the main repositories, so changes should be submitted directly to GitHub instead of git.php.net.
The malicious code was committed under the accounts of two PHP core team members, Rasmus Lerdorf and Nikita Popov, but both have already stated that they were not involved. In addition, the team uses two-factor authentication for their accounts, so they believe the cause was a critical flaw in the main Git server rather than a breach of an individual account.
Although the incident was quickly resolved, in practice it would have affected only a small portion of PHP servers, since most of them take a long time to upgrade to the latest version.
This points to another problem that has plagued the web for some time: a huge percentage of websites on the Internet run an unsupported version of PHP. Although this has improved in recent years, almost 40% of all websites that use PHP still run an old, unsupported version.