PHP's Git Server Hacked To Add Backdoors To PHP Source Code

dotancohen writes:

Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src Git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. “The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet,” adds BleepingComputer.

“In the malicious commits [1, 2] the attackers published a mysterious change upstream, ‘fix typo’ under the pretense this was a minor typographical correction. However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP.”

According to Popov, the first commit was detected a couple hours after it was made, and the changes were reverted right away. “Although a complete investigation of the incident is ongoing, according to PHP maintainers, this malicious activity stemmed from the compromised server, rather than compromise of an individual’s Git account,” reports BleepingComputer. “As a precaution following this incident, PHP maintainers have decided to migrate the official PHP source code repository to GitHub.”

Friendly Websites