Once the users visited the infected page the code started for automatic detection of vulnerable plug-ins within the only desktop browsers, and the serving of malicious SWF files. The PHP team is investigating on the attack, they confirmed that the servers which hosted the php.net, static.php.net and git.php.net domain, and the server hosting bugs.php.net have been compromised.
“We have verified that our Git repository was not compromised, and it remains in read only mode as services are brought back up in full,” they shared.
PHP team has migrated all services to new servers to grant the continuity of services during the investigation phase, it also remarked that only a small portion of website users was infected.
Fabio Assolini, a researcher at Kaspersky Lab, revealed that attackers used the Magnitude Exploit Kit and dropped a variant of the Tepfer information-stealing Trojan due its efficiency and low AV detection rate. At the time of the attacks, the malware was detected by only five of 47 antivirus programs.
“An analysis of the pcap file suggests the malware attack worked by exploiting a vulnerability in Adobe Flash, although it’s possible that some victims were targeted by attacks that exploited Java, Internet Explorer, or other applications, Martijn Grooten, a security researcher for Virus Bulletin” reported Arstechnica.
The following information provided by the official update published on the website:
“As it’s possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to php.net sites that require SSL (includingbugs.php.net and wiki.php.net) in the next few hours.”
To summarize, the situation right now is that:
- Neither the source tarball downloads nor the Git repository were modified or compromised.
- Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
- SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
In the next few days php .net users will have their passwords reset as part of incident response procedure.
“Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.”
(Security Affairs – malware, php. net)