Digital Guardian's Blog

Attackers Sought to Compromise PHP Source Code

by Chris Brook on Monday March 29, 2021

Two malicious commits over the weekend have forced the group in charge of PHP to discontinue its internal Git server.

An unknown hacker on Sunday added a backdoor to the code repository for PHP, the popular open source server-side scripting language.

Nikita Popov, a PHP developer and maintainer, said Sunday that two commits were made to the php-src repository, one in his name and another in the name of Rasmus Lerdorf, who helped PHP get off the ground in 1995.

To make the commits, Popov believes the attacker compromised PHP's main Git server, which is self-hosted, rather than an individual user account.

“We don't yet know how exactly this happened, but everything points towards a compromise of the server (rather than a compromise of an individual git account),” Popov said in an email disclosing the news to the PHP mailing list on Sunday night.

As compromises sometimes do, the incident appears to have prompted a change from within. Because of the malicious commits, Popov says the project will move away from its own Git server and instead make its repositories on GitHub canonical.

Previously the repositories were mirrors. Going forward changes will be pushed directly to GitHub, instead of surfacing on Also going forward, write access to repositories will be managed through GitHub too; admins will have to have two-factor authentication enabled, which should add an additional level of protection.

The malicious commits are still viewable on GitHub.

While a line in one of the malicious updates to the code says "REMOVETHIS: sold to zerodium, mid 2017," Chaouki Bekrar, Zerodium's CEO, insists the mention is just trolling and that likely whoever found the exploit "burned it for fun."

While it's unclear how the attack took place, it's not a huge surprise that the commits showed up under Popov and Lerdorf's names; source code version control systems like Git make it possible to commit changes under the name of someone other than yourself.

A PHP developer, Jake Birchall, was one of the first to acknowledge on GitHub that the change could result in the execution of PHP code.
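The author and committer fields of a Git commit are plain text stored in the commit object, which is why a name alone proves nothing about who made a change. The following added example (not from the original article or the PHP project) parses constructed raw commit objects, in the layout printed by `git cat-file commit <id>`, and reports the claimed author next to whether any signature header is present; all names, ids and the signature body are invented.

```python
# Constructed samples in the layout of `git cat-file commit <id>` output.
# Every name, id and the "signature" body below is invented for illustration.
UNSIGNED = """\
tree 1111111111111111111111111111111111111111
parent 2222222222222222222222222222222222222222
author Well Known Maintainer <maintainer@example.org> 1616900000 +0000
committer Well Known Maintainer <maintainer@example.org> 1616900000 +0000

Fix typo
"""
SIGNED = """\
tree 3333333333333333333333333333333333333333
author Other Dev <dev@example.org> 1616900100 +0000
committer Other Dev <dev@example.org> 1616900100 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 (constructed placeholder, not a real signature)
 -----END PGP SIGNATURE-----

Signed change
"""

def parse_commit(raw):
    """Split a raw commit object into header fields and the message."""
    head, _, message = raw.partition("\n\n")   # first empty line ends the headers
    fields, key = {}, None
    for line in head.split("\n"):
        if line.startswith(" ") and key:       # continuation of a multi-line header
            fields[key] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            fields[key] = value                # repeated keys (merge parents) keep the last
    return fields, message

def audit(raw):
    """Return the identity the commit claims and whether a signature header exists."""
    fields, _ = parse_commit(raw)
    claimed = fields.get("author", "").split(" <")[0]
    # Presence only: the signature is not cryptographically checked here.
    return {"claimed_author": claimed, "has_signature": "gpgsig" in fields}

def unsigned_claims(raw_commits):
    """List the author names claimed by commits that carry no signature at all."""
    reports = [audit(raw) for raw in raw_commits]
    return [r["claimed_author"] for r in reports if not r["has_signature"]]

if __name__ == "__main__":
    print(unsigned_claims([UNSIGNED, SIGNED]))
```

A present `gpgsig` header only shows that a signature was attached; checking it against a trusted key is a separate step, for instance with `git verify-commit`.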

"This line executes PHP code from within the useragent HTTP header, if the string starts with 'zerodium'," Birchall told Michael Voříšek on GitHub Sunday night.

It's worth noting there was never any immediate danger to users because of the commits; they were found following a code review and reverted soon after.

Still, PHP is one of the most popular server-side programming languages; it's behind 79.1% of websites across the internet, according to W3Techs, a service that aggregates information on website technology. That means that anything that could jeopardize the language, including a seemingly stealthy supply chain compromise like this one, could, if left unchecked, have an impact on the rest of the internet.

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.