PHP's Git Server Hacked To Distribute Backdoors Via PHP Source Code

Malicious commits to PHP's Git repository, signed off by the attackers under the names of well-known maintainers, planted a remote code execution backdoor in the PHP source code.

On March 28, 2021, attackers pushed two malicious commits to the php-src Git repository hosted on the PHP team's own git.php.net server. The commits were signed off as if they had been made by Rasmus Lerdorf, PHP's original author, and Nikita Popov, a core PHP maintainer.

PHP is the server-side programming language that powers roughly 80% of the websites whose server-side language is known.

The commit message described the change as a minor typographical correction ("Fix typo"), which is not what the diff contained.

On closer inspection of the added line 370, which calls the zend_eval_string function (the engine routine that evaluates a string as PHP code), researchers found that the new line plants a backdoor allowing remote code execution on any website running a PHP build compiled from the infected source.

Developer Michael Voříšek was the first to point out the malicious commit.

"This line executes PHP code from within the useragent HTTP header, if the string starts with 'zerodium'," said PHP developer Jake Birchall.
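The trigger described above, turned into a detection check. This is an added example, not code from the article or from PHP itself: it parses Apache/nginx combined-format access-log lines (the sample lines at the bottom are constructed, using RFC 5737 documentation addresses), flags requests whose User-Agent carries the string zerodium, and reports the text after the trigger, which is assumed here to be what a backdoored build would have passed to zend_eval_string. Matching anywhere in the header and case-insensitively is a deliberate superset of the prefix check quoted above, so the scan errs toward false positives rather than misses.

```python
import re
from dataclasses import dataclass

# Added example (not code from the article or from PHP): scan web-server
# access logs for requests that would have triggered the backdoor described
# above. Apache/nginx "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRIGGER = "zerodium"


@dataclass
class Hit:
    host: str
    time: str
    request: str
    user_agent: str
    payload: str  # text after the trigger; assumed to be what the backdoor evaluated


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_user_agent(user_agent):
    """Return the text following the trigger if present, otherwise None.

    Matches anywhere in the header and case-insensitively, a deliberate
    superset of the "starts with zerodium" check quoted in the article.
    """
    idx = user_agent.lower().find(TRIGGER)
    if idx < 0:
        return None
    return user_agent[idx + len(TRIGGER):]


def scan(lines):
    """Return a Hit for each parseable log line whose User-Agent carries the trigger."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: not combined format, skip rather than guess
        payload = check_user_agent(rec["ua"])
        if payload is not None:
            hits.append(Hit(rec["host"], rec["time"], rec["request"], rec["ua"], payload))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses); two carry the trigger.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2021:21:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"',
    '203.0.113.7 - - [28/Mar/2021:21:14:05 +0000] "GET /index.php HTTP/1.1" 200 77 "-" '
    '"zerodiumsystem(\'id\');"',
    '198.51.100.9 - - [28/Mar/2021:21:15:11 +0000] "POST /login.php HTTP/1.1" 302 0 "-" '
    '"curl/7.68.0"',
    '198.51.100.9 - - [28/Mar/2021:21:16:40 +0000] "GET /x HTTP/1.1" 200 10 "-" '
    '"Mozilla ZERODIUM echo 1;"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.time} {hit.host} {hit.request!r} payload={hit.payload!r}")
```

Run it over a real access log with `scan(open(path))`; a hit does not prove the server was running a backdoored build, only that someone sent the trigger, so correlate with which PHP source the server was built from.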

In an email exchange with BleepingComputer, PHP maintainer Nikita Popov said:

"The first commit was found a couple hours after it was made, as part of routine post-commit code review. The changes were rather obviously malicious and reverted right away."

The commits were signed off as coming from Rasmus Lerdorf and Nikita Popov. In Git, the author and committer fields and the Signed-off-by trailer are plain text that anyone can set to another person's name; nothing stops a user from creating such a forged commit locally and pushing it to a remote server they can write to. Only a cryptographic commit signature, verified against a trusted key, ties a commit to a person.
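To make concrete which fields of a commit carry identity, here is an added example that is not code from the article or from php-src. It parses a raw git commit object in the form `git cat-file -p <sha>` prints it and reports the author, committer, any Signed-off-by trailers, and whether a `gpgsig` header is present. The two commit objects are constructed for this illustration: the tree hash is git's well-known empty tree, and the parent hash, names, e-mail addresses and signature text are placeholders.

```python
# Added example (not code from the article or from php-src): parse a raw git
# commit object and show which fields actually carry identity. The author and
# committer lines and any Signed-off-by trailers are free text; only a gpgsig
# header (once verified against a trusted key) cryptographically binds a
# commit to a person. Both objects below are constructed placeholders.

FORGED_COMMIT = """\
tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
parent 0000000000000000000000000000000000000000
author Maintainer <maintainer@example.org> 1616969000 +0200
committer Maintainer <maintainer@example.org> 1616969000 +0200

Fix typo

Signed-off-by: Maintainer <maintainer@example.org>
"""

SIGNED_COMMIT = """\
tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
parent 0000000000000000000000000000000000000000
author Maintainer <maintainer@example.org> 1616969000 +0200
committer Maintainer <maintainer@example.org> 1616969000 +0200
gpgsig -----BEGIN PGP SIGNATURE-----
 placeholderSignatureBodyNotARealSignature=
 =AbCd
 -----END PGP SIGNATURE-----

Fix typo

Signed-off-by: Maintainer <maintainer@example.org>
"""


def parse_commit(raw):
    """Split a commit object into (headers, message).

    Headers end at the first blank line. A header line that starts with a
    space continues the previous header; git uses this to embed the
    multi-line PGP armor under the single `gpgsig` key.
    """
    header_text, _, message = raw.partition("\n\n")
    headers = []
    for line in header_text.split("\n"):
        if line.startswith(" ") and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
    return headers, message


def describe(raw):
    """Summarise the identity-bearing fields of one commit."""
    headers, message = parse_commit(raw)
    fields = dict(headers)
    signoffs = [
        line[len("Signed-off-by:"):].strip()
        for line in message.splitlines()
        if line.startswith("Signed-off-by:")
    ]
    return {
        "author": fields.get("author", ""),
        "committer": fields.get("committer", ""),
        "signoffs": signoffs,
        "gpg_signed": "gpgsig" in fields,
    }


def trust_findings(raw):
    """Return the reasons a reviewer should not take the names at face value."""
    info = describe(raw)
    findings = []
    if not info["gpg_signed"]:
        findings.append("no gpgsig header: author and committer are unverified text")
    if info["signoffs"]:
        findings.append("Signed-off-by trailers are free text, not signatures")
    return findings


if __name__ == "__main__":
    for name, raw in (("forged", FORGED_COMMIT), ("signed", SIGNED_COMMIT)):
        print(name, describe(raw), trust_findings(raw))
```

A present `gpgsig` header only means a signature exists; it still has to be checked with `git verify-commit` (or `git log --show-signature`) against keys you trust, and a repository policy that requires signed commits on protected branches is what turns that check into an enforced control.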

In an official announcement, PHP maintainers said the issue stemmed from a compromise of the git.php.net server itself, not from a compromise of an individual's Git account.

As a precaution, PHP maintainers made the GitHub repositories, until then only mirrors, the canonical home of the PHP source code.

“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical,” announced Popov.

Developers who want to contribute to the PHP project now need to join the PHP organization on GitHub; the instructions are in PHP's security announcement.

PHP maintainers assured users that no release containing the malicious commits had been distributed:

“The changes were on the development branch for PHP 8.1, which is due to release at the end of the year,” Popov further told BleepingComputer.

About the author

CIM Team
