The “false positive” debate
Once Google had flagged php.net as suspicious, there was some debate about whether the alert was a false positive or not. At first there was a strong rumor that the alert was indeed a false positive. Some links to the early debate:
- Blaze’s Security Blog: http://bartblaze.blogspot.fi/2013/10/phpnet-compromised.html
- Packet capture file by Barracuda labs:
- AlienVault blog: http://www.alienvault.com/open-threat-exchange/blog/phpnet-potentially-compromised-and-redirecting-to-an-exploit-kit
However, it was eventually confirmed [https://news.ycombinator.com/item?id=6603831] that the suspicion was correct. Later PHP itself explained that a malicious version of the file userprefs.js had been served by the server static.php.net during certain time periods only. Most of the time the file seemed (and was) legitimate, which is what fuelled the “false positive” debate.
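The intermittent serving described above is exactly what a one-off check misses: whoever fetched userprefs.js outside the malicious windows saw a clean file. The following is an added monitoring example (not code from php.net or the original article) that hashes every fetch of a served file against a known-good baseline and reports the time windows in which the content deviated. The fetch log, file contents and timestamps are constructed for illustration.

```python
"""Integrity monitoring for a static file that is only sometimes tampered with.

Added example, not php.net code. The fetch log below is constructed: each
entry is (timestamp, response body) as a periodic monitor would record it.
"""
import hashlib

# Constructed known-good body and a constructed modified body. The appended
# comment merely stands in for whatever was injected; it is not real content.
BASELINE = b"var prefs = {theme: 'light'};\n"
TAMPERED = BASELINE + b"/* constructed: stands in for injected content */\n"

# Constructed fetch log: clean, then two tampered fetches, clean, tampered, clean.
SAMPLES = [
    ("2013-10-22T10:00", BASELINE),
    ("2013-10-22T11:00", BASELINE),
    ("2013-10-22T12:00", TAMPERED),
    ("2013-10-22T13:00", TAMPERED),
    ("2013-10-22T14:00", BASELINE),
    ("2013-10-22T15:00", TAMPERED),
    ("2013-10-22T16:00", BASELINE),
]


def sha256_hex(body: bytes) -> str:
    """Content hash used to compare a fetched body with the baseline."""
    return hashlib.sha256(body).hexdigest()


def tampered_windows(samples, baseline_hash):
    """Return [(first_bad_ts, last_bad_ts), ...], one pair per contiguous
    run of fetches whose hash differs from the known-good hash."""
    windows, start, last = [], None, None
    for ts, body in samples:
        if sha256_hex(body) != baseline_hash:
            if start is None:
                start = ts          # a new deviation run begins
            last = ts
        elif start is not None:
            windows.append((start, last))  # run ended: file is clean again
            start = None
    if start is not None:           # log ended while still deviating
        windows.append((start, last))
    return windows


def single_fetch_looks_clean(samples, baseline_hash, index):
    """What a one-off check at fetch `index` would conclude (True = clean)."""
    return sha256_hex(samples[index][1]) == baseline_hash


if __name__ == "__main__":
    base = sha256_hex(BASELINE)
    print("deviation windows:", tampered_windows(SAMPLES, base))
    print("one-off check at 10:00 looks clean:",
          single_fetch_looks_clean(SAMPLES, base, 0))
```

Run repeatedly from more than one vantage point, this turns "it looks fine to me" into a timeline of when the served file actually differed from what was deployed.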
According to a Kaspersky researcher [https://twitter.com/assolini/status/393461051150598144], the iframe pointed to a website hosting the Magnitude Exploit Kit, which in turn tries to exploit CVE-2013-2551 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2551].
Later PHP confirmed that two servers were compromised and SSL private keys may have been stolen as well. Thus, php.net SSL certificates were revoked. It is still unknown how the attackers were able to compromise the servers.
What we learnt from this story, from a normal user’s point of view: keep your software up to date and disable unnecessary plugins. Once again, it was just ordinary malware that PHP.net was serving, trying to exploit known and already patched vulnerabilities. Hence, if everyone had just kept their systems up to date, no harm would have been done (to the end users).