Most security/technology guys are probably aware by now that PHP’s website php.net was compromised and injected with JavaScript malware this week. The malware was originally detected by Google Safe Browsing. On Thursday 24 Oct 2013, Google began to warn that PHP.net contains malware. This post basically describes the case on high level and refers to another articles which provide further details.
“False positive” -debate
Once Google had flagged php.net as suspicious, there was some debate whether the alert was a false positive or not. At first there was a strong rumor, that the alert was actually a false positive. Some links to early debate:
- https://twitter.com/rasmus/status/393258147025932288
- https://productforums.google.com/forum/#!topic/webmasters/puLmvjtK0m8%5B1-25-false%5D
However, eventually it was confirmed https://news.ycombinator.com/item?id=6603831 that the suspicion was correct. Later PHP itself explained that the malicious version of file userprefs.js was served and hosted by server static.php.net during certain time periods. For most of the time file seemed (and was) legit, which was the reason “false positive” debate.
Analysis
A couple of sources have reviewed and analyzed the malicious code. It turned out that the JavaScript code created a hidden iframe, which loaded a third-party website containing an exploit kit. The exploit kit tried to exploit vulnerabilities in Java, Flash and Silverlight implementations. Details available at the following links:
- Blaze’s Security Blog: http://bartblaze.blogspot.fi/2013/10/phpnet-compromised.html
- Packet capture file by Barracuda labs: http://barracudalabs.com/downloads/5f810408ddbbd6d349b4be4766f41a37.pcap
- AlienVault blog: http://www.alienvault.com/open-threat-exchange/blog/phpnet-potentially-compromised-and-redirecting-to-an-exploit-kit
According to Kaspersky’s researcher, the iframe pointed to a website hosting Magnitude Exploit Kit, which in turn tries to exploit CVE-2013-2551
Summary
Later PHP confirmed that two servers were compromised and SSL private keys may have been stolen as well. Thus, php.net SSL certificates were revoked. It is still unknown how the attackers were able to compromise the servers.
What we learnt from this story: from normal user’s point of view - keep your software up to date and disable unnecessary plugins. Once again, it was just normal malware that PHP.net was serving - trying to exploit known and patched vulnerabilities. Hence, if everyone just kept their systems up to date, no harm would have been done to the end users.