Feeds

PHP.net breach: Concern over safety of source code

Poisoned well pondered

5 things you didn’t know about cloud backup

Maintainers of the PHP programming language spent the past few days scouring their source code for malicious modifications after discovering the security of one of their servers had been breached.

The compromise of wiki.php.net allowed the intruders to steal account credentials that could be used to access the PHP repository, the maintainers wrote in a brief note. They continue to investigate details of the attack, which exploited a vulnerability in the Wiki software and a separate security flaw in Linux. The site has been down since at least Friday.

“Our biggest concern is, of course, the integrity of our source code,” the maintainers wrote. “We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found.”

The current version of PHP, which was released last week, is 5.3.6.

All data on the compromised server has been wiped and the maintainers are forcing password changes for all accounts with access to the source repository.

The advisory omitted key details of the attack, including how long the compromise lasted, how many account credentials were stolen and whether the passwords were securely hashed, as security best practices dictate. PHP maintainers hadn't responded to a request for comment at time of writing.

Word of the attack began circulating on Friday on underground web forums monitored by researchers from France-based Vupen Security. Based on discussions that took place there, the compromise of wiki.php.net appears to have originated from a “Chinese hacker who exploited a vulnerability in the Wiki application (DokuWiki) installed on the server,” Vupen CEO Chaouki Bekrar wrote in an email to The Reg. The attacker “then used a privilege escalation exploit to take complete control of the host system.”

Friday was the same day that a blog post from December resurfaced that raised additional concerns about the integrity of source code available from the PHP repository. Developer Hannes Magnusson said someone was able to make unauthorized modifications to code he had submitted after his account credentials were compromised.

The changes were limited to the insertion of the name "Wolegequ Gelivable" to the credit list of a specific piece of code, rather than malicious modifications. And the unauthorized code was detected within 10 minutes. Nonetheless, the incident prompted concern.

“Its not a great feeling to have your account hacked into, but I do wonder what the intentions were,” Magnusson wrote. “Maybe just an credentials check, which was supposed to be followed by evil commits if noone had spotted the first one? The Chinese government trying to introduce security holes so they can break into PHP websites?”

PHP is an extremely popular language that allows developers to create webpages with dynamically generated content. In 2007 it formed the underpinnings for 20 million domains, according to figures attributed to Netcraft. Websites including Facebook, Yahoo, Wikipedia and WordPress use it extensively.

The attacks aren't the first to hit repositories for a popular open-source software project. In December, the primary distribution channel for the Free Software Foundation was taken down following an attack that compromised some of the website's account passwords and may have given the attacker unfettered administrative access. In May, PHP-Nuke was purged of a nasty infection that for four days attempted to install malware on visitors' machines. ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?