Git internal Servers Breached and Hackers Add Backdoor to Source Code on PHP

Posted on by Dawna M. Roberts in News April 02, 2021

 Another in an ongoing series of hackers attacking developer resources, last week The Bleeping Computer reported that the PHP Git repository was hacked in an attempt to add a backdoor to the PHP source code. 

What Happened?

Yesterday two maliciously tainted files were uploaded to and signed by two actual PHP developers (Rasmus Lerdorf and Nikita Popov) to appear legitimate.

The files were core PHP code which is scary since almost 80% of the internet runs off PHP code. The Bleeping Computer said that the hackers posted a comment implying that the upload was to fix a “typo” in the code.

According to The Bleeping Computer instead of a fix, line “370 where zendevalstring function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP.”

Michael Voříšek is the first person to notice the code issue, which uses the useragent HTTP header to execute malicious code. The Bleeping Computer interviewed Nikita Popov by email, and the developer said that
“The first commit was found a couple of hours after it was made, as part of routine post-commit code review. The changes were rather obviously malicious and reverted right away.”

How Has PHP Responded?

An investigation showed that the hackers had not compromised the developer accounts but the server itself, which was alarming. As a result, PHP has decided to migrate official PHP code to GitHub and decommission their server altogether. PHP officials commented that “While the investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk and that we will discontinue the server.”

Popov further commented that “Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.” They also noted that all changes and updates going forward will be updated to GitHub directly and that any contributing developers must be added to the PHP organization on GitHub.

Anyone interested can read the full security announcement here. Those who will be joining must have 2-factor authentication turned on in their GitHub account.

The company is examining all code committed to the server to look for any additional compromised files. Because of the quick discovery and response, PHP does not believe that the malicious code made it into “any tags or release artifacts.”

The affected files were part of a development version of PHP 8.1 that won’t be released to the public until later this year.

What is PHP?

PHP is a server-side programming language used for building websites and web applications. It was developed in 1994 by Rasmus Lerdorf, a Danish-Canadian programmer. The acronym originally stood for “Personal Home Page” but was later changed to “HP: Hypertext Preprocessor.”

PHP is the backbone for many content management systems (WordPress, Drupal, Joomla, etc.). PHP only works on servers with it installed. Most hosting companies support PHP. PHP is open-source and free to use.

PHP is relatively easy to learn as opposed to other programming languages. It is regularly updated and well supported, which makes it a popular choice among new developers. PHP works seamlessly with MYSQL, and you can also use it with other databases like Postgres, Oracle, MS SQL Server, and ODBC, among others. It can easily be integrated within HTML code, making it light and easy to use.

Roughly 20 million websites and applications use PHP code. Due to its wide use and gaining popularity, the attack on PHP source code is extremely alarming. Had the new version been rolled out with malicious code included, millions of potential victims could have been affected. Thankfully, PHP has a process in place for new commits that checks every line of code for anything suspicious. This time, the crisis was averted.

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagram’s c... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “Alien” is ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the country, ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of the... Read More

Scan Your Records for Breaches, Leaks & Exposures!