Slashdot Mirror


PHP.net Compromised

An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its Javascript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the hacker news thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."

13 of 189 comments

  1. Oh the irony by killerzax · · Score: 5, Funny

    Let me guess, they got in through a PHP vulnerability?

    1. Re:Oh the irony by ArcadeMan · · Score: 5, Funny

      It's Microsoft's fault. The URL for PHP is php.net, which means it's .NET and hence the reason for being compromised.

      The malware was distributed via Javascript, which has Java in its name, which means it's also Oracle's fault.

  2. It was already a dangerous site to visit ... by c0d3g33k · · Score: 5, Funny

    ... it introduced visitors to PHP.

    1. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 4, Insightful

      Silverlight and .Net are the same. Silverlight is simply a subset of .Net that runs in a browser plugin environment. Flash runs like that more commonly than not. Java came with a browser plugin from day 1. Silverlight was simply a catch-up attempt by Microsoft, back before HTML5 made those plugins irrelevant. Throw it in the too-little-too-late bag, but don't confuse it with a real framework.

      Also, you're wildly misinformed about the extent of lock-in. Flash is single-vendor, but there are several knock-offs that claim at least partial compatibility. The rest of your examples aren't even close to locked-in. .Net is multi-vendor, as there are several non-Microsoft versions of it (Mono isn't the only one). Java has even more vendors, providing various JVMs and front-end languages that will compile to bytecode. Heck, one of the most widely used Java app servers is Tomcat, and that's made by Apache. It can be paired with any of the compliant JVMs with relative ease.

      Meanwhile, the GP is getting all angry about someone insulting their language of choice. Lighten up. Nobody is going to take away your precious PHP. Hell, my career got its start as a "professional PHP developer". Even at the time, it was something I joked about, and this was a decade ago.

      The fact is, PHP is ridiculously easy to use, even for a newbie developer. And because of that, there are a lot of newbies using PHP, making the mistakes that newbies inevitably make. This would be OK if they were still in school or developing a Personal HomePage (thanks, retconning!), but when they make this crap in the workforce, it crystallizes into production code and then we (all of us) have to maintain their steaming pile of newbieness forever. Mostly, I blame management for allowing this to happen. But it's much easier to fight off newbies and their PHP by requiring more newbie-proof development technologies in the workplace.

      I'm a programmer that does web, web service, desktop, command line, and mobile development for large scale data management and real-time reporting. I no longer use PHP because it is incapable of doing what the software I write does. It's simply the wrong tool for the job, including the web portions. If you want to introduce yourself to web programming, by all means, use PHP. And once you've learned it, know HTTP inside and out, know request/response interplay like the back of your hand, and can set headers, dynamically generate formatted and unformatted data, and in general, use the response body as your bitch, then you don't need PHP anymore and can (and should) move up to something more scalable.

      And before you say "PHP is scalable because Facebook uses it", keep in mind what the parent post already noted (emphasis mine):

      Facebook uses a special version of it.

      Facebook's version is scalable and has good performance. Stock PHP is mediocre. And you can't afford Facebook's clustering and load-balancing setup.

    2. Re:It was already a dangerous site to visit ... by csnydermvpsoft · · Score: 4, Interesting

      It's not that hard to be careful - just avoid the com.sun.* and sun.* namespaces. Eclipse even filters those out (of autocomplete and Organize Imports) in the default configuration.

    3. Re: It was already a dangerous site to visit ... by Spudley · · Score: 4, Insightful

      Listen, moron. PHP is GARBAGE and anyone who defends it is a clueless fool.

      Find me a language without major design flaws, and I'll show a language that hardly anyone actually uses.

      --
      (Spudley Strikes Again!)
    4. Re: It was already a dangerous site to visit ... by AuMatar · · Score: 4, Insightful

      That is quite possibly the worst idea I've ever heard. So I either have a hash lookup on each parameter on every function call (which will CRUSH performance in any language), or a very complicated system for the compiler to implement. Then as a user I not only need to remember what the parameters are for every function, but what they were named? Which basically means it would need to be looked up every time, because I am not remembering all that. You're looking at an order of magnitude slowdown in writing code. Just a stupid idea.

      --
      I still have more fans than freaks. WTF is wrong with you people?
  3. I can predict the future by SmallFurryCreature · · Score: 5, Insightful

    I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.

    But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and unnecessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.

    Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.

    But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...

    Oh wait.

    I can predict the future, I am going to die a bitter and angry nerd.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:I can predict the future by dkleinsc · · Score: 4, Informative

      I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages massive security failures in the often not so distant past.

      You know, I'm going to have to disagree with you on this one.

      I'm not saying that other languages are perfect, far from it. But the PHP world, by and large, is inhabited by people who don't really understand security. I've worked in it for a long time, and in every single application and library written in PHP that I encounter, I find results that show signs of knowing of, for instance, the existence of concepts called "SQL injection" and "XSS attack" but no understanding of what those things actually mean beyond taking some boilerplate kinda-solution in most but not all relevant locations.

      By contrast, the libraries that Java and Python and Ruby provide, both out of the box and in third-party packages, tend to have been designed to make those kinds of attacks difficult to open yourself up to. The documentation for those packages emphasizes the security risks and concerns, the developer communities do everything they can to reduce those risks, and the result is that there are fewer minefields.

      And that is why, in this paper, a whopping 80% of SQL injection and a disproportionately high number of XSS vulnerabilities are from projects that were written in PHP. It's possible to do the right thing in that language, but the evidence is fairly strong that developers focused primarily on PHP don't.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  4. Re:You Sound Like One Of Those by ArcadeMan · · Score: 4, Funny

    Here's a better URL without all the superfluous Web 2.0 crap around it.

  5. Re:You Sound Like One Of Those by narcc · · Score: 4, Insightful

    Well, the strip is from 1995. Did you expect them to convert the whole archive to PNG just to make a few nerds feel better?

  6. Re:So it wasn't hacked, and Google fucked up... by Anonymous Coward · · Score: 4, Informative

    I'm concerned about this initial response. It is definitely wrong, unless they INTENDED to link to malicious code. The article in the header has an actual PCAP of an actual successful infection, including the data from the injected iframe, the malicious SWF files, and the PE payload they fetched. There's no doubt about this. I can confirm the payload is live.

    See also: https://news.ycombinator.com/item?id=6604251

    I'm more than idly curious if we can reach PHP.net via some other medium than their site which we surmise has been compromised, or if this is some form of coerced or deliberate backdoor.

    However, what I think has happened is that this is the product of an Apache module: it's only serving the bad code once to any IP, and the access logs of course won't show it. You cannot trust the logs produced by a potentially-rooted computer.

    This appears to be a targeted watering-hole attack. This is certainly not a mere false positive. And there seems to be an awful lot of people trying hard to dismiss it. That said, this payload doesn't quite match any exploit kit I recognise.

    And then I think who is high-profile, has a botnet that looks rather like this one, has what you could describe as a PR department, and could coerce PHP or Google into lying... and well, a certain agency comes to mind. Has someone taken Genie over, or is it still under the same C&C? Have they, or it, gone rogue as part of Turbine? Are they actually launching? I don't know, because the C&C just went dead...
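The defender-side check the comment above implies, written here as an added example and not code from the thread or from php.net: fetch a copy of the page from outside the host, hash it against a stored known-good baseline, and flag off-site script sources and hidden iframes. TRUSTED_HOSTS, the host bad-cdn.example and both HTML samples are assumptions constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples, not real php.net content: a known-good copy of a page and
# the same page as served by a tampered host, with an extra off-site script and a
# hidden iframe. bad-cdn.example is a hypothetical attacker-controlled host.
BASELINE_HTML = """<html><head><script src="/js/common.js"></script></head>
<body><h1>Docs</h1></body></html>"""
TAMPERED_HTML = """<html><head><script src="/js/common.js"></script>
<script src="http://bad-cdn.example/loader.js"></script></head>
<body><h1>Docs</h1>
<iframe src="http://bad-cdn.example/x.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Hosts the site legitimately loads resources from (assumed allowlist).
TRUSTED_HOSTS = {"www.example.org", "static.example.org"}
BASELINE_SHA256 = hashlib.sha256(BASELINE_HTML.encode()).hexdigest()


def _is_hidden(a):
    """Zero-sized or display:none iframes are a common injection marker."""
    style = (a.get("style") or "").replace(" ", "").lower()
    return a.get("width") == "0" or a.get("height") == "0" or "display:none" in style


class ResourceCollector(HTMLParser):
    """Records script/iframe sources that point off-site, and hidden iframes."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname  # None for relative URLs
        if host and host not in TRUSTED_HOSTS:
            self.findings.append(f"external {tag}: {src}")
        if tag == "iframe" and _is_hidden(a):
            self.findings.append(f"hidden iframe: {src}")


def audit_page(html, baseline_sha256):
    """Compare a copy fetched from an outside vantage point against the stored
    baseline hash and list suspicious tags. Fetching externally matters because a
    rooted host's own files and access logs cannot be trusted."""
    digest = hashlib.sha256(html.encode()).hexdigest()
    collector = ResourceCollector()
    collector.feed(html)
    return {"matches_baseline": digest == baseline_sha256, "findings": collector.findings}
```

Since the comment notes the bad code was served only once to any IP, repeat the fetch from several vantage points; a single clean response proves nothing.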

  7. Uh oh... by edibobb · · Score: 4, Funny

    I happened to update php on my web server today. Did I get some additional free software out of the deal?