
PHP.net hacked and malware injected

Visitors are in a compromised position
Fri Oct 25 2013, 12:16

VISITORS to the PHP.net website are being advised that they are at risk of malware infection.

A post on its website said that it first became aware of the issue yesterday when Google alerted it to a problem.

It said that after receiving the malware alert it began investigating, and it is apparently still doing so. "Google Webmaster Tools were initially quite delayed in showing the reason why and when they did it looked a lot like a false positive because we had some minified/obfuscated javascript being dynamically injected into userprefs.js," it said.

"This looked suspicious to us as well, but it was actually written to do exactly that so we were quite certain it was a false positive, but we kept digging."

The firm pored over access logs until it found a file that apparently had been altered by someone.

"It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted," it added.

"Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion. We are still investigating how someone caused that file to be changed."
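The log check described in the quotes above can be sketched as follows. This is an added example, not PHP.net's own tooling: it assumes a combined-format access log, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in "combined" log format: documentation-range IPs,
# invented times and sizes. Real input would be the static host's access log.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /userprefs.js HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2024:10:04:12 +0000] "GET /styles/site.css HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.12 - - [01/Jan/2024:10:07:45 +0000] "GET /userprefs.js HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
192.0.2.13 - - [01/Jan/2024:10:31:02 +0000] "GET /userprefs.js HTTP/1.1" 200 3127 "-" "Mozilla/5.0"
192.0.2.14 - - [01/Jan/2024:10:32:40 +0000] "GET /userprefs.js?v=2 HTTP/1.1" 200 3127 "-" "Crawler/1.0"
192.0.2.15 - - [01/Jan/2024:10:33:05 +0000] "GET /userprefs.js HTTP/1.1" 304 - "-" "Mozilla/5.0"
192.0.2.16 - - [01/Jan/2024:10:36:19 +0000] "GET /userprefs.js HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
192.0.2.17 - - [01/Jan/2024:10:40:00 +0000] "GET /styles/site.css HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.18 - - [01/Jan/2024:10:41:30 +0000] "GET /styles/site.css HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.19 - - [01/Jan/2024:10:44:51 +0000] "GET /userprefs.js HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) (?P<size>\d+|-)')

def full_responses(lines):
    """Yield (timestamp, path, bytes) for complete bodies only: GET + 200.
    304/206/HEAD carry no body or a partial one and would be false positives."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["method"] == "GET" and m["status"] == "200" and m["size"] != "-":
            yield m["ts"], m["path"].split("?", 1)[0], int(m["size"])

def size_anomalies(lines, min_hits=3):
    """Per static path, treat the most common body size as the baseline and
    report every full response that was served with a different size."""
    by_path = defaultdict(list)
    for ts, path, size in full_responses(lines):
        by_path[path].append((ts, size))
    findings = {}
    for path, hits in by_path.items():
        if len(hits) < min_hits:
            continue  # too few samples to call any size "normal"
        baseline = Counter(size for _, size in hits).most_common(1)[0][0]
        odd = [(ts, size) for ts, size in hits if size != baseline]
        if odd:
            findings[path] = {"baseline": baseline, "odd": odd}
    return findings

if __name__ == "__main__":
    for path, f in size_anomalies(SAMPLE_LOG.splitlines()).items():
        print(path, "baseline", f["baseline"], "deviations", f["odd"])
```

A file served both compressed and uncompressed legitimately has more than one size, so split the counts by encoding or log the uncompressed length before treating a deviation as tampering. The timestamps of the deviations give the windows to compare against cron and sync schedules.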

Since then the firm has continued an audit of its systems and has removed two compromised servers from its network. PHP.net users should expect to receive password change notifications in the next couple of days.

Fabio Assolini, a senior security researcher at Kaspersky, said that the exploit used a "malicious iframe pointing to Magnitude Exploit Kit [to drop] a Tepfer Trojan". µ

 
