VISITORS to the PHP.net website are being advised that they are at risk of malware infection.
A post on its website said that it first became aware of the issue yesterday when Google alerted it to a problem.
"This looked suspicious to us as well, but it was actually written to do exactly that so we were quite certain it was a false positive, but we kept digging."
The firm pored over access logs until it found a file that apparently had been altered by someone.
"It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted," it added.
"Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion. We are still investigating how someone caused that file to be changed."
Since then the firm has continued an audit of its systems and has removed two compromised servers from its network. PHP.net users should expect to receive password change notifications in the next couple of days.
Fabio Assolini, a senior security researcher at Kaspersky, said that the exploit used a "malicious iframe pointing to Magnitude Exploit Kit [to drop] a Tepfer Trojan". µ
Sign up for INQbot – a weekly roundup of the best from the INQ