
PHP.net Compromised

Posted by timothy
from the stay-safe-out-there dept.
An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its JavaScript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the hacker news thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."


  • by Zachariah Day (2882443) on Thursday October 24, 2013 @03:38PM (#45227555)
    Let me guess, they got in through a PHP vulnerability?
  • by c0d3g33k (102699) on Thursday October 24, 2013 @03:38PM (#45227565)

    ... it introduced visitors to PHP.

      • Almost every language in common use has some stupid ideas in it that make one want to slap the makers. (Although maybe PHP deserves 2 slaps.) A lot of it is stretch marks from growth. Any successful language (usage-wise) that's been around a while will probably have battle scars. New languages don't have enough features, and mature languages have convoluted features due to growth and the maturing process.

      • by narcc (412956)

        Know what's sad? You don't know how awful that page really is. You actually think it contains something of value.

        Here's a fun exercise. From that pile of garbage, make a list of points of fact, eliminating any point that is opinion.

        Now that you've reduced the content of that page significantly, eliminate any point that's flat-out wrong. Now eliminate any point that also applies to other popular languages.

        Still think PHP is a "fractal of bad design"?

        It looks like he got rid of the NaN != NaN nonsense poi

  • by SmallFurryCreature (593017) on Thursday October 24, 2013 @03:48PM (#45227709) Journal

    I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay; when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.

    But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and unnecessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.

    Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.

    But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...

    Oh wait.

    I can predict the future, I am going to die a bitter and angry nerd.

    • Security. If you do it right, everyone thinks you have wasted your time. If you do it wrong, it is all your fault. - SmallFurryCreature

      Thanks for the new quote.

    • I can predict the future, I am going to die a bitter, lonely and angry nerd.
    • by freeze128 (544774)

      But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it... Oh wait. I can predict the future, I am going to die a bitter and angry nerd.

      At least you will have lots of company in the afterlife.

    • by styrotech (136124)

      I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay; when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.

      Ruby? Don't you mean Rails? That wasn't a problem with Ruby itself. Just like Wordpress bugs are not PHP bugs. I'm deliberately not including application bugs - the track

      • by narcc (412956)

        PHP has been objectively worse than practically every other language.

        Objectively, you say?

        Give it a go. How is it "objectively" worse than other popular languages?

        This ought to be hilarious!

        • by styrotech (136124)

          Note the context you neglected was core language design mistakes rather than implementation mistakes. Implementation mistakes, while bad, can generally be fixed without breaking anything. PHP has had more than its fair share of those too.

          Compared with other languages I've used over the last 15 years, PHP has been the standout one that seems to have to put convenient but insecure-by-design functionality (e.g. register_globals, magic_quotes etc.) on a long, many-year cycle of recommending against using it, deprecatin

          • by narcc (412956)

            So you don't actually have an answer then.

            Color me surprised.

            "There was this one feature that was a potential security hole that has been disabled by default for more than a decade!" Doesn't exactly make your case!

            I'll gladly take back the word "objectively" though if you want to provide examples of other popular languages being just as bad as or worse than PHP in this respect.

            Languages with security issues they've been forced to fix? What's the comment size limit again? Do languages with massive security issues "by design" that cannot be fixed without fundamentally changing the language count as well?

            Pitiful. If you don't like PHP, fine. All I ask is that you don'

            • by styrotech (136124)

              It seems you are the one without an answer. Where are your examples that show other popular languages to be as bad as PHP has been then?

              The view that PHP doesn't have a comparatively shoddy security record is the extraordinary claim here and the one that needs evidence. I could just as well ask that your personal preference doesn't get in the way of you being rational and objective.

              As I said, I'll gladly retract my statement - just show me how other popular languages are as bad or worse.

    • by dkleinsc (563838) on Thursday October 24, 2013 @07:05PM (#45229733) Homepage

      I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages massive security failures in the often not so distant past.

      You know, I'm going to have to disagree with you on this one.

      I'm not saying that other languages are perfect, far from it. But the PHP world, by and large, is inhabited by people who don't really understand security. I've worked in it for a long time, and in every single application and library written in PHP that I encounter, I find results that show signs of knowing of, for instance, the existence of concepts called "SQL injection" and "XSS attack" but no understanding of what those things actually mean beyond taking some boilerplate kinda-solution in most but not all relevant locations.

      By contrast, the libraries that Java and Python and Ruby provide, both out of the box and in third-party packages, tend to have been designed to make those kinds of attacks difficult to open yourself up to. The documentation for those packages emphasizes the security risks and concerns, the developer communities do everything they can to reduce those risks, and the result is that there are fewer minefields.

      And that is why, in this paper [iseclab.org], a whopping 80% of SQL injection and a disproportionately high number of XSS vulnerabilities are from projects that were written in PHP. It's possible to do the right thing in that language, but the evidence is fairly strong that developers focused primarily on PHP don't.

    • by Alarash (746254)
      C#/.NET hasn't had a vulnerability in a long time. I know it's not popular around here because "Micro$oft durr durr" but it's a great language and a great framework. Run Mono if you don't like Microsoft.
    • by X.25 (255792)

      I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay; when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.

      But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and unnecessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.

      Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.

      But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...

      Oh wait.

      I can predict the future, I am going to die a bitter and angry nerd.

      I use Perl.

      How do I fit in here?

  • by sl4shd0rk (755837) on Thursday October 24, 2013 @04:09PM (#45228007)

    It's nice to finally have some company down here in the basement.
    -Java Plugin

    • What is this, 2007? They hit rock bottom and broke through. Java is in the 9th circle of hell at the moment.
  • From php.net:

    It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion.

    I'm idly curious if Google even

    • by Anonymous Coward on Thursday October 24, 2013 @06:35PM (#45229511)

      I'm concerned about this initial response. It is definitely wrong, unless they INTENDED to link to malicious code. The article in the header has an actual PCAP of an actual successful infection, including the data from the injected iframe, the malicious SWF files, and the PE payload they fetched. There's no doubt about this. I can confirm the payload is live.

      See also: https://news.ycombinator.com/item?id=6604251

      I'm more than idly curious if we can reach PHP.net via some other medium than their site which we surmise has been compromised, or if this is some form of coerced or deliberate backdoor.

      However, what I think has happened is that this is the product of an Apache module: it's only serving the bad code once to any IP, and the access logs of course won't show it. You cannot trust the logs produced by a potentially-rooted computer.

      This appears to be a targeted watering-hole attack. This is certainly not a mere false positive. And there seems to be an awful lot of people trying hard to dismiss it. That said, this payload doesn't quite match any exploit kit I recognise.

      And then I think who is high-profile, has a botnet that looks rather like this one, has what you could describe as a PR department, and could coerce PHP or Google into lying... and well, a certain agency comes to mind. Has someone taken Genie over, or is it still under the same C&C? Have they, or it, gone rogue as part of Turbine? Are they actually launching? I don't know, because the C&C just went dead...
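The php.net statement quoted above found the tampering by noticing that static.php.net served userprefs.js at the wrong content length for a few minutes at a time, and the comment above adds two limits on that approach: an injected server module may hand the bad content to each client address only once, and logs from a possibly rooted host cannot be trusted. The script below is an added illustration, not php.net's tooling or logs. The access-log lines are constructed for the example (only the file name userprefs.js comes from the thread); it reports every path served at more than one size, lists the timestamps and client addresses that received the minority size, and checks whether those odd responses went to distinct clients, which is the once-per-address pattern the comment describes:

```python
"""Flag a static file that is intermittently served with a different size.

Added example (not php.net's own code or logs). Parses Apache/nginx
combined-format access log lines and reports each path whose 200 responses
came back with more than one distinct byte count. The majority size is
assumed to be the legitimate file; every other size is reported as odd.
"""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: userprefs.js is normally 3201 bytes, but two clients
# received a 3887-byte version during a short window around 09:12-09:13.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2013:09:00:01 +0000] "GET /userprefs.js HTTP/1.1" 200 3201 "-" "Mozilla/5.0"
203.0.113.8 - - [24/Oct/2013:09:00:05 +0000] "GET /userprefs.js HTTP/1.1" 200 3201 "-" "Mozilla/5.0"
198.51.100.2 - - [24/Oct/2013:09:12:40 +0000] "GET /userprefs.js HTTP/1.1" 200 3887 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Oct/2013:09:13:02 +0000] "GET /userprefs.js HTTP/1.1" 200 3887 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2013:09:20:11 +0000] "GET /userprefs.js HTTP/1.1" 200 3201 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2013:09:20:12 +0000] "GET /styles/site.css HTTP/1.1" 200 1020 "-" "Mozilla/5.0"
203.0.113.8 - - [24/Oct/2013:09:20:13 +0000] "GET /styles/site.css HTTP/1.1" 304 - "-" "Mozilla/5.0"
198.51.100.3 - - [24/Oct/2013:09:21:00 +0000] "GET /styles/site.css HTTP/1.1" 200 1020 "-" "Mozilla/5.0"
"""


def parse_access_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = None if rec["size"] == "-" else int(rec["size"])
            yield rec


def size_profile(records):
    """Map path -> Counter of body sizes, counting only full (200) responses.

    304 and other statuses carry no body, so they say nothing about the file.
    """
    profile = defaultdict(Counter)
    for r in records:
        if r["status"] == "200" and r["size"] is not None:
            profile[r["path"]][r["size"]] += 1
    return profile


def find_inconsistent_paths(text):
    """Return {path: {"expected": majority_size, "odd": [(ts, ip, size), ...]}}
    for every path that was served at more than one size."""
    records = list(parse_access_log(text))
    profile = size_profile(records)
    findings = {}
    for path, sizes in profile.items():
        if len(sizes) < 2:
            continue
        expected = sizes.most_common(1)[0][0]
        odd = [(r["ts"], r["ip"], r["size"]) for r in records
               if r["path"] == path and r["status"] == "200"
               and r["size"] not in (None, expected)]
        findings[path] = {"expected": expected, "odd": odd}
    return findings


def odd_hits_are_unique_per_ip(finding):
    """True when no client address received the odd size more than once, the
    trace a server component that serves its payload once per IP would leave."""
    per_ip = Counter(ip for _ts, ip, _size in finding["odd"])
    return all(n == 1 for n in per_ip.values())


if __name__ == "__main__":
    for path, f in find_inconsistent_paths(SAMPLE_LOG).items():
        print(f"{path}: expected {f['expected']} bytes, {len(f['odd'])} odd responses,"
              f" one-per-IP={odd_hits_are_unique_per_ip(f)}")
        for ts, ip, size in f["odd"]:
            print(f"  {ts} {ip} {size} bytes")
```

Run it against a copy of the log that left the web server as it was written (a forwarded syslog stream or a log shipper's store), since the comment's point that a rooted host's own logs cannot be trusted applies to the file on disk as much as to the served content; pairing this with a remote fetch that records the hash of the file from several vantage points catches the case where nothing is logged at all.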

    • That doesn't sound like a denial that they were hacked, only that there was some confusion when they looked at the suspect file and found nothing wrong with it because it had been reverted.
    • by vilanye (1906708)

      Why should Google apologize because the php.net maintainers are idiots?

  • Uh oh... (Score:5, Funny)

    by edibobb (113989) on Thursday October 24, 2013 @09:54PM (#45230595) Homepage
    I happened to update php on my web server today. Did I get some additional free software out of the deal?
