Unidentified attackers broke into the official Git server of the PHP programming language and pushed unauthorized updates that inserted a hidden backdoor into the source code. The modification arrived as two malicious commits pushed to the self-hosted “php-src” repository on the server git.php.net. The action took place yesterday, March 28, and was carried out under the illegitimately used names of two developers: Rasmus Lerdorf, one of the PHP authors, and Nikita Popov, a software developer at JetBrains and also a PHP administrator.
Around 8 pm Brasília time, Popov published a statement explaining the incident: “Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo under the names of Rasmus Lerdorf and me. We still don’t know exactly how it happened, but everything points to a compromise of the git.php.net server (rather than a compromise of an individual git account). While the investigation is still ongoing, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and we are going to discontinue the git.php.net server. Instead, the repositories on GitHub, which used to be just mirrors, will become canonical. This means that changes should be pushed directly to GitHub instead of going to git.php.net.

Although write access to the repositories was previously handled through our in-house karma system, you now need to be part of the php organization on GitHub. If you are not yet part of the organization, or do not have access to a repository to which you should have access, contact me at [email protected] with your php.net and GitHub account names, as well as the permissions you are currently losing. Organization membership requires 2FA to be enabled. This change also means that it is now possible to merge pull requests directly from the GitHub web interface. We are reviewing the repositories for any corruption beyond the two referenced commits. Get in touch with [email protected] if you notice something.”
The changes, labelled “Correcting a typo” in an attempt to mislead, contained code that allowed the execution of arbitrary PHP code. “This line executes the PHP code from within the HTTP useragent header (“HTTP_USER_AGENTT”), if the string starts with ‘zerodium’,” said PHP developer Jake Birchall. In addition to reverting the changes, PHP maintainers are reviewing the repositories. It is not yet clear whether the tampered code base was downloaded and distributed before the changes were detected and reverted.
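The only trigger the article describes is a request header value beginning with “zerodium”, which gives defenders a simple indicator to look for in web server logs. The following Python script is an added example written for this page, not code from the article or from the PHP project: it parses access-log lines in the common “combined” format and flags any request whose logged header value starts with that string. It assumes the server’s log format records the header the article names in its final quoted field (a standard combined log records User-Agent, so a server would need a custom LogFormat to capture a differently named header); the log lines, IP addresses and timestamps are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Regex for the Apache/nginx "combined" log format. The last quoted field is
# the header value we inspect (User-Agent in a default configuration).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator taken from the article: the backdoor fired when the header value
# started with "zerodium". Matching case-insensitively is an assumption made
# here so that trivial case variations of the string are not missed.
TRIGGER_PREFIX = "zerodium"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a combined-format log line, or None if the
    line does not match the expected layout."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_trigger_ua(ua: str) -> bool:
    """True if the header value starts with the indicator string."""
    return ua.strip().lower().startswith(TRIGGER_PREFIX)


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and return the parsed fields of every request whose
    header value matches the indicator. Unparsable lines are skipped."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        if is_trigger_ua(fields["ua"]):
            hits.append(fields)
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, invented
# timestamps). Two of them carry the indicator, one is not a log line at all.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Mar/2021:10:14:58 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [29/Mar/2021:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "zerodium-probe (constructed)"',
    '203.0.113.5 - - [29/Mar/2021:10:15:03 +0000] "POST /login.php HTTP/1.1" 403 0 "-" "ZeroDium scanner"',
    '192.0.2.9 - - [29/Mar/2021:10:16:00 +0000] "GET /about HTTP/1.1" 404 0 "https://example.test/" "curl/7.68.0"',
    "not a log line",
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} "{hit["request"]}" ua={hit["ua"]!r}')
```

Run against a real log with `find_suspicious(open("access.log").readlines())`. A match only shows that a request carrying the indicator reached the server; whether the build in use actually contained the malicious commits has to be established separately, by checking the deployed source against a clean copy of the repository.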
With international news agencies