Hacker Plants Backdoor Code After Breaching Official PHP Software Repository

An unknown actor breached the official PHP Git repository and inserted backdoor code disguised as a routine edit.

Repository maintainer Nikita Popov said the attacker added two commits to the php-src repo that contained a backdoor enabling remote code execution (RCE).

The attacker reportedly signed the commits, titled “Fix Typo”, under Popov’s name and that of PHP creator Rasmus Lerdorf on March 28.

“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” said Popov.

PHP developer Jake Birchall explained that because the backdoor commits were labelled as a “Fix Typo”, they went undetected and would have allowed the execution of arbitrary PHP code.

“This line executes PHP code from within the User-Agent HTTP header (“HTTP_USER_AGENTT”), if the string starts with ‘zerodium’,” said Birchall.
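A defender-side check for the trigger Birchall describes, added here as an example that is not code from the PHP project or from the article. It parses a raw HTTP request header block and flags the telltale header name (in CGI terms, `HTTP_USER_AGENTT` corresponds to a request header literally named `User-Agentt`) and the `zerodium` value prefix; the request samples are constructed.

```python
"""Flag HTTP requests matching the backdoor trigger described in the article."""
from typing import Dict, List

# Assumption: HTTP_USER_AGENTT is the CGI form of a header named "User-Agentt",
# i.e. the standard User-Agent name with an extra trailing "t".
TRIGGER_HEADER = "user-agentt"
TRIGGER_PREFIX = "zerodium"


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 request (request line + headers) into a dict keyed
    by lowercase header name. Repeated headers are joined with ', '."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def suspicious_findings(headers: Dict[str, str]) -> List[str]:
    """Return human-readable reasons a request looks like a trigger attempt."""
    findings = []
    if TRIGGER_HEADER in headers:
        findings.append(f"non-standard header {TRIGGER_HEADER!r} present")
    for name, value in headers.items():
        # Cover both the real User-Agent and the misspelled variant.
        if name.startswith("user-agent") and value.lower().startswith(TRIGGER_PREFIX):
            findings.append(f"{name} value starts with {TRIGGER_PREFIX!r}")
    return findings


def flagged_requests(raw_requests: List[str]) -> List[int]:
    """Indexes of requests in raw_requests that produced at least one finding."""
    return [i for i, raw in enumerate(raw_requests)
            if suspicious_findings(parse_headers(raw))]


# Constructed samples: one benign request, one using the misspelled header,
# one using the trigger prefix in the ordinary User-Agent header.
BENIGN = "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
MISSPELLED_HEADER = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
                     "User-Agentt: zerodium<constructed placeholder>\r\n\r\n")
PREFIX_ONLY = "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: zerodium probe\r\n\r\n"

if __name__ == "__main__":
    for i in flagged_requests([BENIGN, MISSPELLED_HEADER, PREFIX_ONLY]):
        print(i, suspicious_findings(parse_headers([BENIGN, MISSPELLED_HEADER, PREFIX_ONLY][i])))
```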

Popov said the development team did not yet know how the breach happened, but suspected that the official git.php.net server itself had been compromised.

The repo maintainers said they are reviewing the repositories for any further tampering, but they also do not know whether the tampered codebase was downloaded and distributed elsewhere by the attackers.

As a result of the breach, the development team has decided to migrate permanently to GitHub.

“We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server,” said Popov.

© Fourth Estate® — All Rights Reserved.