Secret Backdoor was found in PHP’s Git Server Source Code

PHP’s Git Server Compromised

In a recent software supply chain attack, the official PHP Git server (git.php.net) was compromised: the attackers were able to push unauthorized commits and, through them, insert a malicious backdoor into the PHP source code.


The attack apparently took place on the 23rd of March (yesterday). The malicious commits were pushed under the names of the creator of the PHP programming language, Rasmus Lerdorf, and of a JetBrains developer and PHP maintainer, Nikita Popov, so that they would look like routine changes from trusted contributors.

According to Nikita Popov, it is most likely that the main git.php.net server was compromised rather than an individual user account.

Measures taken to deal with the attack

At the time of writing, the PHP maintainers are reverting the known malicious changes on the server and are also auditing the repositories for additional changes that may not have been discovered yet. It is currently unclear whether any of the affected code was downloaded from the server and distributed to third parties before the administrators became aware of the unauthorized commits.

One of the measures taken by the maintainers is migration to GitHub of the code repository which means that, from now on, changes to the code will go directly to GitHub and not to git.php.net. Another precaution will be that, in order to contribute to the PHP project, users (developers) will now have to be verified members of the GitHub organization.

The “dependency confusion” attack model

This attack comes nearly two months after a newly described supply chain attack model, named “dependency confusion”, was demonstrated by researchers to warn developers of the threat it represents. The model can be used to slip malicious code into an internal software build, and it relies on the fact that a given piece of software often pulls in components from both public and private package sources. The attack works as follows: the attackers publish to the public repository a package carrying the same name as a private, internal component but a higher version number; the build tooling, preferring the newest version it can find, automatically fetches the public copy and so downloads the malicious code without any action or consent from the user.
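The resolution logic behind the dependency confusion model described above, as an added example that is not part of the original article: a naive resolver that merges a private and a public index and picks the highest version, beside a hardened resolver that binds internal package names to the private index only, plus an audit helper that lists internal names which also exist publicly. All package names, versions and index contents are constructed sample data.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample indexes. "acme-billing" is an internal package; an attacker has
# published a public package of the same name with a much higher version number.
PRIVATE_INDEX: Dict[str, List[str]] = {"acme-billing": ["1.4.2"], "acme-auth": ["2.0.0"]}
PUBLIC_INDEX: Dict[str, List[str]] = {"requests": ["2.31.0"], "acme-billing": ["99.0.0"]}
INDEXES: Dict[str, Dict[str, List[str]]] = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}
# Allow-list of names that must never be fetched from the public index.
INTERNAL_NAMES: FrozenSet[str] = frozenset(PRIVATE_INDEX)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name: str, indexes: Dict[str, Dict[str, List[str]]]) -> Optional[Tuple[str, str]]:
    """Vulnerable behaviour: merge every index and take the highest version, whatever
    its origin. Returns (version, index_name) or None if the package is unknown."""
    candidates = []
    for index_name, index in indexes.items():
        for version in index.get(name, []):
            candidates.append((parse_version(version), version, index_name))
    if not candidates:
        return None
    _, version, index_name = max(candidates)
    return version, index_name


def resolve_hardened(name: str, indexes: Dict[str, Dict[str, List[str]]],
                     internal_names: FrozenSet[str]) -> Optional[Tuple[str, str]]:
    """Mitigation: an internal name is resolved only against the private index and
    never falls back to the public one, so a higher public version cannot win."""
    if name in internal_names:
        allowed = {"private": indexes["private"]}
    else:
        allowed = {"public": indexes["public"]}
    return resolve_naive(name, allowed)


def audit_collisions(private_index: Dict[str, List[str]],
                     public_index: Dict[str, List[str]]) -> List[str]:
    """Defender check: internal names that already exist on the public index."""
    return sorted(set(private_index) & set(public_index))


if __name__ == "__main__":
    print("naive:   ", resolve_naive("acme-billing", INDEXES))
    print("hardened:", resolve_hardened("acme-billing", INDEXES, INTERNAL_NAMES))
    print("collisions:", audit_collisions(PRIVATE_INDEX, PUBLIC_INDEX))
```

The naive resolver picks the attacker's 99.0.0 from the public index, while the hardened one returns the internal 1.4.2; in real tooling the same effect is obtained by scoping internal names to the private registry rather than merging indexes.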


About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.


HowToRemove.Guide © 2024. All Rights Reserved.
