• PHP repo compromised [twice], moved to github

    From Big Bad Bob@21:1/5 to Big Bad Bob on Tue Mar 30 12:41:18 2021
    On 2021-03-30 12:35, Big Bad Bob wrote:
    Similarly, FreeBSD ports have tarballed source with MD5 and size
    checksums that disallow installing modified source.

    and SHA256, which is really the one I meant to say [MD5 is still there
    though for older ones at least, I just had a brainfart that's all]



    --
    (aka 'Bombastic Bob' in case you wondered)

    'Feeling with my fingers, and thinking with my brain' - me

    'your story is so touching, but it sounds just like a lie'
    "Straighten up and fly right"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
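The two posts above lean on the FreeBSD ports model: a distfile is only installed if its SHA256 and size match the recorded distinfo. The following Python is an added example (editor's code, not the ports framework's own `fetch`/`checksum` targets and not anything from the thread) of that check: it parses distinfo-style `ALGO (file) = value` lines, compares size first and then a streamed SHA256, and rejects a record that carries only MD5, since a collision-broken digest should not gate source installs. The filename, tarball bytes and timestamp are constructed for the demo; the distinfo is generated from those bytes so the example runs offline.

```python
import hashlib
import os
import re
import tempfile

# A distinfo-style record line: "ALGO (filename) = value", e.g.
#   SHA256 (example-1.0.tar.xz) = 9f86d0...
#   SIZE (example-1.0.tar.xz) = 1234
_RECORD = re.compile(r"^(?P<key>[A-Z0-9]+) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Parse distinfo text into {filename: {"SHA256": hex, "SIZE": int, ...}}."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        m = _RECORD.match(line)
        if not m:
            raise ValueError("unparseable distinfo line: %r" % line)
        key, value = m["key"], m["value"]
        entry = records.setdefault(m["name"], {})
        entry[key] = int(value) if key == "SIZE" else value.lower()
    return records


def verify_distfile(path, expected, chunk=1 << 16):
    """Check a downloaded file against its distinfo entry.

    Returns (ok, reason). Size is compared first because it is cheap, then
    SHA256 is streamed over the file. A record that carries only MD5 is
    rejected: MD5 is collision-broken, so it must not gate source installs.
    """
    if "SHA256" not in expected:
        return False, "no SHA256 record (MD5-only distinfo is not trusted)"
    if "SIZE" in expected:
        actual = os.path.getsize(path)
        if actual != expected["SIZE"]:
            return False, "size mismatch: %d != %d" % (actual, expected["SIZE"])
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    digest = h.hexdigest()
    if digest != expected["SHA256"]:
        return False, "sha256 mismatch: %s != %s" % (digest, expected["SHA256"])
    return True, "ok"


def demo():
    """Run the check on a constructed tarball: clean, appended-to, bit-flipped, MD5-only."""
    name = "example-1.0.tar.xz"                        # constructed filename, not a real distfile
    clean = b"\xfd7zXZ\x00" + bytes(range(256)) * 8    # constructed payload (xz magic + filler)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(clean)
        # distinfo as the ports tree would record it for this (constructed) file
        distinfo = "TIMESTAMP = 1616000000\nSHA256 (%s) = %s\nSIZE (%s) = %d\n" % (
            name, hashlib.sha256(clean).hexdigest(), name, len(clean))
        expected = parse_distinfo(distinfo)[name]
        results["clean"] = verify_distfile(path, expected)

        with open(path, "ab") as f:                    # modified source: something appended
            f.write(b"<?php /* injected */ ?>")
        results["appended"] = verify_distfile(path, expected)

        flipped = bytearray(clean)
        flipped[100] ^= 0x01                           # same size, one bit changed
        with open(path, "wb") as f:
            f.write(flipped)
        results["flipped"] = verify_distfile(path, expected)

        with open(path, "wb") as f:
            f.write(clean)
        md5_only = parse_distinfo("MD5 (%s) = %s\n" % (name, hashlib.md5(clean).hexdigest()))[name]
        results["md5_only"] = verify_distfile(path, md5_only)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print("%-9s %s  %s" % (case, "PASS" if ok else "FAIL", reason))
```

The size check catches the cheap case (an appended backdoor) before any hashing is done; the bit-flip case shows why size alone is not enough. Note that the digest protects only against a modified download: if the distinfo itself was generated from an already-backdoored upstream tarball, it verifies fine, which is why a compromise of the canonical repository matters even for packagers.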
  • From Big Bad Bob@21:1/5 to All on Tue Mar 30 12:35:45 2021
    https://www.theregister.com/2021/03/29/php_repository_infected/

    This one's pretty new... from 3/28

    "The main code repository for PHP, which powers nearly 80 per cent of
    the internet, was breached to add malicious code and is now being moved
    to GitHub as a precaution."

    <quote>
    "Yesterday (2021-03-28) two malicious commits were pushed to the php-src
    repo from the names of Rasmus Lerdorf and myself. We don't yet know how
    exactly this happened, but everything points towards a compromise of the
    git.php.net server (rather than a compromise of an individual git
    account)," said PHP maintainer Nikita Popov, who works with the PHP team
    at JetBrains.
    </quote>

    and the nature of the breach:

    "This line executes PHP code from within the useragent HTTP header, if
    the string starts with 'zerodium'"

    No doubt malicious "visitors" would be from tor or botnet IP addresses.

    "The code was inserted under the misleading name 'Fix typo' and claimed
    to be signed off by Rasmus Lerdorf, the creator of PHP"

    And, it gets better...

    "Popov reverted the code, which was then restored by a criminal seven
    hours later, using Popov's name. The backdoor survived for one hour
    before being again removed."

    The article continues on, saying it's being investigated, etc.

    Also, from Popov's statement:

    "We have decided that maintaining our own git infrastructure is an
    unnecessary security risk, and that we will discontinue the git.php.net
    server. Instead, the repositories on GitHub, which were previously only
    mirrors, will become canonical. This means that changes should be pushed
    directly to GitHub rather than to git.php.net."

    worth mentioning:

    "The brief appearance of malicious code in the official repository does
    not mean it will make its way into many of those servers. PHP is most
    often installed from distribution repositories."

    Similarly, FreeBSD ports have tarballed source with MD5 and size
    checksums that disallow installing modified source. So unless you DL
    the bleeding edge from the repo and build it yourself, it's unlikely
    you're affected.


    (I'm glad they were paying attention when this happened)


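The post quotes the trigger condition of the backdoor: PHP code in the User-Agent header is executed when the header starts with "zerodium". For anyone who built from php-src during that window, the practical question is whether such a request ever reached their server. The Python below is an added example (editor's code, not from the thread or the PHP project) that scans combined-format access-log lines for that prefix, reports the hits and counts them per client IP. The log lines are constructed for the demo (RFC 5737 test addresses, made-up timestamps and payloads). The match is case-insensitive, and `anywhere=True` widens it from "starts with" to "contains", which is looser than the trigger the post describes but is a reasonable hunting setting.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; the user agent is the last quoted field.
# Quoted fields may contain backslash-escaped quotes, hence (?:[^"\\]|\\.)*.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

TRIGGER = "zerodium"   # prefix the backdoored code looked for in User-Agent (per the article)


def parse_combined(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_trigger_ua(ua, anywhere=False):
    """True if the User-Agent starts with the trigger string (case-insensitive).
    anywhere=True widens the rule to 'contains', looser than what the post describes."""
    u = ua.lower()
    return TRIGGER in u if anywhere else u.startswith(TRIGGER)


def scan_log(text, anywhere=False):
    """Scan log text; return (findings, per_ip_counts, unparsed_line_count)."""
    findings, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_combined(line)
        if rec is None:
            unparsed += 1          # keep count: a silently dropped line hides evidence
            continue
        if is_trigger_ua(rec["ua"], anywhere):
            findings.append(rec)
    per_ip = Counter(f["ip"] for f in findings)
    return findings, per_ip, unparsed


# Constructed sample lines (RFC 5737 test addresses); the trigger hits are made up for the demo.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Mar/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/87.0"
198.51.100.7 - - [28/Mar/2021:14:03:40 +0000] "GET /index.php HTTP/1.1" 200 778 "-" "zerodium/* php payload would follow here */"
192.0.2.44 - - [28/Mar/2021:14:04:09 +0000] "GET /about HTTP/1.1" 200 1024 "https://example.test/" "curl/7.74.0"
198.51.100.7 - - [28/Mar/2021:14:05:02 +0000] "POST /index.php HTTP/1.1" 500 0 "-" "ZERODIUM echo \\"x\\";"
203.0.113.10 - - [28/Mar/2021:14:06:30 +0000] "GET /blog?q=zerodium HTTP/1.1" 200 2048 "-" "Mozilla/5.0 zerodium-research-bot"
this line is garbage and should be counted as unparsed
"""


if __name__ == "__main__":
    hits, per_ip, bad = scan_log(SAMPLE_LOG)
    for h in hits:
        print("%s %s %-25s UA=%r" % (h["ts"], h["ip"], h["request"], h["ua"]))
    print("per-IP:", dict(per_ip), "unparsed:", bad)
```

Run it against real logs by reading the file into `scan_log`; the default prefix mode reproduces the trigger as the post states it, and the last sample line shows what the looser mode additionally picks up. Absence of hits only says the trigger was not logged, not that the build was clean; that is what the checksum comparison against a known-good tarball is for.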