Threat actors recently managed to compromise PHP’s Git repository and plant two back doors in the code. However, analysts report that, so far, there is no information on how the attack was carried out.
PHP is an open-source, general-purpose scripting language that is especially suited to web development and can be embedded in HTML.
The syntax of PHP draws on popular languages such as C, Java and Perl, and is easy for most programmers to learn.
The primary purpose of PHP is to let web developers quickly write dynamic pages, but PHP is also used in many other areas, especially in the development of web applications.
RCE backdoor planted on PHP Git server
The malicious commits were made in the names of two core PHP developers, Rasmus Lerdorf and Nikita Popov. The developers stated that they do not know exactly how it happened, but that everything indicates the Git server git.php.net itself was attacked and that the commits were not pushed from any compromised Git account.
The back doors planted on the PHP Git server by the attackers were intended to attack websites and apps running PHP.
PHP runs on 79.1% of all websites, so every website owner should upgrade PHP following the posting of the back door. If an attacker managed to exploit the flaw, they could send an HTTP request to a vulnerable site and gain control over it.
Since the exploit has not been released, the probability of websites being affected is very small.
The exploit could only be triggered if a specific HTTP header contained the text “Zerodium”. Zerodium is a well-known American information security company, but it is not yet clear whether there is really a link to it.
However, it is unlikely that Zerodium was actually responsible for the attack; the reference may be a diversion by the threat actor to mislead researchers.
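Because the article states the trigger condition (a header value containing “Zerodium”) but not which header carried it, a defender watching for attempts to use the back door can simply inspect every request header. The following Python check is an added example, not code from the article or from the PHP project: it parses a raw HTTP/1.x request, flags any header whose value contains the trigger string (case-insensitively), and ignores the request body so that the string appearing only in POST data is not a false positive. The sample requests are constructed for the demonstration.

```python
"""Flag inbound HTTP requests whose headers carry the "Zerodium" trigger string.

Added example, not code from the article or from the PHP project. The article
says the back door fired when a specific header contained the text "Zerodium"
but does not name the header, so this check inspects every header. The sample
requests at the bottom are constructed for the demonstration.
"""
from typing import Dict, List, Tuple

TRIGGER = "zerodium"  # compared case-insensitively against header values


def parse_request_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and a header map.

    Header names are lower-cased; duplicate headers are joined with ", ".
    Parsing stops at the blank line that separates headers from the body,
    so nothing in the body can influence the result.
    """
    lines = raw.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":
            break  # end of the header section
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        if name in headers:
            headers[name] += ", " + value
        else:
            headers[name] = value
    return request_line, headers


def find_trigger_headers(raw: str) -> List[str]:
    """Return the names of all headers whose value contains the trigger string."""
    _, headers = parse_request_headers(raw)
    return [name for name, value in headers.items() if TRIGGER in value.lower()]


def scan_requests(requests: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (request line, offending header names) for each flagged request."""
    flagged: List[Tuple[str, List[str]]] = []
    for raw in requests:
        hits = find_trigger_headers(raw)
        if hits:
            request_line, _ = parse_request_headers(raw)
            flagged.append((request_line, hits))
    return flagged


# Constructed sample traffic: two benign requests and one carrying the trigger
# in a made-up header name (the real header is not named in the article).
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /about.php HTTP/1.1\r\nHost: example.test\r\nX-Custom: zerodium-was-here\r\n\r\n",
    "POST /login.php HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=a&pass=b",
]

if __name__ == "__main__":
    for request_line, hits in scan_requests(SAMPLE_REQUESTS):
        print(f"trigger string in header(s) {hits} of: {request_line}")
```

In a real deployment the same function would run over requests captured at a reverse proxy or WAF, and a hit is worth alerting on even on a server that was never exposed to the back-doored code, since it shows someone probing for it.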
Apart from this, the security experts on the PHP team are still investigating the matter closely and will soon conclude how the incident happened and how the code reached the server.
In the meantime, the team has also decided to migrate PHP’s official codebase to GitHub, as maintaining the Git server on its own was no longer sustainable.
PHP formerly used GitHub only as a mirror of its own server, so with this migration to GitHub some developers will have to request new commit access. Nikita also stated that every developer in the organization is required to enable two-factor authentication.