PHP Git Server Hacked – Attackers Insert Secret Backdoor to Its Source Code

Threat actors recently managed to gain control of PHP’s Git repository and insert two backdoors into the code. Analysts report that, so far, there is no information on how the attack was carried out.

PHP is an open-source, general-purpose scripting language that is especially suited to web development and can be embedded in HTML.

The syntax of PHP draws on the characteristics of popular computer languages such as C, Java and Perl, and is easy for general programmers to learn.

The primary purpose of PHP is to allow web developers to quickly write dynamic pages, but PHP is also used in many other fields, especially in the development of web applications.

RCE backdoor planted on PHP Git server

The attack was supposedly made in the name of two chief programmers of PHP, Rasmus Lerdorf and Nikita Popov. The programmers said they do not know exactly how it happened, but that everything indicates the Git server itself was attacked and that the changes did not come from a compromised Git account.

The backdoors that the attackers planted on the PHP Git server were intended solely to attack websites and apps that run PHP.

PHP runs on 79.1% of all websites, so all website owners should perform a PHP upgrade now that the backdoor has been posted. An attacker who managed to exploit the flaw could send an HTTP request to a vulnerable site and gain control over the website.

Since the exploit has not been released, the probability of websites being affected is very small.

The exploit could only be executed if a specific HTTP header contained a string with the text “Zerodium”. Zerodium is a well-known American information security company, but it is not yet clear whether there is really a link with the company.

However, it is unlikely that Zerodium was actually responsible for the attack; the reference may be an attempt by the threat actor to misdirect researchers.
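As an added example (not code from this article or from the PHP project), the following Python snippet scans captured request headers for the “Zerodium” marker described above. It assumes header-only request captures, for instance from a proxy or WAF log; the sample requests, host name and header names are constructed.

```python
import re

MARKER = "zerodium"  # trigger text named in the article, matched case-insensitively

# Constructed sample: three header-only request captures, separated by blank lines.
SAMPLE_CAPTURE = """\
GET /index.php HTTP/1.1
Host: shop.example
User-Agent: Mozilla/5.0

GET /index.php HTTP/1.1
Host: shop.example
X-Example-Header: ZeroDiumtest
Accept: */*

POST /login.php HTTP/1.1
Host: shop.example
X-Folded: part-one
 zerodium-part-two
"""

def parse_requests(capture):
    """Yield (request_line, [(name, value), ...]) for each captured request."""
    for block in re.split(r"(?:\r?\n){2,}", capture.strip()):
        lines = block.splitlines()
        headers = []
        for line in lines[1:]:
            if line[:1] in (" ", "\t") and headers:
                # Obsolete line folding: continuation of the previous header value.
                name, value = headers[-1]
                headers[-1] = (name, value + " " + line.strip())
            elif ":" in line:
                name, value = line.split(":", 1)
                headers.append((name.strip(), value.strip()))
        yield lines[0], headers

def find_marker_requests(capture, marker=MARKER):
    """Return (request_line, header_name) for each header value containing the marker."""
    hits = []
    for request_line, headers in parse_requests(capture):
        for name, value in headers:
            if marker in value.lower():
                hits.append((request_line, name))
    return hits

if __name__ == "__main__":
    for request_line, name in find_marker_requests(SAMPLE_CAPTURE):
        print(f"suspicious header {name!r} in request: {request_line}")
```

Every header is checked because the article does not name the one involved; a hit shows only that a request carried the marker, not that the server was running a backdoored build.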

Apart from this, the security experts on the PHP team are still investigating the whole matter closely and expect to conclude soon how the incident happened and how the code was sent to the server.

In the meantime, the team has also decided to migrate the official PHP codebase to GitHub, as the Git server could no longer be maintained by the team itself.

PHP formerly used GitHub only as a backup repository that copied data from its own server, so with this migration to GitHub, some developers will have to request new access permissions. Nikita also stated that every developer in the organization is required to enable two-step verification.



Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
