Hackers put a back door in a code library that powers 79% of websites

By Mark Sullivan

March 29, 2021

On Sunday, malicious actors tried to plant a back door in the source code of PHP, the server-side programming language that powers 79% of sites on the internet, including Facebook and Wikipedia.

The attack recalled one of the worst government hacks in history, on SolarWinds, the IT management software used by many government agencies and large U.S. companies. The SolarWinds attackers—widely thought to be employed by Russia’s Foreign Intelligence Service—planted malware in the SolarWinds system that sends out updates to end users.

As in the SolarWinds attack, the PHP hackers targeted the code base of a widely used project so that the changes they made would propagate to every instance of the software run by end users. They attempted to install a back door that would have let them remotely execute changes to the PHP code after websites had put it into use. Had that back door been activated, the hackers might have been able to take control of websites, freeze them, or take them offline.

The PHP exploit was first reported by the BleepingComputer blog.

The hackers pushed two commits to the PHP Git repository on Sunday. The first was attributed to the name of PHP’s creator, Rasmus Lerdorf, and the second to well-known PHP maintainer Nikita Popov, likely to avoid suspicion. They also tried to disguise the major change they proposed as something trivial by labeling both commits “Fix Typo.”
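The author name and email on a Git commit are free-text fields that anyone with push access can set, which is why a commit can carry a maintainer’s name without the maintainer being involved. The check that actually carries assurance is the cryptographic signature status. The script below is an added example, not code from the article or from the PHP project: it parses constructed records in the shape of `git log --format='%H|%an|%ae|%G?|%s'` output (the `%G?` placeholder is Git’s signature-status code: `G` good, `N` unsigned, `U` good but untrusted key, `B` bad) and flags commits whose name-to-email pairing or signature status does not match a hypothetical maintainer allowlist. The hashes, names, emails and allowlist are all made up for the example.

```python
"""Audit git commit metadata for signs of author spoofing.

Added example. The records imitate the output of
    git log --format='%H|%an|%ae|%G?|%s'
where %G? is git's signature status (G = good, N = none, U = good but
untrusted key, B = bad). All identities and hashes are constructed.
"""
from dataclasses import dataclass

# Constructed sample log; not the real PHP repository history.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|Alice Maintainer|alice@example.org|G|Fix build warning
2222222222222222222222222222222222222222|Alice Maintainer|alice@example.org|N|Fix typo
3333333333333333333333333333333333333333|Bob Maintainer|bob@attacker.example|N|Fix typo
4444444444444444444444444444444444444444|Bob Maintainer|bob@example.org|U|Update changelog
"""

# Hypothetical allowlist: each maintainer name and the email their signing key is bound to.
TRUSTED_AUTHORS = {
    "Alice Maintainer": "alice@example.org",
    "Bob Maintainer": "bob@example.org",
}


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str
    subject: str


def parse_log(text):
    """Split pipe-delimited log lines into Commit records (subject may contain '|')."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, sig, subject = line.split("|", 4)
        commits.append(Commit(sha, name, email, sig, subject))
    return commits


def audit(commits, trusted=TRUSTED_AUTHORS):
    """Return {sha: [reasons]} for commits that deserve a human look.

    Name and email are unauthenticated metadata, so a familiar name alone
    proves nothing; only a good signature from a known key ("G") does.
    """
    findings = {}
    for c in commits:
        reasons = []
        if c.sig_status != "G":
            reasons.append(f"signature status {c.sig_status!r}, not a good trusted signature")
        expected = trusted.get(c.author_name)
        if expected is None:
            reasons.append("author name not on maintainer allowlist")
        elif expected != c.author_email:
            reasons.append(f"author email {c.author_email} does not match allowlist entry {expected}")
        if reasons:
            findings[c.sha] = reasons
    return findings


if __name__ == "__main__":
    for sha, reasons in audit(parse_log(SAMPLE_LOG)).items():
        print(sha[:12], "->", "; ".join(reasons))
```

Run against a real repository by piping `git log --format='%H|%an|%ae|%G?|%s' <range>` into `parse_log`. Note that a trusted name with a good signature (the first record) passes, while the second record shows the case this article describes: a legitimate-looking name on an unsigned "Fix typo" commit.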

The hackers’ work was discovered and reverted during a standard review process on Sunday. Still, this was no trivial event. Popov said in an email to the PHP developer community that Sunday’s incident was likely the result of the git.php.net server itself being compromised, rather than just a single Git account.

The PHP maintainers have now decided to migrate the official PHP source code library over to GitHub. “We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server,” Popov explains in the email.
