Hackers attack the PHP.net repository servers
March 22, 2011
The maintainers of the PHP programming language's official source code have spent the past couple of days carefully auditing their code for malicious modifications after discovering that one of their servers had been breached. It took them a few days to discover the breach itself.
The compromise of wiki.php.net allowed the attackers to steal numerous account credentials that could have been used to access the PHP repository, the maintainers wrote in a brief note. They continue to investigate the details of the breach, which exploited a security vulnerability in the wiki software itself and a separate security hole in the Linux operating system.
The website has been down since at least March 18.
“Of course, our biggest concern here is the overall integrity and the reliability of our PHP source code,” the maintainers wrote. “We did an extensive code audit and looked at every commit since version 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found.”
The current version of PHP, 5.3.6, was released last week. All data on the compromised server has been wiped, and the maintainers are forcing password changes for all accounts with access to the source repository, as is standard procedure after any server compromise.
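The audit the maintainers describe, every commit since the last trusted release checked for use of a stolen account, is a scoping problem before it is a code-review problem. The script below is an added illustration, not PHP.net's own tooling: it parses a constructed commit log (the hashes, account names, dates and subjects are invented, and the "hash|account|date|subject" export format is an assumption), keeps only commits after the release commit, and puts commits from known-stolen accounts at the front of the review queue while still listing the rest, since an attacker may have used an account not yet known to be compromised.

```python
"""Triage a commit history after a credential theft.

Added example, not code from PHP.net: the log lines, account names,
hashes and dates below are constructed for illustration.
"""
from datetime import datetime

# Constructed log in "hash|account|ISO-date|subject" form (assumption: the
# repository can export its history in such a format).
SAMPLE_LOG = """\
a1b2c3d|alice|2011-02-01T10:00:00|Fix memory leak in stream wrapper
b2c3d4e|bob|2011-02-06T09:30:00|Release 5.3.5
c3d4e5f|carol|2011-02-20T14:12:00|Add credits entry
d4e5f6a|alice|2011-03-01T08:45:00|Update NEWS
e5f6a7b|dave|2011-03-10T16:20:00|Tweak build script
"""

# Accounts whose credentials are believed stolen (constructed).
STOLEN_ACCOUNTS = {"carol", "dave"}


def parse_log(text):
    """Turn the exported log into a list of commit dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        h, account, ts, subject = line.split("|", 3)
        commits.append({"hash": h, "account": account,
                        "when": datetime.fromisoformat(ts), "subject": subject})
    return commits


def commits_since(commits, release_subject):
    """All commits strictly after the commit that cut the last trusted release."""
    release = [c for c in commits if c["subject"] == release_subject]
    if not release:
        raise ValueError("release commit not found")
    cutoff = release[0]["when"]
    return [c for c in commits if c["when"] > cutoff]


def triage(commits, stolen):
    """Split the post-release window into commits from stolen accounts
    (reviewed first) and everything else (still reviewed: the attacker may
    have used an account not yet known to be compromised)."""
    window = sorted(commits, key=lambda c: c["when"])
    priority = [c for c in window if c["account"] in stolen]
    routine = [c for c in window if c["account"] not in stolen]
    return priority, routine


def audit(log_text, release_subject, stolen):
    """Return the review queue as two ordered lists of commit hashes."""
    window = commits_since(parse_log(log_text), release_subject)
    priority, routine = triage(window, stolen)
    return {"priority": [c["hash"] for c in priority],
            "routine": [c["hash"] for c in routine]}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "Release 5.3.5", STOLEN_ACCOUNTS))
```

The release commit is the boundary because the maintainers' audit started at 5.3.5; anything before it was trusted by definition, and anything after it is in scope regardless of author.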
However, the advisory omitted key details of the attack, including how long the compromise lasted, how many account credentials were stolen and whether the passwords were securely hashed, as security best practices dictate.
The PHP source code maintainers hadn't responded to a request for comment at the time this story was published.
Word of the attack began circulating on Friday on underground Internet security forums monitored by researchers from Vupen Security. Based on discussions that took place there, the compromise of wiki.php.net appears to have originated from a “Chinese hacker who exploited a security vulnerability in the Wiki application (DokuWiki) installed on the server,” Vupen CEO Chaouki Bekrar wrote in an email.
The attacker “then used a privilege escalation exploit to take complete control of the server.”
Friday was the same day that a blog post from December resurfaced that raised additional concerns about the integrity of source code available from the PHP repository. Developer Hannes Magnusson said someone was able to make unauthorized modifications to code he had submitted after his account credentials were compromised.
The changes were limited to the insertion of the name "Wolegequ Gelivable" into the credit list of a specific piece of code, rather than malicious modifications. The incident nonetheless prompted concern, not just among the code maintainers but also in the wider Linux and Internet security community.
“It's not a good feeling to have your account hacked into, but I do wonder what their initial intentions were in the first place. Maybe just a credentials check, which was supposed to be followed by evil commits if none had spotted the first one? The Chinese government is trying to introduce security holes so they can break into PHP websites?” wrote one of the maintainers.
PHP is an extremely popular language that lets developers build interactive web sites with databases and dynamically generated content. Internet properties such as Facebook, Yahoo, Wikipedia and WordPress, along with millions of other websites, rely on PHP as their main foundation.
These attacks aren't the first to hit the code repositories of a popular open-source project. Just last December, the primary distribution channel for the Free Software Foundation was taken down following an attack that compromised some of the website's main account passwords and may have given the attacker unlimited administrative access.
Then, in May 2010, PHP-Nuke was purged of a nasty infection that for four days attempted to install malware on visitors' computers.
Everyone in the Internet security community knows that any computer or server is only as secure as its login credentials. Strong passwords with a minimum of 12 to 14 characters that use upper- and lower-case letters, numbers and punctuation characters are just the beginning. Passwords also need to be changed every 30 days at a minimum and should always be stored in a safe place if they must be written down. And every time a person leaves your company or department, that person's password needs to be replaced immediately to prevent future access to your data.
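The earlier question of whether the stolen credentials were "securely hashed" and the password rules above are two halves of the same control: a complexity rule limits what an attacker can guess online, while salted, slow hashing limits what they can recover offline from a stolen database. The following is an added example, not PHP.net's code; it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the iteration count, the policy thresholds (taken from the paragraph above) and the sample passwords are this example's own assumptions.

```python
"""Password handling: complexity check, salted slow hashing, constant-time
verification and a rotation-age check.

Added example, not PHP.net's code. Assumes PBKDF2-HMAC-SHA256 from the
standard library; iteration count, thresholds and sample values are
this example's own choices.
"""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 12               # lower bound from the article's guidance
MAX_AGE_DAYS = 30             # rotation interval from the article's guidance
PBKDF2_ITERATIONS = 200_000   # assumption: tuned so a hash costs ~100 ms server-side


def meets_policy(password):
    """True if the password has at least MIN_LENGTH characters and contains
    lower-case, upper-case, digit and punctuation characters."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= MIN_LENGTH and all(classes)


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user defeats precomputed
    tables; the iterated KDF makes offline guessing slow if the store leaks."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute and compare in constant time so response timing does not
    leak how many leading bytes of the digest matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def rotation_due(last_changed, now):
    """True once a password is older than MAX_AGE_DAYS."""
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    pw = "Correct-Horse7-Battery"   # constructed sample password
    salt, digest = hash_password(pw)
    print(meets_policy(pw),
          verify_password(pw, salt, digest),
          verify_password("wrong", salt, digest),
          rotation_due(datetime(2011, 1, 1), datetime(2011, 3, 22)))
```

Only the salt and digest are stored; the plaintext never is. Forcing a reset after a breach, as the maintainers did, is still necessary even with this scheme, because a slow hash buys time against offline cracking rather than making it impossible.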
Source: The PHP.net Code Repository.