More details published on the incident, although the attacker remains unidentified

PHP officials released a post-mortem report after an unknown actor pushed backdoor code to the official PHP Git scripting language repository.

As previously stated by The daily sip, an attacker made two commits in the php-src repo which contained a backdoor allowing remote code execution (RCE).

They are believed to have gained access to the core server, which allowed them to crash the backdoor under the guise of a minor change made on behalf of a maintainer.

Last night (April 6), manager Nikita Popov released more details about the attack and said the team no longer believed the git.php.net server was compromised, but the master user database. .php.net had been leaked.

CONTEXT Backdoor crashed in PHP Git repository after server hack

The update includes information on a series of changes made to improve security, including the fact that master.php.net has been migrated to a new system, main.php.net.

All php.net passwords have been reset and users must request a new one through the “forgot password” function.

Popov also revealed that git.php.net and svn.php.net are now read-only “but will remain available for now”.

Deep dive

After first suspecting that PHP co-creator Rasmus Lerdorf’s account had been compromised, Popov said she investigated the installation of PHP giolite to determine which account pushed the malicious code.

It was then that she realized that there was no entry for the two malicious commits, meaning they completely bypassed the gitolite infrastructure.

“This has been interpreted as probable evidence of a server compromise,” Popov wrote.

The team then shut down the git.php.net server and migrated to GitHub as the repository host.

Learn about the latest database security news

Popov also found that git.php.net intentionally supports push changes not only through SSH.
but also via HTTPS.

“The latter did not use gitolite, but was instead used behind the Apache2 Digest authentication against the master.php.net user database.”

Popov added, “Based on the access logs, we can determine that validations were successfully transmitted using HTTPS and password authentication.”

Unclear entry point

The team suspects that a database leak gave the malicious attacker access to passwords, although they also repeatedly attempted to guess usernames, with Popov writing that ” it is not known why the attacker would need to guess the usernames in this case ”.

In light of a possible leak, changes have been made including the migration to master.php.net, which runs PHP 8, and the introduction of support for TLS1.2.

Popov also noted that the implementation has been moved to using parameterized queries, “to be sure that SQL injections cannot occur.”

Passwords are now stored using bcrypt having previously been stored in a format compatible with HTTP Digest authentication – “essentially a simple md5 hash” – which was required for HTTP authentication on git.php.net and svn .php.net.

More details on the changes can be found in Popov’s notice.

YOU MAY ALSO LIKE UC Berkeley Confirms Data Breach, Becomes Latest Accellion Cyber ​​Attack Victim