Attackers place back door in Official PHP Git Repo

Attackers implemented a backdoor in PHPā€™s official Git repository, with two commits made on Sunday, March 28th, 2021. The commits appeared to be ā€œminor adjustmentsā€ but actually enabled remote code execution.

The Attack Details

The malicious commits were made under the names of Rasmus Lerdorf and Nikita Popov, two well-known PHP developers. The backdoor code was designed to execute when an HTTP header contained the specific string ā€œzerodiumā€ - a reference to the company known for purchasing software exploits.

The exploit could only be run if this specific header was present, allowing attackers to execute arbitrary code on any server running the compromised PHP version.

Quick Discovery and Response

The malicious commit was quickly discovered and officially reverted. Critically, the commit did not enter a production release, minimizing potential impact on websites worldwide.

Investigation Findings

Nikita Popovā€™s statement on the incident:

ā€œWe donā€™t yet know how exactly this happened, but everything points towards a compromise of the git.php.net serverā€

This suggested a server-level compromise rather than individual developer account breaches.

Actions Taken

The PHP teamā€™s response included:

  1. Immediate reversion of the malicious commits
  2. Moving source code to GitHub as a precaution
  3. Making Git repositories read-only and declaring them ā€œcanonicalā€
  4. Recommending two-step verification for all developers

Key Points

  • Zerodium connection: The use of ā€œzerodiumā€ in the exploit code is notable, as Zerodium is a company that purchases high-value exploits
  • Limited impact: There is very little chance websites were actually affected due to the quick detection and removal
  • Supply chain attack: This represents a serious attempt to compromise millions of PHP installations worldwide
  • Infrastructure security: The incident highlights the importance of securing development infrastructure

Lessons for the Community

This incident emphasizes:

  • The critical importance of code review and monitoring
  • The value of rapid incident response
  • The need for robust security on development infrastructure
  • The benefits of transparency in handling security incidents

The PHP teamā€™s quick action and transparent communication prevented what could have been a catastrophic supply chain attack affecting millions of websites globally.