Attackers place back door in Official PHP Git Repo
Attackers implemented a backdoor in PHPās official Git repository, with two commits made on Sunday, March 28th, 2021. The commits appeared to be āminor adjustmentsā but actually enabled remote code execution.
The Attack Details
The malicious commits were made under the names of Rasmus Lerdorf and Nikita Popov, two well-known PHP developers. The backdoor code was designed to execute when an HTTP header contained the specific string āzerodiumā - a reference to the company known for purchasing software exploits.
The exploit could only be run if this specific header was present, allowing attackers to execute arbitrary code on any server running the compromised PHP version.
Quick Discovery and Response
The malicious commit was quickly discovered and officially reverted. Critically, the commit did not enter a production release, minimizing potential impact on websites worldwide.
Investigation Findings
Nikita Popovās statement on the incident:
āWe donāt yet know how exactly this happened, but everything points towards a compromise of the git.php.net serverā
This suggested a server-level compromise rather than individual developer account breaches.
Actions Taken
The PHP teamās response included:
- Immediate reversion of the malicious commits
- Moving source code to GitHub as a precaution
- Making Git repositories read-only and declaring them ācanonicalā
- Recommending two-step verification for all developers
Key Points
- Zerodium connection: The use of āzerodiumā in the exploit code is notable, as Zerodium is a company that purchases high-value exploits
- Limited impact: There is very little chance websites were actually affected due to the quick detection and removal
- Supply chain attack: This represents a serious attempt to compromise millions of PHP installations worldwide
- Infrastructure security: The incident highlights the importance of securing development infrastructure
Lessons for the Community
This incident emphasizes:
- The critical importance of code review and monitoring
- The value of rapid incident response
- The need for robust security on development infrastructure
- The benefits of transparency in handling security incidents
The PHP teamās quick action and transparent communication prevented what could have been a catastrophic supply chain attack affecting millions of websites globally.