Attackers place back door in Official PHP Git Repo

Attackers implemented a backdoor in PHP’s official Git repository, with two commits made on Sunday, March 28th, 2021. The commits appeared to be “minor adjustments” but actually enabled remote code execution.

The Attack Details

The malicious commits were made under the names of Rasmus Lerdorf and Nikita Popov, two well-known PHP developers. The backdoor code was designed to execute when an HTTP header contained the specific string “zerodium” - a reference to the company known for purchasing software exploits.

The exploit could only be run if this specific header was present, allowing attackers to execute arbitrary code on any server running the compromised PHP version.

Quick Discovery and Response

The malicious commit was quickly discovered and officially reverted. Critically, the commit did not enter a production release, minimizing potential impact on websites worldwide.

Investigation Findings

Nikita Popov’s statement on the incident:

“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server”

This suggested a server-level compromise rather than individual developer account breaches.

Actions Taken

The PHP team’s response included:

  1. Immediate reversion of the malicious commits
  2. Moving source code to GitHub as a precaution
  3. Making Git repositories read-only and declaring them “canonical”
  4. Recommending two-step verification for all developers

Key Points

  • Zerodium connection: The use of “zerodium” in the exploit code is notable, as Zerodium is a company that purchases high-value exploits
  • Limited impact: There is very little chance websites were actually affected due to the quick detection and removal
  • Supply chain attack: This represents a serious attempt to compromise millions of PHP installations worldwide
  • Infrastructure security: The incident highlights the importance of securing development infrastructure

Lessons for the Community

This incident emphasizes:

  • The critical importance of code review and monitoring
  • The value of rapid incident response
  • The need for robust security on development infrastructure
  • The benefits of transparency in handling security incidents

The PHP team’s quick action and transparent communication prevented what could have been a catastrophic supply chain attack affecting millions of websites globally.