
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Attempted PHP Backdoor Foiled

March 29, 2021 By Marc Laliberte

[Image: PHP code]

The PHP Group, the collection of developers responsible for maintaining the reference source code and implementation of the popular web scripting language PHP, decided to retire their self-maintained code repository server and move to GitHub after an unknown threat actor inserted a backdoor into the core PHP code library through a git pull request. The change, appearing to come from PHP founder Rasmus Lerdorf himself, modified the gzip compression library included in PHP’s source code to look for a misspelled HTTP request header, User-Agentt, search its value for the keyword “zerodium” (more on that word’s significance in a bit), and execute any command appended to it. This change would have enabled an attacker to execute commands on vulnerable servers simply by adding a custom header to HTTP requests in the form User-Agentt: zerodium<command>.
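As an added illustration, not code from the article or from the PHP project, here is a small detector for the trigger described above: it parses raw HTTP request headers and flags any request carrying the misspelled User-Agentt header, escalating the verdict when the value contains the “zerodium” keyword. The sample requests are constructed, and the case-insensitive substring match is an assumption about how loosely the keyword search should be treated.

```python
from typing import Dict, List, Tuple

# Constructed sample requests (raw header blocks), not captured traffic.
# The second one mirrors the trigger form the article describes.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: zerodium<command>\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nuser-agentt: something\r\n\r\n",
]

TRIGGER_HEADER = "user-agentt"   # the misspelled header the backdoor looked for
TRIGGER_KEYWORD = "zerodium"     # the keyword it searched the value for


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; stops at the blank line."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw: str) -> Tuple[str, str]:
    """Return (verdict, header value).

    'backdoor-trigger'  - User-Agentt present and value contains the keyword
    'suspicious-header' - User-Agentt present without the keyword (worth a look:
                          no legitimate client sends this misspelling)
    'clean'             - header absent
    """
    value = parse_headers(raw).get(TRIGGER_HEADER)
    if value is None:
        return ("clean", "")
    if TRIGGER_KEYWORD in value.lower():   # assumed: case-insensitive substring
        return ("backdoor-trigger", value)
    return ("suspicious-header", value)


def scan(requests: List[str]) -> List[Tuple[str, str]]:
    """Classify a batch of raw requests, e.g. replayed from a proxy capture."""
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for req, (verdict, value) in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{verdict:18} {value}")
```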

[Image: Git commit]

PHP developer Nikita Popov was quick to notice the malicious commit and reverted it 4 hours later, only to have that revert undone later in the day by what appeared to be their own account. The PHP Group concluded that the malicious commits likely originated from a compromise of the server itself rather than of individual accounts, and decided to pull the plug on hosting their own infrastructure. In a post late Sunday, Popov stated “We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.”

It’s still unclear who pushed the commits, how exactly they did it, or why they made no effort to obfuscate the backdoor before inserting it. The malicious code references the commercial zero-day exploit developer Zerodium, but the company’s CEO tweeted that they had nothing to do with it.

[Image: Twitter screenshot]

Had the threat actor hidden their exploit better, it could have been devastating. Estimates put PHP usage at nearly 80% of all websites on the internet, and having a backdoor built into each of those websites would arguably have an even bigger impact than the recent SolarWinds supply chain attack. Luckily, the malicious code stood out like a sore thumb. That said, if you maintain your own git server, pay close attention to code commits until the PHP Group discloses how the threat actor managed to issue commits on what should have been an authentication-protected server.
