The PHP Group, the collection of developers responsible for maintaining the reference source code and implementation of the popular web scripting language PHP, decided to retire its self-maintained code repository server and move to GitHub after an unknown threat actor inserted a backdoor into the core PHP code library through a git pull request. The change, which appeared to come from PHP founder Rasmus Lerdorf himself, modified the gzip compression library included in PHP’s source code to look for a misspelled HTTP request header, User-Agentt, search for the keyword “zerodium” (more on that word’s significance in a bit), and execute any command appended to it. This change would have enabled an attacker to execute commands on vulnerable servers simply by adding a custom header to HTTP requests in the form of User-Agentt:zerodium<command>.
PHP developer Nikita Popov was quick to notice the malicious commit and reverted it 4 hours later, only to have their commit reverted later in the day by seemingly their own account. The PHP Group came to the conclusion that the malicious commits likely originated from a compromise of the server itself instead of individual accounts and decided to pull the plug on hosting their own infrastructure. In a post late Sunday, Popov stated “We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.”
It’s still unclear who pushed the commits, how exactly they did it, or why they made no effort to obfuscate the backdoor before inserting it. The malicious code references commercial zero-day exploit developer Zerodium, but the company’s CEO tweeted they had nothing to do with it.
Had the threat actor hidden their exploit better, it could have been devastating. Estimates put PHP usage at nearly 80% of all websites on the internet, and having a backdoor built into each of those websites would arguably have an even bigger impact than the recent SolarWinds supply chain attack. Luckily, the malicious code stood out like a sore thumb. That said, if you maintain your own git server, pay close attention to code commits until the PHP Group discloses how the threat actor managed to issue commits on what should have been an authentication-protected server.
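
A review aid for the advice above, added here as an example and not code from the PHP project: it scans the added lines of a unified diff for string literals that sit one edit away from a standard request header name, the way User-Agentt sits next to User-Agent. The header list, the sample diff, its file path and the lookup() helper are constructed for illustration.

```python
import re

# Standard request headers to compare against (short illustrative subset).
KNOWN_HEADERS = ["User-Agent", "Accept", "Accept-Encoding", "Accept-Language",
                 "Authorization", "Cookie", "Content-Type", "Content-Length",
                 "Host", "Referer", "Origin", "X-Forwarded-For"]

# Quoted literals shaped like header names: "HTTP_USER_AGENT", "User-Agent", "User_Agent".
LITERAL = re.compile(r'["\'](HTTP_[A-Za-z0-9_]+|[A-Za-z]+[-_][A-Za-z0-9_-]+)["\']')

# Constructed sample diff; the file path and lookup() helper are hypothetical.
SAMPLE_DIFF = """\
--- a/ext/example/example.c
+++ b/ext/example/example.c
@@ -10,2 +10,4 @@
     enc = lookup(server, "HTTP_ACCEPT_ENCODING");
+    ua = lookup(server, "HTTP_USER_AGENT");
+    probe = lookup(server, "HTTP_USER_AGENTT");
"""

def normalize(name):
    """Fold HTTP_USER_AGENT and User_Agent spellings to 'user-agent'."""
    name = name.lower().replace("_", "-")
    return name[5:] if name.startswith("http-") else name

def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_miss_headers(diff_text, max_distance=1):
    """List (file, literal, lookalike) for added lines naming an almost-standard header."""
    known = {normalize(h): h for h in KNOWN_HEADERS}
    findings, current_file = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[6:] if line[4:6] == "b/" else line[4:]
        elif line.startswith("+"):
            for literal in LITERAL.findall(line[1:]):
                norm = normalize(literal)
                if norm not in known:  # exact standard names are fine
                    findings += [(current_file, literal, std) for key, std in known.items()
                                 if edit_distance(norm, key) <= max_distance]
    return findings
```

A hit is a prompt for a human reviewer to look at the commit, not proof of tampering; feed it the output of git show or git diff for each incoming commit.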