☺ Summer Nights

And city Lights ☺

Friday, October 25, 2013

8:11 AM 0



If you are today trying to visit the php.net website, an official website of the PHP scripting language, you will likely see the above shown result, instead of the original website


Chrome and Firefox is currently flagging the site as "suspicious" and contains malware that can harm your computer.







According to Google's Webmaster Tools, the script at http://static.php.net/www.php.net/userprefs.js was included as suspicious, and Google's Safe Browsing diagnostics for php.net do suggest that malware has been present on the site in the last 90 days:

"Of the 1513 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent." 

"Malicious software includes 4 trojan(s). Malicious software is hosted on 4 domain(s), including cobbcountybankruptcylawyer.com/, stephaniemari.com/, northgadui.com/ . 3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including stephaniemari.com/,northgadui.com/, satnavreviewed.co.uk/ ." The obfuscated JavaScript "userprefs.js" inserts a hidden iframe into the webpage, which loads content from an external site known for distributing malware. 


KnowldgeHutt.Blogspot.in


This suggests that the website may have been compromised recently. Well, Google's Safe Browsing team will be looking into the issue and we will update this article if we hear anything from Google or PHP site owner.

Update (1:42 PM Thursday, October 24, 2013 GMT): It seems that the issue has been resolved by admins and PHP.net is back as a normal clean website, after removing malicious scripts.

Update: After Security Audit, PHP team found that two servers were compromised for some unknown time. They said that their Git repository was not compromised, and it remains in read only mode as services are brought back up in full.

"As it's possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to php.net sites that require SSL (including bugs.php.net and wiki.php.net) in the next few hours." blog post said.

The team concludes that JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013. Now all affected services have been migrated to new secure servers.

.

0 comments