The main Git repository for the PHP programming language has been moved to GitHub after hackers tried to insert a backdoor into the source code.
Two malicious commits were pushed to the PHP Git code repo on Sunday, March 28, and signed off under the names of PHP creator, Rasmus Lerdorf, and maintainer Nikita Popov.
The original code was restored after the issue was discovered, but then tampered with a second time.
The breach would have created a backdoor in any websites that ran the compromised version of PHP, enabling hackers to perform remote code execution on the site.
Remote code execution enables a malicious actor to exploit vulnerabilities in a system or network via the internet, essentially allowing them to hijack the system in question.
Popov, who works for the PHP development team at JetBrains, said the PHP code base would be moved to GitHub while investigations were still underway into how the breach occurred.
“They were spotted and rectified by Popov, only for bad actors to reinsert the malicious code a few hours later,” said Popov.
“While [an] investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.
“This means that changes should be pushed directly to GitHub rather than to git.php.net.”
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
While the malicious code was spotted before any harm was done, the consequences of a successful attack are worrying when you consider that PHP underpins much of the modern internet
Going forward, developers who require write access to the PHP code base will need to be part of the PHP organization on GitHub, said Popov, which also requires two-factor authentication to be enabled.
SEE: Incident response policy (TechRepublic Premium)
“This change also means that it is now possible to merge pull requests directly from the GitHub web interface,” Popov added.
“We’re reviewing the repositories for any corruption beyond the two referenced commits. Please contact firstname.lastname@example.org if you notice anything.”