compromised and used to attack visitors

Attackers injected malicious JavaScript code into the site, redirecting some visitors' browsers to Flash exploits

Visitors to the official website for the PHP programming language over the past couple of days might have had their computers infected with malware.

Hackers managed to inject malicious JavaScript code into a file on the site called userprefs.js. The code made requests to a third-party website that scanned visitors' browsers for vulnerable plug-ins and executed exploits that, if successful, installed a piece of malware, said Daniel Peck, a research scientist at Barracuda Networks.

One of Barracuda's research tools detected and captured attack traffic from late Tuesday evening, according to Peck.

The exploits served during the attack came in the form of malicious SWF files, so they most likely targeted vulnerabilities in Adobe Flash Player. However, Barracuda's researchers are still conducting their analysis and haven't identified yet exactly which vulnerabilities were targeted, Peck said.

It's also not clear what the program installed by the exploits does or if it's part of a known malware family. The only thing Peck could say about it is that it tries to connect to around three dozen different command-and-control servers around the world and successfully establishes communication with four of them.

The site was blacklisted early Thursday by Google Safe Browsing, a service used by Google Search, Google Chrome and Mozilla Firefox to prevent users from visiting malicious websites. As a result, Chrome and Firefox users who tried to access over the course of several hours Thursday were warned that the site contained malware.

The PHP Group, which maintains the website and the PHP distribution packages, initially thought the warning was the result of a Google Safe Browsing detection error. "It appears Google has found a false positive and marked all of as suspicious," Rasmus Lerdorf, the creator of PHP, said on Twitter.

But a more in-depth investigation revealed that the userprefs.js file had been modified repeatedly as a result of an intrusion, the PHP Group said in a message on "We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers," the group said, adding that there's no evidence of the compromise extending to the PHP distribution files.

Barracuda Networks released a packet capture file that includes the exploits and malware distributed during the attack so that other researchers can also analyze them.

It's not clear if the attackers targeted because of its large number of visitors or because most of those visitors are developers. The Amazon-owned website analytics company Alexa ranks as the 228th-most-visited site in the world.

PHP developers can be valuable targets for attackers because their computers usually contain intellectual property like source code and other sensitive information, including log-in credentials for websites they maintain. Many developers are also likely to visit from company-issued computers, and compromising those computers could allow attackers to access corporate networks.

The number of users affected by the attack was likely limited by the fact that the rogue code added to userprefs.js was periodically removed by an existing synchronization process that restored the file to its original state.

"Not much to say about the effect on end users who visited the site during that time because the windows where the changed file was actually being served were really small and our focus has been on establishing the integrity of the PHP source code we distribute," Lerdorf said via email. "But yes, if someone got redirected to a strange place when visiting they should take normal anti-virus precautions."

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionBarracuda NetworkssecurityThe PHP GroupExploits / vulnerabilitiesspywaremalware

More about Adobe SystemsAmazon Web ServicesBarracuda NetworksGoogleMozilla

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts