PHP.net Compromise

Oct 24, 2013

EDIT2: php.net has released a second statement. Systems were compromised; they are still not sure how. New SSL certificates are being generated. It looks like they are doing the cleanup the right way.

EDIT:  Update and first official comments from php.net

One of our research tools flagged php.net as distributing malware. The site appears to have been compromised and had some of its JavaScript altered to exploit vulnerable systems visiting it directly, instead of the ad-network vector that we typically see on more popular sites.

According to Alexa, php.net is the 228th most visited site in the world, so it is likely that quite a few systems were compromised while it was serving up malware.

Earlier today Google's Safe Browsing system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. Interestingly, the Google diagnostic page now seems to say otherwise, and there is some controversy and disbelief that a site like php.net could be doing this. Since we have a capture of it, we thought we'd share it to remove all doubt.

We’re a week or two away from launching a new tool to allow for better visualization and exploration of malicious sites, so stay tuned, but for now here is a link to the pcap for those of you who’d like to analyze it.

A few interesting parts:

PE file download starts at packet 300

DNS requests for zivvgmyrwy.3razbave.info at packet 158

Malicious SWF files at packets 177 and 180, the latter successful
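As an added example (it is not part of the original post, and not the visualization tool mentioned above), here is a standard-library Python script that does the first pass of triage on a capture like this one: it walks the pcap packet by packet, reports DNS queries for a watched domain, and flags HTTP responses whose body opens with a Flash (FWS/CWS/ZWS) or PE (MZ) header, hashing the PE so it can be looked up. The embedded capture is constructed for the example (only the domain name comes from the list above; the SWF and PE bodies are stubs), and the HTTP carving assumes the response starts inside a single TCP segment, which is an assumption you would replace with stream reassembly on a real capture.

```python
"""Triage a pcap for what the post points at: DNS lookups of a suspicious
domain, Flash (SWF) files and PE executables carried in HTTP responses.
Standard library only, so it runs without scapy or tshark. The capture at
the bottom is CONSTRUCTED for this example; it is not the php.net pcap."""
import hashlib
import struct

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")   # uncompressed / zlib / LZMA-compressed Flash
PE_MAGIC = b"MZ"                       # DOS stub that opens every PE file


def dns_qname(message):
    """First question name of a DNS message (queries carry no compression)."""
    pos, labels = 12, []                # skip the 12-byte DNS header
    while pos < len(message) and message[pos] != 0:
        length = message[pos]
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels)


def http_body(payload):
    """Body of an HTTP response that starts in this TCP segment, else None.
    Single-segment simplification: a real carver reassembles the stream first."""
    if not payload.startswith(b"HTTP/1."):
        return None
    sep = payload.find(b"\r\n\r\n")
    return payload[sep + 4:] if sep != -1 else b""


def triage_pcap(data, watch_domain=None):
    """Walk a classic little-endian pcap (Ethernet link type) and return
    findings keyed by 1-based packet number, matching Wireshark's numbering."""
    magic, = struct.unpack_from("<I", data, 0)
    assert magic == 0xA1B2C3D4, "expected a little-endian classic pcap"
    findings, pos, number = [], 24, 0
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from("<IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        number += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ip = frame[14:]
        l4 = ip[(ip[0] & 0x0F) * 4:]                          # skip IHL*4 header bytes
        if ip[9] == 17 and struct.unpack_from("!H", l4, 2)[0] == 53:   # UDP to port 53
            name = dns_qname(l4[8:])
            if watch_domain is None or name.endswith(watch_domain):
                findings.append({"packet": number, "kind": "dns", "detail": name})
        elif ip[9] == 6:                                      # TCP: look for HTTP bodies
            body = http_body(l4[(l4[12] >> 4) * 4:])
            if body is None:
                continue
            if body.startswith(SWF_MAGIC):
                findings.append({"packet": number, "kind": "swf", "detail": body[:3].decode()})
            elif body.startswith(PE_MAGIC):
                findings.append({"packet": number, "kind": "pe",
                                 "detail": hashlib.md5(body).hexdigest()})
    return findings


# --- constructed sample capture (checksums left zero; the parser ignores them) ---
def ip_frame(proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip

def dns_query_frame(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    return ip_frame(17, struct.pack("!HHHH", 50000, 53, 8 + len(dns), 0) + dns)

def http_response_frame(body, ctype):
    head = b"HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n" % (ctype, len(body))
    tcp = struct.pack("!HHIIBBHHH", 80, 51000, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip_frame(6, tcp + head + body)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1382572800 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"      # stub header, not the real dropper
SAMPLE_PCAP = build_pcap([
    dns_query_frame("zivvgmyrwy.3razbave.info"),
    http_response_frame(b"CWS\x0a" + b"\x00" * 16, b"application/x-shockwave-flash"),
    http_response_frame(SAMPLE_PE, b"application/octet-stream"),
])

if __name__ == "__main__":
    for hit in triage_pcap(SAMPLE_PCAP, watch_domain="3razbave.info"):
        print(hit)
```

Run it against a real capture by reading the file into `data` and calling `triage_pcap(data, watch_domain="3razbave.info")`; the packet numbers it prints line up with Wireshark's. The magic-byte check on the body is deliberately independent of the Content-Type header, since exploit kits routinely mislabel the SWF and the dropper.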


What some end users saw (screenshot: phpnet_quanted.png), followed by the browser crashing (screenshot: phpnet_quanted.png.png).


Stay safe out there.


7 Comments

  1. Some people were hypothesizing that it was a false pos.
    The pcap file shows this UDP traffic: (pretty diverse, huh?)

    These addresses had back and forth udp communications.
    124.43.201.66 SRI LANKA
    190.206.224.248 VENEZUELA, BOLIVARIAN REPUBLIC OF
    202.29.179.251 THAILAND
    24.142.33.67 CANADA

    These addresses were sent udp but never answered back
    105.129.8.196 MOROCCO
    112.200.137.206 PHILIPPINES
    113.162.57.138 VIET NAM
    114.207.201.74 KOREA, REPUBLIC OF
    118.175.165.41 THAILAND
    121.73.83.62 NEW ZEALAND
    153.166.2.103 JAPAN
    178.34.223.52 RUSSIAN FEDERATION
    182.160.5.97 MONGOLIA
    185.12.43.63 MONTENEGRO
    186.55.140.138 URUGUAY
    186.88.99.237 VENEZUELA, BOLIVARIAN REPUBLIC OF
    187.245.116.205 MEXICO
    197.228.246.213 SOUTH AFRICA
    197.7.33.65 TUNISIA
    202.123.181.178 LAO PEOPLE’S DEMOCRATIC REPUBLIC
    203.81.69.155 MYANMAR
    212.85.174.80 SLOVENIA
    218.186.195.105 SINGAPORE
    219.68.96.128 TAIWAN, PROVINCE OF CHINA
    31.169.11.208 KAZAKHSTAN
    37.237.75.66 IRAQ
    37.243.218.70 SAUDI ARABIA
    46.40.32.154 SERBIA
    5.102.206.178 ISRAEL
    5.12.127.206 ROMANIA
    5.234.117.85 IRAN, ISLAMIC REPUBLIC OF
    5.254.141.186 SWEDEN
    70.45.207.23 PUERTO RICO
    72.252.207.108 UNITED STATES
    78.177.67.219 TURKEY
    79.54.68.43 ITALY
    84.202.148.220 NORWAY
    92.245.193.137 SLOVAKIA
    93.116.10.207 MOLDOVA, REPUBLIC OF
    95.180.241.120 MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF
    95.68.74.55 LATVIA

  2. Nice article! Important point, though: StopBadware is an independent nonprofit organization. Google gives their data to us, not the other way around! Google’s Safe Browsing technology caught the suspicious code on php dot net. We don’t curate a blacklist or make malware warnings.

  3. It is strange that it went unnoticed until Google found the issue.
    We also got the same alerts from Google earlier when we tried to access php.net.

  4. JimmyBob

    I just extracted the exe from the PCAP you provided using Wireshark and foremost. The filename and MD5 are as follows:
    852c225ab9898102f2aee6b8d2abc501 00000000.exe
    Running the MD5 through VirusTotal returns “file not found”. I am uploading the file to VirusTotal right now to see if it's something known.

  5. Jamie, you should take a look at the JS that was taken from the website. It’s definitely malicious in nature and Google was right to flag the website. http://pastebin.com/XD0KyLxu

  6. Thanks a lot for helping the community by providing the pcap file – very useful!

  7. someone

    My guess for the reason behind this is that someone cracked credentials acquired from a database obtained via the recent vBulletin exploiting spree, and found PHP devs reusing credentials, thus permitting them access to the box to carry out these actions.