It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google’s crawler caught one of these small windows where the wrong file was being served.
All affected services have been migrated off those servers. PHP.net team have verified that their Git repository was not compromised, and it remains in read only mode as services are brought back up in full.
To summarize, the situation right now is that:
- Neither the source tarball downloads nor the Git repository were modified or compromised.
- Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
- SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
Over the next few days :
- php.net users will have their passwords reset. Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.
Source : http://php.net