On 24 Oct 2013 06:15:39 +0000 Google started saying www.php.net was hosting malware. The Google Webmaster Tools were initially quite delayed in showing the reason why and when they did it looked a lot like a false positive because there were some minified/obfuscated javascript being dynamically injected into userprefs.js. This looked suspicious, but it was actually written to do exactly that so we were quite certain it was a false positive.
It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google’s crawler caught one of these small windows where the wrong file was being served.
The php.net systems team have audited every server operated by php.net, and have found that two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net. The method by which these servers were compromised is unknown at this time.
All affected services have been migrated off those servers. PHP.net team have verified that their Git repository was not compromised, and it remains in read only mode as services are brought back up in full.
To summarize, the situation right now is that:
- JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
- Neither the source tarball downloads nor the Git repository were modified or compromised.
- Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
- SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
Over the next few days :
- php.net users will have their passwords reset. Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.
Source : http://php.net