When Google’s Safe Browsing service said
that programming site PHP.net was hosting and serving malware, it
sparked furious discussion – but the site investigated, and has since
admitted the infection, and moved to clean servers.
“The Google Webmaster Tools were initially quite delayed in showing
the reason why and when they did it looked a lot like a false positive,
but we kept digging,” the site said, but admitted that it had been
serving a drive-by Javascript exploit.Samples of the malware were posted in a discussion on Hacker News – and various posters discussed the “stealth” techniques used to avoid detection. .
PHP is an open-source programming language used on millions
of websites. Google’s initial warning flagged just four out of 1500
pages analyzed, according to The Register. The site’s team are still not clear how many visitors have been affected.
“It’s possible some victims were targeted by attacks that exploited
Java, Internet Explorer, or other applications,” said Martijn Grooten, a
security researcher for Virus Bulletin, speaking to Ars Technica.Grooten said that only some visitors to the site received the “extra” malicious payload, which caused browsers to connect to malicious sites and dowload code. The sites were UK domains which had domain name system server settings compromised, and resolved to IP addresses in Moldova.
“”Given what Hacker News reported (a site serving malicious
JS) to some, this doesn’t look like someone manually changing the
file,” Grooten said, in an interview with Ars Technica.
Grooten suggests that perhaps someone “somehow compromised the web
server. It might be that php.net has yet to discover that (it’s not
trivial—some webserver malware runs entirely in memory and hides itself
pretty well.)”CSS Online reported widespread speculation that the incident was a “watering hole” attack, designed to lure developers and infect their systems.
PHP has promised, “a full post-mortem on the intrusion when we have a clearer picture of what happened.”
No comments:
Post a Comment