PHP developers and maintainers are now working on the theory that a leak of the project's user database, rather than a compromise of the Git server itself, is what allowed attackers to plant a backdoor in the main repository.
Last month, PHP developers and maintainers warned that unknown individuals had pushed two malicious commits to the php-src Git repository maintained by the PHP team at git.php.net. The commits were disguised as a trivial "fix typo" change and were attributed to two well-known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov.
As it turned out, the commits injected a backdoor into the PHP codebase. Had the malicious code made it into a release and onto production systems, it would have allowed attackers to execute their own commands on the affected servers.
Fortunately, the malicious commits survived in the tree for only a few hours: they were noticed and reverted promptly. As an additional precaution, the PHP maintainers decided to move the official repository entirely to GitHub and announced that git.php.net would no longer be maintained.
As Nikita Popov now reports, the theory the team initially favoured, a compromise of the git.php.net server itself, has been ruled out. The working theory is now a leak of the user database from master.php.net. The investigation showed that the commits had been pushed over HTTPS using password-based authentication, which pointed to compromised credentials: since that database stored passwords as MD5 hashes, a leaked copy would have been cheap to crack.
In response, the developers migrated master.php.net to a new system, main.php.net, which supports TLS 1.2, reset all existing passwords, and now store passwords with bcrypt instead of MD5.
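The MD5-to-bcrypt change described above is the part of the response a practitioner is most likely to have to repeat in their own systems. The following is an added example of how such a migration is typically done in PHP; it is not code from master.php.net or main.php.net, and the `verify_and_upgrade` function, the `$users` table and the sample credentials are all constructed for illustration. It verifies a login against either a legacy unsalted MD5 digest or a bcrypt hash, and on a successful login with a legacy hash returns a fresh bcrypt hash for the caller to persist.

```php
<?php
// Added example: transparent upgrade of legacy MD5 password hashes to bcrypt.
// Not code from php.net's systems; the schema and sample data are constructed.
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12];

/** True when $hash looks like an unsalted 32-hex-character MD5 digest. */
function is_legacy_md5(string $hash): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $hash);
}

/**
 * Check $password against $stored (MD5 hex digest or bcrypt string).
 * Returns [bool $ok, ?string $newHash]. When $newHash is non-null the
 * caller must write it back to the database to complete the upgrade.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        // Constant-time comparison even for the legacy scheme.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // Correct password: replace the MD5 digest with bcrypt immediately.
        return [true, password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS)];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Already bcrypt; rehash only if the cost parameters have been raised.
    $newHash = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
        ? password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
        : null;
    return [true, $newHash];
}

// --- Constructed demo data: one legacy row and one already-migrated row ---
$users = [
    'alice' => ['password_hash' => md5('correct horse battery staple')],
    'bob'   => ['password_hash' => password_hash('hunter2', PASSWORD_BCRYPT, BCRYPT_OPTIONS)],
];

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        // Burn roughly the same time as a real check to avoid user enumeration.
        password_verify($password, '$2y$12$' . str_repeat('0', 53));
        return false;
    }
    [$ok, $newHash] = verify_and_upgrade($password, $users[$name]['password_hash']);
    if ($ok && $newHash !== null) {
        $users[$name]['password_hash'] = $newHash; // persist the upgraded hash
    }
    return $ok;
}

// Wrong password against the legacy row: rejected, hash left untouched.
var_dump(login($users, 'alice', 'wrong'));                          // false
var_dump(is_legacy_md5($users['alice']['password_hash']));          // true
// Correct password: accepted, and the stored hash is now bcrypt.
var_dump(login($users, 'alice', 'correct horse battery staple'));   // true
var_dump(is_legacy_md5($users['alice']['password_hash']));          // false
var_dump(str_starts_with($users['alice']['password_hash'], '$2y$')); // true
// Existing bcrypt row keeps working as before.
var_dump(login($users, 'bob', 'hunter2'));                          // true
```

Two caveats apply to this pattern. First, a lazy upgrade only rehashes accounts that log in; it does nothing for dormant accounts, whose MD5 digests remain crackable, which is why a forced reset of all passwords, as the PHP team did, is the right call once the database is believed to have leaked. Second, bcrypt only considers the first 72 bytes of the input, so a pre-hashing step or a length limit is needed if very long passphrases are to be distinguished.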