While I was browsing my Twitter timeline today, I saw a tweet by VUPEN security about a possible compromise of PHP.net server(s) and a potential PHP source backdoor.

We are aware of a possible compromise of PHP.NET server(s) and a potential PHP source backdoor. “wiki.php.net” was taken offline

–VUPEN Security

Before I continue, I want to make clear that I don’t have any information regarding the compromise, nor can I state that the PHP source code was or wasn’t backdoored, since I have neither inspected the code nor reviewed the revision log and the changes committed to the PHP source tree. This information is publicly available at http://svn.php.net.

What I can state, though, is that showing this screenshot…

PHP SVN Screenshot

…and claiming that “The picture shows that php.net site was compromised, and hacker backdoored php source” is 100% BULLSHIT.

Anyone with some basic understanding of code can tell you that a modification of a single line of code in the section which shows information about the PHP Group is obviously NOT a backdoor.

Please, stop spreading things such as “Php.net was compromised, and php source backdoored !” as a fact, when your only “evidence” is the screenshot above.

What is outrageous, though, is that I see respected users, who post about infosec and have hundreds of followers, spreading this kind of misinformation, and they don’t even seem to be joking.

Stop blowing things out of proportion.

[UPDATE]
The PHP team officially announced today that their wiki was compromised. However, after an extensive code inspection, no traces of backdoors were found. Case closed.

[19-Mar-2011]

The wiki.php.net box was compromised and the attackers were able to collect wiki account credentials. No other machines in the php.net infrastructure appear to have been affected. Our biggest concern is, of course, the integrity of our source code. We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found. The compromised machine has been wiped and we are forcing a password change for all svn accounts.

We are still investigating the details of the attack which combined a vulnerability in the Wiki software with a Linux root exploit.