PHP maintainer Nikita Popov have released a report after an unknown actor pushed backdoored code onto the official PHP Git repository.
The maintainers of the PHP programming language have issued an update regarding the security incident that came to light late last month, stating that the actors may have gotten hold of a user database containing their passwords to make unauthorized changes to the repository.
The PHP code repository was compromised two weeks ago with the insertion of code that, if left in place, would have enabled a backdoor into any web server running it. The code was initially committed in the name of Rasmus Lerdorf, creator of PHP. After it was removed, it was recommitted under Popov’s name.
This was initially treated as a compromise of the git.php.net server. Further investigation into the incident has revealed that the commits were a result of pushing them using HTTPS and password-based authentication. This leading them to suspect a possible leak of the master.php.net user database.
We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked,Nikita Popov said
The team suspects that a database leak gave the malicious attacker access to the passwords. However they also made several attempts to guess usernames.
While we don’t have any specific evidence for this, a possible explanation is that the user database of master.php.net has been leaked, although it is unclear why the attacker would need to guess usernames in that case,Nikita Popov explained
The update includes information on a series of changes made to improve security. Above all, the master.php.net has been migrated to a new system, main.php.net.
In response to the incident, all php.net passwords have been reset. In addition, the use of the git.php.net server has been discontinued in favor of GitHub. Expected, steps have been taken to make master.php.net more secure. Passwords are now stored using bcrypt after previously being stored in a format compatible with HTTP Digest authentication.
You can check out the full announcement here.