EDIT2: php.net has released a second statement. Systems were compromised and they are still not sure how; new SSL certificates are being generated. It looks like they're doing the cleanup the right way.
EDIT: Update and first official comments from php.net
One of our research tools flagged php.net as distributing malware. The site appears to have been compromised and had some of its JavaScript altered to exploit vulnerable systems visiting the website, rather than through the ad-network vector we typically see on more popular sites.
According to Alexa, php.net is the 228th most visited site in the world, so it is likely that quite a few systems were compromised while it was serving up malware.
Earlier today Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. Interestingly enough, the Google diagnostic page now seems to say otherwise, and there is some controversy and disbelief that a site like php.net could be doing this; since we have a capture of it, we thought we'd share it to remove all doubt.
We're a week or two away from launching a new tool that allows better visualization and exploration of malicious sites, so stay tuned; for now, here is a link to the pcap for those of you who'd like to analyze it.
A few interesting parts:
PE File download starts at packet 300
DNS requests to zivvgmyrwy.3razbave.info at packet 158
Malicious SWF files at packets 177 and 180, the latter successful
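As an added example (not code from the post or from Barracuda's tooling), here is a self-contained Python scanner that does in plain code what the packet pointers above and the commenter's Wireshark/foremost extraction do by hand: walk a classic pcap, find HTTP responses whose body is a Windows PE (the MZ stub plus the PE\0\0 signature at e_lfanew), and report the packet number where the download starts together with the MD5 of the carved file. It assumes Ethernet/IPv4/TCP frames whose segments arrive in order on one flow; make_frame and build_pcap only construct test input and are not real capture data.

```python
import hashlib, re, struct
def make_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums zeroed; enough for the parser below)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Constructed classic little-endian pcap (link type 1 = Ethernet) wrapping the frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def iter_packets(pcap):
    """Yield (number, frame) per pcap record, numbered from 1 the way Wireshark does."""
    end = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off, num = 24, 1
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "IIII", pcap, off)[2]   # incl_len of this record
        yield num, pcap[off + 16:off + 16 + incl]
        off, num = off + 16 + incl, num + 1

def tcp_flow_and_payload(frame):
    """(flow key, TCP payload) for an Ethernet/IPv4/TCP frame; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6: return None
    tcp = 14 + (frame[14] & 0x0F) * 4                 # IP header length from IHL
    if len(frame) < tcp + 20: return None
    return frame[26:34] + frame[tcp:tcp + 4], frame[tcp + (frame[tcp + 12] >> 4) * 4:]

def find_pe_downloads(pcap):
    """[(first packet, carved bytes, MD5)] per HTTP response body that is a PE; assumes in-order segments per flow (no real TCP reassembly)."""
    pending, hits = {}, []
    for num, frame in iter_packets(pcap):
        if not (parsed := tcp_flow_and_payload(frame)):
            continue
        key, data = parsed
        if key in pending:                             # continuation of a PE body
            pending[key][2] += data
        elif data.startswith(b"HTTP/1.") and b"\r\n\r\n" in data:
            hdr, body = data.split(b"\r\n\r\n", 1)
            if not body.startswith(b"MZ"):             # DOS stub magic of every PE
                continue
            m = re.search(rb"(?i)content-length:\s*(\d+)", hdr)
            pending[key] = [num, int(m.group(1)) if m else len(body), body]
        if key in pending and len(pending[key][2]) >= pending[key][1]:
            start, length, body = pending.pop(key)
            body = body[:length]
            pe = struct.unpack_from("<I", body, 0x3C)[0] if len(body) >= 0x40 else 0
            if body[pe:pe + 4] == b"PE\x00\x00":      # e_lfanew must point at "PE\0\0"
                hits.append((start, body, hashlib.md5(body).hexdigest()))
    return hits
```

Run it as `find_pe_downloads(open("capture.pcap", "rb").read())`; on a real capture the returned packet number is the one to jump to in Wireshark and the MD5 is what you would look up on VirusTotal.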
What some end users saw:
Crashing browser to
Stay safe out there.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
Some people were hypothesizing that it was a false pos.
The pcap file shows this UDP traffic: (pretty diverse, huh?)
These addresses had back-and-forth UDP communications:
124.43.201.66 SRI LANKA
190.206.224.248 VENEZUELA, BOLIVARIAN REPUBLIC OF
202.29.179.251 THAILAND
24.142.33.67 CANADA
These addresses were sent UDP but never answered back:
Nice article! Important point, though: StopBadware is an independent nonprofit organization. Google gives their data to us, not the other way around! Google’s Safe Browsing technology caught the suspicious code on php dot net. We don’t curate a blacklist or make malware warnings.
This is strange: it went unnoticed until Google found the issue.
We also got the same alerts from Google earlier when we tried to access php.net.
I just extracted the exe from the PCAP you provided using wireshark and foremost. The filename and MD5 are as follows:
852c225ab9898102f2aee6b8d2abc501 00000000.exe
Running the MD5 through VirusTotal returns "file not found". I am uploading the file to VirusTotal right now to see if it's something known.
Thanks a lot for helping the community by providing the pcap file – very useful!
My guess for the reason behind this is that someone cracked credentials acquired from a database obtained via the recent vBulletin exploiting spree, and found PHP devs reusing credentials, thus permitting them access to the box to carry out these actions.