EDIT2: php.net has released a second statement. Systems were compromised, and they are still not sure how. New SSL certificates are being generated. Looks like they’re doing the cleanup the right way.
EDIT: Update and first official comments from php.net
According to Alexa, php.net is the 228th most visited site in the world, so it is likely that quite a few systems were compromised while it was serving up malware.
Earlier today Google’s stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. Interestingly, the Google diagnostic page now seems to say otherwise, and there is some controversy and disbelief that a site like php.net could be doing this; since we have a capture of it, we thought we’d share it to remove all doubt.
We’re a week or two away from launching a new tool to allow for better visualization and exploration of malicious sites, so stay tuned, but for now here is a link to the pcap for those of you who’d like to analyze it.
A few interesting parts:
PE File download starts at packet 300
DNS requests to zivvgmyrwy.3razbave.info at packet 158
Malicious SWF files at packets 177 and 180, the latter successful
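As an added illustration (not code from the original post, nor from the tool it mentions), here is a small Python triage helper that flags the three things listed above in a sequence of packets: a DNS lookup for the named domain, an SWF body in an HTTP response, and a PE body in an HTTP response. The packet records, their numbers and payloads are constructed to mirror the list; the file magics and DNS wire format are standard.

```python
import struct

# Magics for the two file types called out above: Flash (plain, zlib, LZMA) and PE.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
PE_MAGIC = b"MZ"

def dns_query_name(payload):
    """First question name from a raw DNS message (RFC 1035 label encoding)."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:  # compression pointers do not occur in a question name
            raise ValueError("unexpected label pointer")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def http_body_type(payload):
    """Classify an HTTP response by the magic bytes of its body, not its headers."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None
    if body.startswith(PE_MAGIC):
        return "pe"
    if body[:3] in SWF_MAGICS:
        return "swf"
    return None  # empty or unknown body (e.g. the failed SWF fetch)

def triage(packets, watch_domain):
    """packets: iterable of (number, kind, payload), kind 'dns' or 'http'.
    Returns (packet number, finding) tuples in capture order."""
    findings = []
    for num, kind, payload in packets:
        if kind == "dns":
            try:
                name = dns_query_name(payload)
            except ValueError:
                continue
            if name == watch_domain or name.endswith("." + watch_domain):
                findings.append((num, "dns lookup for " + name))
        elif kind == "http":
            ftype = http_body_type(payload)
            if ftype:
                findings.append((num, ftype + " download"))
    return findings

def build_dns_query(name):
    """Constructed sample: minimal DNS A query for name (transaction id 0x1234)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

# Constructed sample traffic mirroring the packet numbers listed in the post.
SAMPLE = [
    (158, "dns", build_dns_query("zivvgmyrwy.3razbave.info")),
    (177, "http", b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    (180, "http", b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n\r\nCWS\x0a..."),
    (300, "http", b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00..."),
]
```

Running `triage(SAMPLE, "3razbave.info")` reports packets 158, 180 and 300 and skips 177, matching the list above.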
What some end users saw:
Crashing browser to
Stay safe out there.