Hackers added backdoor to PHP source code

Get a free Techzine subscription!

Hackers have managed to hack PHP’s Git server. This has allowed them to add their own code to PHP’s source code. This allows them to gain access to websites that make use of the code.

In a message on their website, the PHP developers say that two malicious commits were performed on the php-src-repo under the names of Rasmus Lerdorf and Nikita Popov. These are two PHP developers. According to them, the issue is a compromised git.php.net server and not hacked Git accounts. The incident is still under investigation.


The code added by the hackers allowed attackers to run their own code on any website that used the compromised PHP code. If the user agent HTTP header, the information a website receives about a connecting computer, begins with the word ‘zerodium’, the code is activated.

Zerodium is a company that sells exploits to governments for research purposes. That company has already emphasised that it has nothing to do with the hack. It is not clear why the hackers referred to the company. The CEO of Zerodium suspects that it is a troll.

Vulnerability removed before rollout

The first rogue commit was made last Saturday under the guise of a typo. The next day an attentive developer noticed it, and the code was reverted. Not much later, the code was added again with a second commit. That code was removed as well. The code did not end up in a production version of the PHP source code, so no website is running compromised code.

Nevertheless, PHP’s developers have decided that maintaining their own git infrastructure is too dangerous. Therefore, the version of the code that is on GitHub will now be the main version of the code. Until now, this was only a mirror.

Tip: Microsoft says Web shell usage by hackers is on the rise