PHP compromised: user database leakage prime suspect


Nikita Popov, a PHP maintainer, has posted an update on how malicious code came to be inserted into the PHP source repository. Popov now attributes the incident to a leak of the user database rather than to a compromise of the git server itself.

The PHP code repository was compromised toward the end of last month, when code that would have opened a backdoor into any web server running it was pushed to the repository.

Two commits were pushed: the first under the name of Rasmus Lerdorf, the creator of PHP, and, after that one had been reverted, a second under Popov’s own name.

Initial reports

The PHP team originally thought that the server hosting the repository had been broken into. Popov now says that the team no longer believes the server itself was compromised, but that the user database may have leaked.

The server in question uses gitolite to manage git hosting, and because the two commits bypassed the gitolite layer entirely, Popov initially suspected that the server itself had been compromised.

For that reason the PHP repository on GitHub was promoted to be the primary one, since fixing the problem and setting up a new server will take time.

What does the team think it is?

The best guess now is that the user database leaked. The theory does not fit the evidence perfectly, though: the logs show that the attacker first had to guess usernames, which a leaked database should have given them. Once the right username was found, the password was accepted at once, which does suggest that the password was already known rather than guessed.
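The distinction the logs turn on, several unknown-username failures followed by a success on the very first password attempt versus a run of wrong-password failures, can be checked mechanically. The triage routine below is an added example, not code from php.net or from Popov's post-mortem; the log format, its field names (`src`, `user`, `result`) and the sample lines are all constructed for the example.

```php
<?php
// Added example, not from php.net's post-mortem: a small triage routine for
// authentication logs that separates "source already knew the password"
// from "source is guessing passwords". The log format, field names and the
// sample lines below are constructed for this example.

$sampleLog = <<<'LOG'
2021-03-28T10:00:01Z src=203.0.113.7 user=admin result=unknown_user
2021-03-28T10:00:03Z src=203.0.113.7 user=root result=unknown_user
2021-03-28T10:00:05Z src=203.0.113.7 user=rasmus result=success
2021-03-28T10:05:00Z src=198.51.100.9 user=nikic result=bad_password
2021-03-28T10:05:01Z src=198.51.100.9 user=nikic result=bad_password
2021-03-28T10:05:02Z src=198.51.100.9 user=nikic result=bad_password
2021-03-28T10:05:03Z src=198.51.100.9 user=nikic result=success
2021-03-28T11:00:00Z src=192.0.2.44 user=nikic result=success
LOG;

/** Parse one "key=value" log line into an associative array, or null if it does not match. */
function parseLine(string $line): ?array {
    if (!preg_match('/^(\S+) src=(\S+) user=(\S+) result=(\S+)$/', $line, $m)) {
        return null;
    }
    return ['time' => $m[1], 'src' => $m[2], 'user' => $m[3], 'result' => $m[4]];
}

/**
 * Classify the attempts from one source, in time order, up to the first success:
 *  - unknown usernames tried, then the first password attempt succeeds:
 *    the source held a valid password but not the username (leaked-database pattern)
 *  - repeated bad passwords before success: password guessing
 *  - a clean first-try success: ordinary login
 */
function classifySource(array $events): string {
    $unknown = 0;
    $badPassword = 0;
    foreach ($events as $e) {
        if ($e['result'] === 'unknown_user') {
            $unknown++;
        } elseif ($e['result'] === 'bad_password') {
            $badPassword++;
        } elseif ($e['result'] === 'success') {
            if ($badPassword === 0 && $unknown > 0) {
                return 'known_password_unknown_username';
            }
            return $badPassword > 0 ? 'password_guessing' : 'normal';
        }
    }
    return 'no_success';
}

/** Group parsed lines by source address and classify each source. */
function triage(string $log): array {
    $bySource = [];
    foreach (explode("\n", trim($log)) as $line) {
        $e = parseLine($line);
        if ($e !== null) {
            $bySource[$e['src']][] = $e;
        }
    }
    return array_map('classifySource', $bySource);
}

foreach (triage($sampleLog) as $src => $verdict) {
    printf("%-14s %s\n", $src, $verdict);
}
```

On the constructed sample, 203.0.113.7 is flagged as holding a known password for an unknown username, 198.51.100.9 as password guessing, and 192.0.2.44 as a normal login. The routine only looks at outcome types, so it relies on the authentication layer logging "unknown user" and "bad password" as distinct results; a system that collapses both into a single failure code cannot support this inference.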

Popov notes that the user database belonged to very old code running on a very old operating system and PHP version, so a vulnerability there would not come as a surprise.

The actions taken include resetting all passwords and rewriting the database code to use parameterized queries, closing off SQL injection.
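The difference between the old and the corrected query style is easiest to see side by side. The following is an added example, not code from php.net's user database: the same login lookup written with the username spliced into the SQL text and then with a bound parameter, run against an in-memory SQLite database so it can be executed offline with the `php` CLI (the `pdo_sqlite` extension is assumed to be present; the `users` table and its columns are invented for the example).

```php
<?php
// Added example, not php.net's own code: the same login lookup written the
// unsafe way and the parameterized way, against an in-memory SQLite database.
// Assumes the pdo_sqlite extension; table and column names are invented.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password_hash TEXT)');

// Constructed sample account. password_hash() uses bcrypt by default.
$stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$stmt->execute(['rasmus', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Vulnerable: the username is spliced into the SQL text, so a crafted
// username changes the structure of the query itself.
function findUserUnsafe(PDO $db, string $username): ?array {
    $sql = "SELECT username, password_hash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the username travels as a bound parameter and is only ever
// treated as data, whatever characters it contains.
function findUserSafe(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Full login check: look the user up safely, then verify the supplied
// password against the stored hash.
function login(PDO $db, string $username, string $password): bool {
    $row = findUserSafe($db, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// A username that closes the quote and makes the WHERE clause always true.
$injected = "' OR '1'='1";

$unsafe = findUserUnsafe($db, $injected);
$safe   = findUserSafe($db, $injected);

printf("unsafe lookup with injected username: %s\n", $unsafe ? 'returned ' . $unsafe['username'] : 'no row');
printf("safe lookup with injected username:   %s\n", $safe ? 'returned ' . $safe['username'] : 'no row');
printf("login with real password:  %s\n", login($db, 'rasmus', 'correct horse battery staple') ? 'ok' : 'denied');
printf("login with wrong password: %s\n", login($db, 'rasmus', 'guess') ? 'ok' : 'denied');
```

The unsafe lookup returns the `rasmus` row for a username nobody has, because the injected quote turns the query into `WHERE username = '' OR '1'='1'`; the parameterized lookup returns nothing for the same input. Binding parameters fixes the query-structure problem only; it does nothing for the password check, which is why the example also verifies against a stored hash rather than comparing values in the query.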