Update on PHP.net site malware hack attack

It seems that the breach itself was surprisingly straightforward in approach, rather old-school in fact, with the use of an iFrame injection technique pointing to the Magnitude exploit kit and ultimately dropping a Trojan known as Tepfer onto the visiting computer. Up to date AV scanners should be able to detect if your computer was infected or not, in case you are concerned.

I didn't know about this til now. That is pretty old school.

I haven't heard about PHP.net site being malware hack attack til now. I think I been really busy.

I think someone (hacker) read your article:

Are PHP SuperGlobals putting Web applications at risk?

and to proof a point how php is vulnerable. Someone like this happened.

Thanks for information about PHP officials sites, it is very useful for us for learning purpose.

Thanks for the heads up! Make everyone aware of this. Thanks!

Thanks for the info.

really good one...liked it i am always using that website for learning purpose

Thanks for the info.

nice one...

While the hack happened 3 months ago, the above really did not cover it completely,
The Trojan Tepfer only infects Windows PCs. It pretends to be svchost.exe, Win32.exe or other Windows-only application that keeps attempting to entice users to open something, thus infecting themselves.

Normally, w/ Tepfer, the infection vector is via eMail with a malicious attachment. In this case it appears that the exploit vector was Javascript/Flash, using an iframe, the javascript got put into server memory and kept replacing this code in memory after the cron job ran that removed the malicious code and replaced it with the good code. Those two servers were pulled offline while a new SSL key was enabled.

Thanks to Google for catching this one. The payload would have only worked on Windows PC.

About Tepfer specifically:

Tepfer infects Windows machines ONLY. (No proof of any Linux or MacIntosh computers getting infected)
Some side effects of an infection are (c/o : http://www.yac.mx/en/guides/trojan-horse-guides/20131203-how-to-remove-Trojan/Tepfer-E-through-yac-virus-removal-tool.html:)

    Trojan/Tepfer-E may keep opening up cmd exe, notepad exe, calc exe, word exe;
    Trojan/Tepfer-E is really difficult to be traced and removed.
    Trojan/Tepfer-E creates high resource-consuming files.
    Steal sensitive data like passwords, credit card, bank account information,etc
    Trojan/Tepfer-E often takes up high resources and strikingly slows down your computer speed.

About iframes:

Thanks to W3School (http://www.w3schools.com/html/html_iframe.asp), we know that an iframe uses a src="" stmt, while this is usually a website, a htm or html file. And of course Javascript files are loaded when those .html files load (userperfs.js for example).

I also checked into that infection vector: iFrames + Tepfer + Javascript + exploit for more information. Again it appears that its Windows ONLY.

About MacBook Pros: (non-issue)

http://www.clamxav.com/BB/viewtopic.php?t=3326&p=18252 ~ Macbook pro user was getting false positive on infection until he removed the report created from his Anti-virus program. One responder mentioned being careful about using quarantine or deleting files and worth a read.

In a nut shell, this could not happen for a MacBook Pro user. My guess is the same for a Linux user, but lets look at a couple more sites to be sure.

Per arstechnica, (http://arstechnica.com/security/2013/10/hackers-compromise-official-php-website-infect-visitors-with-malware/) the infection vector was an exploit vulnerability in Adobe Flash.

The arstechnica article also suggests that it might be possible that some victims were targeted by vulnerabilities in Java, Internet Explorer or other applications (...wtf, other applications, they really did not know ~ did they.) The article mentions Java, but I could not confirm any Java infections, which would be my only concern for Linux, from Java. Too many cloud sites depend on Java these days.

Per LavaSoft (http://www.lavasoft.com/mylavasoft/securitycenter/whitepapers/lavasoft-security-bulletin-may-2013), the focus appeared to be only Windows PCs. Check it out if you want to read about how it infects .DLL files via JavaScript via iFrames and the top 20 Malicious programs infected on Windows PC.

Thankfully a non-issue for Linux and MacIntosh PCs. Gotta love Linux/Unix operating systems.

For users of WINE, if you only play the non-Linux windows-ONLY game in Wine and get out of wine when done with the game, than surfing the web with Linux only, its still a non issue.

The best explanation I came across is from infosecurity-magazine (http://www.infosecurity-magazine.com/view/35261/google-blocks-phpnet-claims-it-serves-malware/) and Jamie Biasco of AlienVault "The server redirects the browser to a server that makes another redirection very likely depending on the plugins detected on the victim," writes Blasco. The destination is a server (incidentally, one already flagged by AlienVault as malicious) that appears to host the Magnitude exploit kit. If successful, the exploit kit installs the information stealing Tepfer trojan (also known as Fareit)".

Alienvault (http://www.alienvault.com/open-threat-exchange/blog/phpnet-potentially-compromised-and-redirecting-to-an-exploit-kit) stats that the payload is Win32 EXE.

If you are not a Windows OS user, this exploit would have been of no concern.

Thanks for your info. its usefull.

Thanks