{"id":36699,"date":"2021-04-28T17:44:32","date_gmt":"2021-04-28T17:44:32","guid":{"rendered":"https:\/\/www.vmengine.net\/2021\/04\/28\/php-shakes-the-web-git-server-hacked\/"},"modified":"2025-05-23T17:31:29","modified_gmt":"2025-05-23T17:31:29","slug":"php-shakes-the-web-git-server-hacked","status":"publish","type":"post","link":"http:\/\/temp_new.vmenginelab.com\/en\/2021\/04\/28\/php-shakes-the-web-git-server-hacked\/","title":{"rendered":"PHP Shakes the Web: Git Server Hacked"},"content":{"rendered":"
\n
\n
\n
\n
Hackers hack the git.php.net Git server and introduce a backdoor into the source code <\/div>\n<\/p><\/div>\n
\n
\n

The Attack<\/strong><\/p>\n

PHP has also come under fire from web hackers, who were the victim of the attack on a GIT server. According to the information disclosed through the official PHP release<\/a> , two malicious commits were sent as Nikita Popov and Rasmus Lerdorf, compromising git.php.net.
PHP immediately decided to stop the server and push any future changes to GitHub instead of git.php.net.<\/p>\n

The two malicious commits were inserted into the source code as “fix typos”, i.e. passing them off as simple spelling corrections made by the developers.<\/p>\n

In addition, the code also included the
\n zend_eval_string<\/strong>
\n<\/em> instruction used by the attacker to install the backdoor that would then allow him to execute remote code execution (RCE) on any website that executed the tampered code.<\/p>\n

Probably the recent attack on SolarWinds’ Orion alerted PHP which, from the beginning, intervened to limit the damage of the hacker attack. In fact, the recent attack on U.S. government agencies and the attack on PHP seem to have the same matrix. Even in the case of SolarWinds, the vulnerability of the platform had allowed the source code to be modified, allowing hackers to execute the code directly remotely.<\/p>\n<\/div><\/div>\n

\n
\n

How to ward off this type of attack<\/strong><\/p>\n

PHP’s first request to its users was to use GitHub for edits, or to join the organization if they weren’t.<\/p>\n

The huge advantage of using platforms like GitHub or CodeCommit<\/a> is that, almost always, the attack surface would boil down to simply stealing credentials from the victim’s PC. Whereas, in the case of PHP, a vulnerability in Git has been exploited, or a “too permissive” configuration of it.<\/p>\n

Amazon Web Services<\/a> offers the CodeCommit service that takes care of the security of your Git repository. Customers generally use private repositories that are not visible to the public even in read-only mode. CodeCommit integrates with AWS IAM to manage access across users, roles, groups, and access policies. Proper management of these elements allows you to keep access to the repository safe (always after theft of credentials and passwords). In addition, CodeCommit does not allow the use of public repositories<\/a> such as GitHub or GitLab, or its own Git server.
So in the case of PHP it wouldn’t have been usable because it’s free software that needs to be visible to the community.<\/p>\n<\/div><\/div>\n

\n
\n
The Fantacalcio.it platform is also among the customers that successfully uses services such as AWS CodeCommit.<\/div>\n<\/div>\n
See the Fantacalcio.it case study <\/a><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Hackers hack the git.php.net Git server and introduce a backdoor into the source code The Attack PHP has also come under fire from web hackers, who were the victim of the attack on a GIT server. According to the information disclosed through the official PHP release , two malicious commits were sent as Nikita Popov […]<\/p>\n","protected":false},"author":6,"featured_media":33095,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[97,1374],"tags":[3304,4603,4604,4154,2979],"class_list":["post-36699","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","category-the-analysis","tag-amazon-web-service-en","tag-git-en","tag-git-server-hacked","tag-hacker-attack","tag-php-en"],"aioseo_notices":[],"jetpack_featured_media_url":"http:\/\/temp_new.vmenginelab.com\/wp-content\/uploads\/2021\/04\/cybercrime-cyber-security-KL4J2UG-min-scaled.jpg","amp_enabled":true,"_links":{"self":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts\/36699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/comments?post=36699"}],"version-history":[{"count":1,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts\/36699\/revisions"}],"predecessor-version":[{"id":41591,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts\/36699\/revisions\/41591"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/media\/33095"}],"wp:attachment":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/media?parent=36699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/categories?post=36699"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/tags?post=36699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}