PHP developer wiki server hacked
According to the development team, access details for a number of accounts were stolen during a hack of the PHP developer wiki server wiki.php.net. Initial investigations have found that no other servers were compromised, but there was concern that the PHP source code might have been modified, as the stolen access data also provides access to the PHP repository.
The developers report that they therefore carried out a detailed code audit and checked every commit to the Subversion repository since version 5.3.5. According to a brief statement on www.php.net, the audit found no indication that changes had been made. The hack exploited a vulnerability in the CMS (DokuWiki), and the unknown perpetrators were then able to escalate their privileges using a Linux root exploit.
The affected system has been wiped and all developers with access to the repository will be required to change their passwords. wiki.php.net was not accessible last Friday, and French security services provider Vupen spread rumours on Twitter that PHP could contain a backdoor. In a tweet which has since been deleted, Vupen linked to the website of a Chinese hacker who claimed to have modified code in the PHP repository. Rather than having inserted a backdoor, however, the intruder merely added the name 'Wolegequ Gelivable' to the credits in one file.
Although the hacker's posting on his own website is dated 18 March 2011, the change in question was made back in December of last year. The Chinese hacker managed to steal PHP developer Hannes Magnusson's access details and use them to perform the modification described.
The superfluous change was, however, quickly spotted and reverted, as many other PHP developers read the commit emails. Whether more subtle changes would have been spotted so quickly is certainly a question worth asking. It is unclear whether there is any connection between the two incidents; the PHP development team has not yet answered this question.
- PHP 5.3.6 closes five security holes, a report from The H.