PHP Users Database got Hacked in Recent Source Code Attack

The developers have moved master.php.net to the new main.php.net system with TLS 1.2 support, and also reset all passwords.


PHP developer Nikita Popov posted details of an incident involving a hacking of the official PHP Git repository at the end of last month.

“We no longer believe that the git.php.net server has been compromised. However, there is a possibility that the master.php.net user database will be leaked. Master.php.net is used for authentication and various management tasks, ”explained Nikita Popov, the PHP language developer.

Recall that on March 28 of this year, unknown persons added malicious commits to the PHP repository, disguised as PHP developers Rasmus Lerdorf and Nikita Popov. The commits were offered under the guise of typographical fixes, but in fact changed the PHP source code to implement a remotely managed backdoor.

“Git.php.net supports pushing changes not only over SSH (using the Gitolite framework and public key cryptography), but also over HTTPS. Instead of Gitolite, we used git-http-backend to authenticate Apache 2 Digest to the master.php.net user database, ”Popov explained.

Investigating the incident revealed that the commits were added to the repository via HTTPS and "password-based authentication".

As Popov noted, the attacker made only a few attempts to guess the logins and successfully logged in after finding the correct one. The developer believes that the master.php.net user database has been compromised, but it remains unknown why the attacker had to guess the logins in this case.

For security purposes, the developers have moved master.php.net to the new main.php.net system with TLS 1.2 support, and also reset all existing passwords. As Popov noted, now all passwords are stored using the bcrypt algorithm.