Someone tried to sneak a backdoor into code used by 80% of the internet

Garikai Dzoma Avatar

On Sunday evening the PHP team reported that someone had tried to create a backdoor into the popular project. They tried to sneak in two malicious commits but alert devs thwarted the attempts. It’s not clear who wanted to do this.

What is PHP?

PHP is a popular scripting language that powers as much as 80% of the internet’s websites. It’s not exactly as sexy or trendy as JavaScript, and it’s many libraries or Python, and the fancy AI it uses but sits hidden behind the scenes quietly doing the Lord’s work. Techzim and all the news sites and blogs you know for example are built using WordPress and PHP.

This makes the PHP project, which makes the server interpreter that runs this software, an important scalp. Their wider usage dwarfs that of Solar Winds which was leveraged by unknown hackers last year to do extensive breaches into the US government’s and a host of other companies’ servers.

If a hacker manages to sneak in malicious code into the PHP interpreter the world becomes their oyster, the damage they can do is incalculable. They would be able to get into pretty much any network on earth including big companies like Apple, Google. The value of such a coup would be worth billions-possibly more.

How the breach happened

It’s not clear how this happened, but those who run the PHP project suspect the hackers got into the project by hacking into the server on which the PHP project is hosted. They then attempted to sneak in their malicious code by impersonating some respected members of the PHP contributor community and attempting to disguise their code commits as minor “typo” fixes.

The PHP project was using its own private server to host the project but after the breach, they have decided to switch over to Microsoft owned GitHub. They already use a piece of software known as Git to keep track of changes made to the PHP software, so the switch to GitHub will have minimum impact, but it will enhance security.

FOSS vigilance killed the breach in it’s crib

PHP is Free and Open Source Software which is also widely developed and reviewed, so it’s unlikely this breach was ever going to work, and it seems whoever did this had a feeling but they tried anyway. The malicious code is not even disguised maybe somebody just wanted to see how long it would take people to identify the code.

However, even such unsophisticated breaches can be leveraged to do widespread damage as illustrated in the Solar Winds attack. It’s possible that a badly secured server was easily breached as part of the attack vector. In the end substantial damage was done.

In this case the attack took place in public view there was slim chance of the attacker getting away with it. Using Git you can easily tell which lines of code have been added/changed or deleted. Not even trusted members of the community can circumvent that. What if one of them was paid by a malicious actor to sneak it a backdoor? Paranoia drives the FOSS community and the feeble commit was rolled back quickly. The malicious actor attempted to reintroduce the back door again.

Nothing to worry about

Ultimately the attack ended before it even began if we can even call it an attack. However, the whole incident highlights the value of FOSS. It also shows how you need to be vigilant with every piece of software you deploy as an organization. Every mundane thing you install can be turned into a weapon.

You need to guard your security jealously and make sure you do your own audits. Just because something is popular doesn’t mean it’s safe. It actually means that it’s a potential target-a very valuable potential target.

3 comments

  1. sg

    that thing saying php 8 released its so confusing

    1. Garikai Dzoma

      Hi, I don’t understand what you mean here.

      1. Anonymous

        He/She means, the first iteration of PHP version 8.0 was made available to the public last year in November. That image you used for the article makes it seem like your article is about the recent release of PHP ver 8.0 (which it isn’t) and even if it were, your article would still be a couple of months late to the party. And no it doesn’t help that the written title says something else while the image says something else. Clean up the image next time. Just saying….

Join Waitlist We will inform you when the product arrives in stock. Please leave your valid email address below.