Report on the compromise of the PHP project's Git repository and database

The first results of the analysis of the incident in which two malicious commits containing a backdoor were found in the PHP project's Git repository have been published. The backdoor was triggered by a request carrying a specially crafted User-Agent header. From the traces left by the attackers' activity it was concluded that the git.php.net server hosting the Git repository itself was not hacked; instead, the database holding the project developers' accounts was compromised.

It cannot be ruled out that the attackers were able to download the user database stored in the DBMS on the master.php.net server. The contents of master.php.net have already been migrated to a new main.php.net server installed from scratch. All developer passwords used to access the php.net infrastructure have been reset, and the process of changing them has been started through a dedicated password-recovery form. The git.php.net and svn.php.net repositories remain available in read-only mode (development has moved to GitHub).

After the first malicious commit, pushed through the account of Rasmus Lerdorf, the founder of PHP, was detected, it was assumed that his account had been hacked; Nikita Popov, one of the key PHP developers, reverted the change and blocked commit rights for the affected account. Some time later it became apparent that the block was pointless: without verification of commit digital signatures, any participant with push access to the php-src repository could make a change while substituting a fictitious author name.
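To make the point about unauthenticated author names concrete, here is an added example (not code from the PHP project or from the report) that assembles raw Git commit objects by hand. The `author` line is just text chosen by whoever creates the object, so a commit can claim any name; the only thing a server can check is whether the object carries a `gpgsig` header, which is what a pre-receive policy would require before trusting the author line. The tree and parent ids, e-mail addresses and signature text are constructed placeholders.

```python
import hashlib

# Constructed placeholder object ids; not real php-src history.
TREE = "a" * 40
PARENT = "b" * 40


def build_commit(author, committer, message, gpgsig=None):
    """Assemble a raw git commit object.

    Every header line is plain text supplied by the object's creator:
    nothing in the format ties `author` to the identity that later
    pushes the object to the server.
    """
    lines = [
        f"tree {TREE}",
        f"parent {PARENT}",
        f"author {author} 1616900000 +0000",
        f"committer {committer} 1616900000 +0000",
    ]
    if gpgsig:
        # git stores a multi-line header with one leading space on
        # every continuation line.
        sig_lines = gpgsig.splitlines()
        lines.append("gpgsig " + sig_lines[0])
        lines.extend(" " + l for l in sig_lines[1:])
    return "\n".join(lines) + "\n\n" + message + "\n"


def object_id(raw):
    """Object id as git computes it: sha1 over 'commit <len>\\0<body>'.
    The hash binds the content, not the identity of the author."""
    data = raw.encode()
    return hashlib.sha1(b"commit %d\0" % len(data) + data).hexdigest()


def parse_headers(raw):
    """Split the header block of a raw commit into a dict, re-joining
    multi-line headers such as gpgsig."""
    headers = {}
    head, _, _ = raw.partition("\n\n")
    current = None
    for line in head.split("\n"):
        if line.startswith(" ") and current:
            headers[current] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers[key] = value
            current = key
    return headers


def push_policy(raw, pusher):
    """Server-side check modelled on what a pre-receive hook can enforce.

    The author line alone is no evidence of who made the change, so an
    unsigned commit is refused whatever name it carries.  A commit with a
    gpgsig header passes this stage; the signature itself must still be
    verified against the project's key ring (not done here).
    """
    h = parse_headers(raw)
    if "gpgsig" not in h:
        return (False, f"unsigned commit claiming author '{h['author']}' "
                       f"pushed by '{pusher}'")
    return (True, "signature header present; verify against key ring")


if __name__ == "__main__":
    # A commit that claims to be by Rasmus, created and pushed by someone else.
    spoofed = build_commit("Rasmus Lerdorf <rasmus@example.invalid>",
                           "Rasmus Lerdorf <rasmus@example.invalid>",
                           "Fix typo")
    print(object_id(spoofed), push_policy(spoofed, "someone-else"))
```

Without a signature requirement the check above has nothing to refuse, which is why blocking one account after the first commit did not stop the second one from appearing under a different name.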

Next, the attackers pushed a malicious commit in Nikita's own name. By analysing the logs of the Gitolite service used to manage access to the repositories, an attempt was made to identify the participant who had actually made the changes. Although logging of all commits was enabled, there were no records for the two malicious changes. It became clear that the infrastructure had been compromised, since the commits had been added directly, bypassing the connection through Gitolite.
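The reasoning in this paragraph, commits present in the repository with no matching entry in the access log, can be turned into a reconciliation check. The following is an added example, not tooling from the PHP project: it parses a constructed push log in a simplified tab-separated layout loosely modelled on Gitolite's `update` records (timestamp, pid, kind, repo, user, ref, old id, new id; the real layout may differ), computes which commits each logged push introduced, and reports every commit on the branch that no logged push accounts for. The repository name, user names, commit ids and history are all constructed.

```python
ZERO = "0" * 40  # git's "no previous value" id for a newly created ref

# Constructed sample: what a push log might record for two legitimate pushes.
# Fields: timestamp  pid  kind  repo  user  ref  old  new   (tab separated)
LOG = """\
2021-03-27.10:00:01\t1001\tssh\tARGV=nikic\tSOC=git-receive-pack 'php-src'
2021-03-27.10:00:02\t1001\tupdate\tphp-src\tnikic\trefs/heads/master\t{zero}\tc2
2021-03-27.11:30:10\t1002\tssh\tARGV=rasmus\tSOC=git-receive-pack 'php-src'
2021-03-27.11:30:11\t1002\tupdate\tphp-src\trasmus\trefs/heads/master\tc2\tc3
""".format(zero=ZERO)

# Constructed linear history of refs/heads/master: child -> parent.
PARENTS = {"c1": None, "c2": "c1", "c3": "c2", "c4": "c3", "c5": "c4"}
TIP = "c5"


def parse_update_lines(log):
    """Keep only 'update' records; connection lines carry no ref movement."""
    updates = []
    for line in log.splitlines():
        f = line.split("\t")
        if len(f) >= 8 and f[2] == "update":
            updates.append({"ts": f[0], "repo": f[3], "user": f[4],
                            "ref": f[5], "old": f[6], "new": f[7]})
    return updates


def commits_introduced(parents, old, new):
    """Commits reachable from `new` but not from `old`, walking first
    parents only (the constructed history is linear)."""
    stop = None if old in (None, ZERO) else old
    introduced = set()
    cur = new
    while cur is not None and cur != stop:
        introduced.add(cur)
        cur = parents.get(cur)
    return introduced


def unaccounted_commits(parents, tip, updates, repo, ref):
    """Commits on `ref` that no logged push explains.  With complete logging
    this set is empty; anything left over was written to the repository by
    a path the access layer never saw."""
    logged = set()
    by_push = {}
    for u in updates:
        if u["repo"] == repo and u["ref"] == ref:
            introduced = commits_introduced(parents, u["old"], u["new"])
            logged |= introduced
            for c in introduced:
                by_push[c] = u["user"]
    history = commits_introduced(parents, None, tip)
    return sorted(history - logged), by_push


if __name__ == "__main__":
    missing, by_push = unaccounted_commits(
        PARENTS, TIP, parse_update_lines(LOG), "php-src", "refs/heads/master")
    for c in sorted(by_push):
        print(f"{c}: pushed by {by_push[c]}")
    for c in missing:
        print(f"{c}: NOT in push log (bypassed access layer?)")
```

The check is only as good as the assumption that every write path feeds the same log; the report's next paragraph is precisely about a write path that did not.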

The git.php.net server was quickly taken offline, and the primary repository was moved to GitHub. What had been overlooked was that, besides SSH access through Gitolite, there was another entry point that allowed commits to be pushed over HTTPS. In this case, the git-http-backend
