When Google’s Safe Browsing service said that programming site PHP.net was hosting and serving malware, it sparked furious discussion - but the site investigated, and has since admitted the infection, and moved to clean servers.
“The Google Webmaster Tools were initially quite delayed in showing the reason why and when they did it looked a lot like a false positive, but we kept digging,” the site said, but admitted that it had been serving a drive-by Javascript exploit.
Samples of the malware were posted in a discussion on Hacker News - and various posters discussed the “stealth” techniques used to avoid detection. .
PHP is an open-source programming language used on millions of websites. Google’s initial warning flagged just four out of 1500 pages analyzed, according to The Register. The site’s team are still not clear how many visitors have been affected.
“It's possible some victims were targeted by attacks that exploited Java, Internet Explorer, or other applications,” said Martijn Grooten, a security researcher for Virus Bulletin, speaking to Ars Technica.
Grooten said that only some visitors to the site received the “extra” malicious payload, which caused browsers to connect to malicious sites and dowload code. The sites were UK domains which had domain name system server settings compromised, and resolved to IP addresses in Moldova.
“"Given what Hacker News reported (a site serving malicious JS) to some, this doesn't look like someone manually changing the file," Grooten said, in an interview with Ars Technica.
Grooten suggests that perhaps someone "somehow compromised the web server. It might be that php.net has yet to discover that (it's not trivial—some webserver malware runs entirely in memory and hides itself pretty well.)"
CSS Online reported widespread speculation that the incident was a “watering hole” attack, designed to lure developers and infect their systems.
PHP has promised, “a full post-mortem on the intrusion when we have a clearer picture of what happened.”