PHP.net compromised, serving up obfuscated content

The Websense® ThreatSeeker® Intelligence Cloud has alerted us regarding content deployed on the web developer's web site hxxp://php.net/.

Internet users may know that Google Safe Browsing has also alerted users to a possible infection or compromise of php.net, a site currently ranked 220 on the Alexa ranking system. A member of Google's staff has posted on a number of forums (examples here and here) to confirm that this is, in fact, a true positive, as confirmed by our telemetry. Members of the same forums quickly compared versions of the script, identifying the following code as appended to at least 4 .js scripts within the hxxp://php.net/ domain:

The following screen shot shows the decoded obfuscation:

When we look at the resulting JavaScript, we can identify a URL in the .uk TLD space:

The iFrame source was hosted on a VPS owned by hxxp://webfusion.co.uk/, which should be applauded for swiftly taking the site down, soon after this compromise came to light. Before the takedown, the URL returned one of two types of content: a basic plugin detection script, or the simple string "not ready", as shown below:

The code was served just once per IP and was dependent upon correct Referer and UA strings.

The ultimate goal of this injection was to redirect users to the Magnitude Exploit Kit (MEK), which attempts to exploit Adobe and Java platforms, among others, in order to serve up generic Ransomware.

Websense customers were, as always, protected against this type of attack by ACE™, our Advanced Classification Engine

Of the 7 Stages of Advanced Threats, Websense offered protection at the following stages:

  • Redirection stage
  • Exploit Kits stage
  • Command and Control URLs

Update (at the time of this blog posting): The malicious code has been removed from hxxp://php.net/.