Here is what caused the Hack to PHP Source Code git Server

Hussein Nasser · Intermediate ·🔧 Backend Engineering ·5y ago

Key Takeaways

The malicious commits were not pushed through the monitored SSH path: the maintainers no longer believe the git.php.net server itself was compromised. Instead, git.php.net also accepted pushes over HTTPS, through git-http-backend behind Apache with HTTP Digest authentication against the master.php.net user database, with none of the gitolite logging the SSH path had. master.php.net was running very old code on an old operating system and PHP version, its passwords were stored as plain MD5 hashes because HTTP Digest requires them, and that database may have leaked. The response was to migrate it to main.php.net on PHP 8 with TLS 1.2 support and parameterized queries, store passwords with bcrypt, reset every php.net password, and make git.php.net and svn.php.net read-only.

Full Transcript

So two weeks ago the PHP git server got hacked, and two nasty malicious commits have been made to the PHP source code. It's essentially a rootkit... not really a rootkit, it's just a remote code execution backdoor, and it's stolen the PHPs also. Thank God they found it after two hours, otherwise it would have been a disaster. Imagine this nasty remote code execution getting in the wild, and suddenly a free backdoor to every PHP server would be made. All right, so the PHP maintainers have responded. Previously we didn't know what caused it, what was the source of the hack; the PHP maintainers are responding with a detailed analysis, so how about we jump into it and discuss.

So let's read this blurb from Nikita Popov, one of the maintainers of the PHP source code, and how about we discuss. "Hi everyone, I would like to provide an update regarding the git.php.net security incident. To briefly summarize the most important information:" First bullet: "We no longer believe that the git.php.net server has been compromised." Okay, so that's a relief, but what's going on? "However, it is possible that the master.php.net user database leaked." Okay, so that's kind of worse if you think about it. "master.php.net has been migrated to a new system, main.php.net. All php.net passwords have been reset. Go to blah blah blah blah to reset your password." So if you're one of the PHP maintainers you probably got this email, so you have to reset your password, essentially. "git.php.net and svn.php.net are both read-only now but will remain available for the time being."

Before we go on, this might have seemed confusing a little bit. Git is essentially a server... it's a free tool that's developed by Linus Torvalds, the one who developed Linux, and you can essentially build any kind of vehicle on top of git. So one vehicle was SSH, where to authenticate you build all the git commands through SSH. How does that work? Well, you create a public/private key pair, you put the public key on the server, so your public key exists on the server, and your private key you keep tucked in on your machine. When you want to establish a connection through git, what will happen is you take your private key, sign some server message, send it to the server, and the server will use your public key to decrypt that, because that's how asymmetric encryption works, and all of a sudden we trust you. Simple: no password, nothing.

The other approach is to use digest authentication through HTTPS, right? And to do that you have to have some sort of a database, obviously, with the set of passwords that sits somewhere on the back end, with an HTTP server, because hey, it's HTTPS, so you need some sort of a web server to serve you all this stuff. So that's another method of authentication, which, to be honest, is not really recommended, because passwords... you have to remember your passwords, and they are insecure, they can be hacked, you have to store them somewhere in the back end. What happened here is that the actual public key through SSH, which is the most exercised path through the PHP source code, that is fine, that has never been touched, because they have all sorts of logging and monitoring through this service that's called gitolite. So they monitor this stuff, they're looking at this stuff, but they completely forgot that they actually have an HTTPS-based authentication to the major source code, right? And it looks like that has been essentially compromised. So let's read through this and then discuss.

So Nikita continues here and says: "Something I was not aware of at the time is that git.php.net intentionally supported pushing changes not only via SSH (using the gitolite infrastructure and public key cryptography) but also via HTTPS. The latter did not use gitolite" (that explains why they didn't have any logs or any fingerprints of these two commits that have happened, right) "and instead used git-http-backend behind Apache 2 digest authentication against the master.php.net user database. I'm not sure why password-based authentication was supported in the first place, as it is much less secure than public key authentication." And then they go ahead and show the actual logs and everything that happened.

The other thing that I did not mention here is that there are two pieces. Let's go: it's not only the HTTPS on top of Apache 2 that is the problem. Look, let me read this and let's discuss, but look at this: "The master.php.net system, which is used for authentication and various management tasks, was running very old code on a very old operating system and PHP version, so some kind of vulnerability would not be terribly surprising. We have made a number of changes to increase the security of this system." Right, so not only... there is an existing system, and it looks like it has been forgotten. Just another reason big repos like this shouldn't really need to manage their own git repo. That's my opinion. I think, just like the PHP maintainers' decision, it's like, you know what, this is not worth it, let's move to GitHub. It's just way better to outsource this responsibility to someone who's better able to handle this thing, while we focus on writing code; that's our main goal. I mean, curl has moved their stuff to GitHub as well, and many other major open source software. So that's... yeah, I know people have their problems with Microsoft, but let's think about it; it's just not worth it to maintain your own. Let's go, let's go, right? Okay.

What they did to increase the security of the system: "master.php.net was migrated to a new system running PHP 8 and renamed to main.php.net," as we read earlier. "Among other things, the new system supports TLS 1.2." That made me laugh a little bit. Let me read this again for you, so you guys, in case you missed it: "among other things, the new system supports TLS 1.2." That means the old system actually didn't support TLS 1.2; it supports TLS 1.1 and 1.0, which we have discussed many times in this channel. They are... just stop using them. They are so easy to break, and pretty much all browsers stopped connecting to back ends that support these, TLS 1.0 or 1.1, essentially. All right, especially if that's your preferred option, right? Sites like SSL Labs will give you a lower score if you have those enabled to begin with, because an SSL stripping attack or SSL downgrade can easily happen and downgrade TLS 1.2 down to TLS 1.1, which is not recommended, essentially. So that's bad... essentially that's good. "Which means you should no longer see TLS version warnings when accessing this site." So they were essentially getting this warning, as we said. Like with Firefox, Chrome, they essentially stopped altogether allowing you to connect to back ends that only support TLS 1.0 and 1.1, and obviously SSL 3 and all that old stuff.

"The implementation has been moved towards using parameterized queries to be more confident that SQL injection cannot occur." Wow, all right. So there's a lot of other stuff that they're trying to make guesses at what leaked the database; they didn't know. It's like they are assuming the database got leaked, and they have all these... By the way, the passwords in the database, I didn't read that part, but they are storing the passwords as MD5. "Passwords are now stored using bcrypt instead of MD5." And I talked about these different concepts in the channel; check out this video, I talk about five ways you can store the passwords in the back end, from the least secure to the most secure, by actually not storing them. Least secure is actually storing the plain text, then you move to salting, then bcrypt and salt with the password, and hashing, simple hash, all that stuff, right.

"Previously, passwords were stored in a format compatible with HTTP Digest authentication (essentially a plain MD5 hash)". To support HTTP Digest, the hash has to be MD5, apparently; I didn't know that. "...which was required for HTTP authentication on git.php.net and svn.php.net." Now, SVN has been, I think, the previous version management, right? I never used it, but I think I remember it was very popular, right? Git has essentially replaced SVN altogether. "As git.php.net has been made read-only as a result of this incident, we decided to make svn.php.net read-only as well, and thus remove the need to store passwords in insecure formats." That's because of the HTTP Digest. "Only a small handful of PECL extensions were still using the SVN server." Okay, like they're saying that there are very few services that have been essentially affected by this, guys.

All right, so what did we learn from this? We learned that I wouldn't manage my own git server at all. That's what I learned, definitely. I'll definitely remain... I'll even host it on GitHub or GitLab or Bitbucket or any service that takes care of security and management for me, because these are a very critical piece of infrastructure that, to get right, you need a lot of resources. If you don't have the resources... if you have these resources, by all means, of course, you have to use them, but if you don't, it might be worth investing in such a service, right? Just push all this stuff and don't worry about maintaining this. And I don't see a point of even supporting HTTPS authentication when it comes to git. Let me know, guys, if I'm wrong and if there is absolutely a use case where you just can't use SSH and you need HTTPS. I mean, all my Jenkins jobs use public key cryptography to authenticate with my own git server at work, at least the local git server that we have at work. We always use public key encryption; it's just easier, right, instead of the prompt and "remember, okay, what's the password?" All right, guys, that's it for me today. I'm gonna see you in the next one. You guys stay awesome. Goodbye.
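The two authentication designs the transcript contrasts, as an added example that is not code from the PHP project or from the video: it carries the RFC 2617 Digest computation through for both client and server and shows that the server-side MD5 value (HA1) the old master.php.net database held is by itself enough to answer a challenge, which is why a leak of that database is a leak of working credentials rather than of something that still has to be cracked. The realm string, the sample user, the push URI and the nonce handling are assumptions. The contrasting "slow salted hash" server uses hashlib.pbkdf2_hmac from the standard library as a stand-in for the bcrypt the page recommends, so the file runs with no third-party packages; the property shown (the stored record cannot be replayed as a credential) is the same.

```python
"""HTTP Digest makes the user database a credential store (added example)."""
import hashlib
import hmac
import secrets

REALM = "git.php.net"                       # assumed realm string
PUSH_URI = "/php-src.git/git-receive-pack"  # assumed push URI
PBKDF2_ROUNDS = 200_000                     # stand-in for bcrypt's work factor


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """RFC 2617 HA1 = MD5(user:realm:password). The server must compute
    this on every login, so an unsalted MD5 is exactly what it stores."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth. Needs HA1, never the password."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """Server side: one HA1 per user, as the old master.php.net DB held."""

    def __init__(self):
        self.ha1_by_user = {}
        self.live_nonces = set()

    def register(self, user, password):
        self.ha1_by_user[user] = digest_ha1(user, REALM, password)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.live_nonces or user not in self.ha1_by_user:
            return False
        self.live_nonces.discard(nonce)  # single use: stops plain replay
        expected = digest_response(self.ha1_by_user[user], method, uri,
                                   nonce, nc, cnonce)
        return hmac.compare_digest(expected, response)


def digest_login(server, user, ha1):
    """Client side of one push. Only HA1 is needed to answer the challenge."""
    nonce = server.challenge()
    cnonce = secrets.token_hex(8)
    response = digest_response(ha1, "POST", PUSH_URI, nonce, "00000001", cnonce)
    return server.verify(user, "POST", PUSH_URI, nonce, "00000001", cnonce,
                         response)


class SlowHashServer:
    """Password sent over TLS, checked against a salted iterated hash.
    The stored record is not a credential: the client must present the
    password itself, and the hash cannot cheaply be turned back into it."""

    def __init__(self):
        self.records = {}

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                     PBKDF2_ROUNDS)
        self.records[user] = (salt, digest)

    def verify(self, user, password):
        if user not in self.records:
            return False
        salt, digest = self.records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                        PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)


def run_scenarios():
    """Returns (legit Digest login, Digest login using only the leaked HA1,
    slow-hash login using only the leaked record)."""
    password = "correct horse battery staple"   # constructed sample password
    digest_srv = DigestServer()
    digest_srv.register("alice", password)      # constructed sample user
    legit = digest_login(digest_srv, "alice",
                         digest_ha1("alice", REALM, password))
    leaked_ha1 = digest_srv.ha1_by_user["alice"]  # what a DB dump reveals
    attacker_digest = digest_login(digest_srv, "alice", leaked_ha1)

    slow_srv = SlowHashServer()
    slow_srv.register("alice", password)
    _salt, leaked_record = slow_srv.records["alice"]
    attacker_slow = slow_srv.verify("alice", leaked_record.hex())
    return legit, attacker_digest, attacker_slow


if __name__ == "__main__":
    print(run_scenarios())  # (True, True, False)
```

Run it directly to print the three results; the decisive one is the second, where the client never learns the password and still gets through. Two caveats a practitioner should take from this: single-use nonces stop replay of a captured response but do nothing against a leaked HA1, and a Digest server cannot add a salt or a slow hash without breaking the protocol, which is why the page's move to bcrypt required dropping Digest (and making svn.php.net read-only) rather than merely rehashing the table.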

Original Description

Two weeks ago the PHP source code git server got hacked and two malicious commits were made to the source code. Since then the PHP maintainers identified the source of the hack, let us discuss
🎙️ Listen to the Backend Engineering Podcast https://husseinnasser.com/podcast
🏭 Backend Engineering Videos https://backend.husseinnasser.com
💾 Database Engineering Videos https://www.youtube.com/playlist?list=PLQnljOFTspQXjD0HOzN7P2tgzu7scWpl2
🏰 Load Balancing and Proxies Videos https://www.youtube.com/playlist?list=PLQnljOFTspQVMeBmWI2AhxULWEeo7AaMC
🏛️ Software Architecture Videos https://www.youtube.com/playlist?list=PLQnljOFTspQXNP6mQchJVP3S-3oKGEuw9
📩 Messaging Systems https://www.youtube.com/playlist?list=PLQnljOFTspQVcumYRWE2w9kVxxIXy_AMo
Become a Member https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join
Support me on PayPal https://bit.ly/33ENps4
Stay Awesome, Hussein

The incident shows how an unmonitored secondary path undermines a well-guarded primary one: pushes over SSH went through gitolite with public-key authentication and logging, while pushes over HTTPS went through git-http-backend with HTTP Digest against a forgotten, outdated user database. Because HTTP Digest requires the server to hold an unsalted MD5 of user, realm and password, a leak of that database is effectively a leak of working credentials. The fixes (main.php.net on PHP 8, TLS 1.2, parameterized queries, bcrypt, a global password reset, and read-only git.php.net and svn.php.net) follow from that root cause rather than from the malicious commits themselves.

Key Takeaways
  1. Authenticate git pushes with SSH public keys (gitolite here) and disable password-based HTTPS push unless there is a concrete need for it
  2. Every authentication path needs the same logging and monitoring as the main one; the HTTPS path here had neither
  3. Store passwords with a slow salted hash such as bcrypt; HTTP Digest forces unsalted MD5, so retiring Digest is a prerequisite
  4. Use parameterized queries so SQL injection against the user database cannot occur
  5. Keep auxiliary systems (here master.php.net, on old code, OS and PHP) patched, support only TLS 1.2 or later, and reset all passwords after a suspected credential database leak
💡 The weak point was not the monitored SSH path but a second, forgotten HTTPS path whose Digest authentication required storing MD5 hashes on an unpatched system; a leak there hands out usable credentials. Closing that path, moving to bcrypt and resetting every password addresses the root cause rather than the symptom.
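The parameterized-query point, as an added example that is not the PHP project's code: a string-built user lookup beside its parameterized form, run against an in-memory SQLite table that stands in for the master.php.net user database. The schema, the rows and the injection payload are constructed here.

```python
"""String-built SQL beside the parameterized form (added example)."""
import sqlite3


def make_db():
    """In-memory stand-in for a user table; rows are constructed samples."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "$2b$12$constructed-hash-alice"),
        ("bob", "$2b$12$constructed-hash-bob"),
    ])
    return conn


def fetch_hash_unsafe(conn, username):
    """Vulnerable: the username is spliced into the SQL text, so a quote in
    it changes the query's structure instead of being compared as data."""
    sql = f"SELECT username, pw_hash FROM users WHERE username = '{username}'"
    return sorted(conn.execute(sql).fetchall())


def fetch_hash_safe(conn, username):
    """Parameterized: the driver binds the value; it is never parsed as SQL,
    so the same payload simply matches no row."""
    rows = conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,))
    return sorted(rows.fetchall())


# Constructed payload: closes the quote and appends an always-true clause,
# turning a lookup of one user into a dump of every stored hash.
PAYLOAD = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(fetch_hash_unsafe(db, PAYLOAD))  # both rows
    print(fetch_hash_safe(db, PAYLOAD))    # []
```

The unsafe form leaks every row's hash from a single request, which on a Digest-backed system (see the takeaways above) means every user's working credential; the safe form treats the payload as an ordinary, non-matching username.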
