Here is what caused the Hack to PHP Source Code git Server
Key Takeaways
The PHP git server hack was traced to an HTTPS push path that used HTTP Digest authentication against the master.php.net user database, whose passwords were stored as plain MD5 hashes. The maintainers mitigated it by migrating to a new system (main.php.net) with TLS 1.2 support, parameterized queries and bcrypt password storage, resetting all php.net passwords and making git.php.net and svn.php.net read-only.
Full Transcript
So two weeks ago the PHP git server got hacked, and two nasty malicious commits were made to the PHP source code. It's essentially a rootkit; not really a rootkit, it's just a remote code execution backdoor, and it's stolen the PHP's also. Thank God they found it after two hours, otherwise it would have been a disaster. Imagine this nasty remote code execution getting in the wild, and suddenly a free backdoor, all of a sudden, to every PHP server would be made. All right, so the PHP maintainers have responded, because previously we didn't know what caused it, what the source of the hack was. The PHP maintainers are responding with a detailed analysis, so how about we jump into it and discuss.

So let's read this blurb from Nikita Popov, one of the maintainers of the PHP source code, and how about we discuss. "Hi everyone, I would like to provide an update regarding the git.php.net security incident. To briefly summarize the most important information." First bullet: "We no longer believe that the git.php.net server has been compromised." Okay, so that's a relief, but what's going on? "However, it is possible that the master.php.net user database leaked." Okay, so that's kind of worse if you think about it. "master.php.net has been migrated to a new system, main.php.net. All php.net passwords have been reset; go to blah blah blah to reset your password." So if you're one of the PHP maintainers you probably got this email, so you have to reset your password, essentially. "git.php.net and svn.php.net are both read-only now but will remain available for the time being."

Before we go on, this might have seemed a little bit confusing. Git, essentially, is a server, it's a free tool that was developed by Linus Torvalds, the one who developed Linux, and you can essentially build any kind of vehicle on top of git. So one vehicle was SSH, where to authenticate you build all the git commands through SSH. How does that work? Well, you create a public/private key pair, you put the public key on the server, so your public key will exist on the server, and your private key you keep tucked in on your machine. When you want to establish a connection through git, what will happen is you take your private key, sign some server message, send it to the server, and the server will use your public key to decrypt that, because that's how asymmetric encryption works, and all of a sudden we trust you. Simple: no password, nothing.

The other approach is to use digest authentication through HTTPS, right? And to do that you have to have some sort of a database, obviously, with the set of passwords that sits somewhere on the back end, with an HTTP server, because hey, it's HTTPS, so you need some sort of a web server to serve you all this stuff. So that's another method of authentication which, to be honest, is not really recommended, because, like, passwords: you have to remember your passwords, and they are insecure, they can be hacked, you have to store them somewhere in the back end. What happened here is that the actual public key path through SSH, which is the most exercised path into the PHP source code, that is fine, that has never been touched, because they have all sorts of logging and monitoring through this service that's called gitolite. So they monitor this stuff, they're looking at this stuff, but they completely forgot that they actually have an HTTPS-based authentication to the major source code, right? And it looks like that has been essentially compromised. So let's read through this and then discuss.

So Nikita continues here: "Something I was not aware of at the time is that git.php.net intentionally supported pushing changes not only via SSH (using the gitolite infrastructure and public key cryptography) but also via HTTPS. The latter did not use gitolite" (that explains why they didn't have any logs or any fingerprints of these two commits that have happened, right) "and instead used git-http-backend behind Apache 2 digest authentication against the master.php.net user database. I'm not sure why password-based authentication was supported in the first place, as it is much less secure than public key authentication." And then they go ahead and show the actual logs and everything that happened.

The other thing that I did not mention here is that there are two pieces. It's not only the HTTPS on top of Apache 2 that is the problem. Let me read this and let's discuss, but look at this: "The master.php.net system, which is used for authentication and various management tasks, was running very old code and a very old operating system and PHP version, so some kind of vulnerability would not be terribly surprising. We have made a number of changes to increase the security of this system." Right, so not only is there an existing system, it looks like it has been forgotten. Just another reason big repos like this shouldn't really need to manage their own git repo, that's my opinion. I think they mentioned the PHP maintainers' decision is like, you know what, this is not worth it, let's move to GitHub. It's way better to outsource this responsibility to someone who's better equipped to do this thing while we focus on writing code, that's our main goal. I mean, curl has moved their stuff to GitHub as well, and many other major open source software. Yeah, I know people have their problems with Microsoft, but let's think about it: it's just not worth it to maintain your own. Let's go.

Okay, what they did to increase the security of the system: "master.php.net was migrated to a new system running PHP 8 and renamed to main.php.net," as we read earlier. "Among other things, the new system supports TLS 1.2." That made me laugh a little bit. Let me read this again for you, so, you guys, in case you missed it: "among other things, the new system supports TLS 1.2." That means the old system actually didn't support TLS 1.2; it supported TLS 1.1 and 1.0, which we have discussed many times in this channel: just stop using them, they are so easy to break, and pretty much all browsers stopped connecting to back ends that support TLS 1.0 or 1.1, essentially. Especially if that's your preferred option, right? Sites like SSL Labs will give you a lower score if you have those enabled to begin with, because an SSL stripping attack, or SSL downgrade, can easily happen and downgrade TLS 1.2 down to TLS 1.1, which is not recommended, essentially. So that was bad; essentially this is good, "which means you should no longer see TLS version warnings when accessing this site." So they were essentially getting this warning, as we said; with Firefox, Chrome, they essentially stopped altogether allowing you to connect to back ends that only support TLS 1.0 and 1.1, and obviously SSL 3 and all that old stuff.

"The implementation has been moved towards using parameterized queries to be more confident that SQL injection cannot occur." Wow. All right, so there's a lot of other stuff; they're trying to make guesses at what leaked the database, they didn't know. It's like they are assuming the database got leaked. And they have all these... by the way, the passwords in the database, I didn't read that part, but they are storing the passwords as MD5: "Passwords are now stored using bcrypt instead of MD5." And I talked about these different concepts in the channel; check out this video where I talk about five ways you can store passwords in the back end, from the least secure to the most secure, by actually not storing them. Least secure is actually storing them in plain text, then you move to salting, then bcrypt, and salt within password, and hashing, simple hash, all that stuff, right?

"Previously, passwords were stored in a format compatible with HTTP Digest authentication (essentially a plain MD5 hash)" (to support HTTP Digest, that digest has to be MD5, apparently; I didn't know that) "which was required for HTTP authentication on git.php.net and svn.php.net." Now, SVN has been, I think, the previous version management, right? I never used it, but I remember it was very popular, right? Git has essentially replaced SVN altogether. "As git.php.net has been made read-only as a result of this incident, we decided to make svn.php.net read-only as well, and thus remove the need to store passwords in insecure formats" (that's because of the HTTP Digest) "only a small handful of PECL extensions were still using the SVN server." Okay, like they're saying that there are very few services that have been essentially affected by this, guys.

All right, so what did we learn from this? We learned that I wouldn't manage my own git server at all, that's what I learned, definitely. I'll definitely... I'll even host it on GitHub or GitLab or Bitbucket or anything, any service that takes care of security and management for me, because these are a very critical piece of infrastructure that, to get right, you need a lot of resources. If you have these resources, by all means, of course you have to use them, but if you don't, it might be worth investing in such a service, right? Just push all this stuff and don't worry about maintaining this. And I don't see a point of even supporting HTTPS authentication when it comes to git. Let me know, guys, if I'm wrong and if there is absolutely a use case where you just can't use SSH and you need HTTPS. I mean, all my Jenkins jobs use public key cryptography to authenticate with my own git server at work, at least the local git server that we have at work; we always use public key encryption. It's just easier, right, versus that prompt: remember, okay, what's the password? All right guys, that's it for me today. I'm gonna see you in the next one. You guys stay awesome, goodbye.
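The digest-authentication and password-storage discussion above, worked through as an added example; this is not code from the video or from the PHP project. It shows why a server that supports HTTP Digest must keep a plain MD5 "HA1" per user, why that row is itself a login credential for the digest path (so a database leak forces a password reset rather than a quiet rehash), how a slow salted hash is verified instead, and how a legacy row is upgraded at the next successful login. The realm, user names, nonce and passwords are constructed; bcrypt, the hash named in the video, is stood in by hashlib.scrypt so the block needs only the standard library; the user table uses parameterized SQLite queries throughout.

```python
"""Why an HTTP Digest password store leaks logins, and how to move off it.

Added example, not code from the video or from the PHP project. The realm,
user names and passwords are constructed; bcrypt (named in the video) is
replaced by hashlib.scrypt so that only the standard library is needed.
"""
import hashlib
import hmac
import os
import sqlite3

REALM = "example.org"  # constructed Digest realm
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def digest_ha1(username: str, password: str) -> str:
    """RFC 2617 HA1: the one value a Digest server must keep per user (plain MD5)."""
    return hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """The client's answer to a challenge; computable from HA1 alone, no password."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def slow_hash(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard hash (stand-in for bcrypt); stored as scrypt$salt$key."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"


def slow_hash_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), key_hex)


class UserStore:
    """In-memory SQLite user table; every query is parameterized (no string building)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, ha1 TEXT, pw_hash TEXT)")

    def add_legacy_user(self, name: str, password: str) -> None:
        # Legacy row: plain MD5 HA1, the only format HTTP Digest can work with.
        self.db.execute("INSERT INTO users VALUES (?, ?, NULL)", (name, digest_ha1(name, password)))

    def record(self, name: str):
        # The '?' placeholder sends the name as data: quotes in it stay literal, never SQL.
        return self.db.execute("SELECT ha1, pw_hash FROM users WHERE name = ?", (name,)).fetchone()

    def verify_digest(self, name: str, nonce: str, method: str, uri: str, response: str) -> bool:
        """Server-side Digest check. It needs nothing but the stored HA1, which is
        exactly why a leaked table row is as good as the password for this scheme."""
        row = self.record(name)
        if row is None or row[0] is None:
            return False
        return hmac.compare_digest(digest_response(row[0], nonce, method, uri), response)

    def login_password(self, name: str, password: str) -> bool:
        """Password login that upgrades a legacy row to the slow hash on success.

        HA1 cannot be converted to a slow hash offline (the plaintext is gone), so the
        only moments to migrate are a successful login or a forced password reset."""
        row = self.record(name)
        if row is None:
            return False
        ha1, pw_hash = row
        if pw_hash is not None:
            return slow_hash_verify(password, pw_hash)
        if not hmac.compare_digest(digest_ha1(name, password), ha1):
            return False
        self.db.execute("UPDATE users SET ha1 = NULL, pw_hash = ? WHERE name = ?",
                        (slow_hash(password), name))
        return True


if __name__ == "__main__":
    store = UserStore()
    store.add_legacy_user("alice", "correct horse")  # constructed credentials
    nonce, method, uri = "7f3a1c", "GET", "/php-src.git/info/refs"
    reply = digest_response(digest_ha1("alice", "correct horse"), nonce, method, uri)
    print("digest login from stored HA1 only:", store.verify_digest("alice", nonce, method, uri, reply))
    print("password login with upgrade:", store.login_password("alice", "correct horse"))
    print("row after upgrade:", store.record("alice"))
    print("digest still possible:", store.verify_digest("alice", nonce, method, uri, reply))
```

Once a row has been upgraded its HA1 is gone, so the digest path stops working for that user; that is the trade the PHP maintainers made by turning git.php.net and svn.php.net read-only, which removed the last reason to keep MD5 rows at all.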
Original Description
Two weeks ago the PHP source code git server got hacked and two malicious commits were made to the source code. Since then, the PHP maintainers have identified the source of the hack; let us discuss.
🎙️Listen to the Backend Engineering Podcast
https://husseinnasser.com/podcast
🏭 Backend Engineering Videos
https://backend.husseinnasser.com
💾 Database Engineering Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQXjD0HOzN7P2tgzu7scWpl2
🏰 Load Balancing and Proxies Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQVMeBmWI2AhxULWEeo7AaMC
🏛️ Software Architecture Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQXNP6mQchJVP3S-3oKGEuw9
📩 Messaging Systems
https://www.youtube.com/playlist?list=PLQnljOFTspQVcumYRWE2w9kVxxIXy_AMo
Become a Member
https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join
Support me on PayPal
https://bit.ly/33ENps4
Stay Awesome,
Hussein