PHP’s Git Server hacked - Two Remote Code executions added to the source code, let us discuss

Hussein Nasser · Intermediate ·🔧 Backend Engineering ·5y ago

Key Takeaways

The PHP source code was hacked with two malicious commits adding remote code execution, prompting a move to GitHub for repository management, leveraging GitHub's security features such as two-factor authentication to prevent similar incidents in the future.

Full Transcript

What's going on guys, my name is Hussein, and the PHP source code has been infiltrated: two nasty commits have been committed to the code base, just like that, and the scary thing is nobody knows how. So let's get into the article and discuss this. This is the first time I've seen something like that. BleepingComputer reported this, and thank you, a lot of you sent me this article to report on: "PHP's Git server hacked to add backdoors to PHP source code."

If you don't know, guys, PHP is a very, very popular server-side language. I've been tinkering with this language since the early 2000s, and the last time I wrote PHP code was, I don't know, 2003 maybe. I stopped using it because basically I moved stacks to .NET and then now JavaScript. But I love PHP, it's a great language; I don't know if you've used it, but I absolutely love it. It's usually combined with another stack, the nice little LAMP stack or the WAMP stack.

The PHP source code is written in C and it's hosted on a Git server, a custom Git server that is backed by the maintainers of PHP. Then all of a sudden people started noticing this. So the maintainers came in and said, look at this commit, guys. This is funny: "Fix typo." Look at this, and Rasmus Lerdorf, one of the maintainers, is in the Signed-off-by, so it looks legit, right? So it's committed and looks good. It says "fix typo," so if you look at it from there I was like, oh, this guy just fixed a typo. But look at the typo they fixed. Oh my god. All right, look at that; I'm going to try to zoom in way down here. This is it. This code looks through the HTTP server variables for the header called HTTP_USER_AGENTT, with an extra T, right? And what it does is, if the string in that header contains "zerodium," whatever that thing is, then go ahead and evaluate that string, immediately execute that string.

So essentially, once you download PHP and install it and run it with that configuration, I as a shady person can send you a maliciously crafted HTTP request with this particular HTTP user agent, put in nasty PHP code, and it would be executed in the backend. I think you can technically maybe execute C code; I don't know how this works, to be honest, I don't know much of the C language, but this is nasty, a remote code execution essentially, and they explain it right here.

And you might say, Hussein, how did they sign off as someone else? Apparently you can do that. I did not know that. Here's how you do it: "Spoof a commit on GitHub from anyone." You can essentially do that. Why would anyone want this, why is this a feature? I don't understand; this should be blocked, right?

So as a result of this incident, the maintainers of the PHP code base decided, you know what, this is not worth it. Apparently this is not the first incident. They said they want to move to GitHub as their main repository, and we've seen a lot of open source code move to GitHub. GitHub is maintained by Microsoft, and some people have their criticism about that, but if you look at it long term, it's actually a good idea, because instead of spinning up your own Git server and worrying about patches and security flaws, you just let GitHub do this work for you. And there's two-factor authentication, so you know everyone that is signing in to GitHub is trusted, so hacks like this cannot happen on GitHub.

So this is dangerous stuff. When they asked the maintainers, did anyone build the code base while those two commits existed in it, they said nobody actually managed to do that, because they discovered it two hours later and then immediately reverted. And even so, this has been done in the development branch, which is PHP 8.1. People usually install the release version; I'm not aware of anyone installing a development version of PHP. Most people don't, right, unless you're really hardcore, you're like the Facebooks of the world, where you are essentially pushing features to the PHP language because the whole thing is built in PHP, right? So they build PHP, so they will be on the development branch, I would assume, to test the features of the PHP language.

Guys, this is nasty stuff, and I'm glad that they moved to GitHub. I don't know, what do you guys think about this? Because I know curl has moved to GitHub, because it's just easier for open source maintaining, and this is one less thing to worry about, right? I totally understand that some people have their reservations about GitHub being owned by one monolith, which is Microsoft, and it's always a better idea to have your own, but look at that: those people cannot afford hosting their own server, even worrying about all this security stuff. They have a job, and the job is to write code. Their job is not to maintain servers and patch and do security. That's just a lot of work; that's DevOps, you need your own team to maintain all of this stuff. So I kind of agree with their move. I'm glad they did all that stuff.

Here's one statement that they mentioned here, I quote: "BleepingComputer reached out to both Popov and the PHP security team to find out the complete extent of this compromise and if any code was distributed downstream before the malicious commits were caught." "It may have been cloned or forked in the meantime, but the changes did not make it into any tags or release artifacts," so it was not built as a beta or an alpha or anything that would be downloaded by an end developer, right. "The changes were on the development branch of PHP 8.1, which is due to release at the end of the year," Popov further told BleepingComputer.

Guys, what do you think about this? This is one of the first times I've seen anyone just straight up commit nasty remote code execution into the source code. I guess we live and see stuff. All right guys, I'm going to see you in the next one. You guys stay awesome. Goodbye.
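As an added defensive example, not code from the video or from the PHP project, here is a small Python check that a web-application firewall or a log-review script could apply to incoming requests: it flags the non-standard `User-Agentt` header (the doubled t the video points out) and a user agent containing the trigger string `zerodium` that the planted check looked for. The sample requests are constructed.

```python
"""Detect requests shaped like the PHP 8.1 dev-branch backdoor trigger.

The planted check read the HTTP_USER_AGENTT server variable (note the
doubled 't') and, if its value contained "zerodium", evaluated the rest
of the header as code. A legitimate client never sends a User-Agentt
header, so its mere presence is a strong signal; the trigger string
inside any user-agent header is a second one.
"""
from __future__ import annotations

TRIGGER = "zerodium"          # trigger substring named in the article
ODD_HEADER = "user-agentt"    # non-standard header the backdoor consulted


def parse_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP request (text after the request line).

    Header names are lower-cased; a malformed line is skipped rather than
    raising, so one bad request cannot stall a log-review loop."""
    headers: dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:     # drop the request line
        if not line:
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw: str) -> list[str]:
    """Return the reasons a request looks like a backdoor trigger ([] if clean)."""
    headers = parse_headers(raw)
    findings = []
    if ODD_HEADER in headers:
        findings.append("non-standard User-Agentt header present")
    for name in ("user-agent", ODD_HEADER):
        if TRIGGER in headers.get(name, "").lower():
            findings.append(f"trigger string {TRIGGER!r} in {name}")
    return findings


# Constructed sample requests: one benign, one shaped like the trigger.
BENIGN = "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
SUSPECT = ("GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
           "User-Agentt: zerodium-constructed-sample\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_request(req) or ["clean"])
```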

Original Description

Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The commits were found and reverted two hours after they were committed. PHP is moving to GitHub as a result.
Article: https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/
🎙️ Listen to the Backend Engineering Podcast https://husseinnasser.com/podcast
🏭 Backend Engineering Videos https://backend.husseinnasser.com
💾 Database Engineering Videos https://www.youtube.com/playlist?list=PLQnljOFTspQXjD0HOzN7P2tgzu7scWpl2
🏰 Load Balancing and Proxies Videos https://www.youtube.com/playlist?list=PLQnljOFTspQVMeBmWI2AhxULWEeo7AaMC
🏛️ Software Architecture Videos https://www.youtube.com/playlist?list=PLQnljOFTspQXNP6mQchJVP3S-3oKGEuw9
📩 Messaging Systems https://www.youtube.com/playlist?list=PLQnljOFTspQVcumYRWE2w9kVxxIXy_AMo
Become a Member https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join
Support me on PayPal https://bit.ly/33ENps4
Stay Awesome, Hussein

The PHP source code was compromised with two malicious commits, highlighting the importance of security measures in open source development, and prompting a move to GitHub for improved security and repository management.

Key Takeaways
  1. Implement two-factor authentication for repository access
  2. Regularly review and audit code commits for security flaws
  3. Consider moving to a reputable repository management platform like GitHub
💡 The use of two-factor authentication and reputable repository management platforms can significantly improve the security of open source code.
