PHP, or Hypertext Preprocessor, is a programming language that runs approximately 80 percent of the web. WordPress websites run on PHP, making them critically vulnerable to PHP hacks.
The language itself is open-source, which means that anyone who programs in PHP can become a “contributing member” of the open-source community who deploys and develops with it.
This is important to know because it shows just how widespread an attack on PHP could be.
On the night of Sunday, March 28, 2021, just such an attack was launched. Nikita Popov reported that two malicious commits were pushed to the php-src Git repository.
Git is a secure web development hub/community, and a Git repository is a library of code assigned to specific users on the Git network. Repositories can be either public or private.
The PHP scripting language—the backbone of 100 percent of WordPress sites—is hosted on a Git repository that was compromised, presenting a potentially dangerous compromise to all sites on WordPress. Here’s what happened and what it means going forward.
Backdoors Were Planted during the PHP Hack
These specific Git commits were done in order to plant two backdoors.
These backdoors would have effectively granted these attackers the permissions to run remote code execution attacks in two ways: through PHP code and through an HTTP header.
According to Wordfence’s security team:
“Remote Code Execution makes it possible to issue commands to a server remotely which allows attackers to do things like create new files, steal data on the server, delete files, and essentially take over the affected server by any websites powered by PHP.”
In the same article, Wordfence also went into detail regarding the extent of the hacks:
“On Saturday, March 27, 2021, the first of two commits was pushed to the repository. The first commit had the description of Fixes minor typo. Signed-off-by: Rasmus Lerdorf <[email protected]> by the committer rlerdorf. This account belongs to Rasmus Lerdorf, a co-author of the PHP language.The second commit had no description, however, the title was Revert “Revert “[skip-ci] Fix typo”” which reverted the revert of the original commit by rlerdorf, which indicates that the attacker reverted Nikita’s original attempt to revert this back door. This commit was made to look like it was coming from the nikic account. This account belongs to Nikita Popov, a highly respected contributor to the PHP project.
The use of these two individual accounts made it look like the commits were coming from highly trusted contributors and authors, which was done in an attempt to make the commits look authentic and reputable. The attacker also made sure that the changes appeared to be minor fixes to correct a typo in order to hide their intentions.
At first glance it might appear that rlerdorf’s and nikic’s accounts were compromised, however, the PHP group has explicitly stated that they believe the malicious commits were a result of a compromise within their git infrastructure rather than any individual account.”
The following is a screenshot of the commit that appeared to have come from the rlerdorf account.
The following is a screenshot of the commit that appeared to have come from the nikic account.
What’s the Significance?
When viewing those screenshots, it’s important to note that the same code was used for both hacking attempts.
Thankfully, the Git Repo was able to catch these commits before they were released to the production version.
Otherwise, the hackers could have done a lot of damage to all WordPress websites.
Wordfence mentions that in the end, the backdoor was not well concealed, and it is likely that the attacker either expected to get caught or didn’t have the skill to conceal it.
They (Wordfence) are also not taking the threat quite as seriously due to the attribution that it was more of an inexperienced “script kiddie” executing the attack as opposed to a sophisticated full-fledged team of hackers.
This PHP Hack Does Not Affect WordPress Sites in Production
Fortunately for all of us, this hack does not affect WordPress sites in production due to the speed at which it was initially caught.
Wordfence reports that the compromised version of PHP did not and will never reach your server.
We will continue to keep you updated of any changes as the story progresses.
Screenshots: Wordfence.com / Mar 2021