The Latest in IT Security

PHP.net compromised, serving up obfuscated content

25
Oct
2013

The Websense® ThreatSeeker® Intelligence Cloud has alerted us regarding content deployed on the web developer's web site hxxp://php.net/.

Internet users may know that Google Safe Browsing has also alerted users to a possible infection or compromise of php.net, a site currently ranked 220 on the Alexa ranking system. A member of Google's staff has posted on a number of forums (examples here and here) to confirm that this is, in fact, a true positive, as confirmed by our telemetry. Members of the same forums quickly compared versions of the script, identifying the following code as appended to at least 4 .js scripts within the hxxp://php.net/ domain:

The following screen shot shows the decoded obfuscation:

When we look at the resulting JavaScript, we can identify a URL in the .uk TLD space:

The iFrame source was hosted on a VPS owned by hxxp://webfusion.co.uk/, which should be applauded for swiftly taking the site down, soon after this compromise came to light. Before the takedown, the URL returned one of two types of content: a basic plugin detection script, or the simple string "not ready", as shown below:

The code was served just once per IP and was dependent upon correct Referer and UA strings.

The ultimate goal of this injection was to redirect users to the Magnitude Exploit Kit (MEK), which attempts to exploit Adobe and Java platforms, among others, in order to serve up generic Ransomware.

Websense customers were, as always, protected against this type of attack by ACE™, our Advanced Classification Engine

Of the 7 Stages of Advanced Threats, Websense offered protection at the following stages:

  • Redirection stage
  • Exploit Kits stage
  • Command and Control URLs

Update (at the time of this blog posting): The malicious code has been removed from hxxp://php.net/.

Leave a reply


Categories

SATURDAY, DECEMBER 07, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments