Report on the compromise of the PHP project's git repository and user database

The first results have been published from the analysis of the incident in which two malicious commits were found in the PHP project's Git repository, each adding a backdoor that was triggered by a request carrying a specially crafted User-Agent header. Examination of the traces left by the attackers led to the conclusion that the git.php.net server hosting the repository was not itself compromised; instead, the database holding the project developers' accounts was.

The attackers may have been able to download the user database stored in the DBMS on the master.php.net server. The contents of master.php.net have already been migrated to a new main.php.net server installed from scratch. All developer passwords used to access the php.net infrastructure have been reset, and developers are being asked to set new ones through a dedicated password recovery form. The git.php.net and svn.php.net repositories remain read-only (development has moved to GitHub).

When the first malicious commit, made under the name of PHP founder Rasmus Lerdorf, was discovered, it was assumed that his account had been hacked; Nikita Popov, one of the key PHP developers, reverted the change and revoked commit rights for the affected account. It later became clear that the block was pointless: since commits were not verified by digital signature, any participant with write access to the php-src repository could push a change under a fabricated author name.
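Why revoking one account's rights achieved nothing is easiest to see at the level of the commit object itself. The Python below is an added example, not code from the PHP project or from the report: it parses the raw text of a commit object in the shape `git cat-file -p` prints it and shows that the `author` line is free-form text that any pusher can set with `git commit --author`, while only a `gpgsig` header can bind the commit to a key. The two commit texts, the maintainer address and the signature bytes are constructed placeholders, and the cryptographic check of the signature block is assumed to be delegated to `git verify-commit` in a real pre-receive hook.

```python
"""Parse raw Git commit objects and check whether each carries a signature."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CommitHeaders:
    tree: str
    parents: List[str] = field(default_factory=list)
    author: str = ""
    committer: str = ""
    gpgsig: Optional[str] = None
    message: str = ""


def parse_commit(raw: str) -> CommitHeaders:
    """Parse the text of a commit object (the `git cat-file -p <sha>` shape).

    Headers come first, one per line. A header value continues on following
    lines that begin with a single space; this is how `gpgsig` spans lines,
    and an empty line inside the signature is stored as a lone space.
    A blank line separates the headers from the commit message.
    """
    head, _, message = raw.partition("\n\n")
    fields = {}
    current = None
    for line in head.split("\n"):
        if line.startswith(" ") and current is not None:
            fields[current][-1] += "\n" + line[1:]
            continue
        key, _, value = line.partition(" ")
        fields.setdefault(key, []).append(value)
        current = key
    return CommitHeaders(
        tree=fields.get("tree", [""])[0],
        parents=fields.get("parent", []),
        author=fields.get("author", [""])[0],
        committer=fields.get("committer", [""])[0],
        gpgsig=fields.get("gpgsig", [None])[0],
        message=message,
    )


def signed_by_trusted(commit: CommitHeaders, trusted_emails) -> Tuple[bool, str]:
    """Pre-receive style policy decision.

    The author line proves nothing by itself: any pusher can write any name
    and address into it. Only a signature over the object binds it to a key.
    This check requires a PGP signature block to be present and the claimed
    address to be on the allow-list; verifying the block cryptographically is
    assumed to be done by `git verify-commit` / gpg in a real hook.
    """
    m = re.search(r"<([^>]*)>", commit.author)
    email = m.group(1) if m else ""
    if email not in trusted_emails:
        return False, f"author {email!r} is not on the allow-list"
    if commit.gpgsig is None:
        return False, "commit is unsigned; the author line cannot be trusted"
    if not commit.gpgsig.startswith("-----BEGIN PGP SIGNATURE-----"):
        return False, "gpgsig header is not a PGP signature block"
    return True, "signature block present; run git verify-commit to check it"


# Constructed sample objects. The tree is the well-known empty tree; the
# parent id, address and signature bytes are placeholders, not real data.
UNSIGNED_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 0000000000000000000000000000000000000001\n"
    "author Maintainer Name <maintainer@example.org> 1617000000 +0200\n"
    "committer Maintainer Name <maintainer@example.org> 1617000000 +0200\n"
    "\n"
    "Fix typo\n"
)

SIGNED_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 0000000000000000000000000000000000000001\n"
    "author Maintainer Name <maintainer@example.org> 1617000000 +0200\n"
    "committer Maintainer Name <maintainer@example.org> 1617000000 +0200\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " iQEzBAABCAAdFiEEconstructedplaceholdersignaturebytes0000000000=\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Fix typo\n"
)

if __name__ == "__main__":
    trusted = {"maintainer@example.org"}
    for label, raw in (("unsigned", UNSIGNED_COMMIT), ("signed", SIGNED_COMMIT)):
        c = parse_commit(raw)
        ok, why = signed_by_trusted(c, trusted)
        print(f"{label}: author={c.author!r} accepted={ok} ({why})")
```

Both sample objects carry an identical, perfectly plausible `author` line; only the presence of the signature block separates the one a hook may accept from the one it must reject.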

The attackers then pushed a second malicious commit, this time under Nikita's own name. The logs of the gitolite service, which manages access to the repositories, were analysed in an attempt to identify the participant who had actually pushed the changes. Although logging of all pushes was enabled, the log contained no entries for the two malicious changes. This made it clear that the infrastructure was compromised, since the commits had been added directly, bypassing the gitolite path.

The git.php.net server was promptly taken offline and the primary repository moved to GitHub. In the rush, it was overlooked that besides SSH access through gitolite there was a second way into the repository: pushing commits over HTTPS. On that path Git was driven by git-http-backend, and authentication was handled by the Apache2 HTTP server, which checked credentials against the database hosted in the DBMS on master.php.net. Access on this path was allowed not only with keys but also with an ordinary password. Analysis of the HTTP server logs confirmed that the malicious changes had been pushed over HTTPS.

The logs also showed that the attackers did not get in on their first connection: they began by guessing at the account name, but once they had found it they logged in at the first attempt. In other words, they already knew Rasmus's and Nikita's passwords but not their login names. If the attackers had access to the DBMS, it is unclear why they did not simply use the correct logins stored there; this inconsistency has not yet been reliably explained. A compromise of master.php.net is nevertheless considered the most likely scenario, since that server ran very old code on an outdated OS that had not been updated for a long time and had unpatched vulnerabilities.
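The pattern the log analysis describes, a run of failed logins under different names from one client followed by an immediate success, is easy to spot mechanically once the push endpoint is isolated. The Python below is an added example, not part of the report or of the php.net infrastructure: it parses Apache combined-format access log lines for the git-http-backend push endpoint (`git-receive-pack`) and flags clients that collected 401 responses under several distinct usernames within a time window and then received a 2xx. The log lines, client addresses, repository path and usernames are constructed sample data, and the thresholds are assumptions.

```python
"""Flag username guessing followed by a successful push in Apache access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: client, ident, auth user, [timestamp],
# "request", status, bytes, "referer", "user-agent". On a 401 the auth user
# field carries the name the client presented, which is what we key on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_username_guessing(lines, min_distinct=3, window_minutes=30):
    """Return {client_ip: (tried_usernames, accepted_username)} for clients
    that were refused under at least `min_distinct` different usernames on the
    push endpoint within `window_minutes` and then got a 2xx on it."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Both the info/refs?service=git-receive-pack probe and the POST count.
        if rec and "git-receive-pack" in rec["path"]:
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        failed = []  # (timestamp, username) of refused attempts with a name
        for r in recs:
            if r["status"] == 401 and r["user"] != "-":
                failed.append((r["ts"], r["user"]))
            elif 200 <= r["status"] < 300 and r["user"] != "-":
                recent = {u for t, u in failed
                          if (r["ts"] - t).total_seconds() <= window_minutes * 60}
                if len(recent) >= min_distinct:
                    hits[ip] = (sorted(recent), r["user"])
    return hits


# Constructed sample log; addresses are from documentation ranges and the
# usernames are invented. 203.0.113.5 cycles through names before succeeding;
# 198.51.100.7 is an ordinary push (unauthenticated probe, then credentials).
LOG_LINES = [
    '203.0.113.5 - alice.smith [28/Mar/2021:10:00:01 +0000] "POST /php-src.git/git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"',
    '203.0.113.5 - asmith [28/Mar/2021:10:00:09 +0000] "POST /php-src.git/git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"',
    '203.0.113.5 - smith [28/Mar/2021:10:00:17 +0000] "POST /php-src.git/git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"',
    '203.0.113.5 - alice [28/Mar/2021:10:00:25 +0000] "POST /php-src.git/git-receive-pack HTTP/1.1" 200 52 "-" "git/2.30.0"',
    '198.51.100.7 - - [28/Mar/2021:11:15:02 +0000] "GET /php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.31.1"',
    '198.51.100.7 - bob [28/Mar/2021:11:15:03 +0000] "GET /php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 200 1203 "-" "git/2.31.1"',
    '198.51.100.7 - bob [28/Mar/2021:11:15:04 +0000] "POST /php-src.git/git-receive-pack HTTP/1.1" 200 52 "-" "git/2.31.1"',
]

if __name__ == "__main__":
    for ip, (tried, accepted) in find_username_guessing(LOG_LINES).items():
        print(f"{ip}: refused as {tried}, then accepted as {accepted!r}")
```

The unauthenticated first request that Git clients make (the `-` user on the 401) is deliberately ignored, otherwise every normal push would contribute a failure; only attempts that presented a name count towards the threshold.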

Measures taken include reinstalling the master.php.net server environment and porting its scripts to PHP 8. The database access code has been reworked to use parameterized queries, which make SQL injection harder. Password hashes in the database are now stored with bcrypt (previously passwords were stored as weak MD5 hashes). Existing passwords have been reset, and users are prompted to set a new one through the password recovery form. Because HTTPS access to the git.php.net and svn.php.net repositories was tied to the MD5 hashes, it was decided to keep git.php.net and svn.php.net read-only and to migrate the PECL extension repositories still hosted there to GitHub, as was done for the main PHP repository.
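To make the two remediation points concrete, here is an added example written in Python against an in-memory SQLite database; it is not the php.net code, which was ported to PHP 8 and is not shown in the report. It places the string-built login lookup beside its parameterized replacement, and a salted, deliberately slow password hash beside the unsalted MD5 comparison it replaces. Because bcrypt needs a third-party package, the slow hash used here is PBKDF2-HMAC-SHA256 from the standard library, standing in for the bcrypt the project adopted; the table layout, user names and passwords are constructed.

```python
"""Login lookup: string-built SQL beside a parameterized query, and a salted
slow password hash beside the legacy unsalted MD5 it replaces."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Stand-in for bcrypt (assumption): PBKDF2-HMAC-SHA256 from the standard
# library. Like bcrypt it is salted and tunable in cost; unlike MD5 it is not
# meant to be fast.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string: algorithm$rounds$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def legacy_md5_matches(password: str, stored_md5: str) -> bool:
    """The 'before' scheme: unsalted, fast. Equal passwords give equal hashes,
    and a leaked table can be cracked offline at hardware speed."""
    return hashlib.md5(password.encode()).hexdigest() == stored_md5


def make_db() -> sqlite3.Connection:
    """Constructed user table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct horse")))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("bob", hash_password("battery staple")))
    conn.commit()
    return conn


def find_user_unsafe(conn, login: str):
    """The 'before' pattern: the login is spliced into the SQL text, so
    characters in it are interpreted as SQL rather than as a value."""
    return conn.execute(
        f"SELECT login, pw_hash FROM users WHERE login = '{login}'"
    ).fetchone()


def find_user(conn, login: str):
    """Parameterized: the login travels as a bound value and is never parsed
    as SQL, whatever it contains."""
    return conn.execute(
        "SELECT login, pw_hash FROM users WHERE login = ?", (login,)
    ).fetchone()


def authenticate(conn, login: str, password: str) -> bool:
    row = find_user(conn, login)
    return row is not None and verify_password(password, row[1])


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("string-built lookup with a crafted login:", find_user_unsafe(db, probe))
    print("parameterized lookup with the same input:", find_user(db, probe))
    print("alice / correct password:", authenticate(db, "alice", "correct horse"))
    print("alice / wrong password:", authenticate(db, "alice", "nope"))
```

Note the two separate defects the example contrasts: the string-built query returns a row for input that is not any user's login, while the parameterized one returns none; and the MD5 check accepts without any salt or work factor, which is why a stolen MD5 table had to be treated as equivalent to stolen passwords and every credential tied to it reset.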

Source: opennet.ru
