Open Source · 2021-03-28 · 0 days · Backdoor, Remote Code Execution

PHP source received backdoor commits

Attackers pushed two malicious commits to php-src on git.php.net over HTTPS, authenticating with a password. The backdoor checked for a misspelled User-Agentt request header whose value began with zerodium and could execute attacker-supplied PHP code.

Story

The PHP project still treated git.php.net as canonical. On March 28, 2021, two commits landed in php-src under the names of Rasmus Lerdorf and Nikita Popov. The commits looked like ordinary maintenance. They were not.

The payload lived in the interpreter's own source and used an HTTP request header as its trigger. If a request carried the misspelled User-Agentt header with a value beginning with zerodium, the injected code evaluated attacker-controlled PHP. A production build from that tree would have turned the runtime itself into a remote code execution surface.
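A reverse proxy or WAF in front of a PHP host sees request headers before the interpreter does, so the trigger described above is easy to spot at that layer. The following detector is an added example, not code from the PHP project or from the incident write-up: it parses raw HTTP/1.x request headers, flags any request carrying the misspelled User-Agentt header, and raises the severity when the value begins with zerodium. The sample requests are constructed; the header name and value prefix are the ones the story describes.

```python
"""Flag HTTP requests carrying the 2021 php-src backdoor trigger header.

Added example (not the PHP project's code). Input is a raw HTTP/1.x request
as a proxy, WAF or packet capture would hand it over; only the header block
is inspected.
"""
from __future__ import annotations

from dataclasses import dataclass

TRIGGER_HEADER = "user-agentt"   # misspelled name the backdoor looked for
TRIGGER_PREFIX = "zerodium"      # value prefix that activated it
STANDARD_HEADER = "user-agent"   # the legitimate header it imitates


@dataclass
class Finding:
    source: str   # where the request came from (log name, client ip, ...)
    header: str   # header name exactly as sent
    value: str
    reason: str


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw request.

    The request line is skipped and anything after the blank line (the body)
    is ignored. Malformed lines without a colon are dropped rather than
    raising, so one bad request does not stop a scan.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    pairs: list[tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def inspect_request(source: str, raw: str) -> list[Finding]:
    """Return findings for a single request; empty list means nothing seen."""
    findings: list[Finding] = []
    for name, value in parse_headers(raw):
        if name.lower() != TRIGGER_HEADER:
            continue
        # Presence of the misspelled header alone is odd enough to record;
        # a zerodium-prefixed value is the actual trigger condition.
        if value.lower().startswith(TRIGGER_PREFIX):
            reason = "backdoor trigger: User-Agentt value starts with zerodium"
        else:
            reason = "suspicious: misspelled User-Agentt header present"
        findings.append(Finding(source, name, value, reason))
    return findings


def scan_requests(requests: dict[str, str]) -> dict[str, list[Finding]]:
    """Run inspect_request over a {source: raw_request} mapping, keeping hits only."""
    results = {src: inspect_request(src, raw) for src, raw in requests.items()}
    return {src: hits for src, hits in results.items() if hits}


# Constructed sample requests (not captured traffic).
SAMPLE_BENIGN = "\r\n".join([
    "GET /index.php HTTP/1.1",
    "Host: example.test",
    "User-Agent: Mozilla/5.0 (constructed)",
    "", "",
])
SAMPLE_TRIGGER = "\r\n".join([
    "GET /index.php HTTP/1.1",
    "Host: example.test",
    "User-Agentt: zerodium[payload omitted]",
    "", "",
])
SAMPLE_MISSPELLED = "\r\n".join([
    "GET /index.php HTTP/1.1",
    "Host: example.test",
    "User-Agentt: Mozilla/5.0 (constructed)",
    "", "",
])

if __name__ == "__main__":
    hits = scan_requests({
        "benign": SAMPLE_BENIGN,
        "trigger": SAMPLE_TRIGGER,
        "misspelled": SAMPLE_MISSPELLED,
    })
    for src, findings in hits.items():
        for f in findings:
            print(f"{src}: {f.header}: {f.value!r} -> {f.reason}")
```

Matching the header name case-insensitively follows HTTP header semantics; matching the value prefix case-insensitively is a detector choice that trades a few false positives for not being dodged by capitalisation, and is broader than the literal check the story describes.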

The project's first response treated the event as a likely compromise of its self-hosted Git infrastructure. A later update changed the picture. Access logs showed the malicious commits were pushed over HTTPS using password authentication through git-http-backend, rather than through gitolite's SSH path. The project no longer believed the git.php.net server itself had been compromised, but considered it possible that the old master.php.net user database had leaked.

The response was architectural. PHP made GitHub the primary repository host, made git.php.net and svn.php.net read-only, migrated master.php.net to main.php.net, reset all php.net passwords, moved password storage to bcrypt, and removed the need to keep HTTP Digest-compatible MD5 password material. The backdoor never reached a stable release; its importance is structural. One accepted commit in the language's source tree could have put hostile behavior inside every downstream build.
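The last two items in that list are linked: HTTP Digest authentication can only be served from a stored MD5 of username, realm and password, and that stored value is itself enough to answer any future challenge, so a leaked user table hands out working credentials. A salted slow hash cannot answer a Digest challenge at all, which is why dropping Digest support is the precondition for bcrypt. The block below is an added illustration, not the PHP project's code: it implements the RFC 2617 server-side check (qop omitted), shows that the stored HA1 alone satisfies it, and contrasts it with salted slow-hash storage. bcrypt is not in the Python standard library, so hashlib.scrypt stands in for it; realm, method and URI are constructed values.

```python
"""Why HTTP Digest-compatible MD5 password material is a liability.

Added illustration, not code from the PHP project. A Digest-capable server
must keep HA1 = MD5(username:realm:password) per user; the functions below
show that HA1 is enough to pass verification, and that a salted slow hash
(scrypt here as a stand-in for bcrypt) needs the plaintext password instead.
"""
from __future__ import annotations

import hashlib
import secrets

REALM = "example-realm"        # constructed
METHOD, URI = "GET", "/admin"  # constructed


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def digest_ha1(username: str, password: str) -> str:
    """What a Digest-capable server has to store for each user."""
    return md5_hex(f"{username}:{REALM}:{password}")


def digest_response(ha1: str, nonce: str) -> str:
    """RFC 2617 'response' value without qop: MD5(HA1:nonce:HA2)."""
    ha2 = md5_hex(f"{METHOD}:{URI}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_verify(stored_ha1: str, nonce: str, response: str) -> bool:
    """Server-side check. Note it needs only the stored HA1, never the password."""
    expected = digest_response(stored_ha1, nonce)
    return secrets.compare_digest(expected, response)


def ha1_is_password_equivalent(username: str, password: str) -> bool:
    """Demonstrate that whoever holds the stored HA1 passes a fresh challenge.

    The response is computed from `stored` alone; `password` is used only to
    create the stored value in the first place, as the server once did.
    """
    stored = digest_ha1(username, password)
    nonce = secrets.token_hex(16)
    return digest_verify(stored, nonce, digest_response(stored, nonce))


# --- Salted slow hash: the direction the project moved in (scrypt stands in
# --- for bcrypt, which is not in the standard library).

_SCRYPT = dict(n=2 ** 14, r=8, p=1)


def slow_hash(password: str, salt: bytes | None = None) -> str:
    """Store 'scrypt$<salt>$<digest>'; a random per-user salt defeats table lookups."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"


def slow_verify(stored: str, password: str) -> bool:
    """Needs the plaintext password: the stored value cannot answer a Digest challenge."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **_SCRYPT)
    return secrets.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("stored HA1 alone passes Digest verification:",
          ha1_is_password_equivalent("alice", "correct horse"))
    record = slow_hash("correct horse")
    print("salted slow hash verifies with password:", slow_verify(record, "correct horse"))
    print("salted slow hash rejects wrong password:", slow_verify(record, "wrong"))
```

The contrast is the point: `digest_verify` and `slow_verify` cannot share a storage format, so a site that wants to keep Digest working is stuck with password-equivalent MD5 material no matter how it protects the rest of its database.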

Affected Artifacts

Incident Context

Motive: Espionage, Strategic Advantage
Attribution: Person
Cause: Compromised Credentials
Transitive: No
Actor: Individual Hacker

External References

Source record: oss/attacks/php/2021/meta.yaml