One reason I migrated away from php is the fact that there is simply way too many attack vectors. Using frameworks help quite a bit, but it is to easy to miss configure a stock php install. Not saying that is the case here though.
Currently using Django. Once I started playing around with it I haven't looked back. Although I am told cake php and a few other frameworks really do improve php.
they dont improve PHP. you still have to deal with PHP shortcomings even with a framework. But since you dont deal with low level stuffs your code might be more secure yeah.
PHP has too many unsecure apis accessible to beginners.
With Django for instance you have a view layer with auto escaping by default.You dont write unsecure SQL queries ,..., That makes a huge difference.
that's the issue, PHP should be secure(ie restrictive) by default, Linux style... it is not. PHP+Apache => recipe for disaster. PHP is a templating language yet doesnt do html sanitizing by default !
95% of compromised websites are PHP ones.
That's the reason why PHP will die eventually,when businesses understand while it's cheap to go online with a PHP cms, once you get hacked , it will cost you your business.
Using prepared statements is necessary condition (of secure) for any application independent of language. Almost all databases (and their drivers) support prepared statements.
That's speculation. I've seen servers get compromised due to FTP problems, SSH misconfiguration, unpatched Apache vulnerabilities, third-party stats monitoring software with 0-days and even SQL injection.
Defacement (I consider malware injection a form of defacement) isn't unique to PHP by a long shot.
This is ridiculous speculation on your part, you can't speculate with security, for all you know the webmaster's ex-girlfriend could have inserted the malware.
This is what happens when you give too much power to one company. And what is the appeal process? Asking for help on Twitter as the founder of a huge project like PHP? https://twitter.com/rasmus/status/393258264034422785
WebMaster Tools really need some improvements - there is no way to re-scan suspected page fast and get more info about the issue. If even Rasmus was unable to get this resolved fast, imagine regular webmasters in the same situation.
It's very heavy handed. It has not been 100% verified that the site was compromised, and a lot of very technically smart PHP community members are looking hard at this. It may prove to be a false positive or otherwise, but in the meantime:
1. Google is blocking access to the site in Chrome.
2. Firefox is warning users that php.net is not to be trusted (it uses the same list of infected sites provided by Google).
3. Google is warning users on Google Search that "This site may harm your computer.".
4. Google's appeals process is slow and cumbersome.
So yeah, that is a lot of power for one company.
If this happened to your website due to, for example a false positive, you would be pretty unhappy. Only a high profile project like PHP gets this kind of attention, but I'd happily wager that many smaller websites suffer the same faith every day.
A site we once had under development was incorrectly flagged. I reported the error via the webmaster tools and after less than 20 minutes, the warning went away.
Google doesn't notify anybody, you have to find out for yourself the hard way.
And after that, it forces the owners of the site to register with Google and use Google services just to even figure out why, and to get their sites unflagged. And that is after the owner even figured out how and where to contact Google.
Yes, they do. If you've signed up for Webmaster Tools, you'll get notified by email.
They don't force anyone to sign up. If you do nothing other than fixing your website, eventually Google will check it again and remove from blacklist.
Seriously, what's your complaint? If you don't want to get blacklisted, don't let your site be hacked. If your site is hacked, and you're complaining that Google blacklisted it and notified you about it, you're dumb.
And guess what -- they provide this service (and also pay the real person to review your re-listing request) for FREE.
Google sends out emails to a bunch of different addresses like webmaster@domain.com, abuse@domain.com, etc and notifies anyone signed up through Google Webmaster tools. The only improvement I can think of would be if they notified whoever was listed after doing a WHOIS of the domain but that's a little hard to automate.
>And after that, it forces the owners of the site to register with Google and use Google services just to even figure out why, and to get their sites unflagged.
Google forces you to prove that you own the domain before they give you any information that they don't release publicly. How else do you suggest they go about not releasing everything publicly? Also, all you have to do as a site owner is click on the safe browsing diagnostic link and go from there.
In our case the email alerts went out 12 hours after they identified our site and started giving the warning to users. We got several calls from customers before being notified by Google.
7 months in "web years" is pretty old, but as you know PHP has been around a long time, so there's still alot of relevant information for those who depend on the site.
> For php.net, it reports only mere 4 trojans. So php.net is almost 100 times safer that google.com, according to this tool. That sounds pretty good :)
Compare how many google.com pages have been tested and how much php.net pages have been tested and stop with that non sense.
A site I visit frequently was once identified as containing malware. I overrode it and went there anyway. (In firefox.)
And now forevermore the icon for that site in the url-bar dropdown is the warning icon, and I have not been able to find out how to change it back to the normal one.
The icon is correct in tabs (and by correct I mean not there - the site has no favicon), it's only incorrect in the url-drop down (the arrow in the url box which shows you the most visited pages).
Favicion caching is extremely aggressive in Firefox. In the past, visiting the URL of the favicon and pressing Ctrl+F5 was enough. Nowadays, you have clear your cache [1] and then restart your browser.
[1] Tools -> Options -> Advanced -> Network -> Cached Web Content -> Clear Now
Not sure if you're joking or lacking knowledge. Just because it's the official PHP site does absolutey NOT mean it cannot contain malware. Legitimate sites are compromised and used to spread malware all the damn time.
But in this case it looks like Google tool found legit, but obfuscated file, which was loaded in some tricky way that bad sites usually use, and decided it's a malware.
mysql.com was hacked by a sql injection [0]. microsoft.com had XSS vulnerabilities a while back that allowed auth token harvesting via an overly generous cookie paths [1].
Any website in the world has the potential to be flagged as serving malware.
Everybody seems to laugh and rage about this, but could somebody tell me if this is correctly detected or not? I would not be surprised at all if somebody had breached php.net. Did they properly check against intrusions?
From my experience are these contents only provided once per IP and then you're getting filtered to not get any content again, to prevent 'easy' detection of this.
You simply get blacklisted after the first serving
I've seen this sort of thing from the Darkleech apache module[1]. It also won't show the malicious Javascript to any IP that appears in the `last` log. It looks like php.net uses Apache too[2]. The easiest way I've seen to find the module (they come with a variety of names) is to do something like
Yeah, I ran across malware once that only injected JS for visitors from certain referrers, such as Google search. I believe the intention was so that when someone would tell me, "Hey, you have a bunch of weird links on your site" I would go to it directly and not see a problem. IIRC the .htaccess had been modified.
What a mess. I hope running Chrome via EMET is enough to keep my machine safe.
I've noticed that hacks have gone up recently in my little part of cyberspace. Things like Cryptolocker are so profitable that its motivating a lot of talented guys to get into malware and hack servers. Usually servers running some unpatched CMS or module.
then include the functions js you will see an autocomplete list of functions when you type into the pattern box. The lists of function names are stored in a compressed string at the top so it's not really obfuscated, just minified. They shouldn't store it minified though.
Both files appear identical to me. Which is odd, since there is only 1 CNAME to an address with 1 A record. Perhaps your version of static.php.net is cached by your ISP?
Even with only one public facing address there could be more than one server handling the content. It could be that only one had a bad file, or they all did but that one is yet to be cleaned. Or, as you say, the bad file could be cached at the ISP level (if this was only affected one ISP, whcih obviously it didn't, it could even have been injected at the point rather than at php.net's resources).
@icebraining, You're right! The file has indeed been changed a lot lately. In fact as can be seen here: http://lerdorf.com/static.log.gz that file has changed in size from: 2602 bytes to 5821 to 1279 all in the space of 25 hours... that is really suspicious
Err, often they do. Or more correctly, they often don't show something you think they would if it happened.
Logs show a subset of what has happened. There's no way to prove they are showing everything, so there's no way to use them to prove what did not happen.
Its was definitely hacked .. the log shows that the size of userprefs.js has definitely changed multiple times in the past 25 hrs : http://lerdorf.com/static.log.gz
The site that is linked to in the obfuscated code is http://lnkhere.reviewhdtv.co.uk/stat.htm and it is that site which Google has marked as unsafe. Php.net has received the malware warning as a result.
Notably the whois on that domain includes the registrants full name and address. Nominet allows personal registrants an opt-out on the full details in whois, so you would be unlikely to try and hack PHP.net and forget to use a privacy service on a domain name that isn't quite so traceable..
The domain record for that site show:
Domain name:
reviewhdtv.co.uk
Registrant:
Oli Bachini
Registrant type:
UK Individual
Registrant's address:
Rainbow Cottage
West Perry
Huntingdon
Cambs
PE28 0BX
United Kingdom
Registrar:
Webfusion Ltd t/a 123-reg [Tag = 123-REG]
URL: http://www.123-reg.co.uk
Relevant dates:
Registered on: 13-Oct-2010
Expiry date: 13-Oct-2014
Last updated: 06-Oct-2012
Registration status:
Registered until expiry date.
Name servers:
ns.123-reg.co.uk
ns2.123-reg.co.uk
WHOIS lookup made at 11:44:39 24-Oct-2013
According to Twitter post by Rasmus (https://twitter.com/rasmus/status/393258264034422785) this has been like this for at least 1 day and still has not been fixed. Something tells me that Google has way too much power and the fact that they don't sort out false positives in a timely fashion is really bad.
According to one of the people responsible for a software project that has been plagued by security holes for ~15 years, and whose website was hacked, and who hasn't fixed it...
Yeah, that's definitely a problem with google alright. Just because the entire PHP team disregards security completely, doesn't mean the consequences of that are google's problem. The fact that they just assume it is a false positive and don't even bother to verify their hacked site is incredible.
177 comments
[ 3.4 ms ] story [ 108 ms ] threadA good reminder that anyone's low-profile website may not seem a tempting target, but it's still very much at risk.
PHP has too many unsecure apis accessible to beginners.
With Django for instance you have a view layer with auto escaping by default.You dont write unsecure SQL queries ,..., That makes a huge difference.
95% of compromised websites are PHP ones.
That's the reason why PHP will die eventually,when businesses understand while it's cheap to go online with a PHP cms, once you get hacked , it will cost you your business.
"PHP: Hypertext Preprocessor
php.net/
This site may harm your computer.
Server-side HTML embedded scripting language. It provides web developers with a full suite of tools for ..."
Google inserts the "harm" note.
OMG! Did I just defend PHP? Gotta go take my medication.
Defacement (I consider malware injection a form of defacement) isn't unique to PHP by a long shot.
Thank you, thank you, ladies and gentlemen, I'll be here all week!
What happens? Is it bad that that Google protects users from malware and notifies webmasters that their website was compromised?
1. Google is blocking access to the site in Chrome.
2. Firefox is warning users that php.net is not to be trusted (it uses the same list of infected sites provided by Google).
3. Google is warning users on Google Search that "This site may harm your computer.".
4. Google's appeals process is slow and cumbersome.
So yeah, that is a lot of power for one company.
If this happened to your website due to, for example a false positive, you would be pretty unhappy. Only a high profile project like PHP gets this kind of attention, but I'd happily wager that many smaller websites suffer the same faith every day.
And after that, it forces the owners of the site to register with Google and use Google services just to even figure out why, and to get their sites unflagged. And that is after the owner even figured out how and where to contact Google.
They don't force anyone to sign up. If you do nothing other than fixing your website, eventually Google will check it again and remove from blacklist.
Seriously, what's your complaint? If you don't want to get blacklisted, don't let your site be hacked. If your site is hacked, and you're complaining that Google blacklisted it and notified you about it, you're dumb.
And guess what -- they provide this service (and also pay the real person to review your re-listing request) for FREE.
>And after that, it forces the owners of the site to register with Google and use Google services just to even figure out why, and to get their sites unflagged.
Google forces you to prove that you own the domain before they give you any information that they don't release publicly. How else do you suggest they go about not releasing everything publicly? Also, all you have to do as a site owner is click on the safe browsing diagnostic link and go from there.
All php releases are signed and checksummed on the d/l page.
http://www.google.com/safebrowsing/diagnostic?site=http://go...
It reports google.com for 142 exploit(s), 131 trojan(s), 98 scripting exploit(s)
Compare how many google.com pages have been tested and how much php.net pages have been tested and stop with that non sense.
And now forevermore the icon for that site in the url-bar dropdown is the warning icon, and I have not been able to find out how to change it back to the normal one.
[1] Tools -> Options -> Advanced -> Network -> Cached Web Content -> Clear Now
https://code.google.com/p/google-safe-browsing/wiki/Protocol...
Any website in the world has the potential to be flagged as serving malware.
[0] http://www.pcworld.com/article/240609/mysqlcom_hacked_to_ser... [1] http://www.marw0rm.com/xss-flaw-on-office-microsoft-com-disc... etc
http://productforums.google.com/d/msg/webmasters/puLmvjtK0m8...
direct
2) Now when I browse to static userprefs.js on my desktop in incognito mode, no obfuscated contents.
3) When i browse to static userprefs.js on normal mode I get the following js appended:
You simply get blacklisted after the first serving
[2] http://builtwith.com/php.net
(yes, yes, I know that DIVs aren't really non-semantic - it's a joke)
But if they are able to hack into the server, I supposed there is nothing to do then...
[1] http://www.w3.org/TR/CSP/#frame-src
If my assumption is correct, then CSP won't help unless we separate the source server and the proxy server from each other.
I've noticed that hacks have gone up recently in my little part of cyberspace. Things like Cryptolocker are so profitable that its motivating a lot of talented guys to get into malware and hack servers. Usually servers running some unpatched CMS or module.
http://pastebin.com/w8RLk3iq
If you have this in your html as the only form:
then include the functions js you will see an autocomplete list of functions when you type into the pattern box. The lists of function names are stored in a compressed string at the top so it's not really obfuscated, just minified. They shouldn't store it minified though.Could this be a DNS issue, with a different server serving the bad .js file?
My IP for static.php.net is 69.147.83.201.
Logs show a subset of what has happened. There's no way to prove they are showing everything, so there's no way to use them to prove what did not happen.
http://safebrowsing.clients.google.com/safebrowsing/diagnost...
Notably the whois on that domain includes the registrants full name and address. Nominet allows personal registrants an opt-out on the full details in whois, so you would be unlikely to try and hack PHP.net and forget to use a privacy service on a domain name that isn't quite so traceable..
The domain record for that site show:
You are just making them a target for malicious people who would otherwise be too lazy to find that information.
It is pretty bad form to post people's personal addresses on a forum such as this.
>> You are just making them a target for malicious people who would otherwise be too lazy to find that information.
I already addressed that.
Update: no, you're correct, this log apparently only has one file.
Yeah, that's definitely a problem with google alright. Just because the entire PHP team disregards security completely, doesn't mean the consequences of that are google's problem. The fact that they just assume it is a false positive and don't even bother to verify their hacked site is incredible.