PHP Git服務器被入侵，黑客向源代碼中添加後門

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3月28日，PHP團隊成員Nikita Popov發佈一條緊急新聞，稱“PHP官方Git服務器被入侵，代碼庫被篡改”。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"之後，網名叫nixCraft的網友也在Twitter發文，“小心！PHP git服務器受到攻擊，並且，攻擊者向PHP代碼庫中添加了後門。請大家注意其安全性！”"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/5d\/5d16bf0b158babf343730805d4df66d2.jpeg","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"PHP Git服務器被植入RCE後門"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"根據官方公告，PHP團隊在git.php.net服務器上維護的php-src倉庫被推送了兩個惡意提交（commits）。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了保證提交可靠性，攻擊者還僞造簽名，讓人以爲提交是由PHP開發者和維護者Nikita Popov與Rasmus Lerdorf完成的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/b3\/b3fa8cdc6f339d1bbcbe42b17d2efab4.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"然而，在新增的第370行調用zend_eval_string函數的地方，這段代碼實際上是爲運行這個被劫持的PHP版本的網站埋下了一個後門，以獲取輕鬆的遠程代碼執行（RCE）。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"PHP開發者表示，“如果字符串以'zerodium'開頭，這一行就會從useragent HTTP頭內執行PHP代碼。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在提交幾小時後，PHP團隊就在進行常規的代碼審查時發現問題。這些更改的惡意很明顯，所以很快被還原了。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對像Git這樣的源碼版本控制系統來說，這樣的事並不讓人意外。因爲攻擊者可以把提交的內容打上其他人的簽名，然後再把僞造的提交上傳到遠程的Git服務器。這樣一來，就會讓人覺得這個提交確實是由簽名的人提交的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"國外安全媒體bleepingcomputer對此評論，“作爲一門服務器端編程語言，PHP爲互聯網上超過79%的網站提供支持。這一事件令人震驚。”"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"棄用官方Git服務器，PHP代碼庫遷移到GitHub"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"作爲此次事件後的預防措施，PHP團隊已經決定將PHP官方源碼庫遷移到GitHub。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/56\/56da6c537689430cf2e9e87b7dd7e2eb.jpeg","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"目前，PHP團隊還在對此事進行調查。官方稱，“我們還不知道這是怎麼發生的，但是這次惡意活動源於被入侵的git.php.net服務器，而非個人的Git賬戶被入侵。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“雖然調查還在進行中，但爲了減少我們自己維護的Git基礎設施所面臨的風險，我們將停用git.php.net服務器”。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"官方團隊表示，“GitHub上的PHP代碼庫以前只是作爲鏡像，現在將作爲正式的來使用。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"並且，從現在開始，任何代碼修改都會直接推送到GitHub上。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"現在，除了那兩個惡意提交外，PHP官方團隊還在檢查是否還有其他的安全威脅。"}]}]}