PHP Git server compromised; attackers add a backdoor to the source code

On March 28, PHP team member Nikita Popov posted an urgent announcement stating that "the official PHP Git server has been compromised and the code repository has been tampered with."

Afterwards, a user going by the name nixCraft also posted on Twitter: "Be careful! The PHP git server was attacked, and the attackers added a backdoor to the PHP code base. Please pay attention to its security!"

### RCE backdoor planted in the PHP Git server

According to the official announcement, two malicious commits were pushed to the php-src repository that the PHP team maintains on the git.php.net server.

To make the commits look trustworthy, the attackers also forged the sign-off so that the commits appeared to have been made by PHP developers and maintainers Nikita Popov and Rasmus Lerdorf.

However, at the newly added line 370, where the zend_eval_string function is called, the code actually plants a backdoor in any website running this hijacked PHP version, giving easy remote code execution (RCE).

A PHP developer said, "If the string starts with 'zerodium', this line executes PHP code from within the useragent HTTP header."

A few hours after the commits were made, the PHP team discovered the problem during routine code review. The changes were obviously malicious, so they were quickly reverted.

For a source code version control system like Git, this kind of thing is not surprising: an attacker can sign off a commit under someone else's name and then upload the forged commit to the remote Git server. That makes it look as though the commit really was made by the person named in the sign-off.

Foreign security outlet bleepingcomputer commented: "As a server-side programming language, PHP powers more than 79% of the websites on the Internet. This incident is alarming."

### Official Git server retired, PHP code base moves to GitHub

As a precaution after this incident, the PHP team has decided to migrate the official PHP source repository to GitHub.

The PHP team is still investigating the incident. The official statement says, "We don't yet know how this happened, but this malicious activity stemmed from a compromised git.php.net server rather than from a compromise of an individual Git account."

"While the investigation is still under way, to reduce the risk faced by the Git infrastructure we maintain ourselves, we will discontinue the git.php.net server."

The official team said, "The PHP repositories on GitHub, which were previously only mirrors, will now be used as the official ones."

From now on, any code changes will be pushed directly to GitHub.

At present, beyond those two malicious commits, the PHP team is still checking whether there are any other security threats.
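
The article's point that a commit can carry someone else's name follows from how Git stores commits: the author and committer lines are plain text, and a cryptographic signature is a separate, optional header. The triage below is an added example, not code from the PHP project or the original article; the commit objects, names, addresses, object ids, the protected-address list and the function names are all constructed for illustration.

```python
import re

# Constructed commit objects, in the text form printed by `git cat-file -p`.
# Names, addresses and object ids are made up for this example.
UNSIGNED = (
    "tree 1111111111111111111111111111111111111111\n"
    "parent 2222222222222222222222222222222222222222\n"
    "author Alice Maintainer <alice@example.org> 1616900000 +0000\n"
    "committer Alice Maintainer <alice@example.org> 1616900000 +0000\n"
    "\n"
    "Fix typo\n"
)
SIG = ("gpgsig -----BEGIN PGP SIGNATURE-----\n"
       " (constructed placeholder, not a real signature)\n"
       " -----END PGP SIGNATURE-----\n")
SIGNED = UNSIGNED.replace("\n\n", "\n" + SIG + "\n", 1)
IDENT = re.compile(r"^.* <(?P<email>[^<>]*)> \d+ [+-]\d{4}$")


def parse_commit(raw):
    """Split a commit object into a header dict and the commit message."""
    head, _, message = raw.partition("\n\n")
    headers, last = {}, None
    for line in head.split("\n"):
        if line.startswith(" ") and last:   # continuation of a multi-line header
            headers[last] += "\n" + line[1:]
        else:
            last, _, value = line.partition(" ")
            headers[last] = value
    return headers, message


def triage(raw, protected_emails):
    """Classify a commit by claimed identity (lower-case addresses) and signature header."""
    headers, _ = parse_commit(raw)
    claimed = set()
    for key in ("author", "committer"):
        m = IDENT.match(headers.get(key, ""))
        if m is None:
            return "malformed-identity"
        claimed.add(m.group("email").lower())
    if not claimed & protected_emails:
        return "no-protected-identity"
    # author/committer are free text chosen by whoever created the commit
    if "gpgsig" not in headers:
        return "protected-identity-unsigned"
    # a gpgsig header proves nothing until `git verify-commit` checks it
    # against the maintainers' trusted keys
    return "protected-identity-signature-needs-verification"
```

Commits that land in the unsigned bucket are the ones a reviewer cannot attribute to the named maintainer from the repository data alone.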