LevelBlue Completes Acquisition of Cybereason. Learn more

Request a Demo

LevelBlue Completes Acquisition of Cybereason. Learn more

Submit RFP
Request a Demo
Services
Cyber Advisory
Managed Cloud Security
Data Security
Manage Detection & Response
Email Security
Managed Network Infrastructure Security
Exposure Management
Security Operations Platforms
Incident Readiness & Response
SpiderLabs Threat Intelligence
View All Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Operational Technology
End-to-end OT security
Microsoft Security
Unlock the full power of Microsoft Security
Securing the IoT Landscape
Test, monitor and secure network objects
Why LevelBlue
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
LevelBlue SpiderLabs
Global researchers, ethical hackers, and responders
LevelBlue Security Operations Platforms
Unprecedented security visibility and control
Security Colony
Access to cybersecurity threat protection resources
Partners
Microsoft
Unlock the full power of Microsoft Security
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP

PHP.Net Site Infected with Malware

Change theme to light
2 Minute Read by Ryan Barnett

Earlier today, users attempting to access the www.php.net site were met with malware warnings from Google's Safe Browsing plugins in Chrome/Firefox and other browsers -

10315_82f32ea5-82d1-4ea8-ab11-1a09e0c045c9

So, what was the problem?

 

Malware Redirection Details

Google's SafeBrowsing currently lists the following for the site:

12602_f09c295f-1185-4f16-9667-3e368539a214

 

The malware was tied to the javascript call on line 21 of the main index.php page:

9176_4d578e65-59ca-4612-b99b-e8296887ad37

 

When clients accessed this page on the static.php.net server, there was a conditional injection of obfuscated javascript code appended to the end of the file:

9624_63e6f233-6e8a-4fb2-88a0-69dce6b8725c

 

This javascript data decodes to a new hidden Iframe:

9805_6d3a6f31-c12d-4277-b0bd-46729e6f0d51
The "stat.htm" page returned the following html code:

11916_cfcae25b-f56f-4707-b76f-864748951cb9

The PluginDetect_All.js is used to identify installed browser software and the page initiates a form POST back to the stat.htm page indicating the screen size and if Java and Acrobat are installed. It then returns with a 302 Redirect:

11062_a6c58cf2-a800-4e3a-90a4-7ef3f5a00812

The clients get redirected to a number of different temp domains and served with various exploit payloads:

hxxp://zivvgmyrwy.3razbave.info/?695e6cca27beb62ddb0a8ea707e4ffb8=43 -> which attempted a SWF exploit:

9880_7081aae0-4700-4eb1-8c9f-74d7d7c4751b

Another instance tried to send down a PE file similar to this one on Malwr while another attempted to exploit CVE-2013-2551.

 

Initial Compromise Vector

The initial attack vector is not currently confirmed. What we do know at this point is that the conditional malware was executing on the "static.php.net" domain and appending data to the userprefs.js file. At the time of these infections, the IP address for static.php.net was 69.147.83.201 and was running a lighttpd/1.4.28 web server version where as today the IP address is 72.52.91.12 and is running nginx/1.4.1 so some changes were obviously made.

 

Mitigation Options

It is not confirmed that the attackers were able to install a malicious module such as Darkleech or Cdorked.A but it is not out of the realm of possibility. In these cases, when attackers have that level of access to install a malicious web server module, there isn't much you can do locally to prevent these attacks. What would be possible, however, would be to use an external WAF such as ModSecurity to dynamically add in new Content Security Policy (CSP) response headers or alter the HTML itself with a meta tag. Using this type of topology, even if attackers were able to compromise the web server and send out malicious JS code, the WAF would add the CSP data on a separate system on the way out to the intended victim's browser.

The following ModSecurity rules show an example of modifying the HTML to add in a meta tag which would only allow iframe sources from static.php.net:

SecContentInjection OnSecStreamOutBodyInspection OnSecRule REQUEST_FILENAME "@endsWith .php" "chain,phase:request,t:none,nolog,pass"   SecRule STREAM_OUTPUT_BODY "@rsub s//|00|
 /"

This is how the HTML would look to the browser:

9755_6a835c6d-9684-4afc-b392-620377637100

In this scenario, even if Google Chrome received the malicious JS code, it would not execute it due to this CSP policy:

8447_298fd22e-7c20-4422-bd13-aa41d94a7f61

Applying security policies such as CSP externally to your normal website has value as it prevents them from being disabled or modified in the event of a local compromise.

ABOUT LEVELBLUE

LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Microsoft Issues Emergency Patch for Windows Server Update Services RCE Vulnerability CVE-2025-59287
SharpParty: Process Injection in C#
The Cat's Out of the Bag: A 'Meow Attack' Data Corruption Campaign Simulation via MAD-CAT

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo