Backdoor Added—But Found—in PHP
Unknown hackers attempted to add a backdoor to the PHP source code. The attack consisted of two malicious commits, with the subject "fix typo" and the names of known PHP developers and maintainers. They were discovered and removed before being pushed out to any users. But since 79% of the Internet's websites use PHP, it's scary.
Developers have moved PHP to GitHub, which has better authentication. Hopefully it will be enough—PHP is a juicy target.
Joe • April 9, 2021 9:39 AM
So looking at the explanation, the malicious code consisted of a line that checks if the browser's user-agent header starts with the string "zerodium":

```c
if (strstr(Z_STRVAL_P(enc), "zerodium")) {
```

If that is the case, it then tries to execute the contents of the user-agent (the part that follows the "zerodium" string):

```c
zend_eval_string(Z_STRVAL_P(enc)+8
```

Considering the attempt to use "zend_eval_string", isn't this something that could be easily flagged with automated code scanning tools?
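One concrete shape such a scanning rule could take, as an added example that is not code from the post, the comment or the PHP project: a small Python script that walks a unified diff and reports every *added* line calling a Zend eval sink (`zend_eval_string` and its variants), and additionally marks a finding as "guarded" when a string-comparison call (`strstr`, `strcmp`, ...) appears earlier in the same hunk, which is the trigger-condition-plus-eval shape the comment describes. The sample diff, the file paths in it and the third argument to the eval call are constructed for this example; production tools such as Semgrep or CodeQL would match on the AST rather than on text, but the review signal is the same.

```python
import re

# Zend engine entry points that compile and run PHP source at runtime.
# A commit that adds a call to one of these deserves a human look.
EVAL_SINKS = ("zend_eval_string", "zend_eval_stringl", "zend_eval_string_ex")

SINK_RE = re.compile(r"\b(" + "|".join(EVAL_SINKS) + r")\s*\(")
GUARD_RE = re.compile(r"\b(strstr|strcmp|strncmp|strcasecmp|memcmp)\s*\(")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return a list of findings for added lines that call an eval sink.

    Each finding is a dict: file, new-file line number, sink name, the
    offending line, and whether a string-match guard preceded it in the
    same hunk (trigger string + eval is the classic backdoor pattern).
    """
    findings = []
    current_file = None
    new_line = 0          # line number in the post-patch file
    guard_seen = False    # reset at every hunk header
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].strip()
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            guard_seen = False
            continue
        if raw.startswith("-"):
            continue      # removed line: not present in the new file
        line = raw[1:] if raw[:1] in "+ " else raw
        if GUARD_RE.search(line):
            guard_seen = True
        if raw.startswith("+"):
            sm = SINK_RE.search(line)
            if sm:
                findings.append({
                    "file": current_file,
                    "line": new_line,
                    "sink": sm.group(1),
                    "guarded": guard_seen,
                    "code": line.strip(),
                })
        new_line += 1
    return findings


# Constructed sample diff (paths and the eval call's last argument are
# placeholders); the first hunk has the guarded shape from the comment,
# the second an unguarded call for contrast.
SAMPLE_DIFF = """\
--- a/ext/example/example.c
+++ b/ext/example/example.c
@@ -10,3 +10,6 @@ static int example_header_check(zval *enc)
     convert_to_string(enc);
+    if (strstr(Z_STRVAL_P(enc), "zerodium")) {
+        zend_eval_string(Z_STRVAL_P(enc) + 8, NULL, "constructed");
+    }
     return SUCCESS;
 }
--- a/ext/other/other.c
+++ b/ext/other/other.c
@@ -40,2 +40,3 @@
     /* constructed: an eval call with no trigger string in the hunk */
+    zend_eval_string(code, NULL, "runtime");
     return 0;
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        flag = "GUARDED EVAL" if f["guarded"] else "eval sink"
        print(f'{f["file"]}:{f["line"]}: {flag} via {f["sink"]}: {f["code"]}')
```

Run as a pre-merge check over `git diff --unified=0`-style output (the scanner only needs the hunk headers and line prefixes); a guarded finding is the one to treat as a blocker until a reviewer explains why the branch needs runtime evaluation of data that also gets compared against a fixed string.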