Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 2 of 2
10-30-2013, 12:48 PM #1
- Join Date
- Oct 2013
- Thanked 0 Times in 0 Posts
PHP.net maintainers to reset user passwords, change SSL certificate
The PHP group states that PHP Group will change the Password for an account on php.net, after the attackers attack the programming language decide to change the site’s SSL certificate, as two servers and stick the malicious code in the website.
10-30-2013, 01:06 PM #2
- Join Date
- Feb 2011
- Your Monitor
- Thanked 550 Times in 537 Posts
I didn't even realise that php.net had user accountsA further update on php.net ¶
All affected services have been migrated off those servers. We have verified that our Git repository was not compromised, and it remains in read only mode as services are brought back up in full.
As it's possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to php.net sites that require SSL (including bugs.php.net and wiki.php.net) in the next few hours.
To summarise, the situation right now is that:
Neither the source tarball downloads nor the Git repository were modified or compromised.
Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
Over the next few days, we will be taking further action:
php.net users will have their passwords reset. Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.
We will provide a full post mortem in due course, most likely next week. You can also get updates from the official php.net Twitter: @official_php.
I can't really think of anything to write here now...