Hours after Google's Safe Browsing initiative flagged the website for malware, PHP.net confirmed that two of their servers were compromised and used to attack visitors. However, the administrators are still not sure how the attackers accessed the servers.
Further, the SSL certificate used on PHP.net was revoked out of caution, and a new one was assigned a short time after. All affected services on the two compromised servers have been migrated, and it has been confirmed that the Git repository was not compromised.
Additional research from Trustwave's Spider Labs confirmed the Shockwave (Flash) exploit attempt, but they also discovered that the script was targeting CVE-2013-2551, an Internet Explorer flaw discovered by exploit clearinghouse VUPEN during this year's Pwn2Own competition at CanSecWest.
PHP.net user accounts will have their passwords reset over the next few days, if the account is used to commit code to any projects. A full post-mortem of the incident is expected sometime next week.
This story, "PHP.net confirms server breach after Google flags them for malware" was originally published by CSO.