We just got close to a major hack-fest that would have impacted 80+% of web sites worldwide. Don’t believe me? Read on.
The WordFence team have just posted this article on how an embedded exploit nearly went live in PHP. As PHP is used in some 80% of all websites globally, chances are you would have been impacted. Fortunately, this hack was intercepted and removed.
The exploit would have been buried inside PHP and would have allowed Remote Code Execution:
Remote Code Execution makes it possible to issue commands to a server remotely, which allows attackers to do things like create new files, steal data on the server, delete files, and essentially take over any affected server hosting websites powered by PHP.
That means completely take over your website, as well as the web server it is hosted on – so all other websites on that server are exposed as well.
This would have resulted in a global hack-fest. Hackers, in fact anyone who was prepared to pay for it, could have taken over any PHP-powered website they wanted to.
How did the attempted exploit happen?
PHP is an open-source programming language and is updated by a community of programmers who save their PHP updates for the next release in a common location – a Git Repository.
Understandably access to the PHP Git Repository is tightly controlled, but somehow a hacker managed to compromise this and gained access. The hacker then submitted an innocent-looking ‘patch’ for the next release of PHP, but this was in fact the code to create a backdoor in PHP.
How was the exploit foiled?
Routine reviews of submitted code by the PHP core team revealed the exploits. Consequently, the exploits were removed before they were published into a production release of PHP.
The PHP core team are now moving from their internal Git server to the public GitHub.com. They are also tightening access to the repository by requiring two-factor authentication.
How does this affect you and your website?
Fortunately, the exploit was foiled before going public so there’s no impact, but let’s consider what you should do now, to be prepared should a hack like this succeed.
Off-site backups will save your bacon
Offsite backups are my strongly suggested strategy. While worldwide hacking rages, you can be comforted by the knowledge that you at least have a current copy of your website safely and securely stored in an unrelated repository. Website Concierge packages up clients’ websites and stores them on DropBox as part of our routine maintenance operations.
In our scenario above, once the PHP team has reissued a safe PHP version, we could find you a web server that has the inoculated version of PHP and recreate your website from our DropBox backups. As we store fresh backup copies each week, we’d have the luxury of selecting from a range of backups going back 15 weeks into the past to avoid any infected versions of your site. Lead time to do this? Probably 24 to 48 hours.
Your competitors’ websites, which had their backups on the infected server, are likely to be destroyed or compromised by the exploit. As typical hosting backups only have a 24-48 hour history, all such backups will potentially be tainted or destroyed. They’ll be redeveloping the website from scratch with a lead time of weeks and costs that reflect the considerable amount of work involved.
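The weekly off-site backup and 15-week retention window described above, as an added illustration rather than Website Concierge’s own tooling: the script archives a site directory, records a SHA-256 digest of each archive so a tampered copy can be detected before it is restored, and prunes to the 15 newest weekly copies. A local directory stands in for the unrelated off-site store (the DropBox upload step is assumed to happen on top of this), and the site contents are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not Website Concierge's process): weekly site backups with
# a 15-copy retention window and per-archive integrity digests.
set -eu

KEEP_WEEKS="${KEEP_WEEKS:-15}"   # retention: 15 weekly copies, as described in the post

# digest FILE -> hex SHA-256 (assumes sha256sum on Linux or shasum on macOS)
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# backup_site SITE_DIR DEST_DIR STAMP
# Archives SITE_DIR into DEST_DIR/site-STAMP.tar.gz and stores its digest
# beside it so a restore can refuse an archive that no longer matches.
backup_site() {
  local site_dir="$1" dest="$2" stamp="$3"
  local archive="$dest/site-$stamp.tar.gz"
  mkdir -p "$dest"
  tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
  digest "$archive" > "$archive.sha256"
  echo "$archive"
}

# prune_backups DEST_DIR KEEP
# Keeps the KEEP newest archives (stamps sort lexicographically) and deletes
# the rest together with their digest files.
prune_backups() {
  local dest="$1" keep="$2"
  ls -1 "$dest"/site-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
  while read -r old; do
    rm -f "$old" "$old.sha256"
  done
}

# verify_backup ARCHIVE -> exit 0 if the stored digest still matches, 1 otherwise
verify_backup() {
  local archive="$1"
  [ "$(digest "$archive")" = "$(cat "$archive.sha256")" ]
}

# count_backups DEST_DIR -> number of archives currently retained
count_backups() {
  ls -1 "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Demo: 18 simulated weekly runs against a constructed site directory.
# After pruning, only the 15 newest weeks remain (w04 .. w18).
demo() {
  local work; work="$(mktemp -d)"
  mkdir -p "$work/site"
  echo "<?php echo 'constructed sample site'; ?>" > "$work/site/index.php"
  local week
  for week in $(seq -w 1 18); do
    backup_site "$work/site" "$work/offsite" "2021-w$week" >/dev/null
    prune_backups "$work/offsite" "$KEEP_WEEKS"
  done
  echo "retained archives: $(count_backups "$work/offsite")"
  ls -1 "$work/offsite" | head -n 2
}

demo
```

Restoring from one of the retained archives starts with `verify_backup`; a copy whose digest no longer matches is treated as suspect and skipped, which is the practical meaning of "selecting a backup from before the infection".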
What is PHP?
PHP is a programming language popular on web servers. PHP is used in numerous Content Management Systems including WordPress, Magento, Drupal, Joomla, OpenCart, ExpressionEngine and many more. Further, PHP is also used in significant websites such as Facebook.com, Wikipedia.org, Microsoft.com and many more.
It is claimed that 80% of all websites use PHP as their underlying programming language.
Read more about PHP here: https://en.wikipedia.org/wiki/PHP
About Website Concierge
Succinct Ideas have been involved in website hosting and website support for 10+ years as part of our portfolio of online marketing services.
We’ve now established Website Concierge to focus on the range of professional website support services that a business website needs to generate more leads and customers for the website owner.