This morning we woke up with news indicating that Google was flagging the php.net website as potentialy harmful.
You can read more information on:
We couldn't replicate the behavior as it seem the webmaster modified the files that were producing the malicious redirection.
Anyway the guys from Barracuda have shared a PCAP file that shows the malicious behavior.
Based on that information we have determined that somehow the attackers were able to inject a malicious iframe in the PHP.net website that was redirecting to an Exploit Kit.
If you deofuscate the content it leads to:
The content of the file stat.htm is:
The server redirects the browser to a server that makes another redirection very likely depending on the plugins detected on the victim:
In the case of the PCAP provided by Barracuda the server is returning HTML code that is embedding some Flash content in the browser as well as a new IFRAME:
We have determined that the exploit code present there matches with the Exploit Kit known as Magnitude/Popads. In fact out OTX system flagged that IP address a few days ago as a harmul server due to the serving of Exploit Code.
As we can see in our systems using Passive DNS we have found several domain names that are pointing to the same IP address and are being use to host versions of the Magnitude Exploit Kit:
The payload delivered by the Exploit Kit if it is successfull is this one that as we see it has a low detection ratio by AV engines:
This behavior also matches with a report from other user that was seeing similar redirections in this case the content injected in the PHP.net website was hosted in other domain but the infection chain was the same:
We will update this blog post as soon as we have more information about this compromise.