Yesterday in our article php.net Blacklisted By Google Rasmus Lerdorf, the creator of php, claimed Google reported a false positive. Today however php.net admits two of their servers were compromised with malicous JavaScript code.

From October 22nd thru the 24th the two servers infected php.net visitors committing code to projects hosted on svn.php.net or git.php.net with malicous JavaScript code. Once this was discovered the services on these two servers were migrated to a secure server and a new SSL certificate was issued.

Spokes people at php.net said, “All php.net user passwords have also been reset, but neither the source tarball downloads nor the Git repository were modified or compromised.” 

Using an unknown method criminals injected a malicous iFrame which delivered the Tepfer Trojan from the Magnitude exploit kit onto unsuspecting users. This was confirmed by security researcher Fabio Assolini at  Kaspersky Labs.

php.net is stilling working to clean up the infection.