Friday, October 25, 2013

Google blacklist blocking php.net

Summary: Google's Safe Browsing API is marking php.net as malicious, claiming that the well-known web software site is serving malware.

Google's Safe Browsing API, a security blacklist service that warns of malicious web sites, has marked the php.net site as malicious. As a result, users of Google Chrome and Mozilla Firefox get a dire warning when attempting to visit the site.

[Update: 9:30 AM EST and I'm not seeing the warning on one of my systems. Perhaps the fix is in.]

[Image: The warning in Firefox]

PHP is an extremely popular server-side web scripting language, and PHP.net is its home page. PHP creator Rasmus Lerdorf tweeted several hours ago about the blockage and claimed it was a false positive.

The detail provided by Google includes the following information:
Of the 1613 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-10-24, and the last time suspicious content was found on this site was on 2013-10-23.
Malicious software includes 4 trojan(s).
Malicious software is hosted on 4 domain(s), including cobbcountybankruptcylawyer.com/, stephaniemari.com/, northgadui.com/.
3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including stephaniemari.com/, northgadui.com/, satnavreviewed.co.uk/.

[Image: The warning in Chrome]

Hat tip to Netcraft.

The Netcraft analysis points to a Hacker News analysis indicating that PHP.net may, in fact, have been compromised. The file they cite as malicious has since been removed from the PHP repository.