On March 28th the official PHP Git repository was compromised in order to open a backdoor into many web servers. The attackers gained access to PHP's main Git server and pushed two malicious commits that contained the backdoor.
The malicious commits were discovered a few hours later, and the incident was published on the morning of March 29th.
Even so, Imperva Research Labs noticed a spike in scanning attempts for the backdoor right after the publication, in the early morning of March 29th.
So far we have registered a few hundred scanning attempts, most of them from only a few attackers using automated software.
Attacks were observed across the board.
The payloads we have seen so far indicate that the attackers are scanning to check whether the exploit works: they consisted mainly of simple commands such as MD5 and nslookup.
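The probes described above leave a recognisable trace in ordinary web server access logs: a User-Agent string that carries code or shell commands (an MD5 computation as a cheap proof of execution, an nslookup for a DNS callback) instead of a browser identifier. The following is an added example, not Imperva's code or a WAF rule, of how a defender could sweep existing logs for such requests and see how few sources account for them. The log lines are constructed for illustration and the detection patterns are assumptions based on the commands named in this post, not a complete signature for the backdoor.

```python
"""Added example (not Imperva's code): sweep combined-format access logs for
User-Agent values that look like backdoor probes rather than browsers."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log lines (combined log format with the User-Agent last).
# The payload strings are illustrative, not captured traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Mar/2021:05:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [29/Mar/2021:05:12:03 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo md5('probe'); ?>"
203.0.113.9 - - [29/Mar/2021:05:12:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "system('nslookup probe.example.net');"
192.0.2.44 - - [29/Mar/2021:05:12:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed indicators derived from the post: probes carried MD5 and nslookup
# commands, and PHP/shell code has no business in a browser User-Agent.
PROBE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "md5_probe": re.compile(r"\bmd5\s*\(", re.I),          # proof-of-execution hash
    "dns_callback": re.compile(r"\bnslookup\b", re.I),      # out-of-band DNS check
    "php_open_tag": re.compile(r"<\?php", re.I),            # PHP source in a header
    "exec_call": re.compile(r"\b(?:system|exec|shell_exec|passthru)\s*\(", re.I),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_user_agent(ua: str) -> List[str]:
    """Names of every probe pattern that matches the User-Agent, in table order."""
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(ua)]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per request whose User-Agent matches a probe pattern."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        tags = classify_user_agent(rec["ua"])
        if tags:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"], "tags": tags})
    return hits


def top_sources(hits: List[Dict[str, object]]) -> Counter:
    """Count flagged requests per source address to see how concentrated scanning is."""
    return Counter(str(h["ip"]) for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["tags"]} ua={h["ua"]!r}')
    print("flagged requests per source:", dict(top_sources(found)))
```

Matching on the User-Agent alone keeps the sweep cheap enough to run over weeks of archived logs; the patterns are deliberately narrow so that ordinary clients such as the `curl` line above are not flagged, and the per-source count reproduces the observation in the post that a handful of automated scanners generate most of the traffic.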
Imperva's research team has added new dedicated rules to mitigate this attack vector, so Imperva WAF customers are protected out of the box.