Jana Barborikova

25 October 2013

Google flagged PHP.net as suspicious website

PHP.net users that would like to access php.net were unpleasantly surprised today. Google flagged the website as suspicious and users of the Google Chrome and Mozilla Firefox browsers saw a security warning when they tried to visit the website.


According to the Google diagnostic page, suspicious content was found on php.net on October 23rd, 2013. Three domains were mentioned; cobbcountybankruptcylawyer.com, stephaniemari.com, and northgadui.com (owned by the same GoDaddy account) which were said to distribute malware to visitors of the site.


Was it a false positive like regular visitors of php.net suggested in many online discussions?

After connecting to the domain php.net the browser loads a few css files and userprefs.js from static.php.net.


It turned out that the javascript userprefs.js had caused the problem. As you can see in the following log, http://lerdorf.com/static.log.gz, the size of the file has changed from 2602 bytes to 5821 bytes and then to 1279 during 25 hours. That is quite suspicious behavior. The 2602 bytes version of the file was the original file with a search completion function, the 1279 bytes version is the updated file without the search completion function removed that appeared while the problem was solving. The 5821 bytes version of the file was the suspicious file that contains an obfuscated code:



After deobfuscating we get


The obfuscated code inserted an iframe with a link to lnkhere.reviewhdtv.co.uk/stat.htm. The domain reviewhdtv.co.uk is suspicious and blacklisted by Google Safe Browsing. The iframe was probably the reason why the php.net was flagged as suspicious. As I mentioned above, the javascript userprefs.js has been replaced with the one without the obfuscated code and the website php.net has not been blacklisted anymore.

Related links:

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+.

Threat Research, Security News