On March 28th the official PHP Git repository was compromised in an attempt to open a backdoor into many web servers. The attackers gained access to the official main PHP Git server and uploaded two malicious commits that included a backdoor.
The malicious commits were discovered a few hours later and published on the morning of March 29th.
Nevertheless, Imperva research labs noticed a spike in scanning attempts of the backdoor right after the publication in the early morning of March 29th.
So far we have registered a few hundred scanning attempts, most of them from only a few attackers using automated software.
Attacks were observed across the board.
The payloads that we have seen so far indicate that the attackers are scanning to check whether the exploit works; they contained mainly simple commands such as MD5 and Nslookup.