Instead of being able to access the site, Chrome visitors received the warning: "The Website Ahead Contains Malware! Google Chrome has blocked access to php.net for now."
At first, the PHP Group running the project was incredulous. Rasmus Lerdorf, PHP's original developer, tweeted, "It appears Google has found a false positive and marked all of http://php.net as suspicious." The problem seems to be that when PHP checked the suspect page, it found nothing glaringly wrong. In a subsequent statement yesterday, it announced, "it looked a lot like a false positive because we had some minified/obfuscated javascript being dynamically injected into userprefs.js. This looked suspicious to us as well, but it was actually written to do exactly that so we were quite certain it was a false positive, but we kept digging."
That digging, especially through the access logs, eventually showed that it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. In other words, the malware was periodically being injected into the page, and Google must have checked the page during one of the periods in which it was infected.
This led Martijn Grooten of Virus Bulletin to conjecture, "Pretty sure JS file was modified on the fly and only served to some - md5 of the 'file' doesn't make much sense :)" The implication here is that the real infection was memory resident, designed to inject malicious javascript occasionally and briefly in order to maintain its own low visibility.
If this is the case, then PHP's subsequent action will have solved the issue: it moved all the services from two affected servers to new servers and revoked the SSL certificate, adding in its latest update, "The method by which these servers were compromised is unknown at this time."
Meanwhile, the analysis of the malicious javascript has begun. Jaime Blasco of AlienVault shows that the malicious javascript (once deobfuscated) is an iFrame that calls stat.htm from whichusb.co.uk. Stat.htm in turn checks the user's plug-ins specifically looking for Java and Adobe Reader.
"The server redirects the browser to a server that makes another redirection very likely depending on the plugins detected on the victim," writes Blasco. The destination is a server (incidentally, one already flagged by AlienVault as malicious) that appears to host the Magnitude exploit kit. If successful, the exploit kit installs the information stealing Tepfer trojan (also known as Fareit).
When checked against VirusTotal yesterday, this payload was detected by just 5 of 47 anti-virus engines. When checked today at the time of writing this report, it is now detected by 21. However, any user who has visited php.net this week, would do well to check for a possible infection of Tepfer.