PHP.net blocked by Google: False positive or not?

Rasmus Lerdorf – the creator of PHP – is currently trying to get Google to stop blocking the whole php.net website after it was suspected of containing malware. In a tweet earlier this morning, Rasmus posted a screenshot and suggested that the block was caused by a false positive:

Google's Webmaster Tools flag the inclusion of the script at http://static.php.net/www.php.net/userprefs.js as suspicious, although this file currently appears benign. However, Google's Safe Browsing diagnostics for php.net do suggest that malware has been present on the site in the last 90 days:

"Of the 1513 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent."

The block was added in add chunk 127721 of the Google Safe Browsing goog-malware-shavar list. At the time of writing, php.net is still blocked in Firefox and Chrome, both of which make use of Google's blocklist. Visiting php.net from a Google search results page or the bitly URL shortener causes an interstitial warning page to be displayed.

A seemingly benign, yet obfuscated, JavaScript file called functions.js was removed from the PHP website repository this morning. The developer behind this change speculated that the file "Could be the reason why Google is blocking us today.."

However, a short while ago, a Hacker News user posted some obfuscated JavaScript that was found appended to a possibly cached version of the userprefs.js script, suggesting that the PHP.net website may have been compromised recently. The obfuscated JavaScript inserts an iframe into the webpage, which loads content from an external site known for distributing malware. Google Chrome blocks the inclusion of any content from known malware domains, although the injected content in this case no longer appears to be accessible.

Figure: Using Firebug to display the injection point of the iframe (the iframe has been moved to a visible location).

Update [Monday 28th October]: The administrators of PHP.net have since confirmed that two web servers were compromised and at least one was serving malware. The affected servers have been taken offline and the SSL certificate in use has been revoked by Comodo. The PHP source packages and code repository were reportedly not compromised.