php.net listed as suspicious - visiting this web site may harm your computer

When I access php.net through Google search I get the following message saying:

The Website Ahead Contains Malware!

See the screenshot attached below: The Website Ahead Contains Malware!

Is it the same for you guys? How can I avoid this?

Does this mean the site has been hacked or attacked by malware?


This is because Google performed a regular check on the website in the past 90 days. The results were this:

Of the 1513 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-10-23, and the last time suspicious content was found on this site was on 2013-10-23.

Malicious software includes 4 trojan(s).

Malicious software is hosted on 4 domain(s), including cobbcountybankruptcylawyer.com/, stephaniemari.com/, northgadui.com/.

3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including stephaniemari.com/, northgadui.com/, satnavreviewed.co.uk/.

This is probably because people are leaving links to these websites throughout php.net.


There's more to this. There are reports (1100 GMT 2013-10-24) that the links have been injected into the JavaScript the site uses and it is therefore hacked for the time being.

Until you hear differently, I would avoid the site. Soon - all will be well no doubt.


And if you go to the Safe Browsing diagnostics page, you can see that:

Safe Browsing diagnostics page

To underscore:

This site is not currently listed as suspicious.

They fixed it as I posted this answer.


From the perspective of php.net itself, it seems like a false positive:

http://php.net/archive/2013.php#id2013-10-24-1

On 24 Oct 2013 06:15:39 +0000 Google started saying www.php.net was hosting malware. The Google Webmaster Tools were initially quite delayed in showing the reason why and when they did it looked a lot like a false positive because we had some minified/obfuscated javascript being dynamically injected into userprefs.js. This looked suspicious to us as well, but it was actually written to do exactly that so we were quite certain it was a false positive, but we kept digging.

It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion.

We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers. The highest priority is obviously the source code integrity and after a quick:

git fsck --no-reflog --full --strict

on all our repos plus manually checking the md5sums of the PHP distribution files we see no evidence that the PHP code has been compromised. We have a mirror of our git repos on github.com and we will manually check git commits as well and have a full post-mortem on the intrusion when we have a clearer picture of what happened.