If you tried to visit PHP.net earlier today, you found that Google’s Safe Browsing API marked the website as malicious software and blocked access to it.
“Of the 1,513 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-10-23, and the last time suspicious content was found on this site was on 2013-10-23,” Google stated in an advisory.
Rasmus Lerdorf, creator of PHP, tweeted, “It appears Google has found a false positive and marked all of php.net as suspicious.”
After going through the access logs for static.php.net, the organization found that it was “periodically serving up userprefs.js with the wrong content length and reverting back to the right size after a few minutes.” You can read its full explanation of the situation here.
Google has since removed the block to the site. PHP.net is still investigating how someone caused the file to be changed and has migrated static.php.net to new clean servers in the meantime. A full postmortem on the intrusion will be posted when a clearer picture of what happened is drawn.