The Hacker News
If you are today trying to visit the website, an official website of the PHP scripting language, you will likely see the above shown result, instead of the original website.
Chrome and Firefox is currently flagging the site as "suspicious" and contains malware that can harm your computer.
The Hacker News
According to Google's Webmaster Tools, the script at was included as suspicious, and Google's Safe Browsing diagnostics for do suggest that malware has been present on the site in the last 90 days:
"Of the 1513 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent."
"Malicious software includes 4 trojan(s). Malicious software is hosted on 4 domain(s), including,, . 3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including,, ."
The obfuscated JavaScript "userprefs.js" inserts a hidden iframe into the webpage, which loads content from an external site known for distributing malware.
The Hacker News
This suggests that the website may have been compromised recently. Well, Google's Safe Browsing team will be looking into the issue and we will update this article if we hear anything from Google or PHP site owner.

Update (1:42 PM Thursday, October 24, 2013 GMT): It seems that the issue has been resolved by admins and is back as a normal clean website, after removing malicious scripts.

Update: After Security Audit, PHP team found that two servers were compromised for some unknown time. They said that their Git repository was not compromised, and it remains in read only mode as services are brought back up in full.

"As it's possible that the attackers may have accessed the private key of the SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to sites that require SSL (including and in the next few hours." blog post said.

The team concludes that JavaScript malware was served to a small percentage of users from the 22nd to the 24th of October 2013. Now all affected services have been migrated to new secure servers.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.