PHP.net users that would like to access php.net were unpleasantly surprised today. Google flagged the website as suspicious and users of the Google Chrome and Mozilla Firefox browsers saw a security warning when they tried to visit the website.
According to the Google diagnostic page, suspicious content was found on php.net on October 23rd, 2013. There mentioned three domains; cobbcountybankruptcylawyer.com, stephaniemari.com, and northgadui.com (owned by the same GoDaddy account) which were said to distribute malware to visitors of the site.
Was it a false positive like regular visitors of php.net suggested in many online discussions?
After connecting to the domain php.net the browser loads a few css files and userprefs.js from static.php.net.
After deobfuscating we get
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+.