Important: If you have downloaded the PHP PEAR package manager from its official website in the past 6 months, it is possible that your server has been compromised.
PEAR, which stands for “PHP Extension and Application Repository,” is a community-driven framework and is the first package manager that was developed for the PHP scripting language back in the 1990s, and works by allowing developers to load and reuse code for common functions delivered as PHP libraries.
PEAR is similar in nature to Maven (for Java), CPAN (for Perl) or CRAN (for R). All PEAR packages are registered in and downloaded from a central server at pear.php.net.
While most PHP developers have switched to using Composer, a newer third-party package manager, PEAR still remains very popular and is still very widespread because it’s also been included by default with all official PHP binaries for Linux.
The administrators of PEAR took down the official website of PEAR after they found that someone had replaced the original PHP PEAR package manager go-pear.phar with a modified version in the core PEAR file system.
A new clean version 1.10.10 of pearweb_phars is now available on GitHub, which “re-releases” the correct go-pear.phar as v1.10.9 (the file that was found tainted on the ‘http://pear.php.net’ server) and now includes separate GPG signature files that will allow users to more easily verify the authenticity of each individual PEAR component.
The known-infected go-pear.phar executable has an MD5 hash of 1e26d9dd3110af79a9595f1a77a82de7. You should compare all copies of this file in your organization against this hash to determine whether you have been directly impacted.
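The hash comparison described above can be automated across a whole filesystem. The following script is an added example, not code from the PEAR project or from this article: it walks a directory tree, streams every file named go-pear.phar through MD5, and reports which copies match the published known-infected hash. The demo directory it builds (`build_demo_tree`) and the file contents it plants are constructed stand-ins, not the real tainted installer, so the planted hash is assumed for the demonstration only. Note that a copy whose hash does not match is merely not the one known-bad sample; it is not proven clean, which is why the advisory points at the separate GPG signatures for positive verification.

```python
import hashlib
import os
import tempfile

# Known-infected go-pear.phar MD5 as published by the PEAR team (taken from the advisory above).
TAINTED_GO_PEAR_MD5 = "1e26d9dd3110af79a9595f1a77a82de7"

# Constructed file contents used only to build a demo tree; they are NOT the real installer.
DEMO_PLANTED = b"<?php // constructed stand-in for a go-pear.phar file (demo only)\n"
DEMO_OTHER = b"<?php // a second, different constructed stand-in (demo only)\n"


def md5_of_bytes(data):
    """Hex MD5 of an in-memory byte string (used to derive expected values for the demo)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so a large .phar never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_go_pear_copies(root, filename="go-pear.phar"):
    """Yield every path under `root` whose basename is the installer's file name."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == filename:
                yield os.path.join(dirpath, name)


def scan_for_tainted(root, bad_md5=TAINTED_GO_PEAR_MD5):
    """Return (tainted, unmatched): copies whose MD5 equals `bad_md5`, and all other copies.

    'unmatched' means 'not the known-bad sample', not 'verified clean'; use the
    GPG signature files for positive verification of those copies.
    """
    bad_md5 = bad_md5.lower()
    tainted, unmatched = [], []
    for path in find_go_pear_copies(root):
        (tainted if md5_of_file(path) == bad_md5 else unmatched).append(path)
    return sorted(tainted), sorted(unmatched)


def build_demo_tree():
    """Create a temporary tree with two constructed go-pear.phar copies and one unrelated file."""
    root = tempfile.mkdtemp(prefix="pear-demo-")
    layout = {
        os.path.join("opt", "pear", "go-pear.phar"): DEMO_PLANTED,
        os.path.join("home", "dev", "downloads", "go-pear.phar"): DEMO_OTHER,
        os.path.join("home", "dev", "notes.txt"): b"not an installer\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    # Scan the demo tree against the real published hash, then against the planted demo hash
    # to show what a hit looks like. On a real host, point scan_for_tainted at "/" instead.
    demo_root = build_demo_tree()
    for label, digest in (("published", TAINTED_GO_PEAR_MD5), ("demo", md5_of_bytes(DEMO_PLANTED))):
        tainted, unmatched = scan_for_tainted(demo_root, bad_md5=digest)
        print(f"[{label} hash] tainted={tainted} unmatched={unmatched}")
```

Run it against a real root with `scan_for_tainted("/")` as a user that can read the relevant directories; any path returned in the first list should be treated as a confirmed copy of the tainted installer, and the host it was run on as compromised per the advisory.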
Since the PEAR officials have only put out a warning notification and have not released any details about the security incident, it is still unclear who is behind the attack.
The malicious version made available through the official PEAR website appears to contain a backdoor. What exactly this backdoor does is currently unknown, as the PHP PEAR team is still analyzing the file’s source code.
All PHP/PEAR users who have downloaded the installation file go-pear.phar from the official website in the past six months should consider themselves compromised and quickly download and install the GitHub version.
PEAR administrators are using the @pear Twitter account to communicate news about this breach.