Security breach found on PHP library repository 'PEAR'

PEAR, the server that distributes libraries for PHP, has been attacked and a file hosted on it was tampered with. The PEAR server has been taken down until it is confirmed to be safe.

PEAR (@pear) | Twitter
https://twitter.com/pear

PEAR's official Twitter account reports that PEAR's web server has suffered a security breach. The first tweet about the breach was posted on January 19, 2019: "A security breach has been found on the web server of the PEAR official site, with a tainted go-pear.phar discovered. The PEAR website itself is unusable until a known clean site can be rebuilt. Please check PEAR's official blog for more detailed information."


Below is PEAR's official website. As of January 24, 2019, the server is still down, and the official blog where the details were to be published is also down and cannot be accessed.

PEAR server is down
http://pear.php.net/



The page showing that the server is down states: "If you downloaded go-pear.phar within the past six months, get a copy of the same release version from GitHub and compare the file hashes. If the hash of the go-pear.phar you downloaded in the past differs from the copy on GitHub, it may be the modified file."

According to PEAR, the notice that the server is down is being served from cweiske.de, a site PEAR has used before.


On January 23, 2019, PEAR reported on Twitter what the investigation had found.

The modification of the go-pear.phar file was discovered on January 18, as reported by the Paranoids FIRE team. Since the latest go-pear.phar release was on December 20, 2018, PEAR estimates that the file was modified at some point after that date. The modified go-pear.phar contained a line of Perl designed to spawn a reverse shell to the IP address 104.131.154.154. No other compromise had been found at the time of writing, and the install-pear-nozlib.phar file was confirmed to be intact. The go-pear.phar stored on GitHub was also confirmed to be clean, so anyone who has a go-pear.phar on hand can compare it against that copy to confirm whether or not it has been tampered with.



PEAR stated: "We took the server down to restore a new box from backup, since no other potential problems were found, and staff are already in the process of restoring the server."


Users who downloaded go-pear.phar after December 20, 2018 are asked to confirm that the file has not been altered, and even users who downloaded the file before December 20, 2018 and have since run the PEAR installation are warned by PEAR that "it is prudent to check your system".
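The check PEAR asks for above (and in the down-page notice quoted earlier) is a file-hash comparison against the clean copy of the same release on GitHub. The script below is an added example written for this article, not PEAR's own tooling: it hashes a local go-pear.phar and a reference copy with SHA-256 and reports whether they match, and as a secondary indicator greps the local file for the reverse-shell IP address named in PEAR's report. The file names and the sample files it builds under a temporary directory are constructed for the demonstration; in practice the reference file is the go-pear.phar of the same release fetched from GitHub.

```shell
#!/bin/sh
# Added example (not PEAR's own tooling): compare a locally downloaded
# go-pear.phar against a known-clean reference copy by SHA-256, and grep the
# local file for the reverse-shell IP named in PEAR's January 2019 report.

# Print the SHA-256 of a file; portable across sha256sum (GNU coreutils),
# shasum (Perl, BSD/macOS) and openssl.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_go_pear LOCAL REFERENCE
# Returns 0 if both files hash identically, 1 if they differ.
verify_go_pear() {
    local_hash=$(file_sha256 "$1")
    ref_hash=$(file_sha256 "$2")
    [ "$local_hash" = "$ref_hash" ]
}

# scan_for_ioc FILE
# Returns 0 if the IP address from PEAR's report appears anywhere in the
# file (a phar is a PHP stub plus an archive, so a byte-wise literal grep is
# enough for a plaintext indicator), 1 otherwise. A hit is strong evidence
# of the tainted build; a miss is NOT proof of a clean one, so the hash
# comparison remains the authoritative check.
scan_for_ioc() {
    grep -q -F -a "104.131.154.154" "$1"
}

# Demonstration on constructed sample files (not real go-pear.phar content).
demo() {
    tmp=$(mktemp -d)
    printf '<?php /* constructed stand-in for a clean go-pear.phar */\n' > "$tmp/reference.phar"
    cp "$tmp/reference.phar" "$tmp/good.phar"
    # Constructed tainted copy: same content plus one injected line naming the IP.
    { cat "$tmp/reference.phar"; printf '# injected line referencing 104.131.154.154\n'; } > "$tmp/bad.phar"

    for f in good.phar bad.phar; do
        if verify_go_pear "$tmp/$f" "$tmp/reference.phar"; then
            echo "$f: hash matches reference"
        else
            echo "$f: HASH MISMATCH, treat as tampered"
        fi
        if scan_for_ioc "$tmp/$f"; then
            echo "$f: contains reverse-shell IP indicator"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run it against a real download with `verify_go_pear ./go-pear.phar ./go-pear.phar.from-github`; a mismatch on a file downloaded after December 20, 2018 means the system it was run on should be treated as potentially compromised, as PEAR advises.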

In addition, as a way to install PEAR packages while the server is down, PEAR suggests downloading the latest version of the package from GitHub, changing into that directory, and running "pear install package.xml" or "pear install package2.xml".

Posted by logu_ii in Software, Web Service, Security