Security breach found in PHP library service 'PEAR'

by Markus Spiske

We found that there was an attack on the server " PEAR " that provides a library available in PHP , and a security breach of file modification. The PEAR server is in a stopped state until safety is confirmed.

PEAR (@pear) | Twitter

PEAR's official Twitter account reports that PEAR's web server is undergoing security breach. The first tweet about security infringement was posted on January 19, 2019, "A teenaged go-pear.phar modified on the web server of the PEAR official site was found a security breach.PEAR The website itself is unusable until you reconstruct a clean, harmless clean site, please check with PEAR's official blog for more detailed information. "

Below is official website of PEAR. As of January 24, 2019, the server is still down. Also, the official blog that details are written is also downed and can not be accessed.

PEAR server is down

On the page showing that the server is down, "When you download" go-pear.phar "within the past 6 months, you get a copy of the same release version from GitHub , compare the hash of the file Please note that if the hash of "go-pear.phar" downloaded in the past differs from what you copied from GitHub, it may contain a modified file. "

According to PEAR, it is said that you are using you used before to inform the official site that the server is down.

On January 23, 2019, after the investigation, I have reported on Twitter that I became obvious.

The modification of the "go-pear.phar" file was discovered on January 18th as reported by the Paranoids FIRE team. PEAR estimates that the latest release of "go-pear.phar" is December 20, 2018, so modifications have been made since then. In the modified "go-pear.phar", a line designed to generate a reverse shell for IP address "" in Perl has been found. Other security breaches are not found at the time of article creation, and it is confirmed that "install - pear - nozlib.phar" file is normal. Also, since it is also confirmed that the "go-pear.phar" file saved on GitHub is normal, if you have "go-pear.phar" file at hand, you can compare files It is possible to confirm whether or not it has been altered.

PEAR stated that "We suspended the server to restore the new box from the backup because there was no other potential problem, so we are already in the process of restoring the server among the staff .

Users who downloaded the "go-pear.phar" file after December 20, 2018 are asking for confirmation that the file has not been altered, and if the corresponding file was downloaded before December 20, 2018 Even if PEAR installation is executed, PEAR warns the user "It is prudent to check the system".

In addition, as a method for installing the package of PEAR while the server is down, download the latest version package from GitHub, move to the directory, execute "pear install package.xml" or "pear install package 2. xml" It is cited as to do.

in Software,   Web Service,   Security, Posted by logu_ii