PHP Extension and Application Repository PEAR Website Server Down from January, 22, 2019.
The malware scanning website suggests that, if you have installed the malicious PEAR that it convert a backdoor in form of Web shell on infected servers.
According to PEAR administrator,
A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it's back online. If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If different, you may have the infected file.
What is PEAR?
The PHP Extension and Application Repository, or PEAR, is a repository of PHP software code. It is a framework and distribution system for reusable PHP components. It extends PHP and gives a higher level of programming for all web developers.
PEAR is divided into three different classes that are: PEAR Core Components, PEAR Packages, and PECL Packages. The PEAR Packages include functionality giving for authentication, networking, and file system features and tools for working with HTML and XML templates.
The project seeks to provide a structured library of code, maintain a system for distributing code and for managing code packages, and promote a standard coding style. Though community-driven, the PEAR project has a PEAR Group which serves as the governing body and takes care of administrative tasks.
Each PEAR code package comprises an independent project under the PEAR umbrella. It has its own development team, versioning-control and documentation.
Features-
- A structured library of open-source code for PHP users
- A system for code distribution and package maintenance
- A standard style for code written in PHP
- The PHP Extension Community Library (PECL)
- A website, mailing lists, and download mirrors to support the PHP/PEAR community
What You Do?
According to Rapid 7, the known infected go-pear.phar executable has an MD5 hash
1e26d9dd3110af79a9595f1a77a82de7 value.
You need to compare all copies of file in your organization to hash value to determine you have impacted or not. The Endpoint, network, and server anti-malware defense technologies should have this signature updated soon if they do not already have it in their signature databases.
PEAR admin team is working to restore the website. It is currently down and available over HTTP not HTTPS.
Review your PHP configurations file and be sure to running on current version of PHP.
