its official website in past 6 months, we are sorry to say that
your server might have been compromised.
Last week, the maintainers at PEAR took down the official
website of the PEAR (pear-php.net) after they found that
someone has replaced original PHP PEAR package manager
(go-pear.phar) with a modified version in the core PEAR file
system.
Though the PEAR developers are still in the process of analyzing
the malicious package, a security announcement published on January 19,
2019, confirmed that the allegedly hacked website had been serving
the installation file contaminated with the malicious code to
download for at least half a year.
[1]
The PHP Extension and Application Repository (PEAR) is a
community-driven framework and distribution system that offers
anyone to search and download free libraries written in PHP
programming language.
These open-source libraries (better known as packages) allows
developers to easily include additional functionalities into their
projects and websites, including authentication, caching,
encryption, web services, and many more.
When you download PHP software for Unix/Linux/BSD systems, PEAR
download manager (go-pear.phar) comes pre-installed, whereas
Windows and Mac OS X users need to install the component when
required manually.
providers, also allow their users to install and run PEAR, this
latest security breach could impact a large number of websites and
their visitors.
“If you have downloaded this go-pear.phar in the past six months,
you should get a new copy of the same release version from GitHub
(pear/pearweb_phars) and compare file hashes. If different, you may
have the infected file,” the note on the official PEAR website
reads.
performing a forensic investigation to determine what is the extent
of the attack and how the attackers managed to compromise the
server in the first place.
A new clean version
1.10.10 of pearweb_phars[2]
is now available on Github, which “re-releases the correct
‘go-pear.phar’ as v1.10.9, the file that was found tainted on the
‘http://pear.php.net’ server, and now includes separate GPG
signature files with each ‘phar.”
The developers further notified that only the copy on the
pear.php.net server was impacted, to their knowledge, and that the
GitHub copy of go-pear.phar is not compromised.
Since the PEAR officials have just put out a warning
notification and not released any details about the security
incident, it is still unclear that who is behind the attack.
The developers tweeted[3]
that they will publish a “more detailed announcement” on the PEAR
Blog once it’s back online.
All PHP/PEAR users who have downloaded the installation file
go-pear.phar from the official website in the past six months
should consider themselves compromised and quickly download and
install the Github version.
References
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/xwXsRrR614E/php-pear-hacked.html