The PHP PEAR website was recently hacked: the attackers gained access to the web server and altered the "go-pear.phar" file, the installation package for the PEAR package manager.
PEAR, which stands for "PHP Extension and Application Repository," is the first package manager developed for the PHP scripting language in the 1990s. It lets developers load and reuse code for common functions delivered as PHP libraries.
Most PHP developers have since shifted to Composer, a third-party package manager. PEAR is still widely used, however, because it is included by default with all official PHP binaries for Linux.
Developers either use the PEAR version that ships with their PHP distribution or download an updated PEAR (go-pear.phar) version from the PEAR website.
Last week, however, the PHP PEAR website (pear.php.net) was hacked, and the home page now shows a message about the security breach.
The message says the PEAR team has found that the website was hosting a "tainted go-pear.phar" file, which is the main PHP PEAR executable.
The team also asks users who have downloaded go-pear.phar in the past six months to get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If the hashes differ, the user may have the infected file.
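The hash comparison described above can be scripted across a whole server. The following is an added example, not code from the PEAR team; it assumes a reference go-pear.phar of the same release version has already been downloaded from GitHub (pear/pearweb_phars), and the function names and command-line usage are hypothetical.

```python
import hashlib
import hmac
import os
import sys


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(root, name="go-pear.phar"):
    """Yield every file called `name` below `root`."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if name in filenames:
            yield os.path.join(dirpath, name)


def audit(reference_path, search_root):
    """Compare each go-pear.phar under search_root with the reference copy.

    Returns {path: (verdict, sha256_or_None)}; verdict is "match",
    "MISMATCH" or "unreadable".
    """
    reference = sha256_file(reference_path)
    reference_real = os.path.realpath(reference_path)
    results = {}
    for path in find_copies(search_root):
        if os.path.realpath(path) == reference_real:
            continue  # do not compare the reference with itself
        try:
            found = sha256_file(path)
        except OSError:
            results[path] = ("unreadable", None)  # report it, never skip silently
            continue
        same = hmac.compare_digest(found, reference)
        results[path] = ("match" if same else "MISMATCH", found)
    return results


if __name__ == "__main__":
    # Usage (assumed CLI): python audit_pear.py <reference go-pear.phar> <directory>
    report = audit(sys.argv[1], sys.argv[2])
    for path, (verdict, digest) in sorted(report.items()):
        print(f"{verdict:10} {digest or '-':64} {path}")
    sys.exit(1 if any(v != "match" for v, _ in report.values()) else 0)
```

A mismatch is only meaningful when the local file and the reference are the same release version; a copy from a different release will differ even when it is clean.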
The malicious version of the file is believed to contain a backdoor. However, what this backdoor does is currently not known. The team is still examining the source code of the file. The security hole that the attackers exploited around six months ago to insert the backdoored file is being analyzed. More details regarding the incident will be published later.
PHP web servers that have been updated with the PHP PEAR executable downloaded from the PEAR website must be considered compromised.
Meanwhile, the PHP PEAR team has released PEAR v1.10.10, a new PEAR release similar to the previous release, v1.10.9. They have uploaded it to GitHub to indicate that it is a clean version that webmasters can install without any fear.
At present PHP powers nearly 79% of all internet sites, but only a small portion of them are probably affected by this incident, because most people either use Composer or rarely download the PEAR executable from the website.