Security breach found in PHP “PEAR” library service
The PEAR server has been taken offline until it is confirmed safe. Its maintainers found a security breach: an attack on the server of “PEAR”, which provides libraries for PHP.
Users who downloaded and installed PEAR from the official PEAR website, pear-php.net, in the last 6 months may be infected, so you should quickly download the GitHub version and install it. Users who downloaded the “go-pear.phar” file after December 20, 2018 are asked to confirm that the file has not been altered. Even if the file was downloaded and the PEAR installation was run before December 20, 2018, PEAR warns users that “It is prudent to check the system”.
Below is the official website of PEAR. As of January 24, 2019, the server is still down. The official blog, where the details are written, is also down and cannot be accessed.
You can use the steps below to check whether your go-pear.phar file is the infected one.
- Log in via SSH to the server where you are currently using PEAR.
- Go to the directory where you downloaded the go-pear.phar file, most likely your user’s home directory.
# cd ~user
- Check the md5sum value.
# md5sum go-pear.phar
- The above command will return a value like this: 1e26d9dd3110af79a9595f1a77a82de7
- The infected file has the above hash value. If you see this value returned, you should proceed to disable the previous PEAR installation files and folders.
# mv go-pear.phar go-pear.phar_infected
# mv .pearrc .pearrc_infected
# mv pear pear_infected
- Next, download a fresh copy of the go-pear.phar file from GitHub. Use the raw file URL; the "blob" URL returns GitHub's HTML page for the file, not the phar itself.
# wget https://github.com/pear/pearweb_phars/raw/master/go-pear.phar
- You can then re-install PEAR using the file downloaded from GitHub.
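The md5sum check above covers one file in one directory. The script below is an added example, not part of the original article or of PEAR's tooling: it searches a directory tree for every copy of go-pear.phar, including renamed ones such as go-pear.phar_infected, and compares each against the hash listed above. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: find go-pear.phar copies and compare their MD5 with the
# hash the article gives for the infected file.
BAD_MD5="1e26d9dd3110af79a9595f1a77a82de7"   # value quoted in the article

# Print the MD5 of a file (md5sum on Linux, md5 -q on BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# classify FILE [HASH]: print "infected" when the file's MD5 equals HASH
# (default: BAD_MD5), otherwise "no-match". Returns 2 if hashing failed.
classify() {
    want="${2:-$BAD_MD5}"
    got="$(file_md5 "$1")"
    [ -n "$got" ] || return 2
    if [ "$got" = "$want" ]; then
        echo infected
    else
        echo no-match
    fi
}

# scan_tree DIR [HASH]: print "<verdict><TAB><path>" for every file under
# DIR whose name starts with go-pear.phar.
scan_tree() {
    find "$1" -type f -name 'go-pear.phar*' 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify "$f" "$2")" "$f"
    done
}

# Stand-alone use: sh scan.sh /home
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

A "no-match" verdict only means the file differs from the one hash listed in this article; it does not confirm that the file is unaltered.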