Mystery still surrounds hack of PHP PEAR website

Three days later, still no new details about how the official PHP website hosted a backdoored version of the PEAR package manager for the past six months.

PHP PEAR

Image: PHP PEAR Team

Details remain foggy about a recent security breach at the PHP PEAR website, a crucial, but lesser-known part of the PHP ecosystem.

PEAR, which stands for "PHP Extension and Application Repository," is the first package manager that was developed for the PHP scripting language back in the 1990s, and works by allowing developers to load and reuse code for common functions delivered as PHP libraries.

While currently most PHP developers have switched to using Composer, a newer third-party package manager, PEAR still remains very popular and is still very widespread because it's also been included by default with all official PHP binaries for Linux.

PHP developers can use the PEAR version that ships with their PHP distribution, but they can also download an updated PEAR (go-pear.phar) version from the PEAR website (which also hosts all PEAR-compatible PHP libraries).

However, last week, the PHP PEAR website --located at pear.php.net-- was taken down and its homepage replaced with a short message announcing a security breach.

According to the message, the PEAR team said they've found that the official website had been hosting a "tainted go-pear.phar" file --which is the main PHP PEAR executable.

"If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes," said the message on the official website. "If different, you may have the infected file."

PHP PEAR security breach

Image: ZDNet

According to a VirusTotal scan of the tainted go-pear.phar file, the malicious version made available through the official PEAR website appears to contain what some antivirus vendors are describing as a backdoor.

What exactly this backdoor does, is currently unknown, as the PHP PEAR team is still analyzing the file's source code, which contains thousands of line of code.

All PHP web servers where administrators installed an update to the PHP PEAR executable (go-pear.phar) that they downloaded from the PEAR website should be considered compromised and treated accordingly.

The PHP PEAR team says it's still auditing and rebuilding its website, looking for the security hole that attackers exploited six months ago to plant the backdoored go-pear.phar file in the first place.

PEAR developers promised a more detailed incident post-mortem when this operation concludes.

In the meantime, earlier today, the PHP PEAR team also released PEAR v1.10.10, a new PEAR release, which is identical with the previous release v1.10.9, but which the PHP PEAR team uploaded on GitHub to give it a new timestamp and signal that it's a clean version that webmasters can install without fear of downloading a potentially backdoored release.

While PHP currently powers nearly 79 percent of all internet sites, only a small portion of them are likely to be affected by this incident, as most people either use Composer or rarely update the PEAR executable in the first place.

UPDATE, January 23: In a series of tweets following the publication of this article, the PEAR team has published more details about its recent security breach. The tweets are embedded below:

In addition, the team at DCSO has also analyzed the malicious backdoor, and confirmed the findings of the PEAR team that it drops a reverse shell on infected hosts, allowing attackers to connect to web servers running a tainted PEAR package.

More security coverage: