Image: PHP PEAR Team

Details remain foggy about a recent security breach at the PHP PEAR website, a crucial, but lesser-known part of the PHP ecosystem.

PEAR, which stands for "PHP Extension and Application Repository," is the first package manager that was developed for the PHP scripting language back in the 1990s, and works by allowing developers to load and reuse code for common functions delivered as PHP libraries.

While currently most PHP developers have switched to using Composer, a newer third-party package manager, PEAR still remains very popular and is still very widespread because it's also been included by default with all official PHP binaries for Linux.

PHP developers can use the PEAR version that ships with their PHP distribution, but they can also download an updated PEAR (go-pear.phar) version from the PEAR website (which also hosts all PEAR-compatible PHP libraries).

However, last week, the PHP PEAR website --located at pear.php.net-- was taken down and its homepage replaced with a short message announcing a security breach.

According to the message, the PEAR team said they've found that the official website had been hosting a "tainted go-pear.phar" file --which is the main PHP PEAR executable.

"If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes," said the message on the official website. "If different, you may have the infected file."

Image: ZDNet

According to a VirusTotal scan of the tainted go-pear.phar file, the malicious version made available through the official PEAR website appears to contain what some antivirus vendors are describing as a backdoor.

What exactly this backdoor does, is currently unknown, as the PHP PEAR team is still analyzing the file's source code, which contains thousands of line of code.

All PHP web servers where administrators installed an update to the PHP PEAR executable (go-pear.phar) that they downloaded from the PEAR website should be considered compromised and treated accordingly.

The PHP PEAR team says it's still auditing and rebuilding its website, looking for the security hole that attackers exploited six months ago to plant the backdoored go-pear.phar file in the first place.

PEAR developers promised a more detailed incident post-mortem when this operation concludes.

In the meantime, earlier today, the PHP PEAR team also released PEAR v1.10.10, a new PEAR release, which is identical with the previous release v1.10.9, but which the PHP PEAR team uploaded on GitHub to give it a new timestamp and signal that it's a clean version that webmasters can install without fear of downloading a potentially backdoored release.

While PHP currently powers nearly 79 percent of all internet sites, only a small portion of them are likely to be affected by this incident, as most people either use Composer or rarely update the PEAR executable in the first place.

UPDATE, January 23: In a series of tweets following the publication of this article, the PEAR team has published more details about its recent security breach. The tweets are embedded below:

1/5 What we know: the tainted go-pear.phar file was reported to us on 1/18 by the Paranoids FIRE Team. The last release of this file was done 12/20, so the taint occurred after that. The taint was verified by us on 1/19. — PEAR (@pear) January 23, 2019

2/5 What we know: The taint was an embedded line designed to spawn a reverse shell via Perl to IP 104.131.154.154. This IP has been reported to its host in relation to the taint. — PEAR (@pear) January 23, 2019

3/5 What we know: no other breach was identified. The install-pear-nozlib.phar was ok. The go-pear.phar file at GitHub was ok, and could be used as a good md5sum comparison for any suspect copies. — PEAR (@pear) January 23, 2019

4/5 What we know: being unsure of other potential insecurities, we took the site down in order to restore a new box from backups. A previous mirror box was set to host a "PEAR is down" single info page in the meantime. — PEAR (@pear) January 23, 2019

5/5 What we know: We cast a wide net by asking everyone to be concerned if they'd used the go-pear.phar file in the past six months. The server restoral is ongoing, by limited staff with timezone differences between the parties involved. — PEAR (@pear) January 23, 2019

In addition, the team at DCSO has also analyzed the malicious backdoor, and confirmed the findings of the PEAR team that it drops a reverse shell on infected hosts, allowing attackers to connect to web servers running a tainted PEAR package.

More security coverage: