> The officials didn’t say when the hack of their Web server occurred or precisely what the malicious version of go-pear.phar did to infected systems.

From Twitter (https://twitter.com/pear):

> What we know: the tainted go-pear.phar file was reported to us on 1/18 by the Paranoids FIRE Team. The last release of this file was done 12/20, so the taint occurred after that. The taint was verified by us on 1/19.

> What we know: The taint was an embedded line designed to spawn a reverse shell via Perl to IP 104.131.154.154. This IP has been reported to its host in relation to the taint.

> What we know: no other breach was identified. The install-pear-nozlib.phar was ok. The go-pear.phar file at GitHub was ok, and could be used as a good md5sum comparison for any suspect copies.

> If you downloaded go-pear.phar before 12/20, we have no concrete evidence you received a tainted file... but it would be prudent to check your system if you used go-pear.phar to perform a PEAR installation in the last several months.
A good reminder to run your webserver with only the privileges it needs, including read/write permissions on the filesystem outside www and shell execution of commands on the system.

Also not a bad idea to have some kind of file compare against a "known good" folder of your site(s) to determine if any files have been modified or added, such as webshells.
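The "known good" comparison described in the comment above, as an added example that is not part of the original thread: a Python script (the function names file_digest, verify_file, compare_trees and demo and the sample tree are all constructed for this example) that hashes a reference copy and a deployed tree, reports modified, added and missing files, and checks a single file against a published digest such as the md5sum of a trusted copy.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algo="sha256"):
    """Hash a file in chunks; algo may be 'md5' to match a published md5sum."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_file(path, expected_hex, algo="md5"):
    """True if the file's digest equals a known-good value (e.g. from a trusted copy)."""
    return file_digest(path, algo) == expected_hex.strip().lower()

def hash_tree(root):
    """Map every file under root (relative, '/'-separated path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(known_good, deployed):
    """Files that differ from, were added to, or are missing from the known-good tree."""
    good, live = hash_tree(known_good), hash_tree(deployed)
    return {
        "modified": sorted(f for f in good if f in live and good[f] != live[f]),
        "added": sorted(set(live) - set(good)),
        "missing": sorted(set(good) - set(live)),
    }

def demo():
    """Constructed sample: a known-good copy beside a deployed copy in which one
    file was edited and one unexpected file appeared (hypothetical names)."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp) / "known_good", Path(tmp) / "www"
        for base in (good, live):
            (base / "lib").mkdir(parents=True)
            (base / "index.php").write_text("<?php echo 'hello'; ?>\n")
            (base / "lib" / "util.php").write_text("<?php function f() {} ?>\n")
        (live / "lib" / "util.php").write_text("<?php function f() { return 1; } ?>\n")
        (live / "extra.php").write_text("<?php /* not in known-good tree */ ?>\n")
        report = compare_trees(good, live)
        # Single-file check against the reference copy's md5, as with the GitHub go-pear.phar.
        report["index_ok"] = verify_file(live / "index.php", file_digest(good / "index.php", "md5"))
        return report

if __name__ == "__main__":
    print(demo())
```

Run it against a reference checkout and the deployed docroot; any entry under "added" or "modified" is worth a manual look.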
Aptly timed vulnerability with this article: https://research.swtch.com/deps
Thankfully nobody is using PEAR anymore. Using composer doesn't solve the problem of blindly pulling internet dependencies, though (as others pointed out).

What I currently do is grep vendor for common smells like usage of eval() or obfuscations of the same thing after doing a composer update on a project.
I'm not doing PHP anymore, but I never heard of PEAR; everybody seems to have used Composer for quite a while. Seems like the transition happened in 2014-2015.
If a company does not invest in open source and uses it - it has to invest in open source to keep using it. Well, at least it's under the security budget and doesn't look like a voluntarily paid tax anymore.
This article is outdated. Check the PEAR Twitter profile for new information.

It would be nice if journalists would keep up with the things they report on.