On January 19, 2019 the PEAR project announced, that it’s installation script had been tampered with: https://twitter.com/pear/status/1086634389465956352:
A security breach has been found on the https://pear.php.net webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it’s back online.
PEAR is short for “PHP Extension and Application repository”. This repository is host to a vast number of PHP projects. Programmers and application administrators use the go-pear script to download PHP class packages from the repository.
According to the projects website, the breach occured six months ago.
The modified file has an MD5 hash of 1e26d9dd3110af79a9595f1a77a82de7. Looking at its content, the backdoor can easily be seen on line 1270:
The following command line extracts and deobfuscates the simple backdoor:
sed -ne 1270p 1e26d9dd3110af79a9595f1a77a82de7 | perl -ne 's/\\x(..)/chr(hex($1))/ge && print'
It remains a mystery, why the attacker used a backdoor written in Perl to infect a piece of software written in PHP.
The backdoor opens a shell and connects to 104.131.154[.]154. Although it connects to port 443, the connection is unencrypted and there is no SSL negotiation.
Chances are high, that the server 104.131.154[.]154 (bestlinuxgames[.]com) might be another compromised host.
DCSO has published a MISP event with the relevant IOCs. Please use this to scan your infrastructure for infections:
“PHP PEAR Software Supply Chain Attack” (5c46dd16-2ed0-4604-ab12-181cac12042b)
Who we are
The Threat Intelligence -Team helps clients to reduce the threat posed by adversaries to their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence on all levels – from atomic Indicators of Compromise (IoC) to insights into the political, economic and cultural context of adversaries.