{"id":51701,"date":"2019-02-07T13:00:42","date_gmt":"2019-02-07T19:00:42","guid":{"rendered":"https:\/\/blog.cpanel.com\/?p=51701"},"modified":"2019-02-07T13:00:42","modified_gmt":"2019-02-07T19:00:42","slug":"when-php-went-pear-shaped-the-php-pear-compromise","status":"publish","type":"post","link":"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/","title":{"rendered":"When PHP Went Pear Shaped- The PHP PEAR Compromise"},"content":{"rendered":"\n<p>As you may or may not be aware, on January 19th, 2019, a security&nbsp;<a href=\"http:\/\/blog.pear.php.net\/\">announcement<\/a>&nbsp;was published confirming the compromise of the PHP Extension and Application Repository (PEAR) installation script. The PEAR project had the following statement to announce:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>&#8220;A security breach has been found on the&nbsp;<a href=\"http:\/\/pear.php.net\/\">http:\/\/pear.php.net<\/a>&nbsp;webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it\u2019s back online.&#8221;<\/p><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">What is PEAR?<\/h2>\n\n\n\n<p>The&nbsp;<a href=\"http:\/\/pear.php.net\/\">PEAR repository<\/a>&nbsp;(currently offline until the compromise can be remedied)&nbsp;is a site that holds host to a vast number of PHP projects where programmers and application developers use the go-pear script to download PHP class packages from the repository. This library of code was intended to promote a standard coding style. While community-driven, the PEAR project has a PEAR group acting as the governing body handling administrative tasks. A&nbsp;PEAR package is essentially a gzipped tar file consisting of source code written in PHP&nbsp;and can be readily used by developers as ordinary third-party code by way of include statements in PHP. Users could invoke the PEAR package manager from the command line via the&nbsp;<code>pear<\/code>&nbsp;command. For PHP installations running on Linux, the PEAR package manager is enabled by default.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">So what happened?<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2019\/02\/PEAR-perl-backdoor.png\" alt=\"\" class=\"wp-image-51705\"\/><\/figure>\n\n\n\n<p>Speculated to have happened as far back as 6 months ago, a malicious user compromised the PEAR installation script with an extractor that enabled a backdoor (via Perl) that opened a shell connecting to a remote infected server. This allowed the malicious users to install apps, run malicious code, and capture sensitive data.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Should I be concerned?<\/h2>\n\n\n\n<p>If you&#8217;re a user who has built your PHP RPMs from the PEAR website, there is a potential chance that your machine may have been compromised.&nbsp;<a href=\"https:\/\/dcso.de\/\">DCSO<\/a>&nbsp;(a German cybersecurity organization) has published a MISP (Malware Information Sharing Platform) event with the relevant IOCs (indicators of compromise) that can be used to scan your infrastructure for infections:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><code>\u201cPHP PEAR Software Supply Chain Attack\u201d (5c46dd16-2ed0-4604-ab12-181cac12042b)<\/code><\/p><\/blockquote>\n\n\n\n<p>cPanel &amp; WHM users have nothing to fear, as we build our RPMs from GitHub, which does not pull in the compromised go-pear.phar archive to our RPMs. This means there are no indications that any cPanel RPMs containing PEAR packages are compromised.&nbsp;<\/p>\n\n\n\n<p>For further updates from PEAR directly, we recommend following the official&nbsp;<a href=\"https:\/\/twitter.com\/pear\">pear&nbsp;Twitter feed<\/a>. You can also join in the discussion by participating in our&nbsp;<a href=\"https:\/\/go.cpanel.net\/discord\">Discord<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/go.cpanel.net\/slack\">Slack<\/a>&nbsp;channels, as well as our official cPanel&nbsp;<a href=\"https:\/\/reddit.com\/r\/cpanel\">subreddit.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As you may or may not be aware, on January 19th, 2019, a security&nbsp;announcement&nbsp;was published confirming the compromise of the PHP Extension and Application Repository (PEAR) installation script. The PEAR project had the following statement to announce: &#8220;A security breach has been found on the&nbsp;http:\/\/pear.php.net&nbsp;webserver, with a tainted go-pear.phar discovered. The PEAR website itself has [&hellip;]<\/p>\n","protected":false},"author":77,"featured_media":65093,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[49],"tags":[2185,297,325],"class_list":["post-51701","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-products","tag-pear","tag-php","tag-product-development"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>When PHP Went Pear Shaped- The PHP PEAR Compromise | cPanel<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"When PHP Went Pear Shaped- The PHP PEAR Compromise | cPanel\" \/>\n<meta property=\"og:description\" content=\"As you may or may not be aware, on January 19th, 2019, a security&nbsp;announcement&nbsp;was published confirming the compromise of the PHP Extension and Application Repository (PEAR) installation script. The PEAR project had the following statement to announce: &#8220;A security breach has been found on the&nbsp;http:\/\/pear.php.net&nbsp;webserver, with a tainted go-pear.phar discovered. The PEAR website itself has [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/\" \/>\n<meta property=\"og:site_name\" content=\"cPanel\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cpanel\/\" \/>\n<meta property=\"article:published_time\" content=\"2019-02-07T19:00:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/devel.www.cpanel.net\/wp-content\/uploads\/2019\/02\/2019.02.06.pearcompromise.png\" \/>\n\t<meta property=\"og:image:width\" content=\"3858\" \/>\n\t<meta property=\"og:image:height\" content=\"1527\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"cPanel Community\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cPanel\" \/>\n<meta name=\"twitter:site\" content=\"@cPanel\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"cPanel Community\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/\",\"url\":\"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/\",\"name\":\"When PHP Went Pear Shaped- The PHP PEAR Compromise | cPanel\",\"isPartOf\":{\"@id\":\"https:\/\/devel.www.cpanel.net\/#website\"},\"datePublished\":\"2019-02-07T19:00:42+00:00\",\"dateModified\":\"2019-02-07T19:00:42+00:00\",\"author\":{\"@id\":\"https:\/\/devel.www.cpanel.net\/#\/schema\/person\/8cf97408aad4fb70cf55d11a1d4f57f8\"},\"breadcrumb\":{\"@id\":\"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/devel.www.cpanel.net\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"When PHP Went Pear Shaped- The PHP PEAR Compromise\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/devel.www.cpanel.net\/#website\",\"url\":\"https:\/\/devel.www.cpanel.net\/\",\"name\":\"cPanel\",\"description\":\"Hosting Platform of Choices\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/devel.www.cpanel.net\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/devel.www.cpanel.net\/#\/schema\/person\/8cf97408aad4fb70cf55d11a1d4f57f8\",\"name\":\"cPanel Community\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/devel.www.cpanel.net\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e1949945083b5526bb95711bd3d616b3?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e1949945083b5526bb95711bd3d616b3?s=96&d=mm&r=g\",\"caption\":\"cPanel Community\"},\"description\":\"The web hosting industry's most reliable management solution since 1997. With our first-class support and rich feature set, it's easy to see why our customers and partners make cPanel &amp; WHM their hosting platform of choice. For more information, visit cPanel.net.\",\"sameAs\":[\"https:\/\/cpanel.net\"],\"url\":\"https:\/\/devel.www.cpanel.net\/blog\/author\/cpadmin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"When PHP Went Pear Shaped- The PHP PEAR Compromise | cPanel","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/","og_locale":"en_US","og_type":"article","og_title":"When PHP Went Pear Shaped- The PHP PEAR Compromise | cPanel","og_description":"As you may or may not be aware, on January 19th, 2019, a security&nbsp;announcement&nbsp;was published confirming the compromise of the PHP Extension and Application Repository (PEAR) installation script. The PEAR project had the following statement to announce: &#8220;A security breach has been found on the&nbsp;http:\/\/pear.php.net&nbsp;webserver, with a tainted go-pear.phar discovered. The PEAR website itself has [&hellip;]","og_url":"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/","og_site_name":"cPanel","article_publisher":"https:\/\/www.facebook.com\/cpanel\/","article_published_time":"2019-02-07T19:00:42+00:00","og_image":[{"width":3858,"height":1527,"url":"https:\/\/devel.www.cpanel.net\/wp-content\/uploads\/2019\/02\/2019.02.06.pearcompromise.png","type":"image\/png"}],"author":"cPanel Community","twitter_card":"summary_large_image","twitter_creator":"@cPanel","twitter_site":"@cPanel","twitter_misc":{"Written by":"cPanel Community","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/","url":"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/","name":"When PHP Went Pear Shaped- The PHP PEAR Compromise | cPanel","isPartOf":{"@id":"https:\/\/devel.www.cpanel.net\/#website"},"datePublished":"2019-02-07T19:00:42+00:00","dateModified":"2019-02-07T19:00:42+00:00","author":{"@id":"https:\/\/devel.www.cpanel.net\/#\/schema\/person\/8cf97408aad4fb70cf55d11a1d4f57f8"},"breadcrumb":{"@id":"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/devel.www.cpanel.net\/blog\/products\/when-php-went-pear-shaped-the-php-pear-compromise\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/devel.www.cpanel.net\/"},{"@type":"ListItem","position":2,"name":"When PHP Went Pear Shaped- The PHP PEAR Compromise"}]},{"@type":"WebSite","@id":"https:\/\/devel.www.cpanel.net\/#website","url":"https:\/\/devel.www.cpanel.net\/","name":"cPanel","description":"Hosting Platform of Choices","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/devel.www.cpanel.net\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/devel.www.cpanel.net\/#\/schema\/person\/8cf97408aad4fb70cf55d11a1d4f57f8","name":"cPanel Community","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/devel.www.cpanel.net\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e1949945083b5526bb95711bd3d616b3?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e1949945083b5526bb95711bd3d616b3?s=96&d=mm&r=g","caption":"cPanel Community"},"description":"The web hosting industry's most reliable management solution since 1997. With our first-class support and rich feature set, it's easy to see why our customers and partners make cPanel &amp; WHM their hosting platform of choice. For more information, visit cPanel.net.","sameAs":["https:\/\/cpanel.net"],"url":"https:\/\/devel.www.cpanel.net\/blog\/author\/cpadmin\/"}]}},"_links":{"self":[{"href":"https:\/\/devel.www.cpanel.net\/wp-json\/wp\/v2\/posts\/51701"}],"collection":[{"href":"https:\/\/devel.www.cpanel.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devel.www.cpanel.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devel.www.cpanel.net\/wp-json\/wp\/v2\/users\/77"}],"replies":[{"embeddable":true,"href":"https:\/\/devel.www.cpanel.net\/wp-json\/wp\/v2\/comments?post=51701"}],"version-history":[{"count":0,"href":"https:\/\/devel.www.cpanel.net\/wp-json\/wp\/v2\/posts\/51701\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devel.www.cpanel.net\/wp-json\/wp\/v2\/media\/65093"}],"wp:attachment":[{"href":"https:\/\/devel.www.cpanel.net\/wp-json\/wp\/v2\/media?parent=51701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devel.www.cpanel.net\/wp-json\/wp\/v2\/categories?post=51701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devel.www.cpanel.net\/wp-json\/wp\/v2\/tags?post=51701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}