PHP PEAR Backdoor Discovered

On January 19th, the maintainers of the popular PHP package management system disclosed that they had discovered a backdoor in an installer component named go-pear.phar. The PEAR website is still down as of today and maintainers state that they have no ETA for when a clean site will be on line.

Although initial indications were that any installations in the last six months may have been compromised, an update says that the PEAR team can only confirm that installs on or after 20DEC18 would have been impacted.

This incident amplifies the need for supply chain security. Software supply chain security is particularly difficult due to the many library components (PEAR packages for example) that may be components of a larger software installation. To help with this challenge, Rendition Infosec released a draft framework for evaluating supply chain security last year at the SANS Threat Hunting Summit.

Jake Williams, Founder of Rendition Infosec gives some additional thoughts about the PEAR hack in this video.

If you need assistance with incident response surrounding a compromised web server or just need to be sure you weren’t part of the fallout from this attack, please contact Rendition Infosec. We’ll be happy to help investigate your system and remediate any intrusions discovered.