Officials with the widely used PHP Extension and Application Repository have temporarily taken down most of their website and are urging users to inspect their systems after finding hackers
"If you downloaded this go-pear.phar [package manager] in the last six months, you should get a new copy of the same version from GitHub (pear/pearweb_phars) and compare file hashes," officials said on the site. "If it is different, you may have the infected file."
Officials did not say when their web server was breached or what exactly the malicious version of go-pear.phar did to infected systems. For starters, the warning is addressed to anyone who has downloaded the package manager over the past six months, suggesting that the breach may have happened as far back as last July and that no one noticed either it or the infected download until now.
Moreover, results from VirusTotal, a Google-owned malware scanning service, suggest that the malicious PEAR download installed a backdoor, possibly in the form of a web shell, on infected servers. Such a backdoor gives hackers complete control, including the ability to install applications, execute malicious code, and download sensitive data, over any machine that installed the malicious download.
PEAR officials have not said how and when the breach of their web server occurred or what the malicious download did. They said on Twitter that the copy of go-pear.phar available on GitHub was not affected by the compromise. They also said they have updated pearweb_phars, a download that includes a variety of smaller files, to add GPG signatures for each phar file. This will allow users to more easily check the authenticity of each individual PEAR component.
The PEAR Council is the latest to disclose what is known as a supply chain attack. These attacks are especially effective because a single hack poisons the software at its source, where a potentially large number of people go to get their downloads. The most famous example of a recent supply chain attack is the backdoor that infected 2.27 million computers that installed a software update for the CCleaner disk-maintenance program in 201
The NotPetya worm outbreak in July 2017 was set off after attackers infected M.E.Doc, a developer of tax accounting applications widely used in Ukraine. The attackers then used the company's update mechanism to spread the ransomware. Other supply chain attacks include the infection of 100 banks worldwide, also in 2017, through server or network management products sold by the software maker NetSarang. In October last year, two supply chain attacks came to light, one affecting the VestaCP control panel interface and the other the official repository for the widely used Python programming language.
One way to reduce the chances of being hit by a supply chain attack is to compare the hash digest of a downloaded file to the hash published by the developer. This is by no means foolproof, because hackers who are able to modify installation files may also be able to change the published hash. However, it remains effective in many cases, especially when the hash has been published on a large number of mirror sites.
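The comparison described above, together with its caveat that a hash published in only one place can be altered by the same attacker, as an added example (not code from PEAR or from the original article). The function names, source labels and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_download(path, published):
    """Compare a download with digests gathered from independent sources.

    `published` maps a source label to the hex digest that source lists.
    Returns (verdict, labels of sources whose digest differs from the file).
    """
    if not published:
        raise ValueError("need at least one published digest")
    actual = sha256_file(path)
    normalized = {src: d.strip().lower() for src, d in published.items()}
    differing = sorted(src for src, d in normalized.items()
                       if not hmac.compare_digest(d, actual))
    if not differing:
        return "match", []
    if len(set(normalized.values())) > 1:
        # The sources contradict each other, so one publication point may
        # have been altered along with the file. Do not trust the download.
        return "sources-disagree", differing
    return "mismatch", differing

def demo():
    # Constructed sample data: stand-in bytes, not real PEAR files or hashes.
    clean, tampered = b"<?php /* installer */", b"<?php /* installer + extra */"
    good = hashlib.sha256(clean).hexdigest()
    bad = hashlib.sha256(tampered).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "go-pear.phar")
        with open(path, "wb") as fh:
            fh.write(tampered)  # the file on disk is the modified one
        return [
            check_download(path, {"github-copy": good, "mirror-a": good}),
            check_download(path, {"download-site": bad, "github-copy": good}),
            check_download(path, {"download-site": bad}),  # single altered source
        ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case returns "match" even though the file is the modified one, which is why a digest taken from a single source, especially the download site itself, proves little.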
Anyone who installed PEAR using installation files downloaded from pear.php.net should thoroughly analyze their system for signs of infection and watch for further information from PEAR officials.