#23786 - 10/16/12 07:05 AM Pear appears infected
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
I did a ClamXav scan this morning and got this result in the top window:

Filename: /Users/myname/Desktop/Quarantine/install-pear-nozlib.phar
Infection Name: PHP.Exploit.CVE_2011_4153-2
Status: Quarantined

In the lower window I got:

Starting scan…

ERROR: Can't unlink '/usr/lib/php/install-pear-nozlib.phar': Permission denied
----------- SCAN SUMMARY -----------
Known viruses: 1315949
Engine version: 0.97.5
Scanned directories: 179553
Scanned files: 579428
Infected files: 1
Total errors: 307
Data scanned: 57953.32 MB
Data read: 69575.40 MB (ratio 0.83:1)
Time: 6095.328 sec (101 m 35 s)

One or more infected files were found and were moved into your quarantine folder.

I then did a Get Info on the quarantined document, and got:

Created: July 31, 2012 6:42 PM
Modified: July 31, 2012 6:42 PM

I've looked around and, although I don't know what Pear is, it appears to be something that the system wants, but that PHP.Exploit.CVE_2011_4153-2 is not desirable.

So, I assume I should trash the install-pear-nozlib.phar document in the Quarantine folder. However, I'm not sure how to perform the "unlink" that the ERROR message seems to want.


What are my best steps at this point?

If Pear is something the system wants, how would I get an infected copy?


Edited by ryck (10/16/12 07:08 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#23787 - 10/16/12 08:00 AM Re: Pear appears infected [Re: ryck]
alternaut Offline

Moderator

Registered: 08/04/09
The suspect file you're looking at is a PHP archive (.phar). 'Pear' stands for PHP Extension and Application Repository, and is part of a standard Mac OS X install. It appears that yesterday's (10/15) ClamXav signature update flags this particular archive and others like it (tar.gz) that until now have neither been changed in quite a while nor been flagged as infected. Re-scanning the uncompressed archives returns no infection flag, suggesting that the flag is made in error (false positive). ClamXav has been notified and (presumably) is working on it.

Take home message: leave this quarantined file alone for the time being, sit back and wait for more info on this.
_________________________
alternaut moderator

#23788 - 10/16/12 08:41 AM Re: Pear appears infected [Re: alternaut]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Thanks.
#23791 - 10/16/12 11:54 AM Re: Pear appears infected [Re: ryck]
alvarnell Offline


Registered: 09/21/09
Loc: Mtn View, CA, USA
I uploaded the file to ClamAV False Positives signature team yesterday and expect it to be resolved shortly. The identified file has been distributed with OS X since 10.6.x. A couple of Unix users have also complained, so it's not just Mac users that are affected.

In any case, the file itself is not infected, but may trigger a vulnerability in the php code. We'll just have to wait and see what they tell us.
_________________________
-Al-

--
Al Varnell
Mountain View, CA

#23799 - 10/17/12 06:56 AM Re: Pear appears infected [Re: alvarnell]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: alternaut
Take home message: leave this quarantined file alone for the time being, sit back and wait for more info on this.

Originally Posted By: alvarnell
In any case, the file itself is not infected, but may trigger a vulnerability in the php code. We'll just have to wait and see what they tell us.

The file will sit in quarantine until we hear. Thanks and thanks.


Edited by ryck (10/17/12 06:57 AM)
#23800 - 10/17/12 07:10 AM Re: Pear appears infected [Re: ryck]
alternaut Offline

Moderator

Registered: 08/04/09
You may want to see if you still get the warning* after you update ClamXav's signature file to Daily CVD 15471 or later (current version is 15472, the flagging update was Daily 15462).

It's suggested that the PHP.Exploit.CVE_2011_4153-2 flag is no longer raised with the newer updates, although ClamXav did not provide further details about its previous inclusion either. As Alvarnell mentioned above, it looks like this file contains vulnerabilities and not malware per se.

*) This may not be conclusive as I don't know if ClamXav includes the Quarantine folder in its scan. If possible you may want to scan first before updating the signature file to find out, and then update. If you set ClamXav to auto-update the signature file, however, this pre-update check obviously won't work. That's also true if you're running ClamXav Sentry, as Sentry can be configured to auto-update on startup as well.
#23801 - 10/17/12 11:43 AM Re: Pear appears infected [Re: alternaut]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: alternaut
You may want to see if you still get the warning* after you update ClamXav's signature file to Daily CVD 15471 or later (current version is 15472, the flagging update was Daily 15462).

I've just done a scan and got "No infected files were found".

I checked "About ClamXav" and it reports I have V2.3.2 (269) and a "Check for Updates" says I have the most current version.

Since I don't know where the "install-pear-nozlib.phar" was originally, and therefore can't move it back, do I assume that I don't need to worry as it's already done whatever it needed to do?
#23802 - 10/17/12 12:06 PM Re: Pear appears infected [Re: ryck]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
It hasn't actually done anything. It's an installer file for PEAR, which is a set of PHP frameworks.

In case that doesn't sound like English, here's the quick and dirty rundown:

PHP is a programming language. It's used almost exclusively for writing programs that run on a Web site. For example, WordPress, the popular blogging program, is written in PHP.

Mac OS X is more than just a desktop operating system. It comes with Web and file serving programs as well. The Web server built into every version of OS X is a full-featured, powerful Web server package identical to what powers most of the world's Web sites. In addition to serving up Web pages, your Mac comes equipped to run Web programs like WordPress or Joomla or Drupal or zillions of others, because it includes PHP (along with other Web languages like Ruby, Python, Perl, and so on). Essentially, though it's turned off by default, your Mac is a full, powerful Web server and application platform; you could turn on the Web server, stick your Mac in a rack at a datacenter, and it would fit right in alongside all the other Web servers there.

Programming in PHP is a bit annoying in the sense that most of the time, if there's something you need to do, you need to write all the code to do it yourself. Let's say you want to write a Web site in PHP and you want people to be able to log in. Maybe it's a social networking site you're writing, maybe it's a Facebook clone, maybe it's a blog, maybe it's a dating site, maybe it's a store--but for whatever reason, you need to have people be able to log in. Normally, you'd write all the code for handing creating an account, storing it in a database, keeping track of who is logged in and who is not, and so on, and so on, yourself.

But wait a minute, people have already written this kind of code a zillion times before. WordPress is written in PHP and it has functions to do this. Drupal is written in PHP and it has login functions too.

That's what an "application framework" is. Basically, it's a skeleton for a program. It's a way of saying "A lot of programs for the Web need to be able to do a lot of things in common, like have users log in and out, play sounds, have users create accounts, be able to pull messages or posts from a database, be able to encrypt information to store it safely, be able to send an email, be able to upload or download pictures, and so on." An application framework is basically just a big collection of subroutines to do a lot of common tasks, so that you don't have to.

That's what PEAR is--a huge collection of subroutines for programs written in PHP.

By default, PEAR is not actually installed on your Mac...but the installer file is included on your Mac, so that if you are a PHP programmer, you can just install it and use it without needing to download it from the Internet. The file "install-pear-nozlib.phar" is, like its name suggests, an installer file for the PEAR framework.

Unless you are a PHP programmer *and* you want to use PEAR, this file will sit unneeded and unnoticed on your Mac and you'll never do anything with it.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#23803 - 10/17/12 12:28 PM Re: Pear appears infected [Re: alternaut]
alvarnell Offline


Registered: 09/21/09
Loc: Mtn View, CA, USA
Originally Posted By: alternaut
You may want to see if you still get the warning* after you update ClamXav's signature file to Daily CVD 15471 or later (current version is 15472, the flagging update was Daily 15462).
All users I've contacted have confirmed that it's been fixed for this particular file.
Quote:
It's suggested that the PHP.Exploit.CVE_2011_4153-2 flag is no longer raised with the newer updates, although ClamXav did not provide further details about its previous inclusion either. As Alvarnell mentioned above, it looks like this file contains vulnerabilities and not malware per se.
Actually it's PHP v5.3.8 that has the vulnerability and the file in question has all the elements that could trigger the vulnerability if it were malicious, which I'm confident it is not. I'm sure there are quite a few Mac PHP programmers who have installed PEAR without incident. Since all Mac OS X 10.6.8 and above users are running PHP 5.3.15, I also think the PHP CVE has been patched. The PHP Change Log says:
Quote:
http://www.php.net/ChangeLog-5.php
Version 5.4.0
01-Mar-2012
Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup()) (CVE-2011-4153).
and v5.3.15 was released on 19-Jul-2012.
Quote:
*) This may not be conclusive as I don't know if ClamXav includes the Quarantine folder in its scan.
As long as the ClamXav Preference->Quarantine->Quarantine infected files to: box is checked, ClamXav and Sentry will scan that directory.

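The triage this thread walks through, as one script: parse the scan window ryck pasted in the first post, check whether the hit came from the Daily CVD range alternaut names in #23800 (15462 introduced the flag, 15471 dropped it), and check the installed PHP against the fix release alvarnell cites from the change log in #23803. This is an added example, not code from the thread, from ClamXav or from ClamAV. The scan text is constructed in clamscan's "path: signature FOUND" layout rather than copied from ClamXav's window; the daily-version numbers come from the thread; 5.4.0 is the fix release quoted on the page, and 5.3.9 is the corresponding 5.3-branch fix release, which the page does not itself state.

```python
import re

# Constructed sample, modelled on the clamscan-style output quoted in the thread
# (clamscan prints "<path>: <signature> FOUND" per hit, then a summary block).
SAMPLE_SCAN = """\
Starting scan...
/Users/myname/Desktop/Quarantine/install-pear-nozlib.phar: PHP.Exploit.CVE_2011_4153-2 FOUND
ERROR: Can't unlink '/usr/lib/php/install-pear-nozlib.phar': Permission denied
----------- SCAN SUMMARY -----------
Known viruses: 1315949
Engine version: 0.97.5
Infected files: 1
Total errors: 307
"""

# Figures from the thread: Daily CVD 15462 introduced the flag, 15471 withdrew it.
FLAGGING_DAILY_FIRST = 15462
FLAGGING_DAILY_FIXED = 15471

# PHP releases carrying the fix for bug #55748 / CVE-2011-4153, keyed by branch.
# 5.4.0 is quoted on the page; 5.3.9 is the matching 5.3-branch release (assumed here).
CVE_2011_4153_FIXED = {"5.3": (5, 3, 9), "5.4": (5, 4, 0)}

HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
ERR_RE = re.compile(r"^ERROR: (?P<msg>.+)$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")


def parse_scan(text):
    """Split clamscan-style output into hits, error lines and the summary block."""
    hits, errors, summary = [], [], {}
    in_summary = False
    for line in text.splitlines():
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("val")
            continue
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
            continue
        m = ERR_RE.match(line)
        if m:
            errors.append(m.group("msg"))
    return {"hits": hits, "errors": errors, "summary": summary}


def parse_version(version):
    """'5.3.15' -> (5, 3, 15), so tuples compare numerically rather than as strings."""
    return tuple(int(p) for p in version.split("."))


def php_has_cve_2011_4153_fix(php_version):
    """True if the given PHP version is at or past its branch's fix release."""
    parts = parse_version(php_version)
    fixed = CVE_2011_4153_FIXED.get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        # A branch newer than any listed inherits the fix; an older one never got it.
        return parts > max(CVE_2011_4153_FIXED.values())
    return parts >= fixed


def signature_db_in_false_positive_window(daily_version):
    """True for the Daily CVD versions the thread reports as raising the flag in error."""
    return FLAGGING_DAILY_FIRST <= daily_version < FLAGGING_DAILY_FIXED


def triage(scan_text, daily_version, php_version):
    """Annotate each hit with the two checks the thread applies; errors are passed through."""
    parsed = parse_scan(scan_text)
    verdicts = []
    for path, sig in parsed["hits"]:
        notes = []
        if "CVE_2011_4153" in sig and signature_db_in_false_positive_window(daily_version):
            notes.append("signature from the Daily CVD range later withdrawn; likely false positive")
        if "CVE_2011_4153" in sig and php_has_cve_2011_4153_fix(php_version):
            notes.append(f"installed PHP {php_version} already carries the CVE-2011-4153 fix")
        if not notes:
            notes.append("no known false-positive context; keep quarantined and investigate")
        verdicts.append({"path": path, "signature": sig, "notes": notes})
    return verdicts, parsed["errors"]


if __name__ == "__main__":
    # Values from the thread: flagging update 15462, PHP 5.3.15 on 10.6.8 and later.
    verdicts, errors = triage(SAMPLE_SCAN, daily_version=15462, php_version="5.3.15")
    for v in verdicts:
        print(v["path"], v["signature"])
        for note in v["notes"]:
            print("  -", note)
    for err in errors:
        print("scan error:", err)
```

The "Can't unlink" line is kept as an error rather than a hit: it means the scanner could not remove the original under /usr/lib/php, which is exactly why the file is still in place even though a copy sits in the Quarantine folder.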
#23804 - 10/17/12 12:31 PM Re: Pear appears infected [Re: ryck]
alvarnell Offline


Registered: 09/21/09
Loc: Mtn View, CA, USA
Originally Posted By: ryck
Since I don't know where the "install-pear-nozlib.phar" was originally, and therefore can't move it back, do I assume that I don't need to worry as it's already done whatever it needed to do?
It came from /usr/php/ and I suspect it is still there as you would not have had permission to move it.

In any case, it is something you will almost certainly never use and is not at all involved in the operation of your Mac.
#23805 - 10/17/12 12:34 PM Re: Pear appears infected [Re: tacit]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: tacit
It hasn't actually done anything. It's an installer file for PEAR, which is a set of PHP frameworks.

In case that doesn't sound like English, here's the quick and dirty rundown:

Thanks for the full and educational response. It's appreciated.

Since the chance of me becoming a PHP programmer, let alone also wanting to use PEAR, is about the same as the odds of finding bear eggs in the woods behind the house... the file can stay where it is.


Edited by ryck (10/17/12 12:39 PM)
#23806 - 10/17/12 12:47 PM Re: Pear appears infected [Re: alvarnell]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: alvarnell
It came from /usr/php/ and I suspect it is still there as you would not have had permission to move it.

ClamXav moved it to the Quarantine folder and also provided the same trail for the place it came from. However I couldn't locate /usr/php/ and so I posed the question. However, as you say "it is something you will almost certainly never use and is not at all involved in the operation of your Mac" so I'll stop worrying about its location. Thanks for all your help.


Edited by ryck (10/17/12 12:47 PM)
#23810 - 10/17/12 04:23 PM Re: Pear appears infected [Re: alvarnell]
alternaut Offline

Moderator

Registered: 08/04/09
Thanks for your contribution here, Al, including filling in some of my blanks regarding ClamXav's scanning behavior.