Publish hash and signature of the compromise version for detection

[etigervaise]

Hey,
Is it possible to publish the hashes and signature of the tainted version for detection. If you have any other idea for easy detection it would be great.

Thanks!

[FQuen]

According to Rapid7's blog, the MD5 hash of the compromised version is 1e26d9dd3110af79a9595f1a77a82de7

Source : https://blog.rapid7.com/2019/01/22/php-extension-and-application-repository-pear-compromise-what-you-need-to-know/

[ashnazg]

@FQuen is correct... tainted file's md5sum is 1e26d9dd3110af79a9595f1a77a82de7.

[bbaald]

does anyone have a md5 for the corresponding non-tainted version? the version i d/l'd on 1/14 does not match the above, but i'd feel much more secure knowing that it does match the clean version.
thx.

[ashnazg]

@bbaald history of good hashes is visible here -- https://gist.github.com/ashnazg/f40be76c05da965bc749c914828c0dba

Your go-pear.phar download on 1/14 should match this hash if it's a valid copy:
95ef294f47d21d8c27af75a34f055f16

[bbaald]

@ashnazg many thanks. FWIW if anyone wants a forensic data point, my 1/14 download is A-OK.