The tl;dr is that there are links in spam email to my piwik instance (http://piwik.arunraghavan.net/large.php?Bradley_Warner) which redirect to spam pages. I’ve had to bring the instance down but can bring it back up if someone wants to see what the redirect looks like.
Well a little more information might get you some help.
I’m just guessing here.
Someone uploaded a “large.php” file, which does not seem to be a normal Piwik file, to your Piwik installation, and links this file in spam mails?
Well… assume your webserver to be hacked then and start over new. Talk to your hoster maybe…
X-Account-Key: account8
X-UIDL: 878bf8783f5a4a793c17b8638126ea7a
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Envelope-From: <BradleyWarner@apex.com.my>
X-Envelope-To: <x>
X-Delivery-Time: 1439104958
X-UID: 485
Return-Path: <BradleyWarner@apex.com.my>
Authentication-Results: strato.com 1;
spf=pass
smtp.mailfrom="BradleyWarner@apex.com.my";
dkim=pass
header.d=apex.com.my;
domainkeys=none;
dkim-adsp=pass
header.from="BradleyWarner@apex.com.my"
X-Strato-MessageType: email
X-RZG-CLASS-ID: mi
Received-SPF: pass
(strato.com: domain apex.com.my designates 210.19.31.174 as permitted sender)
mechanism=mx;
client-ip=210.19.31.174;
helo="mail.apex.com.my";
envelope-from="BradleyWarner@apex.com.my";
receiver=smtp.rzone.de;
identity=mailfrom;
Received: from mail.apex.com.my ([210.19.31.174])
by smtp.rzone.de (RZmta 37.8 OK)
with ESMTP id A03131r797MbzhO
for <x>;
Sun, 9 Aug 2015 09:22:37 +0200 (CEST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.apex.com.my (Postfix) with ESMTP id 2EEA6F79004D;
Sun, 9 Aug 2015 15:22:35 +0800 (MYT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=apex.com.my; s=alpha;
t=1439104955; bh=LmQqgrOIMM82FoEOE+TGM/UOoIAmUPOr6fydddlbklM=;
h=Date:From:Subject:To;
b=VNi7Kze/1n+8vZ58pSMcB1hMsc/0zCARBl0Kmm2VqeoZukNXuhWJ+JT+EtcTib1hx
1OJwJem4sMaJ1P7tY9Z/MHwHWxpoPJ3p4ATXoqkxYOzrrYTlSTT5JjdeMrtZNbRljW
njIFcWSaGLfJYZm3um6Gq1h4QmV2m+GTKrNLCAIE=
X-Virus-Scanned: amavisd-new at apex.com.my
Received: from mail.apex.com.my ([127.0.0.1])
by localhost (mail.apex.com.my [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id NRlRoL9zBNoW; Sun, 9 Aug 2015 15:22:33 +0800 (MYT)
Received: from mail.apex.com.my (filed-firer.volia.net [93.74.141.133])
by mail.apex.com.my (Postfix) with ESMTPSA id 49454F79003A;
Sun, 9 Aug 2015 15:22:25 +0800 (MYT)
X-Mailer: YahooMailIosMobile/0.0 YahooMailWebService/0.8.203.802
Message-ID: <e120_______________________f67$@apex.com.my>
Date: Sat, 9 Aug 2015 08:22:25 +0000
From: Bradley Warner <BradleyWarner@apex.com.my>
Subject: from: Bradley Warner
To: "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
<table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top"><div id='yahoo__compose_area' style="background-color:white; display:block; font-family:HelveticaNeue-Regular,Helvetica;"><br>Hi!<b> </b><div>How are you?</div><div><a href="http://piwik.arunraghavan.net/large.php?Bradley_Warner">http://piwik.arunraghavan.net/large.php?Bradley_Warner</a><i> </i></div><div>Bradley Warner </div><div><i> </i></div><div><br><div><a href="https://yho.com/footer0">Sent from Yahoo Mail for iPhone</a></div></div></div><div id='yahoo__original_message'></div></html></td></tr></table>
Just to confirm: these emails are not crafted or sent by Piwik. Likely your server was compromised and maybe some virus / worm is on there generating spam? Or some other app?
I think it’s actually because of a bad WordPress config, where write to part of htdocs was allowed (to allow for automated updates to plugins etc.)
I’m in the process of rebuilding the server from scratch, but now I’m concerned that allowing the same thing (write access to htdocs for httpd) on the Piwik instance is also kind of insecure. Do you have recommendations on best practices with regards to security here?
I was thinking of performing the upgrade by cleaning out the installation directory and unzipping the new version again each time (will probably automate using ansible or such). This sounds a bit painful, though.
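One check that fits the rebuild-from-a-fresh-unzip approach described above, as an added example that is neither from this thread nor part of Piwik: compare the deployed web root against a pristine copy of the same release so that files the release never shipped (like the large.php in this thread) or files that were altered stand out. The directory names tmp/ and config/ are assumed to be the only places the application legitimately writes; the sample trees in demo() are constructed for the example.

```shell
#!/bin/sh
# Added example, not Piwik's own tooling. Assumes the application only needs
# write access to the directories passed after WEBROOT (tmp/ and config/ here).

# unexpected_files RELEASE_DIR WEBROOT [DIR ...]
# Prints "extra: <path>" for files absent from the release and
# "modified: <path>" for files whose content differs from the release copy.
# Files under the listed writable directories are skipped.
unexpected_files() {
    release="$1"; webroot="$2"; shift 2
    writable="$*"
    ( cd "$webroot" && find . -type f ) | sed 's|^\./||' | sort |
    while IFS= read -r f; do
        for d in $writable; do
            case "$f" in "$d"/*) continue 2 ;; esac
        done
        if [ ! -f "$release/$f" ]; then
            echo "extra: $f"
        elif ! cmp -s "$release/$f" "$webroot/$f"; then
            echo "modified: $f"
        fi
    done
}

# demo: constructed sample trees (hypothetical file names) so the check
# runs offline. The "release" tree stands in for a freshly unzipped release,
# the "webroot" tree for the deployed instance.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/release/core" "$work/webroot/core" \
             "$work/webroot/tmp/cache" "$work/webroot/config"
    echo '<?php // index' > "$work/release/index.php"
    echo '<?php // core'  > "$work/release/core/Piwik.php"
    cp "$work/release/index.php" "$work/webroot/index.php"
    echo '<?php // core, tampered'  > "$work/webroot/core/Piwik.php"
    echo 'not part of the release'  > "$work/webroot/large.php"
    echo 'cache'                    > "$work/webroot/tmp/cache/x"
    echo 'local settings'           > "$work/webroot/config/config.ini.php"
    unexpected_files "$work/release" "$work/webroot" tmp config
    rm -rf "$work"
}

demo
```

In practice the same function is run with the unzipped release as RELEASE_DIR and the live document root as WEBROOT, which is also a cheap way to verify that a clean-out-and-unzip upgrade left nothing behind.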