Piwik being used in spam links

I posted this as a bug, but it was suggested I bring this up here: Potential spam source · Issue #8609 · matomo-org/piwik · GitHub

The tl;dr is that there are links in spam email to my piwik instance (http://piwik.arunraghavan.net/large.php?Bradley_Warner) which redirect to spam pages. I’ve had to bring the instance down but can bring it back up if someone wants to see what the redirect looks like.

Any ideas? Have I misconfigured something?

Well a little more information might get you some help.

I’m just guessing here.
Someone uploaded a “large.php” file, which does not seem to be a normal Piwik file, to your Piwik installation, and links this file in spam mails?

Well… assume your webserver to be hacked then and start over new. Talk to your hoster maybe…

Hey, could you paste here an example such email (the email source)?

Here you go:


X-Account-Key: account8
X-UIDL: 878bf8783f5a4a793c17b8638126ea7a
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Envelope-From: <BradleyWarner@apex.com.my>
X-Envelope-To: <x>
X-Delivery-Time: 1439104958
X-UID: 485
Return-Path: <BradleyWarner@apex.com.my>
Authentication-Results: strato.com 1;
	spf=pass
		smtp.mailfrom="BradleyWarner@apex.com.my";
	dkim=pass
		header.d=apex.com.my;
	domainkeys=none;
	dkim-adsp=pass
		header.from="BradleyWarner@apex.com.my"
X-Strato-MessageType: email
X-RZG-CLASS-ID: mi
Received-SPF: pass
	(strato.com: domain apex.com.my designates 210.19.31.174 as permitted sender)
	mechanism=mx;
	client-ip=210.19.31.174;
	helo="mail.apex.com.my";
	envelope-from="BradleyWarner@apex.com.my";
	receiver=smtp.rzone.de;
	identity=mailfrom;
Received: from mail.apex.com.my ([210.19.31.174])
	by smtp.rzone.de (RZmta 37.8 OK)
	with ESMTP id A03131r797MbzhO
	for <x>;
	Sun, 9 Aug 2015 09:22:37 +0200 (CEST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mail.apex.com.my (Postfix) with ESMTP id 2EEA6F79004D;
	Sun,  9 Aug 2015 15:22:35 +0800 (MYT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=apex.com.my; s=alpha;
	t=1439104955; bh=LmQqgrOIMM82FoEOE+TGM/UOoIAmUPOr6fydddlbklM=;
	h=Date:From:Subject:To;
	b=VNi7Kze/1n+8vZ58pSMcB1hMsc/0zCARBl0Kmm2VqeoZukNXuhWJ+JT+EtcTib1hx
	 1OJwJem4sMaJ1P7tY9Z/MHwHWxpoPJ3p4ATXoqkxYOzrrYTlSTT5JjdeMrtZNbRljW
	 njIFcWSaGLfJYZm3um6Gq1h4QmV2m+GTKrNLCAIE=
X-Virus-Scanned: amavisd-new at apex.com.my
Received: from mail.apex.com.my ([127.0.0.1])
	by localhost (mail.apex.com.my [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id NRlRoL9zBNoW; Sun,  9 Aug 2015 15:22:33 +0800 (MYT)
Received: from mail.apex.com.my (filed-firer.volia.net [93.74.141.133])
	by mail.apex.com.my (Postfix) with ESMTPSA id 49454F79003A;
	Sun,  9 Aug 2015 15:22:25 +0800 (MYT)
X-Mailer: YahooMailIosMobile/0.0 YahooMailWebService/0.8.203.802
Message-ID: <e120_______________________f67$@apex.com.my>
Date: Sat, 9 Aug 2015 08:22:25 +0000
From: Bradley Warner <BradleyWarner@apex.com.my>
Subject: from:  Bradley Warner
To: "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>, "x" <x>
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top"><div id='yahoo__compose_area' style="background-color:white; display:block; font-family:HelveticaNeue-Regular,Helvetica;"><br>Hi!<b> </b><div>How are you?</div><div><a href="http://piwik.arunraghavan.net/large.php?Bradley_Warner">http://piwik.arunraghavan.net/large.php?Bradley_Warner</a><i> </i></div><div>Bradley Warner </div><div><i> </i></div><div><br><div><a href="https://yho.com/footer0">Sent from Yahoo Mail for iPhone</a></div></div></div><div id='yahoo__original_message'></div></html></td></tr></table>

Just to confirm: these emails are not crafted or sent by Piwik. Likely your server was compromised and maybe some virus / worm is on there generating spam? Or some other app?

I think it’s actually because of a bad WordPress config, where write to part of htdocs was allowed (to allow for automated updates to plugins etc.)

I’m in the process of rebuilding the server from scratch, but now I’m concerned that allowing the same thing (write access to htdocs for httpd) on the Piwik instance is also kind of insecure. Do you have recommendations on best practices with regards to security here?

I was thinking of performing the upgrade by cleaning out the installation directory and unzipping the new version again each time (will probably automate using ansible or such). This sounds a bit painful, though.
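The concern about write access to the web root is well founded: the large.php in this thread is exactly what a webroot writable by the web-server account lets an attacker plant, and the check that matches the poster's update idea is to compare the live tree against a freshly unpacked release of the same version. The following Python is an added example (mine, not Piwik's own tooling and not the poster's) that does that comparison: it hashes both trees, reports files the release never shipped, shipped files whose content changed, shipped files that vanished, and files the web-server account could overwrite. The excluded directories (config/, tmp/), the fixture tree and the planted file names are assumptions made for the example.

```python
import hashlib
import os
import stat
import tempfile

# Paths under the web root that legitimately differ between a pristine release
# and a running install (local config, caches). Assumption for this example;
# adjust to the install being audited.
EXCLUDE_TOP_DIRS = {"config", "tmp"}


def _hash_tree(root):
    """Map every regular file outside the excluded dirs: relative path -> sha256."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != "." and rel_dir.split(os.sep)[0] in EXCLUDE_TOP_DIRS:
            dirnames[:] = []  # do not descend into excluded trees
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            with open(path, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def audit(live_root, reference_root, web_uid):
    """Compare a live web root against an unpacked release of the same version.

    foreign:         files the release does not ship (the large.php case)
    modified:        shipped files whose content changed (tampered core files)
    missing:         shipped files that were deleted
    writable_by_web: files the web-server process could overwrite because it
                     owns them with u+w, or because they are world-writable
    """
    live, ref = _hash_tree(live_root), _hash_tree(reference_root)
    report = {
        "foreign": sorted(set(live) - set(ref)),
        "modified": sorted(p for p in live if p in ref and live[p] != ref[p]),
        "missing": sorted(set(ref) - set(live)),
        "writable_by_web": [],
    }
    for rel in sorted(live):
        st = os.stat(os.path.join(live_root, rel))
        owner_writable = st.st_uid == web_uid and bool(st.st_mode & stat.S_IWUSR)
        world_writable = bool(st.st_mode & stat.S_IWOTH)
        if owner_writable or world_writable:
            report["writable_by_web"].append(rel)
    return report


def _write(root, rel, text, mode=None):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    if mode is not None:
        os.chmod(path, mode)


def build_sample(base):
    """Constructed fixture (not a real Piwik tree): a pristine release next to a
    live webroot that has one planted file and one tampered core file."""
    ref = os.path.join(base, "piwik-release")
    live = os.path.join(base, "htdocs")
    for root in (ref, live):
        _write(root, "index.php", "<?php // entry point\n")
        _write(root, "core/Piwik.php", "<?php // core class\n")
    _write(ref, "config/global.ini.php", "; shipped defaults\n")
    _write(live, "config/config.ini.php", "; local settings, expected to differ\n")
    _write(live, "large.php", "<?php // planted redirector placeholder\n", mode=0o666)
    _write(live, "core/Piwik.php", "<?php // core class\n// line appended by attacker\n")
    return live, ref


def demo():
    """Run the audit over the fixture, treating the current user as the
    web-server account so the ownership check fires without needing root."""
    with tempfile.TemporaryDirectory() as base:
        live, ref = build_sample(base)
        return audit(live, ref, os.getuid())


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:16s} {paths}")
```

On a real system call audit() with the document root, an unpacked release of the same version, and the uid of the httpd/php-fpm account (pwd.getpwnam("www-data").pw_uid, for example). A healthy install reports nothing foreign or modified, and the only web-writable paths should be the few Piwik itself writes at run time, such as tmp/; everything else belongs to a separate deploy user and stays read-only to the web server, which is what makes the clean-and-unpack update the poster describes a sound default rather than a chore.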

If you use Debian you can use our Debian package: http://debian.piwik.org/

Otherwise can also use Git: How do I use Piwik from the official Git repository? - Analytics Platform - Matomo

d’oh, of course. I’ll set things up to update based on git tags. Thank you both for the help!