ALERT! SECURITY ISSUE: latest.zip is infected

Thanks! Also for the quick handling of the issue.

Curious: Which WordPress plugin?
I use WP with several plugins too and I would like to know which one, so I can deactivate it.
(If you don’t want to tell in public, a private message would be nice)

Please separate the download server from the official website. WordPress is known for its security flaws and this can happen again. Set up a separate server just to serve the download archives (e.g. download.piwik.org).

I’m here to say that you obviously got pwned by so-called Russian Hackers.
Whois details say "Email: ebaka@prostoivse.com"
Well, “prostoivse” gives us “просто и все” which stands for “it’s just simple”.
And “ebaka” stands for “f-cker”.
Good luck.

Blog, forum and downloads should all be separated. Downloads should be signed and the key published by a different server. MD5 hashes can be faked now. Best would be to generate the downloads from the Git repository. Suggest that people clone from your version control instead of downloading from the server.

We have taken steps to ensure it does not happen again (certainly not that “easily”):

  • we have now separated the downloads to another server at builds.piwik.org
  • we set up different SSH accounts for each subdomain so that even if one subdomain is compromised it will not affect others.

@Matt was this just an update or did it really take that long to do what you are stating has been done to help rectify this issue?

Stating what was done months ago, as I realized I forgot to update this post.