If you are using Piwik and you have downloaded/updated it recently, please double check your install to verify that it does not contain a backdoor. From piwik.org:
Important Security Announcement: Piwik.org webserver got compromised by an attacker on 2012 Nov 26th, this attacker added a malicious code in the Piwik 1.9.2 Zip file for a few hours.
How do I know if my Piwik server is safe?
You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC.
If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.
The attackers also added a backdoor at the end of the file Loader.php allowing them to execute any command using preg_replace(“/(.+)/e” (code eval) and $_GET[‘g’]. You can search on your logs for “g=” and see if it was used by any attacker.
In their report they say it was compromised through a vulnerability on a WordPress Plugin, but didn’t provide any details on which one caused it. We will post more details if we learn more about it.
Leave a reply