Piwik.org webserver hacked and backdoor added to Piwik

If you are using Piwik and you have downloaded/updated it recently, please double check your install to verify that it does not contain a backdoor. From piwik.org:

Important Security Announcement: Piwik.org webserver got compromised by an attacker on 2012 Nov 26th, this attacker added a malicious code in the Piwik 1.9.2 Zip file for a few hours.

How do I know if my Piwik server is safe?

You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC.
If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.

The attackers also added a backdoor at the end of the file Loader.php allowing them to execute any command using preg_replace("/(.+)/e" (code eval) and $_GET['g']. You can search on your logs for “g=” and see if it was used by any attacker.

In their report they say it was compromised through a vulnerability on a WordPress Plugin, but didn’t provide any details on which one caused it. We will post more details if we learn more about it.

Scan your website for free:
About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid