Piwik.org webserver hacked and backdoor added to Piwik

If you are using Piwik and you have downloaded/updated it recently, please double check your install to verify that it does not contain a backdoor. From piwik.org:

Important Security Announcement: Piwik.org webserver got compromised by an attacker on 2012 Nov 26th, this attacker added a malicious code in the Piwik 1.9.2 Zip file for a few hours.

How do I know if my Piwik server is safe?

You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC.
If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.

The attackers also added a backdoor at the end of the file Loader.php allowing them to execute any command using preg_replace("/(.+)/e" (code eval) and $_GET[‘g’]. You can search on your logs for “g=” and see if it was used by any attacker.

In their report they say it was compromised through a vulnerability on a WordPress Plugin, but didn’t provide any details on which one caused it. We will post more details if we learn more about it.

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid