Backdoor found in Piwik analytics software - Update
A backdoor has been added to the web server analytics software Piwik which allows attackers to take control of a system. Users who have set up Piwik in the last few weeks, after downloading it from the open source project's own server and installing it, should review their servers immediately.
A reader of heise Security discovered the unusual code when he was inspecting /piwik/core/Loader.php. At the end of the file he found base64-encoded data which, when unpacked, transfers data to a server at prostoivse.com. The code also sets the manifest file lic.log and activates /piwik/core/DataTable/Filter/Megre.php. The latter file is a general-purpose upload form and can be used as a shell command launcher, allowing the attackers to run arbitrary PHP commands and manually compromise a system further.
The download package, latest.zip, of the current version 1.9.2 of the Piwik server code was apparently affected. A clear sign of an infected Piwik installation is the line of code:
in the file /piwik/core/Loader.php, which unpacks and runs the disguised code. Anyone who discovers this line should shut down their Piwik server and review its code. The problem is being discussed on the Piwik forum; Piwik team members are investigating how the archive was infected.
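A defender's check for the signs described above, as an added example (not code from heise or the Piwik project): it looks for Megre.php, for a lic.log anywhere in the install tree, and for a long base64 run or a base64_decode() call at the end of core/Loader.php. The 200-character threshold, the tail-only read and the tree-wide search for lic.log are assumptions, since the article does not give the exact line or the log file's location.

```python
"""Heuristic scan for the backdoor indicators named in the article.

Added example, not code from heise or the Piwik project. The file names and
the "encoded data at the end of core/Loader.php" sign come from the article;
the regex thresholds and the search for lic.log are assumptions.
"""
import re
from pathlib import Path

# Upload form / command launcher the article names (relative to the Piwik root).
MEGRE = Path("core/DataTable/Filter/Megre.php")
LOADER = Path("core/Loader.php")

# Assumption: a single run of 200+ base64 characters is not something a clean
# Loader.php contains; the real payload blob was far longer than this.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DECODE_CALL = re.compile(r"base64_decode\s*\(", re.IGNORECASE)


def loader_tail_suspicious(loader: Path, tail_bytes: int = 65536) -> bool:
    """True if the tail of Loader.php carries a base64 blob or base64_decode()."""
    if not loader.is_file():
        return False
    with loader.open("rb") as fh:
        fh.seek(max(0, loader.stat().st_size - tail_bytes))
        tail = fh.read().decode("utf-8", errors="replace")
    return bool(B64_RUN.search(tail) or DECODE_CALL.search(tail))


def scan_piwik(root) -> list:
    """Return human-readable findings for the Piwik tree rooted at `root`."""
    root = Path(root)
    findings = []
    if (root / MEGRE).exists():
        findings.append(f"indicator file present: {MEGRE}")
    # The article does not say where lic.log is written, so search the tree.
    for path in sorted(root.rglob("lic.log")):
        findings.append(f"indicator file present: {path.relative_to(root)}")
    if loader_tail_suspicious(root / LOADER):
        findings.append(f"encoded payload at end of {LOADER}")
    return findings


if __name__ == "__main__":
    import sys
    hits = scan_piwik(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(hits) if hits else "no indicators found")
```

Run it with the Piwik root as the only argument; an empty result means none of the three signs from the article is present, not that the install is clean.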
Update (13:40) - The Piwik developers have now published a blog posting about the security incident. They say the code now available on their website is free from the malware. Access to the Piwik server was obtained through a vulnerable WordPress plugin used on the site. The developers also include instructions on how to clean a compromised Piwik installation; essentially by backing up the Piwik configuration file and then deleting the entire Piwik directory and installing a freshly downloaded copy of the software.