A website of my customer has been hacked.
I know that Matomo does not have to be the security hole the hackers got in through, since this is a WordPress setup.
But I wanted to let you know what the hackers did, since they changed a Matomo file:
I realized that something was wrong when I tried to visit the my-customers-domain.com/piwik/ site. I got an Error 500. The log file showed: Namespace declaration statement has to be the very first statement in the script /piwik/core/Plugin/API.php on line 10.
They added some code at the top of the API.php.
As far as I have encoded the cryptic code, they inserted a remote PHP shell script. That way they were able to send some PHP commands to the API.php script files via POST/GET. I guess they then tried to make a db dump or gather some logins.
So if you get an Error 500 or you see a “Namespace declaration statement has to be the very first statement in the script” error, be aware: you might have been hacked.
If there is any further information that might be useful (maybe even to prevent these kinds of hacks), let me know.
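
The symptom described in the post above can be turned into a file check. This is an added example, not part of the original post and not Matomo code: a Python script that walks a directory and lists namespaced PHP files in which anything other than whitespace, comments or a `declare` statement comes before the `namespace` line. The function names and the sample strings are constructed for illustration, and the regex matching is a heuristic, not a full PHP parser.

```python
import re
import sys
from pathlib import Path

# PHP permits only whitespace, comments and declare(...) ahead of `namespace`.
ALLOWED = re.compile(
    r"\s+|//[^\n]*|#[^\n]*|/\*.*?\*/|declare\s*\([^)]*\)\s*;",
    re.DOTALL,
)
NAMESPACE_DECL = re.compile(
    r"^[ \t]*namespace\s+[A-Za-z_][\w\\]*\s*[;{]", re.MULTILINE
)
NAMESPACE_KW = re.compile(r"namespace\b")

# Constructed samples: a clean namespaced file and the same file with a
# statement prepended, which is the pattern the post describes.
CLEAN = "<?php\n/**\n * Header comment\n */\nnamespace Example\\Plugin;\n\nclass API {}\n"
TAMPERED = "<?php $x = 1; ?>" + CLEAN


def code_before_namespace(source: str) -> bool:
    """Return True when a namespaced PHP file has code ahead of its namespace line."""
    if not NAMESPACE_DECL.search(source):
        return False  # no namespace declared, so the check does not apply
    if not source.startswith("<?php"):
        return True  # bytes (HTML, BOM, other text) ahead of the opening tag
    pos = len("<?php")
    while True:
        m = ALLOWED.match(source, pos)
        if not m:
            break
        pos = m.end()
    return NAMESPACE_KW.match(source, pos) is None


def scan(root: Path) -> list[Path]:
    """List .php files under root whose namespace statement is not first."""
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if code_before_namespace(text):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in scan(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"code before namespace: {hit}")
```

Files that declare no namespace are skipped by this check, so a clean result here does not replace comparing the installation against the original release files.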