I know that Matomo need not be the security hole the hackers got in through, since this is a WordPress setup.
But I wanted to let you know what the hackers did, since they changed a Matomo file:
I realized that something is wrong as I tried to visit the my-customers-domain.com/piwik/ site. I got an Error 500. The logfile showed: Namespace declaration statement has to be the very first statement in the script /piwik/core/Plugin/API.php on line 10.
They added some code at the top of the API.php.
As far as I have decoded the cryptic code, they inserted a remote PHP shell script. That way they were able to send some PHP commands to the API.php script files via POST/GET. I guess they then tried to make a db dump or gather some logins.
So if you get an Error 500 or you see a “Namespace declaration statement has to be the very first statement in the script” error, be aware that you might have been hacked.
If there is any further information that might be useful (maybe to even prevent this kind of hack), let me know.
While it isn’t impossible that the attackers used Matomo, this sounds like they found a vulnerability somewhere (maybe the WordPress site) that allowed them to modify files on the server, and they prepended their malware to the beginning of PHP files. It seems like their attack doesn’t work correctly and therefore broke Matomo, throwing the error you saw (prepending PHP code to the start of a file often results in an invalid file).
I’m no security expert, but I would err on the side of safety and create a new server and very carefully migrate data there once everything has been updated.
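A defender-side tripwire for the failure mode Lukas describes, added here as an example and not code from the thread or from Matomo: it walks a directory of PHP files and reports every namespaced file where something other than whitespace, comments, the opening tag or a declare() statement sits in front of the namespace declaration, which is exactly the condition that produced the Error 500 in the original post. The sample file heads are constructed, the placeholder payload is invented, and the check is deliberately stricter than PHP's own rule, so anything it flags needs a look rather than being an automatic verdict.

```python
"""Tripwire: flag PHP files where something precedes the namespace declaration."""
import re
from pathlib import Path
from typing import Optional

# What PHP itself tolerates before `namespace`: whitespace, the opening tag,
# comments and declare() statements. Anything else left over is a finding.
_ALLOWED_PREFIX = re.compile(
    r"(?:\s+"                            # whitespace and newlines
    r"|<\?php\b"                         # opening tag
    r"|//[^\n]*|#[^\n]*"                 # line comments
    r"|/\*.*?\*/"                        # block and doc comments
    r"|declare\s*\([^)]*\)\s*;)",        # e.g. declare(strict_types=1);
    re.DOTALL,
)
_NAMESPACE = re.compile(r"namespace\s+[A-Za-z_\\][\w\\]*\s*[;{]")

# Constructed samples (not the real Matomo files): the head of a clean
# namespaced file, and the same file with a harmless placeholder prepended
# the way the thread describes.
CLEAN = "<?php\n/**\n * Matomo - free/libre analytics platform\n */\n" \
        "namespace Piwik\\Plugin;\n\nclass API {}\n"
TAMPERED = "<?php echo 'INJECTED_PLACEHOLDER'; ?>\n" + CLEAN


def code_before_namespace(src: str) -> Optional[str]:
    """Return the text PHP would not accept ahead of the first namespace
    statement, or None if the file is clean or declares no namespace."""
    pos = 0
    while (step := _ALLOWED_PREFIX.match(src, pos)) is not None:
        pos = step.end()                 # skip everything PHP allows up front
    rest = src[pos:]
    if _NAMESPACE.match(rest):
        return None                      # namespace really is the first statement
    found = _NAMESPACE.search(rest)
    if found is None:
        return None                      # plain script, not a namespaced file
    return rest[:found.start()].strip()  # the prepended material, for triage


def scan_tree(root: Path) -> dict:
    """Map relative path -> offending prefix for every flagged .php file under root."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hit = code_before_namespace(path.read_text(encoding="utf-8", errors="replace"))
        if hit is not None:
            findings[str(path.relative_to(root))] = hit
    return findings
```

Point `scan_tree` at the web root (for example `scan_tree(Path("/var/www/piwik"))`, path assumed) and compare the flagged files against a clean copy of the same release, as the original poster did with a backup.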
Thanks for your comments, @Lukas.
I also think the script does not work correctly. If the script had not broken Matomo, I would never have realized the hack.
I also found that these files have been changed:
/piwik/plugins/Actions/Reports/GetSiteSearchKeywords.php
/piwik/plugins/MultiSites/Categories/MultiSitesCategory.php
/piwik/plugins/Actions/Reports/GetSiteSearchKeywords.php
Furthermore, I found one file in a WordPress plugin that had been edited in the same way.
I reverted to a backup where the exploit was not present. Then I changed all related passwords, installed all the latest updates and applied some more security-related settings. I hope this will fix the security hole.