Hacked on the latest version

kimmyk · June 10, 2015, 8:08am

Hi,

This morning we found out somebody hacked our Piwik version. I have not enough knowledge how and what, but just a heads up. These were the hacked files:

{HEX}php.base64.v23au.183 : ./plugins/DBStats/page.php
{HEX}php.base64.v23au.183 : ./plugins/Overlay/javascripts/code74.php
{HEX}php.base64.v23au.183 : ./plugins/CoreAdminHome/javascripts/code.php
{HEX}php.base64.v23au.183 : ./plugins/CorePluginsAdmin/stylesheets/error6.php
{HEX}php.base64.v23au.183 : ./plugins/ExampleTracker/lang/gallery.php
{HEX}php.base64.v23au.183 : ./libs/Zend/Config/error.php
{HEX}php.base64.v23au.183 : ./libs/bower_components/angular-cookies/footer14.php
{HEX}php.base64.v23au.183 : ./tmp/templates_c/61/article53.php
{HEX}php.base64.v23au.183 : ./vendor/monolog/monolog/css79.php
./plugins/VisitTime/Columns/LocalTime.php
./plugins/DBStats/proxy.php
./plugins/DBStats/Reports/GetAdminDataSummary.php
./plugins/DBStats/Reports/GetMetricDataSummary.php
./plugins/Referrers/API.php
./plugins/Actions/Reports/GetDownloads.php
./plugins/SEO/Metric/javascript.php
./plugins/SEO/lang/option.php
./plugins/SEO/templates/object.php
./plugins/Goals/Reports/Get.php
./plugins/Transitions/images/stats.php
./plugins/LeftMenu/Settings.php
./plugins/Resolution/Reports/sql.php
./plugins/PrivacyManager/PrivacyManager.php
./plugins/Diagnostics/Diagnostics.php
./plugins/UserLanguage/lang/proxy.php
./plugins/UsersManager/javascripts/proxy.php
./plugins/CoreHome/DataTableRowAction/xml.php
./plugins/CoreHome/Columns/info.php
./plugins/Annotations/javascripts/xml.php
./plugins/Installation/FormFirstWebsiteSetup.php
./plugins/ScheduledReports/Tasks.php
./lang/pl.php
./core/Updates/1.11-b1.php
./core/ReportRenderer/options.php
./core/ViewDataTable/Manager.php
./core/Plugin/Segment.php
./core/Db/Adapter.php
./config/manifest.inc.php
./libs/Zend/Validate.php
./libs/Zend/Mail/start.php
./libs/bower_components/ngDialog/ajax.php
./tmp/stats.php
./tmp/cache/tracker/eagercache-2131-tracker.php
./tmp/cache/tracker/eagercache-2131-ui.php
./tmp/cache/tracker/piwikcache_Translations-nl-e88b4d6ec60b54e349e7d87f60a392de34d44bd7.php
./tmp/cache/tracker/piwikcache_Translations-en-1b102ea65a388758ae542899d561fc1def482e31.php
./tmp/cache/tracker/piwikcache_Translations-en-e88b4d6ec60b54e349e7d87f60a392de34d44bd7.php
./tmp/cache/tracker/piwikcache_general.php
./tmp/templates_c/24/proxy.php
./tmp/templates_c/a6/lib.php
./tmp/templates_c/4a/themes.php
./tmp/templates_c/35/diff.php
./vendor/twig/diff.php

This was a default install. No directories were opened or changed onour end.

We reinstalled and hope for the best;-)

kimmyk · June 11, 2015, 1:09pm

And hacked again…

Code injected and we’re on Hotmail and Gmail’s blacklists now. Bummer.

We’re tightening filerights see if will still nbe working well. Happens from within the TMP directory each time.

matthieu · June 12, 2015, 12:44am

Hi there,

Do you run other software on the same server, such as wordpress or other applications?

it’s possible another application was used to penetrate the server and then the malware spread to piwik files.

Do you have more information or maybe logs where you can see what the intruder is doing and how he got in?

Thanks

kimmyk · June 12, 2015, 8:07am

Hi Matt,

Thanks for the reply.

We had an old, almost forgotten version of OpenX on our server. The good people at Amerinoc found out from the logs that:

Yesterday, IP 192.163.250.195 POST’d to the following:
192.163.250.195 - - [10/Jun/2015:03:28:59 -0700] “POST /ads/var/cache/deliverycache_17df5a3abec4c54873459093462ff06e.php HTTP/1.1” 200 367 “-” "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
192.163.250.195 - - [10/Jun/2015:06:19:17 -0700] “POST /ads/var/cache/deliverycache_8960c6a031ae926bd3076f119e938fc2.php HTTP/1.1” 200 314 “-” "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
192.163.250.195 - - [10/Jun/2015:06:19:18 -0700] “POST /ads/var/cache/deliverycache_17df5a3abec4c54873459093462ff06e.php HTTP/1.1” 200 497 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0”

Immediate after those last 2, it POST’d to:
192.163.250.195 - - [10/Jun/2015:06:19:22 -0700] “GET /piwik/tmp/templates_c/25/diff.php HTTP/1.1” 200 363 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0”

We updated the old OpenX version and are waiting tobe whitelisted with Spamhaus again.

Thanks (and sorry for blaming Piwik;-)).

youradds · June 12, 2015, 11:32am

OpenX caught me out as well on one of my sites - wasn’t pretty

kimmyk · June 12, 2015, 11:48am

@Andy, we hardly use it but for one or two small sites, so I might have been lucky.
Hopefully all is good again now.

Not updating OpenX for 5 years sure wasn’t the smartest thing to do I’m sure. I did not even know they - again - renamed the program. It’s the 4th renaming since I first started using it.

youradds · June 12, 2015, 11:50am

Yeah - I remember when I first started using it, I think it was called phpMyAds (or something like that). I had the same thing where I forgot it was even there (as it wasn’t being used any more), but as always, the hackers found it and made use of the fact it was such an old version.

As you said - could have been a lot worse!