<pre>Invalid argument supplied for foreach() in '/home/mydomain3/stats.mydomain.net/piwik/core/Config.php' at the line 290

osvaldo · 2012-02-20 18:22:52 UTC

My current piwik install seems to have been cracked. I’ve just upgraded to 1.7 a few days ago. The current error page says:

Invalid argument supplied for foreach() 
in '/home/mydomain3/stats.mydomain.net/piwik/core/Config.php' at the line 290

#0  Piwik_ErrorHandler(...) called at [/home/mydomain3/stats.mydomain.net/piwik/core/Config.php:290]
#1  Piwik_Config->cacheConfigArray(...) called at [/home/mydomain3/stats.mydomain.net/piwik/core/Config.php:334]
#2  Piwik_Config->__get(...) called at [/home/mydomain3/stats.mydomain.net/piwik/core/Session.php:31]
#3  Piwik_Session::isFileBasedSessions(...) called at [/home/mydomain3/stats.mydomain.net/piwik/core/FrontController.php:238]
#4  Piwik_FrontController->init(...) called at [/home/mydomain3/stats.mydomain.net/piwik/index.php:52]

Look at the rr.nu script at the end.

What should I do?

skarweb · 2012-02-20 21:58:29 UTC

Hi Osvaldo,

I have no answer for your problem, but your FTP account might have been explored by someone. At least change your FTP password immediately.

Regards,
Wilco

matthieu · 2012-02-20 22:02:01 UTC

Do you run other softwares on the same server? Most likely the attacker modified piwik using another software hole.

Do you have the logs for your website, to see what requests were made in the last few days?

osvaldo · 2012-02-21 18:15:42 UTC

Hi,

Thank you for your answers. Yes indeed I had other software in the same server with the same user, and I’ve change my SSH password.

I’ve removed all the other software and reinstalled piwik. As you say the hole might be in another software. If it’s a spammer (as it looks like) than he wouldn’t left error messages on the attacked server.

Anyway, I’ve installed Piwik with other passwords (MySQL and admin) and check who has permissions. If it’s a crack the cracker will be able to crack it again.

I’ll keep you posted, and sorry if I scared some users But I practically never use the other software on the server, so…

All the best,

Osvaldo

matthieu · 2012-02-21 18:56:23 UTC

Still you should have checked the access logs of your server to find out if the attacker left a footprint

rabo · 2012-03-07 07:04:37 UTC

I just opened up Piwik today and I’ve gotten the same hack. Do I need to re-install Piwik? Has somebody figured out the way this hack has been applied? How do I fix this?

Thx

matthieu · 2012-03-07 08:17:47 UTC

There is no hack we aware of, but it would be great if you could double check your access logs.

Check your global.ini.php is probably corrupt? replace with http://dev.piwik.org/svn/trunk/config/global.ini.php

Also, update your other softwares on your website (wordpress, phpbb, etc.) maybe one of these got hacked?

osvaldo · 2012-03-10 17:31:17 UTC

In my case the Piwik install is stll stable. So I can conclude the attack was done trough another software vulnerability, not Piwik.

vipsoft · 2012-03-10 17:49:31 UTC

See Latest Mass Compromise of WordPress sites - More Details

Appears to be associated with old versions of WordPress or malicious plugins (e.g., ToolsPack reportedly has a backdoor).

rabo · 2012-03-10 18:31:11 UTC

I’m running Magento and have this problem.

vipsoft · 2012-03-10 19:09:32 UTC

From reading other blogs, it appears to affects other installations as well. The attackers are presumably exploiting multiple attack vectors, and/or weaknesses in shared hosting configurations.