Unauthorised Access

Hi all,

I had a couple of strange IPs browsing my site, now it seems they came back and had access to my Piwik server. I can see them in my logs visiting Piwik admin pages.

Has anyone else had this? I am on version 1.12. I changed my password.

Even though they logged into your Piwik install, are you sure they got into your system through Piwik? You sure your permissions and ownership of your files are correctly set up? What OS, web server, mysql versions are you running? Have you verified they are not in your system in other places? Such as they got in through another means and were able to get your Piwik information by escalating to root on your box? Verified the files in your install as all being the correct ones? To really say though would take some deep digging and posting more information, or get your box audited properly to find out the when, what, how and why of the intrusion. Have you changed all passwords? Verified there are not new users that you did not create? Do you allow anonymous visitors on your Piwik install? Are you using the Hide URL proxy script? Did you use the security check thing inside Piwik that verifies no files have been modified? Have you changed your box’s login passwords as well, such as root and your users? Also your mysql password; basically every one should be redone.

I honestly wish Piwik would post an md5sum/PGP signature of the packages, any kind of verification for the end user, something at all, since they already have had an issue with someone putting a malicious package in their download section. (Security Report: Piwik.org webserver hacked for a few hours on 2012 Nov 26th - Analytics Platform - Matomo) Hopefully this is not the beginning of another one of those. Though I still think it is bad practice on Piwik’s part to not disclose the “plug-in” that allowed the breach to help protect other end users that could be on a similar setup. I just don’t think the check that is done once it’s installed is enough; it’s a great start, but we need to verify the tarball/zip file is not modified before it’s even installed.

@JimJim can you explain further what you mean by “strange IPs” and browsing the UI? Most likely, if you see the Piwik visits in your Piwik, it is because you enabled the setting:

; if set to 1, a Piwik tracking code will be included in the Piwik UI footer and will track visits, pages, etc. to idsite = 1
; this is useful for Piwik developers as an easy way to create data in their local Piwik
track_visits_inside_piwik_ui = 1
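
The log review discussed in this thread can be done against the web server's own access log rather than Piwik's tracked visits. The following is an added example, not code from the thread or from the Piwik project; it assumes combined log format, a hypothetical allowlist of your own addresses, and an assumed list of admin module names, and it runs on constructed sample lines.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Assumption: Piwik modules treated as administrative for this triage.
ADMIN_MODULES = {"CoreAdminHome", "CorePluginsAdmin", "UsersManager",
                 "SitesManager", "PrivacyManager", "CoreUpdater"}
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jul/2013:10:01:12 +0000] "GET /piwik/index.php?module=CoreHome&action=index&idSite=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [02/Jul/2013:10:04:40 +0000] "GET /piwik/index.php?module=UsersManager&action=index HTTP/1.1" 200 8300 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [02/Jul/2013:10:05:02 +0000] "GET /piwik/index.php?module=CoreAdminHome&action=generalSettings HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jul/2013:10:06:00 +0000] "GET /piwik/index.php?module=SitesManager&action=index HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [02/Jul/2013:10:07:30 +0000] "GET /piwik/piwik.php?idsite=1&rec=1 HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]

def admin_hits(lines, known_ips):
    """Summarise admin-module requests from addresses outside known_ips."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined log format
        ip, when, target, status = m.groups()
        module = parse_qs(urlsplit(target).query).get("module", [""])[0]
        if ip in known_ips or module not in ADMIN_MODULES:
            continue
        ts = datetime.strptime(when, TIME_FMT)
        entry = report.setdefault(ip, {"requests": 0, "modules": set(),
                                       "statuses": set(), "first": ts, "last": ts})
        entry["requests"] += 1
        entry["modules"].add(module)
        entry["statuses"].add(int(status))  # as logged; not proof of a valid session
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return report

if __name__ == "__main__":
    for ip, e in admin_hits(SAMPLE_LOG, known_ips={"198.51.100.7"}).items():
        print(ip, e["requests"], sorted(e["modules"]), e["first"], e["last"])
```

The first and last timestamps per address give a window to compare against password changes and the user list mentioned earlier in the thread.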