Website hacked today

Hello

I’ve just received an email from an agitated client who runs their own Apache server. One of the websites on it has been hacked, and he thinks that Piwik (which I only installed 2 weeks ago) is responsible for the security breach. Below is the content of the email.

"This morning we were alerted by an abuse contact that our website had been compromised. Upon investigation they were correct and we found a load of randomly named folders with phishing websites loaded into them, RATs and remote shell scripts. Obviously we’ve been left with no choice but to close the website down until fixed.

Looking over the logs, the first affected files were sitting in /piwik/ uploaded last night at 19:56:54. I looked up piwik and it’s a free open source software (What is Piwik? - Analytics Platform - Piwik) meaning anyone can get hold of the source code which will explain how they’ve gained access. Example being it is being targeted as per this year’s exploit (Piwik CMS Superuser Plugin Upload Exploit).

I don’t feel we should be loading free open source software on a live server as it isn’t secure. Our server contains many other websites and has the potential to cause major disruption to our clients if it goes down. We’ve not had any issues for the last 2-3 years and although not intentional, it has made whoever loaded this on look very silly that you’ve used free open source software which has led to an exploit."

I have Piwik installed on hundreds of sites and have never had a problem such as this; I always update whenever a new version is released.

I’m at a loss to understand how this happened. Can anybody give me a pointer?

Thanks

Hi @winchelsea

The “exploit” that the customer links to is only “exploitable” by a Super User of Piwik. Therefore, their hypothesis that Piwik caused the security hole is only valid if someone with Super User access has messed up and leaked their password for a hacker to use to connect and upload a malicious plugin to Piwik.

We have received countless such reports in the past, people blaming Piwik for their hack, but in all cases (so far, fingers crossed) Piwik was never at fault after deeper analysis.

In that case they need to double-check the logs, which can be used to confirm whether or not the attacker used Piwik to upload a malicious plugin. Look at all Piwik logs containing index.php to see the history of all requests to Piwik, and one will be able to see whether an attacker has gained Super User access (likely by phishing, or internet hacking, or a Super User losing their devices, etc.) and used that Super User access to upload a malicious plugin giving server access.

Note that this “security hole” has been fixed recently, and now by default we don’t allow Super Users to upload custom plugins. They need to set a config setting in Piwik to enable the capability to upload a custom plugin.

In any case, don’t just trust the customer, but make sure they check their assumption by looking at the logs. Guessing doesn’t work in security. Good luck, and let us know what they find.

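As an added example (not code from this thread or from Piwik), the log review matthieu describes: parse Apache access-log lines, keep only the requests to Piwik's index.php, and flag the ones that hit a Super User-only action such as a plugin upload, so the upload time can be compared with the 19:56:54 the client reported. The `/piwik/index.php` prefix, the module/action names (CorePluginsAdmin `uploadPlugin` / `installPlugin`) and the sample log lines are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Piwik actions that need Super User rights; the plugin upload is what the linked "exploit" relies
# on. Module/action names are assumed (Piwik's CorePluginsAdmin module), not taken from the thread.
SUPERUSER_ACTIONS = {"uploadPlugin", "installPlugin"}

# Constructed sample log (the date is made up): a Super User session uploading a plugin at the
# 19:56:54 the client reported, an ordinary visitor, a non-Piwik request and a malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2015:19:55:31 +0100] "POST /piwik/index.php?module=Login HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2015:19:56:54 +0100] "POST /piwik/index.php?module=CorePluginsAdmin&action=uploadPlugin HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.2 - - [14/Oct/2015:19:57:10 +0100] "GET /piwik/index.php?module=CoreHome&action=index&idSite=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Oct/2015:19:58:00 +0100] "GET /blog/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
this line is not a log entry
"""

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def query_params(path):
    """Split '?module=...&action=...' into a dict; Piwik routes every request on these two keys."""
    _, _, qs = path.partition("?")
    return dict(kv.split("=", 1) for kv in qs.split("&") if "=" in kv)

def piwik_requests(lines, prefix="/piwik/index.php"):
    """Keep only requests to Piwik's front controller, the history matthieu suggests reviewing."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and r["path"].startswith(prefix)]

def flag_privileged(recs):
    """(iso time, ip, module, action, status) for each request that hit a Super User-only action."""
    hits = []
    for r in recs:
        q = query_params(r["path"])
        if q.get("action") in SUPERUSER_ACTIONS:
            hits.append((r["ts"].isoformat(), r["ip"], q.get("module"), q["action"], r["status"]))
    return hits
```

Run it over the real access log (`piwik_requests(open("access.log"))`) and a privileged hit before the first malicious file appeared points to a leaked Super User session rather than a Piwik bug; none at all points elsewhere on the server.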

Thanks @matthieu

There’s definitely no Super User security breach; I am the Super User, in fact the only user for this installation. Every install of Piwik that we do uses a new randomly generated password, created on a computer that is standalone, not connected to the internet and located in a secure room. These passwords are always 16 digits and in the !R~qmXcUD.JEt?J1 type of format; if somebody has found a way to breach our security just to get to this one website, I would like to meet them.

I have asked the client for their server logs for analysis, I will post back once they are received.

Thanks again.

Closed as the keywords attract spammers.

If you want to further discuss this topic just open a new thread.