[ General ] 30 November, 2012 11:28

  Piwik is a free software web analytics system written by a team of international developers, and runs on a PHP/MySQL webserver. 

Per Official Piwik Blog Security Announcement:

  Piwik.org webserver got compromised by an attacker on 2012 Nov 26th, this attacker  added a malicious code in the Piwik 1.9.2 Zip file for a few hours.

  You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC.

  If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.


The victim's info will be sent to hxxp://prostoivse.com/x.php! The malicious code analysis is as following:



To check if your Piwik is affected, open the file piwik/core/Loader.php, where as a compromised Loader.php would contain the following code at the end of the file:



Piwik has suggested the following steps to fix this issue. 

- Backup piwik/config/config.ini.php

- DELETE the piwik/ directory

- It is important to DELETE the directory and all piwik files, to ensure any malicious script is deleted as well.

- Download latest Piwik from piwik.org

- Unzip and Upload the piwik/ directory  on your server

- Copy the config.ini.php back in /piwik/config/

- Go to Piwik, it should display the dashboard as expected 


In order to prevent malicious connection, we urge our customer to keep WG signature up to date. 

by AegisLab


[ Security Alert ] 16 November, 2012 11:27

An Indian security researcher Shubham Upadhyay aka Cyb3R_Shubh4M, reported a new permanent XSS affecting the products listings on eBay.com. 

AegisLab also test again immediately, so far, this vulnerability is currently unfixed!!

Here is the page with XSS injection code: 



For this flaw, you need a eBay seller account, login to your account on eBay and create a listing for sale. Then put XSS code into HTML.





The news of XSS vulnerabilities is nothing new, but still so dangerous. What are the threats of XSS? Everything from account hijacking, shopping, payment, changing of user settings, cookie theft/poisoning, or false advertising is possible.


by AegisLab


[ Security Alert ] 12 November, 2012 18:57

AgeisLab found a URLwww.hv20.com/payroll/djia-finance.php was posioned by Blackhat SEO.

The attack scenario as following:

Google search -> djia finance

-> hxxp://www.hv20.com/payroll/djia-finance.php

-> hopping site -> hxxp://

-> the final download site -> hxxp://proddingappsumo.info/guaranteeing/means_phone- pool_occurs.php?tjn=33:2v:1h:2w:1m&wrgglxs=38&ciooh=33:30:32:2w:30:1n:31:1f:1m:1i&zuhy=1n:1d:1g:1d:1h:1d:1f

!! (attempt to download a malicious pdf file) !! 

Virustotal scan result (3/44): 



As our analysis and observation, this download site format made by Blackhole Exploit Kit 2.0.

So far, this "djia finance" Blackhat SEO poisoning still keep alive and no any warning message in Google search results. 




AegisLab urge our customer to keep WG signature in latest version.

by AegisLab WG Team