Piwik is a free software web analytics system written by a team of international developers, and runs on a PHP/MySQL webserver. 

Per Official Piwik Blog Security Announcement:

  Piwik.org webserver got compromised by an attacker on 2012 Nov 26th, this attacker  added a malicious code in the Piwik 1.9.2 Zip file for a few hours.

  You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC.

  If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.

 

The victim's info will be sent to hxxp://prostoivse.com/x.php! The malicious code analysis is as following:

 

 

To check if your Piwik is affected, open the file piwik/core/Loader.php, where as a compromised Loader.php would contain the following code at the end of the file:

  

   

Piwik has suggested the following steps to fix this issue. 

- Backup piwik/config/config.ini.php

- DELETE the piwik/ directory

- It is important to DELETE the directory and all piwik files, to ensure any malicious script is deleted as well.

- Download latest Piwik from piwik.org

- Unzip and Upload the piwik/ directory  on your server

- Copy the config.ini.php back in /piwik/config/

- Go to Piwik, it should display the dashboard as expected 

 

In order to prevent malicious connection, we urge our customer to keep WG signature up to date. 

by AegisLab