[horde] Google Analytics

Simon Brereton simon.brereton at dada.net
Tue May 18 15:52:36 UTC 2010 

> From: horde-bounces at lists.horde.org [mailto:horde-
> bounces at lists.horde.org] On Behalf Of Rick Romero
> Sent: Tuesday, May 18, 2010 11:02 AM
> Quoting "Simon Brereton" <simon.brereton at dada.net>:
> 	
> >> From: horde-bounces at lists.horde.org [mailto:horde-
> >> bounces at lists.horde.org] On Behalf Of Niels Dettenbach
> >> Sent: Tuesday, May 18, 2010 9:57 AM
> >>
> >> Am Dienstag 18 Mai 2010, 15:46:40 schrieb Simon Brereton:
> >> > How do I add analytics tracking to my horde install?
> >>
> <snip>
> >> Just by interest - why? There are some very good host side open
> >> source web analytics solutions which btw. are much more exact with
> >> many parameters (awstats, webalizer etc.)...
> >
> > I trust those less than I trust Google :)  (whom I don't trust at
> all
> > actually)..
> >
> > So anyway - will putting it into index.php work, or should it go
> > somewhere else?
> 
> I use phpmv2, and put it in horde/templates/common-footer.php

You mean common-footer.inc?  I've put it in there <?php require_once('../analytics.php'); ?> and it seems to be working - I guess we'll see in the morning.  Thanks!

I checked out phpmv2 - and it certainly looks awesome!  However, when I googled the download URL I got a pop-up that tried to convince me that it has found 4 trojans on my C:\ - which is amazing as I didn't know Ubuntu has a C:\ or could run IE..  When I tried again, I got a page fill of Meet Sexy Singles ads..  My guess is they've been hacked...

When you google phpmv2 download, the first url is http://www.phpmyvisites.us/ and yet, that's the same URL you click on if you go to http://www.phpmyvisites.net

More troublesome was the warning on phpmyvisites.us:

16 december 2009 - 17:00
We are releasing phpMyVisites 2.4 to address a security issue that was recently reported. The security issue is in the third party Clickheat library. We release phpMyVisites 2.4 without the Clickheat plugin. We urge every phpMyVisites user to update as soon as possible to phpMyVisites 2.4 as the security issue is critical.

Is your web server contaminated? 
It can be hard to tell as the crackers are using quite clever techniques.

If you have a file phpmv2/datas/thumbs.php, you are affected.
If you are on a dedicated server, try to execute ps faux and look for SSH connections that are not supposed to be there (eg. sshd fakelogin at priv fakelogin being a login that doesn't exist on your server or is not supposed to exist).
Look in your website directories, are there new files, especially suspicious looking files like numbers 8475875.php or styles.css.php or fotter.php or s.php?
Are there new .htaccess that are not supposed to exist?
look at your actual website files (especially if written in php), do they contain code that is not yours at the top or at the bottom? Things like base64_decode, eval, gzinflate, are a sign that you are infected.
Note: do not only look in phpmv2/ files, also look in your website files or any file on your server (to help, look at files that have a modification time that is suspicious)



Anyway, thanks for your help and perspectives on 3rd party analysers.  I'll definitely play with them more.

Simon

More information about the horde mailing list