WordPress › Support » Media Temple oeaou hack

nmmt
Member
Posted 1 year ago #

@xyclopsoft:

I understand your concerns. Please know that (mt) Media Temple is doing everything we can to assist any and all affected clients. I would like to try to respond to your comments in more detail...

We did not make any passwords "available", but we used to allow customers to see FTP/DB passwords in the AccountCenter in plaintext. FTP passwords were taken out of the AccountCenter at the end of 2009 and DB passwords were removed in early Spring of this year. Those were originally put there as a convenience and based on customer feedback. We have removed them and addressed all of that publicly. Also, as you probably know, passwords that are weak can be "brute-forced", and that happens all the time, on all kinds of systems.

Exploits of this type are indeed happening on other hosts, and these types of redirects/includes/etc. are not unique to (mt) or our (gs) Grid-Service. In fact, php/javascript injections are incredibly common, and often go undetected. Here are some indicators:

http://sucuri.net/malware/entry/MW:JS:222
http://sucuri.net/malware/entry/MW:RKS:3
http://sucuri.net/malware/entry/MW:RKS:2

Other companies are mentioned if you look through the links above. Please see this post for detailed information on these exploits and where (mt) Media Temple is coming from:
http://weblog.mediatemple.net/weblog/2010/08/06/security-facts/

We are not blaming customers, and to be clear, we are not blaming WordPress either. Also, we have done much analysis on our end and have yet to find any indication that there is a vulnerability in our infrastructure.

On the other hand, via Sucuri.net and other means, we have found that out-of-date software is being used on the exploited customer services and is a source of site vulnerability. Take a look at this list of security advisories for older versions of WP:
http://secunia.com/advisories/product/6745/?task=statistics

Also, this was written by Matt Mullenweg (founding developer of WP):
http://wordpress.org/news/2009/09/keep-wordpress-secure/

This article was created to give users detailed steps on fixing an infected site:
http://wiki.mediatemple.net/w/Fixing_an_infected_website_-_(detailed_steps)

If you are an (mt) customer, please open a support request and we can look at the specifics of your account/services.
dotnature
Member
Posted 1 year ago #

I would just like to add that the PR by NMMT above from MT is utter BS.

Blaming users for file permissions?

How about a log file to pinpoint exactly what happened instead of spinning this into a circle.

How about this little gem:

Diagnostic page for AS31815 (MEDIATEMPLE)

Of the 56359 site(s) we tested on this network over the past 90 days, 7844 site(s) served content that resulted in malicious software being downloaded and installed without user consent.

gee that looks like 7844 wordpress sites...

this network has hosted sites that have distributed malicious software in the past 90 days. We found 31 site(s) that infected 571 other site(s).

Not only end users but cross site yayyyy..

Keep beating the drum that it was the user file permission fault, it is working wonders for your clients.

Brute force a wordpress login???, your are a JOKE for saying that.

MT needs to at least hire a competent computer user or god forbid someone with actual security knowledge to spin at least more competent drivel.

One thing is for sure, people are simply just leaving your service and your competition sure is capitalizing on this continual failure.
bkeen
Member
Posted 1 year ago #

I believe this is a known issue.
Mvied
Member
Posted 1 year ago #

@dotnature:
The whole point is that these kinds of attacks are usually untraceable, so there is usually little to no evidence in logs.

I'm not a (gs) customer, so I don't know how they handle file permissions, but back in April, Network Solutions got slammed with an attack on WordPress sites due to public read permissions on their wp-config.php files. - Read here

Also, it is very possible to Brute Force a WordPress site. Although, I hope site administrators are smart enough not to use dictionary words for passwords. If so, they probably deserve to be hacked.

Anyways, what I'm trying to say is that what Media Temple is saying is probably 100% correct, and they know exactly what they're doing. You, on the other hand, should look before you leap and leave the name-calling to a minimum when somebody is just trying to help people out.

Take your incompetent drivel somewhere else.
dotnature
Member
Posted 1 year ago #

@Mvied

As someone who has worked in security I can say your post did absolutely nothing.

Untraceable...totally wrong, how can you possibly think that? Being lazy more like it.

File permissions on a grid or shared server (most likely involving fantastico)..yes the host is to blame.

Of course it is possible to brute force attack, but are you actually suggesting that in the past 90 days on the MT grid 7844 wordpress sites were brute forced? Have you ever tried to brute force wordpress...really have you?

Anyways, what I'm trying to say is that what Media Temple is saying is probably 100% correct, and they know exactly what they're doing

You mean you believe their PR man ( who was already called out in this thread for being dead wrong) and blindly trust a host that blames it user base, when the attack vector has clearly not been found yet but so far REALLY points to a hosting issue.

No one is going to really spent the massive amount of time figuring out the cause, that is MT' job and they have just applied a band-aid, without being honest about WHY, people are simply moving to more secure hosts.
aeternis
Member
Posted 1 year ago #

Hey guys,

We encountered a similar problem on Dreamhost sites last night (google immediately blacklisted one of them). While it is not the exact URL, the cleanup process may be the same (we think it is more like the JS222 referenced above)

The symptom for this one is the same - the site will attempt to redirect you to their page. From the admin, this is particularily annoying on the dashboard page, but if you can get to any other link, such as Settings, it will not happen. The script also seems to try executing a download of the php file in the URL you are at.

cleanup:
1. Delete all theme folders and plugins you are not using. Several files in each theme were affected.
2. Change your database password.
3. Update your config.php and re-upload. Change the permissions to 600 (right-click in your FTP client and choose Permissions)
4. Edit your theme's index.php file to remove the massive block of javascript at the end.
5. Check every other theme folder for an index.php with a lats modified date of more recently than you recall updating your theme. (for us it was 8/18) This will probably be an index.php file in every folder. Delete them.
6. Manually upload the WordPress 3.0.1 update downloaded from this website (do not download from your host or use your host's auto-update as that may be part of the problem)
7. In your wordpres install, allow it to update your database tables if prompted.
8. Review your plugins. The only ones that should be installed are those verified by wordpress.org.
9. Disable any re-direct plugins for now.
10. Create a new admin that does NOT use the 'admin' username and then disable the admin user (set the role to none)
11. Install Secure WordPress and Bulletproof Security plugins.
12. Finally, go to http://scan.sucuri.net/ and click on Scanner, then enter your URL to scan it for any remaining issues. If the blacklist page shows you as clean by all the partner sites, you are good to go for now.
aeternis
Member
Posted 1 year ago #

I should clarify (sorry) that the block of javascript you are removing is the injected code. It is fairly obvious, but for the novice admin, it looks something like "<script type="text/javascript">var PwJmWsRp7=" followed by a bunch of garbage strings.
mmmfruit
Member
Posted 1 year ago #

I followed the Wikipedia page on how to clean up the database, but 0 rows were found in my wp tables. Sucuri Scan also shows that my site is clean on all Blacklist partners except for being blocked by Google. Twitter will also not allow the URL to be posted due to spam or malicious content. Any idea how to get the site off Google's blacklist? Or is there something I may have missed?
eckert
Member
Posted 1 year ago #

my MT wordpress sites were mass injected for a third time yesterday. a new domain, but the same style of attack.

each time this has happened, ive been changing keys, passwords, making sure everything is updated, etc...

frustration is setting in and MT is slowly losing my business.
esmi
Theme Diva & Forum Moderator
Posted 1 year ago #

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Also contact your hosts. The back door may well be someplace else on your server.
herve76
Member
Posted 1 year ago #

Hello guys,

I have been a MT customer for years now. But since the beginning of the year (2010), their service is getting worse every month. They experienced a major hack of their DB that resulted in changing all the passwords for all their clients. But since then, the number of affected sites on their network is on the rise. If you check this Google page,
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:31815 you will see that "Of the 64585 site(s) we tested on this network over the past 90 days, 12128 site(s) served content that resulted in malicious software being downloaded and installed without user consent".

The fact that 1 site for 6 sites on MT is affected by malware is deeply hurting the Google Index of all sites hosted on this network. I am experiencing bad ranking for my sites since a few weeks, and the problem is getting worse.

I know MT is aware of this problem but they will never communicate about it. This will kill them. That is very sad, I used to love MT for their good service and innovations, but like any other hosting company that reach a high number of clients, their service is not getting better. Too bad, I have to find another good efficient hosting company now.

Internet is a battle field, you have to query on the fight, if you don't , you die !!!

Hervé
Jparra
Member
Posted 1 year ago #

Hi,
I just wanted to add that one of my sites has fallen victim to this malicious script on the Gridserver.

Here is some info that hopefully will be of use to people dealing with this or on the WP or MT team trying to prevent this:

- ao.euuaw.com/9 is where mine is redirecting. There are many variations on this name.

- I went through the steps outlined here: http://wiki.mediatemple.net/w/WordPress_Redirect_Exploit
after I deleted any of the script I could find in the page/post editor.

- The query returned that I had 0 affected rows.

- I downloaded my DB and searched for the malicious domain and found it more than 50 times still inside the DB.

- Spoke to a MT Tech and he said that as long as the script is not in your WP_Posts table you are fine. Is that true? Not sure.

- Despite my concerns I am no longer experiencing the redirect.

- One more note. Upon checking my wp-config.php file I noticed somoething odd-Towards the end of the file where it usually says

'AUTH_KEY'
'SECURE_AUTH_KEY'
'LOGGED_IN_KEY'

This text instead is full of gibberish and the areawhere you usually paste in your secret phrase is left blank saying 'put your unique phrase here'

I personally installed WP manually via FTP and I know I did not do that.

Hopefully this helps someone.

-J

« Previous 1 23

Topic Closed

This topic has been closed to new replies.

WordPress.org

Forums

Media Temple oeaou hack (72 posts)

Topic Closed

About this Topic

Tags

Code is Poetry