(mt)
- 26 Responses
- nocomply
ukit - You might be correct on some accounts, but my 2 sites running WordPress that were hacked over the weekend were on GS accounts that were not even created until well into 2010.
Also, another client of mine who was being hosted through Network Solutions had their WordPress site hacked a few months ago. (Side note: I DO NOT recommend hosting with Network Solutions!)
It's definitely going around, but it is very concerning to me how many of these hacks have happened on MT lately.
- ukit
Could some of this even be fall out from this incident?
http://michaeltorbert.com/blog/m…
All of this is confusing, obviously, because (a) other hosts have been hit as well and (b) WordPress is exploitable all on its own, but here we have a case where a huge amount of user login information was extracted from one of Media Temple's servers.
This was last November, but with all the accounts I wonder if it's possible that they are still dealing with the fallout from that, with the hackers attacking in waves rather than all at once.
- acescence
You're always better off on a dedicated or virtual private server. On a shared setup you're only as secure as the least secure of the other 200 accounts on your box if the server setup has a potential security hole somewhere.
- nocomply
Just found out about a cool plugin that locks you out of wp-admin for a set amount of time after a number of failed login attempts.
http://wordpress.org/extend/plug…
I installed it and tested it on WP 3.0.1 and it seems to work great.
Thoughts? I figure it couldn't hurt, right?
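For anyone who wants to see what a plugin like the one above actually has to keep track of, here is the lockout logic written out in Python. This is an added example, not the plugin's code and not anything from the thread; the thresholds (four failures inside a 15-minute window lock the source IP for 20 minutes), the `check_password` stand-in, and the IP address in `demo()` are all constructed assumptions. The clock is injectable so the policy can be exercised without sleeping.

```python
"""Failed-login lockout keyed by source IP: the mechanism behind a wp-admin
'limit login attempts' plugin.  Added example, not the plugin's code.
Thresholds and the demo credentials are assumptions, not from the thread."""
import time
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_failures=4, window=15 * 60, lockout=20 * 60,
                 clock=time.time):
        self.max_failures = max_failures
        self.window = window            # seconds over which failures are counted
        self.lockout = lockout          # seconds a locked IP stays locked
        self.clock = clock              # injectable for testing
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> unix time the lock expires

    def _prune(self, ip, now):
        """Drop failures that have aged out of the counting window."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[ip]  # lock has expired
            return False
        return True

    def record_failure(self, ip):
        """Count a failed attempt; return True if this one triggered a lockout."""
        now = self.clock()
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            self._failures[ip].clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)


def attempt_login(limiter, ip, username, password, check_password):
    """Gate a login through the limiter: "locked", "denied" or "ok".
    The lock is checked before the password so a locked source learns
    nothing, not even whether its guess would have worked."""
    if limiter.is_locked(ip):
        return "locked"
    if check_password(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "denied"


def demo():
    """Brute-force 'admin' from one IP against a fake clock; return outcomes."""
    fake_now = [1_000_000.0]
    limiter = LoginLimiter(clock=lambda: fake_now[0])
    check = lambda user, pw: user == "admin" and pw == "correct horse"  # constructed
    ip = "203.0.113.5"                                                   # constructed
    outcomes = [attempt_login(limiter, ip, "admin", "guess%d" % i, check)
                for i in range(4)]                                       # 4 x denied
    outcomes.append(attempt_login(limiter, ip, "admin", "correct horse", check))  # locked
    fake_now[0] += limiter.lockout + 1                                   # wait it out
    outcomes.append(attempt_login(limiter, ip, "admin", "correct horse", check))  # ok
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two caveats worth knowing before relying on this: a lock keyed by IP is trivially spread across many source addresses, and behind a reverse proxy it locks out everyone sharing the proxy's address unless the real client address is taken from a header the proxy is trusted to set. It also does nothing in the scenario several posters in this thread suspect, where the attacker already has valid credentials.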
- ukit
What to make of this
http://johnkary.net/mediatemple-…
"MediaTemple asserts in a July 16, 2010 blog entry, “We do not believe that this is an infrastructure issue, but we are still investigating the root cause(s).”
I believe I have evidence to the contrary."
...
"MediaTemple’s head of support and a few sysadmin/security guys were nice enough to give me a call...they believe someone possibly obtained a list of database credentials, then used those credentials to scan and inject code."
(mt) themselves comment on the blog post and don't seem to contradict what he's saying...
- nocomply: I have no way to know if that's true. But based on my experiences thus far it sounds very, very likely.
- phatwrx
Run a DV setup with 3-4 WP installs and none so far have issues.
- ukit
Could something like this help?
http://wordpress.org/extend/plug…
"Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address."
- acescence
A lot of stuff I do revolves around .htaccess: limit access to wp-admin via password protection and a specific IP address, or if that's too strict, deny all direct access to wp-admin and provide a mirror via URL rewriting and a "secret" URL. Limit direct access to sensitive files: wp-config, anything that gets included rather than accessed directly, any plugin stuff, etc.
I also change the default admin account to something other than "admin", always install WP into a random directory while serving the site from root, and hide the meta generator tag that identifies your WP version, just to stop the script kiddies that troll for WP installs.
To monitor things, set up a cron job that backs up the database regularly and then diff the backup against the previous one to identify things that have changed. This can be less useful if the content, comments, users, etc. change drastically under normal conditions, but it's good to have regular backups you can revert to.
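The "snapshot, then diff against the previous snapshot" idea above works just as well for the files as for the database, and it is what the file-monitoring plugin linked earlier in the thread does. The following is an added example in Python, not that plugin's code and not acescence's cron script: it hashes every file under a web root into a baseline, stores the baseline outside the tree, and reports what was added, deleted or changed. The small WordPress-like tree that `run_demo()` writes, the file names in it and the "tampering" it performs are constructed for the demo.

```python
"""File-integrity baseline for a web root.  Added example, not the plugin
linked in the thread.  The tree built by run_demo() is constructed."""
import hashlib
import json
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Return {relative/path: sha256} for every regular file under root.
    Nothing is skipped on purpose: excluding wp-content/uploads to cut noise
    would also hide a PHP file dropped there."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):       # don't follow links out of the tree
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = _sha256(full)
    return digests


def save_baseline(path, digests):
    """Write the baseline; keep it outside the web root, or the attacker
    who edits your files can edit the baseline too."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(digests, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Classify every path as added, deleted or changed since the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def run_demo():
    """Build a constructed WP-like tree, baseline it, tamper, and report."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:   # baseline lives outside root
        def write(rel, text):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(text)

        write("index.php", "<?php require './wp-blog-header.php';\n")
        write("readme.html", "<html>WordPress</html>\n")
        write("wp-content/themes/twentyten/footer.php", "<?php wp_footer(); ?>\n")
        write("wp-content/uploads/2010/08/photo.jpg", "not really a jpeg\n")

        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(baseline_file, hash_tree(root))

        # Constructed "compromise": injected footer, a PHP file dropped into
        # uploads, and a deleted file.
        write("wp-content/themes/twentyten/footer.php",
              '<?php wp_footer(); ?>\n<script src="http://203.0.113.9/x.js"></script>\n')
        write("wp-content/uploads/2010/08/thumb.php",
              "<?php /* constructed stand-in for a dropped web shell */ ?>\n")
        os.remove(os.path.join(root, "readme.html"))

        return compare(load_baseline(baseline_file), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Run `hash_tree` once after a clean install or upgrade to establish the baseline, and from cron afterwards; a legitimate plugin or core update will show up as a burst of "changed" files that you expected, so refresh the baseline right after each update you perform yourself. Anything that changes when you did not touch the site is what you want to look at.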
- acescence
... or properly secure WordPress / hire someone that knows something about server security. I still have yet to have any WordPress installs of mine hacked; I've got 10 of them up on GS, plus more elsewhere.
- nocomply: Can you list some of your security checks? Anything I didn't mention? Thanks!
- mrsprinkles
The problem is with WordPress, not (mt). If you switch to another host the same thing will happen again. If you really want to keep from getting pwned:
1. Keep WordPress up to date (daily).
2. Don't run WordPress.
- acescence
To use SFTP on GS, you need to enable SSH in the Account Center under Server Admin; then the login info is the same as for FTP, and the port is 22. Most FTP apps also do SFTP these days. I use Transmit personally.
- nocomply
Well, guess what? I woke up this morning to 2 more of my WordPress websites that were subject to this database injection hack on 2 different MT Grid-Service accounts of my clients. These are different sites than the ones on my own MT account which were hacked a few weeks ago.
I called MT and spoke with a tech on the phone about it. Here is what I gather thus far:
From the research MT has done up to this point, there is no evidence that a security vulnerability on their system has led to these hacks. However, MT engineers are still investigating the problem because they have not yet found the entry point of these attacks. So it may wind up being MT's fault in the end, but at this point we just don't know. They claim that the hack is affecting both GS and DV accounts, though the sites hosted on my own personal DV account have been safe thus far. They do say they're seeing it far more frequently on the GS accounts (probably just because way more people have GS accounts, though).
Here's what I'm doing in the meantime:
Backing up EVERYTHING! All files and databases on ALL of my websites (WordPress or not).
Resetting all passwords (FTP, acct center, DB, WP, etc...)
Checking all of my files for weird script injections in the header/footer.
Installing an automatic DB backup plugin for WordPress (http://wordpress.org/extend/plu...
Might look into installing some WP security plugins as well.
Installing and running anti-virus software on my computer
Might even remove all of my stored FTP info from FileZilla (haven't decided yet)
I'm not here to talk shit about MT. There's enough of that already and I may soon be one of those people. I've known the gs was not rock solid, but for most of my clients a little down-time here and there didn't matter. This hack however, is unacceptable.
So for now I just want to help out others out there and pass along what I know.
Also - MT does not have any kind of backup system in place. (They do have a "disaster recovery" service, but the tech kind of made that out to be a worst-case-scenario kind of deal that couldn't be guaranteed to be entirely accurate. It also costs money to use.) So basically it's your own responsibility to back up your shit! Fortunately I'm pretty good about that.
ACESCENCE - Can you please provide some more info about SFTP? I might look into using that instead of regular FTP.
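The "checking all of my files for weird script injections" step above is the one that is easiest to do badly, because the injected code rarely sits only in the header and footer, and in a database injection it is not in the files at all but in wp_posts and wp_options. The script below is an added example in Python, not anything from the thread or from Media Temple: it greps files and SQL dumps for a handful of generic patterns (PHP `eval` of a decoded string, hidden iframes, script tags loading from hosts you do not recognise, very long base64 runs). The rules are assumptions, not signatures from this incident, and the `SAMPLES` and `ALLOWED_HOSTS` are constructed for the demo; treat a hit as something to look at, not as a verdict.

```python
"""Grep-style triage for injected code in theme files, plugins and DB dumps.
Added example; the rules are generic heuristics (assumptions) and the
samples are constructed."""
import os
import re

# Hosts your pages legitimately load scripts from (constructed for the demo).
ALLOWED_HOSTS = {"www.example.com", "example.com", "ajax.googleapis.com"}

TEXT_EXTS = {".php", ".html", ".htm", ".js", ".sql", ".txt", ".inc"}

_RULES = [
    ("php-eval-decode",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("hidden-iframe",
     re.compile(r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|"
                r"width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)", re.I)),
    ("long-base64",
     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]
# Script tags with an absolute or protocol-relative src; group 1 is the host.
_REMOTE_SCRIPT = re.compile(r"<script[^>]+src\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)


def scan_text(label, text, allowed_hosts=ALLOWED_HOSTS):
    """Return [(label, line_no, rule)] for every suspicious line in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in _RULES:
            if rx.search(line):
                hits.append((label, no, rule))
        for m in _REMOTE_SCRIPT.finditer(line):
            if m.group(1).lower() not in allowed_hosts:
                hits.append((label, no, "remote-script:" + m.group(1)))
    return hits


def scan_tree(root, allowed_hosts=ALLOWED_HOSTS):
    """Walk a web root or an unpacked backup (SQL dumps included) and scan
    every text-like file.  Search the whole tree, not just the theme."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as f:
                hits.extend(scan_text(rel, f.read(), allowed_hosts))
    return hits


# Constructed samples: one clean footer, one injected footer, a plugin file
# hiding an eval, and a line from a wp_posts dump with an injected script tag.
SAMPLES = {
    "footer.php (clean)":
        '<?php wp_footer(); ?>\n'
        '<script src="https://www.example.com/js/site.js"></script>\n'
        '</body></html>\n',
    "footer.php (injected)":
        '<?php wp_footer(); ?>\n'
        '</body></html>\n'
        '<iframe src="http://203.0.113.9/in.php" width="0" height="0" '
        'style="display:none"></iframe>\n',
    "wp-content/plugins/seo/cache.php":
        '<?php\n'
        '/* cache helper */\n'
        'eval(base64_decode("ZWNobyAnaGVsbG8nOw=="));\n',   # decodes to echo 'hello';
    "wp_posts.sql":
        "INSERT INTO `wp_posts` VALUES (12,1,'2010-08-01','<p>Hello</p>"
        '<script src="http://203.0.113.9/stat.js"></script>\');\n',
}


def run_demo():
    hits = []
    for label, text in SAMPLES.items():
        hits.extend(scan_text(label, text))
    return hits


if __name__ == "__main__":
    for label, no, rule in run_demo():
        print("%-36s line %-3d %s" % (label, no, rule))
```

Point `scan_tree` at the backup you just took (files and a fresh `mysqldump`) rather than only at the live theme, and expect some noise from minified JavaScript on the long-base64 rule; the remote-script rule is the one that catches the classic "every page now loads something from an IP address" symptom, but only if `ALLOWED_HOSTS` really lists everything your site loads on purpose.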
- meffid
The issue with the most recent WordPress compromises isn't an issue resulting from a security flaw within our systems. We have done extremely intensive scans/tests on our infrastructure to see if we were vulnerable to these attacks and to see if they were caused by any possible vulnerabilities that may have existed. Our testing did not prove that we have any vulnerabilities on our system that would result in attacks like these. This was not caused by a security flaw on our end and we can't take responsibility for these attacks.
I'm sorry that this happened to your site. There is more documentation on this issue located here: http://wiki.mediatemple.net/w/%2…
http://weblog.mediatemple.net/we…
http://wiki.mediatemple.net/w/Fi…
As of right now we can't provide compensation for something we can't be held responsible for. This was just an unfortunate event that affected more than just (mt) Media Temple's hosting platforms.
If you have any more questions regarding your (mt) Media Temple services please feel free to contact us again by responding to this message or calling in. Thank you for contacting (mt) Media Temple.
- meffid
What AV for OS X does everyone use? I've never tried one before.
- ukit
^ No, you're exactly right. I started a thread about this a week ago and people reacted with skepticism, but at least some of the attacks work this way.
In a way, you have to almost admire the deviousness of a scheme like this. On the other hand, when my site got hit I just wanted to break their fuckin kneecaps;D
- vaxorcist
I believe it may happen like this....
1. Your computer actually gets a worm.
2. This worm goes to your FTP program and uploads crap to any WP install it finds.
3. Users get a worm, possibly repeating the cycle if they have FTP programs with stored passwords and WP installs online.
Please somebody correct me if I'm wrong....
- jamble
Been having the same issues with a WP-powered site being hacked, then listed as malware. Sorted that and, as ukit said, less than 24 hours for removal from the Google badlist.
Another site hacked was a Cubecart one. Different exploit.
I think the issue is that my FTP password was compromised/brute-forced, and so it's not something MT are responsible for. Fuck knows how it happened though.
They sent me this: http://wiki.mediatemple.net/w/Re… Dunno if it will help?
- ukit
meffid, happened to me a lil while back but I resolved it successfully. Just go into Webmaster Tools and follow the instructions Google gives you. I was skeptical how fast they would get to it, but they sorted it out in 24 hours and another 24 hours later the warning was gone.
- ukit: Just make sure the exploit is actually gone from all your files; do a search of your entire server if you haven't already.
- meffid
^ This has already happened.