(mt)
- meffid0
The issue with the most recent WordPress compromises isn't an issue resulting from a security flaw within our systems. We have done extremely intensive scans/tests on our infrastructure to see if we were vulnerable to these attacks and to see if they were caused by any possible vulnerabilities that may have existed. Our testing did not prove that we have any vulnerabilities on our system that would result in attacks like these. This was not caused as a result of a security flaw on our end and we can't take responsibility for these attacks.
I'm sorry that this happened to your site and there is more documentation on this issue located here: http://wiki.mediatemple.net/w/%2…
http://weblog.mediatemple.net/we…
http://wiki.mediatemple.net/w/Fi…
As of right now we can't provide compensation for something we can't be held responsible for. This was just an unfortunate event that affected more than just (mt) Media Temple's hosting platforms.
If you have any more questions regarding your (mt) Media Temple services please feel free to contact us again by responding to this message or calling in. Thank you for contacting (mt) Media Temple.
- meffid0
I got done did royally.
- georgesIII
that site caused an AVG alarm, definitively infected
- lambsy0
this is a stupid question but, why do they do this? are they looking for something specific or do they just like to fuck with people's blogs?
- meffid0
Another update: http://www.uhleeka.com/blog/2010…
- nocomply0
Well guess what? I woke up this morning to 2 more of my wordpress websites that were subject to this database injection hack on 2 different MT grid-service accounts of my clients. These are different sites than the ones on my own MT account which were hacked a few weeks ago.
I called MT and spoke with a tech on the phone about it. Here is what I gather thus far:
From the research MT has done up to this point, there is no evidence that a security vulnerability on their system has led to these hacks. However, MT engineers are still investigating the problem because they have not yet found out the entry point of these attacks. So it may wind up being MT's fault in the end, but at this point we just don't know. They claim that the hack is affecting both GS and DV accounts, though the sites hosted on my own personal DV account thus far have been safe. They do say they're seeing it far more frequently on the GS accounts (probably just because way more people have gs accounts though).
Here's what I'm doing in the meantime:
Backing up EVERYTHING! All files and databases on ALL of my websites (wordpress or not).
Resetting all passwords (FTP, acct center, DB, WP, etc...)
Checking all of my files for weird script injections in the header/footer.
Installing an automatic DB backup plugin for wordpress (http://wordpress.org/extend/plu...
Might look into installing some WP security plugins as well.
Installing and running anti-virus software on my computer
Might even remove all of my stored FTP info from FileZilla (haven't decided yet)
I'm not here to talk shit about MT. There's enough of that already and I may soon be one of those people. I've known the gs was not rock solid, but for most of my clients a little down-time here and there didn't matter. This hack however, is unacceptable.
So for now I just want to help out others out there and pass along what I know.
Also - MT does not have any kind of backup system in place. (They do have a "disaster recovery" service but the tech kind of made that out to be a worst case scenario kind of deal that couldn't be guaranteed to be entirely accurate. It also costs money to use.) So basically it's your own responsibility to back up your shit! Fortunately I'm pretty good about that.
ACESCENCE - Can you please provide some more info about SFTP? I might look into using that instead of regular FTP.
- ukit0
@lambsy
I have seen some exploits that redirect the site's users to an affiliate marketing page. Those marketing pages are like Adsense clicks - a few hundred hits won't make you much, but if you count all the exploits of this kind across the web, it probably adds up to some decent $, or at least enough for some asshole to pay his rent. Who knows, people might be getting rich off this, or maybe they do it more for shits and giggles.
- ukit0
By the way, watch out because if you get hit with an exploit and don't catch it right away, Google will blacklist your site and add a warning that says "this site contains malware" or something similar on the search results listing.
- acescence0
to use SFTP on GS, you need to enable SSH in the account center under server admin, then the login info is the same as FTP, port is 22. most FTP apps also do SFTP these days. I use Transmit personally.
- mrsprinkles0
The problem is with wordpress, not (mt). If you switch to another host the same thing will happen again. If you really want to keep from getting pwned:
1. keep wordpress up-to-date (daily)
2. don't run wordpress
- meffid0
^ This has already happened.
- acescence0
... or properly secure wordpress / hire someone that knows something about server security. still have yet to have any wordpress installs of mine hacked, I've got 10 of them up on GS, plus more elsewhere.
- nocomply
Can you list some of your security checks? Anything I didn't mention? Thanks!
- ukit0
meffid, happened to me a lil while back but I resolved it successfully. Just go into Webmaster Tools and follow the instructions Google gives you. I was skeptical how fast they would get to it but they sorted it out in 24 hours and another 24 hours later the warning was gone.
- ukit
Just make sure the exploit is actually gone from all your files, do a search of your entire server if you haven't already.
- jamble0
Been having the same issues with a WP powered site being hacked then listed as malware. Sorted that and as ukit said, less than 24 hours for removal from google badlist.
Another site hacked was a Cubecart one. Different exploit.
I think the issue is that my FTP password was compromised/brute force broken and so it's not something MT are responsible for. Fuck knows how it happened though.
They sent me this: http://wiki.mediatemple.net/w/Re… Dunno if it will help?
- vaxorcist0
I believe it may happen like this....
1. your computer actually gets a worm
2. this worm goes to your FTP program and uploads crap to any WP install it finds
3. users get a worm, possibly repeating the cycle if they have FTP programs with stored passwords and WP installs online
Please somebody correct me if I'm wrong....
- ukit0
^ No you're exactly right. I started a thread about this a week ago and people reacted with skepticism, but at least some of the attacks work this way.
In a way, you have to almost admire the deviousness of a scheme like this. On the other hand, when my site got hit I just wanted to break their fuckin kneecaps;D
- meffid0
What AV for osx does everyone use? I've never tried one before.
- acescence0
a lot of stuff I do revolves around .htaccess... limit access to wp-admin via password protection and a specific IP address, or if that's too strict, deny all access directly to wp-admin and provide a mirror via URL rewriting and a "secret" URL. limit direct access to sensitive files, wp-config, anything that gets included rather than accessed directly, any plugin stuff, etc..
I also change the default admin account to something other than "admin", and always install WP into a random directory while serving the site from root, and hide the meta generator tag that identifies your WP version, just to stop the script kiddies that troll for WP installs.
to monitor things, set up a cron job that backs up the database regularly and then diff the backup against the previous to identify things that have changed. this can be less useful if the content, comments, users, etc., change drastically under normal conditions, but it's good to have regular backups you can revert to.
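A concrete version of the cron-job monitoring acescence describes, written as an added example (not code from the thread or from (mt)): it hashes the WordPress tree and diffs it against the last manifest, and diffs the latest mysqldump against the previous one with mysqldump's timestamp comment filtered out so an unchanged database stays quiet. It assumes a Linux host with sha256sum and mysqldump; all paths, the database name and the my.cnf location are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-style integrity check in the
# spirit of acescence's "dump the database and diff it against the previous
# copy" advice, extended to the WordPress files themselves. Assumes Linux with
# sha256sum and mysqldump; every path and database name below is a placeholder.

# Write "hash  path" for every regular file under $1, in a stable order.
build_manifest() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum)
}

# Compare directory $1 against the stored manifest file $2. The first run only
# records a baseline. Returns 1 and lists the differing entries otherwise.
check_files() {
    cur=$(mktemp)
    build_manifest "$1" > "$cur"
    if [ ! -f "$2" ]; then
        mv "$cur" "$2"; echo "baseline written: $2"; return 0
    fi
    if diff -q "$2" "$cur" > /dev/null; then
        rm -f "$cur"; return 0
    fi
    # '<' lines are old hashes (removed/modified), '>' are new (added/modified).
    diff "$2" "$cur" | grep '^[<>]'
    mv "$cur" "$2"
    return 1
}

# Compare two mysqldump files, ignoring the "-- Dump completed on ..." comment
# mysqldump appends, so an unchanged database does not raise a false alarm.
diff_dumps() {
    a=$(mktemp); b=$(mktemp); rc=0
    grep -v '^-- Dump completed' "$1" > "$a"
    grep -v '^-- Dump completed' "$2" > "$b"
    diff "$a" "$b" || rc=1
    rm -f "$a" "$b"
    return $rc
}

# What the nightly cron entry runs (placeholder paths); dated dumps are kept
# so there is always a copy to revert to.
nightly() {
    site=/path/to/wordpress; state=/path/to/backups; db=wp_db   # placeholders
    today=$(date +%F)
    mysqldump --defaults-extra-file="$state/my.cnf" "$db" > "$state/$db-$today.sql"
    check_files "$site" "$state/manifest.sha256" || echo "ALERT: files changed"
    prev=$(ls "$state"/"$db"-*.sql | grep -v "$today" | tail -n 1)
    [ -z "$prev" ] || diff_dumps "$prev" "$state/$db-$today.sql" || echo "ALERT: database changed"
}
```

The file check will be noisy right after a WordPress or plugin upgrade; re-run it once after the upgrade to record the new baseline, then anything that shows up between upgrades is worth a look.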
- ukit0
Could something like this help?
http://wordpress.org/extend/plug…
"Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address."