Dear Media temple, why do I keep getting hacked?

I have been running my two blogs on Media Temple for quite some time. Recently they have been getting hacked. Very frequently. My hosting provider is Media Temple, and I can’t say I am very happy with them right now. I am hesitant to say that the hacks are all Media Temple’s fault, but at least one of them was (they admitted it), and they aren’t giving me any evidence that this has been as pervasive as they say.

This is the fourth time they have gone down in under a year, and the second time in less than a month. I want to believe that it is not specifically Media Temple’s fault, but if that is the case, then (even worse) I am just really disappointed in WordPress as a platform.

I have done most of the things listed in order to harden your WordPress install, and I am having a really tough time believing that even 10% of the existing WordPress installs out there are (a) jumping through those hoops and (b) still getting hacked.

As I write this, it seems that media temple’s server is down and I am unable to log in. They are also having an emergency staff meeting so all twitter customer service people are offline. That’s not a good sign.

I really want to believe that MT is a good host. They provide really good Twitter service, and they usually help me get my hacks cleaned up in a reasonable amount of time. The problem is that I’m not seeing any evidence of a broad WordPress compromise. I’m not talking about people running outdated versions. I’m talking “fresh from the factory with several security-focused plugins and lots of time spent under the hood tweaking things” boxes getting compromised. I would love for them to prove me wrong. The sad thing is that this is the second time I have been hacked and frustrated enough with Media Temple to post about it, and the first time they only did just enough damage control to keep people from losing it.

So, in my usual way I ask you, the faceless internet: have you ever been hacked? Recently? Who is your host? What do you recommend for WP hardening? Do you have any good hosts to recommend? Can you explain any of this?

I await your responses with bated breath.

Here is one security site where they seem to be thinking in the same direction, and this was in response to last month’s hacks!
http://blog.unmaskparasites.com/2010/08/08/malicious-ads-and-bars-on-rackspace-mediatemple/

And here is a media temple page that they sent out while this was being written.
http://weblog.mediatemple.net/weblog/2010/08/06/security-facts/
And another
http://wiki.mediatemple.net/w/%28mt%29_Security_Resources
It’s almost laughable that this is their only response. Did this many people really ALL have the same incorrect permission settings?

UPDATE – (One day later) I spoke with one of the techs on the phone yesterday and he helped explain one possibility as to why the most recent hack happened. It seems that the hackers had hidden a malicious php file somewhere that served as a backdoor. I really appreciate the time he spent looking into it, and the time he spent explaining it to me. It still doesn’t explain what vector they used for the initial hack, or why it seems to be only targeting media temple and rackspace users. I am always really happy with the great customer service that MT provides. I just wish it wasn’t always after I have been “mysteriously” hacked.

ALSO, unmaskparasites has put up an analysis of the most recent round of media temple attacks, and doesn’t have anything good to say about them. If media temple has a reasonable excuse, now would be the time to tell it to us…

3 Responses to Dear Media temple, why do I keep getting hacked?

  1. Hi there. I wanted to drop by and address some of the concerns that you bring up here. It seems as though you feel left in the dark with what (mt) Media Temple is doing to address these security issues. I can understand. There are so many moving pieces in this puzzle sometimes I get lost myself. Let me try and clear a few things up for you.

    Right now we have found no signs that the attack is originating from this end. That does not mean that we’re resting on our laurels and taking this any less seriously. Many MAJOR changes are being worked on to vastly improve security for our users — even if they run vulnerable code.

    Here’s a few things to keep in mind:

    1) PHP running on a single server, on the grid, has the ability to access files on that same server. So, if there’s a compromise on a single script or file, the hacker can access the rest of your files.

    2) Securing your site is a multi-step process, meaning that it’s the customer’s responsibility to run secure code and it’s our responsibility to keep him safe from the back end.

    3) We have NOT seen people get re-compromised from this recent wave of attacks.

    To address item #1 please read over and use the following:

    http://wiki.mediatemple.net/w/Securing_PHP_on_the_%28gs%29_Grid-Service

    This does a few things:

    1) It prevents sites on your server from accessing one another, so it isolates a hacked domain

    2) It prevents PHP commands like exec, shell_exec, passthru, popen, and system from being run, which effectively allow a PHP script to run arbitrary code as the primary user.

    It’s not 100% foolproof, but coupling that with the BIG steps (i.e. upgrading ALL software, changing ALL passwords, scanning for viruses, etc.) should be a huge step towards security.

    To address #2; What is (mt) doing in the back-end to help customers:

    1) Disabling insecure PHP functions.

    2) Upgrading PHP.

    3) Work on giving customers the ability to streamline security by removing write access.

    4) Continue internal forensic security auditing.

    5) Added new protective infrastructure to various layers.

    6) Scanners/scrubbers that search for known variations of malicious code and remove them.

    I hope this provides some explanation and answers your questions. If you have any other questions, please let me know by emailing me at: travis (at) mediatemple (dot) net.

  2. Over 30 of my sites have been hacked yet again at Media Temple. This time it’s the PE*.php files getting dropped in (happened Dec 10, 2010), and major edits to htaccess files throughout my server. When this first happened to me this past summer I thought it must be a WordPress issue since that’s what MT told us. Then it happened a couple more times over the next month. This last time I’m going through every site, checking htaccess files, etc., and noticed that it’s happening even on sites that are simply an HTML file and an image – no htaccess, no database, no PHP. This is getting ridiculous, and the fact that MT still says they can’t find anything on their end is getting really annoying. How come these kinds of widespread attacks aren’t happening on my customers that use other hosts?

  3. Also:

    Their “scanners” have found viruses and backed them up each month since this started happening… August, Sept, Oct, Nov and now Dec. Sometimes php files are dropped in Img folders, css folders, etc. Sometimes they look like “Moo Tools” or “Jquery” scripts that have just been placed there.

    I love media temple but I may have to move a ton of clients to a different server that isn’t as vulnerable as MT
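The thread above touches two practical things a site owner on shared hosting can actually check: whether the PHP configuration really disables the shell-spawning functions Travis lists (exec, shell_exec, passthru, popen, system), and whether a web root contains the artefacts the later commenters describe (PE*.php files dropped into img/css folders, PHP hiding under a jQuery or MooTools file name, and rewritten .htaccess files). The script below is an added example written for this page; it is not code from the post, from the commenters, or from Media Temple. The indicator lists, the "PE*.php" name rule, the open_basedir line in the hardened config, and the sample site it builds are all constructed assumptions drawn from the comments, not real malware or real (mt) settings.

```python
"""Audit a shared-hosting web root for the symptoms described in the thread.

Added example, not code from the post or from Media Temple. Two checks:
(1) unprotected_functions(): which shell-spawning functions a php.ini or
.user.ini text still leaves enabled; (2) scan_tree(): PHP dropped into
asset folders, PHP hiding under a .js/.css name, known backdoor constructs,
and .htaccess search-engine redirects. build_sample_site() writes a
constructed sample tree (assumption: layout mirrors the commenters' reports).
"""
import re
import tempfile
from pathlib import Path

# Functions that let a PHP script run arbitrary commands as the site user
SHELL_FUNCTIONS = {"exec", "shell_exec", "passthru", "popen", "system", "proc_open"}

# Folders in which a .php file has no legitimate business (assumption)
ASSET_DIRS = {"img", "images", "css", "js", "fonts", "uploads"}

# Constructs typical of obfuscated PHP backdoors (assumed indicators)
BACKDOOR_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"\b(exec|shell_exec|passthru|system|popen)\s*\(\s*\$_(GET|POST|REQUEST)"),
]

# .htaccess directives that redirect only visitors arriving from search engines
HTACCESS_PATTERNS = [
    re.compile(rb"RewriteCond\s+%\{HTTP_REFERER\}.*(google|bing|yahoo)", re.I),
    re.compile(rb"(RewriteRule|ErrorDocument)\s+.*\bhttps?://", re.I),
]


def unprotected_functions(ini_text):
    """Return (sorted) the shell functions a php.ini-style text leaves enabled."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ini comments
        if line.lower().startswith("disable_functions") and "=" in line:
            value = line.split("=", 1)[1]
            disabled |= {f.strip() for f in value.split(",") if f.strip()}
    return sorted(SHELL_FUNCTIONS - disabled)


def scan_tree(root):
    """Map each suspicious path (relative, POSIX form) to its list of reasons."""
    root = Path(root)
    findings = {}

    def flag(path, reason):
        findings.setdefault(path.relative_to(root).as_posix(), []).append(reason)

    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if path.name == ".htaccess":
            if any(p.search(data) for p in HTACCESS_PATTERNS):
                flag(path, "htaccess-redirect")
        elif path.suffix.lower() not in (".php", ".php5", ".phtml"):
            if b"<?php" in data:                      # PHP hiding under a .js/.css name
                flag(path, "php-in-non-php-file")
        else:
            if re.fullmatch(r"PE\w*\.php", path.name):  # the commenter's "PE*.php" drops
                flag(path, "suspicious-name")
            if path.parent.name.lower() in ASSET_DIRS:
                flag(path, "php-in-asset-dir")
            if any(p.search(data) for p in BACKDOOR_PATTERNS):
                flag(path, "backdoor-pattern")
    return findings


def build_sample_site():
    """Constructed sample web root reproducing the reported symptoms (not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    (root / "index.html").write_text("<html><body>hello</body></html>")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');")
    (root / "img").mkdir()
    (root / "img" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (root / "img" / "PE7.php").write_text("<?php eval(base64_decode($_POST['x']));")
    (root / "js").mkdir()
    (root / "js" / "jquery.min.js").write_text("(function(){})();")
    (root / "js" / "mootools-core.js").write_text("<?php system($_GET['c']);")
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} google\\.com [NC]\n"
        "RewriteRule .* http://example.invalid/ [R,L]\n")
    return root


# Weak config beside a hardened one (open_basedir path is a placeholder assumption)
WEAK_INI = "memory_limit = 128M\n"
HARDENED_INI = ("memory_limit = 128M\n"
                "disable_functions = exec,shell_exec,passthru,popen,system,proc_open\n"
                "open_basedir = /home/user/sites/example.com/:/tmp/\n")

if __name__ == "__main__":
    print("still enabled (weak ini):", unprotected_functions(WEAK_INI))
    print("still enabled (hardened ini):", unprotected_functions(HARDENED_INI))
    for rel, reasons in sorted(scan_tree(build_sample_site()).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it as-is to see the constructed site flagged, or point scan_tree() at a real document root. Note that disable_functions only stops a script from spawning a shell; it does nothing against a backdoor that reads and writes files directly, which is why the file-system sweep and the per-site isolation (open_basedir or an equivalent) matter as much as the function blacklist.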