I say ‘JohnnyA” because that is the new administrator that is added when you find out that your WordPress site has been hacked. MediaTemple says that the hacks have been “site specific” and that they are not the problem. Yet…..almost all the sites have have the same javascript and the same administrator added via hack? I think when they meant “site specific” they meant any site they hosted may have been hacked. Here is their recent comment on the recent issues
During the past week, we have received several reports of WordPress exploits from our customer base. We would like to briefly address this matter and provide some additional information that we have gathered as a result of our research. Primarily, this is not related to any specific service that we offer; rather it appears that an application-level vulnerability was abused in a large-scale manner. There appears to be a large number of users on the net facing a similar attack, and you may have also seen reports of this affecting other hosts. To clarify, this is not exploiting any architectural or system vulnerability.
Here’s how you can tell if you are affected. The following is a list of symptoms that we have observed that are related to this exploit:
An external link to a ‘jquery.min.js’ file in the source for your page (’view source’ in your browser).
This has been noticed as coming from several different domains, but most notably on variations of smartenergymodel.com and gaindirectory.org
Any external link to such a file that you are not aware of may be considered as part of this exploit.
The creation of additional WordPress users.
The prominent usernames are some form of ‘johnnyA’, ‘johhnyB’ or ‘amin’. However, any unfamiliar username is deserving of suspicion and should be investigated.
A malicious warning as presented by Google or any other authority when visiting the site in your browser (all recent browsers have this functionality).
Pharmaceutical links appearing in search queries for your domain.
If you’ve noticed any of these symptoms appear on any of your sites, then you may be affected by this issue.
At this time, we have not been able to identify the entry-point, or source, of this exploit, and without completely removing the afflicted files it is possible for this to reappear. As it stands, it is unclear which files are being created/modified, and while WordPress appears to be the prime target, it is possible for other applications to also be affected. We will be continuing our investigation in this matter, but our best suggestion for recovering from this is a fresh installation of WordPress and then hardening your site against future attack attempts.
“… our best suggestion for recovering from this is a fresh installation of WordPress and then hardening your site against future attack attempts.” MT
Yes, and a fresh Windows installation for those who visited your unsecured website mr. cultra. Meanwhile, it’s great to see you are ‘… going to make a ton of money because of it. DS’.
P.O.S.
Not sure if that was an attack against me or mediatemple so I’ll leave it alone. It was on my site for less that 12 hours and hopefully it didn’t infect anyone. I certainly am not going to make any money off it
Hi Shane-
It appears that you may need a bit more information to understand the scope of vulnerabilities on the internet as a whole. We are more than happy to discuss these with you (and any client) that wants clarification on the impact and function of various security issues on the internet. If you have the time, please email your contact information directly to andrew[at]mediatemple[dot]net and we will contact you ASAP to discuss the matter.
The simple fact is, this hack is related to vulnerabilities within WordPress and/or plugins. It is also possible that a backdoor was planted in your software previously. Think about it this way, when your PC gets a virus, do you blame the computer manufaturer for the vulnerabilities built into the Windows OS?
The simple fact that there are commonalities across the compromised sites indicates that this is a large scale attack being run against websites with similar configurations. If this were a vulnerability unique only to (mt) Media Temple hosted domains, there would be no other reports of simlar hacks against sites hosted on our competitors. However, over the past few months, we have seen a significant increase in WordPress and related PHP application compromises:
Nearly identical hack at Rackspace:
http://blog.sucuri.net/2010/06/mass-attack-of-wordpress-blogs-on-rackspace.html
http://blog.unmaskparasites.com/2010/06/14/attack-on-wordpress-blogs-on-rackspace/
The notorious Pharma Hack:
http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php
We are looking into the possibility of offering a new service to our customers that would help ensure the security of their websites. We don’t like hearing that our customer’s sites are exposed to attack without any chance for resolution. Please help us determine the best way to proceed by filling out this quick survey:
http://mdtm.pl/a3lhQc
I appreciate the response MT. I have and will stick with you as a host because you’ve always taken care of any problems I’ve ever had. I am not as concerned with the problems as much as how they are handled
Not alone. I had all my sites hacked as well by a turkish hacker named RD-Z3RO.
I had all my top domains defaced (joomla, wordpress and plain html sites, not only wordpress, so dont bother please with “hard your wordpress installation”).
The hacker did void the .htaccess and pulled in a index.html, a logo.ong and a flag.jpg file.
I searched thru the entire domains and it seems that nothing else has been touched, except for those strange guys in my wordpress users (johnnyA but others as well).
I spent half an hour to change ALL the passwords (root, ftp’s, emails, databases) and reconfigure them all.
I have to be honest: it seems to be a breach in the server, not in the software. But i am waiting for Mediatemple to clarify.
I have to be honest
Dear Travis of Mediatemple,
i would like to have these clarification too, just because in the support request i opened last night about the issue, the answer from the company was:
Unfortunately scanning your websites for vulnerabilities falls outside the (mt) Media Temple scope of support. For information on working with a hacked or compromised server see our article at http://kb.mediatemple.net/questions/1577.
I was not asking for this, i ask you to tell me if mysites are exposed to a more dangerous type of hacking. A defacement is still a problem we can handle, but having 10-20 sites put down is an isssue. For me, MONEY! Money that i gave you to host my sites. I am sure a small buyer, sure not a big company. So, i don’t deserve explanations?
We have about 40 websites on Media Temple’s Grid Service – a ton of WordPress installs were hacked. We found the malicious code inside jquery js files – encrypted code is added to the top. We are also double-checking our htaccess files for anything else weird. I’m betting they are gaining access via jquery calls or something similiar
too bad they did not even mention this in their knowledge base or give the heads up on the 13th
There’s a WP topic which is directly related to this exploit:
http://wordpress.org/support/topic/421834
So far, I’ve found the malicious code in footer.php and archive.php
mt could provide a little more assistance by scanning the server’s php files are removing the malicious code as we learn more about the WP vulnerability.
Solving the problem is not so simple because the exploit may involve MySQL account access.
There goes my Saturday.