
Thread: Webhosting Companies And Security Related Attacks

  1. #1
    frankfarmer (Hello World), joined Mar 2010, 6 posts

    Webhosting Companies And Security Related Attacks

    Hey guys,

    On Sunday, my Media Temple hosted WordPress blog was compromised. A user brought this to my attention on Monday, and I did some further research this morning. Turns out there are a large number of compromised blogs, and the vast majority of the ones I found were hosted on Media Temple as well. The blogs in question have had WP versions anywhere from 2.8 to 2.9.2 -- the latest.

    I found Vinh Pham via his github gist post, and he directed me to his blog post, which has some technical details:

    http://vinhboy.com/blog/2010/03/01/w...-by-inii-info/

    We exchanged a few emails, and discovered that there were easily dozens of sites affected by this attack -- the further we dug, the more sites we found. Here are a few examples:

    http://www.google.com/search?sourcei....id.au+zpu.php
    http://www.google.com/search?sourcei....com+yriji.php
    http://www.google.com/search?sourcei...er.com+ypi.php
    http://www.google.com/search?sourcei...ui.com+ypy.php
    http://www.google.com/search?sourcei...l.de+yzidu.php
    http://www.google.com/search?sourcei...ate.de+zmy.php
    http://www.google.com/search?sourcei...ger.de+xza.php
    http://www.google.com/search?sourcei....com+yguco.php
    http://www.google.com/search?sourcei...ple.de+ynu.php
    http://www.google.com/search?sourcei...a.de+xnosi.php
    http://www.google.com/search?sourcei...e.de+xdyvi.php

    The script operates in 3 modes:
    1. To google's web spiders, it presents as a link farm, linking to other infected sites
    2. To people visiting the links directly, it redirects to a CNN RSS feed, in an attempt to cloak itself
    3. If you click through to any of the URLs from a search engine, it redirects you to a malware site, which tries to get you to download a fake antivirus app.

    I still don't know the exact flaw that allows this attack to work in the first place.

    I posted on this topic to the forums at wordpress.org. The post was deleted after about 20 minutes. I can only hope that they're doing their own investigation and will release a 2.9.3 security patch ASAP. We've also submitted a tech support ticket with Media Temple, since they appear to have been hit hard, at first glance.

    I want to get the word out so that any affected WP admins can identify any infections that may have occurred.

    Thanks,
    Frank Farmer



    Update Mar 5th: The original file I identified and deleted on Monday was recreated sometime between then and now, and I discovered two more files related to the attack. Details here
    Last edited by frankfarmer; 03-05-2010 at 01:56 PM. Reason: update with new info
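    The three-way behaviour described in this post can be checked from the defender's side by requesting the suspect URL under three profiles (a search-spider User-Agent, a plain direct visit, and a visit carrying a search-engine Referer) with redirects not followed, and comparing the answers. The following is an added example, not code from the post or from Vinh Pham's write-up; the response data is constructed inline and every hostname is a placeholder.

```python
import re
from urllib.parse import urlparse

def links_in(body):
    """Absolute http(s) links in an HTML body."""
    return re.findall(r'href=["\'](https?://[^"\']+)', body, re.I)

def classify(url, responses):
    """responses maps each profile ("spider", "direct", "search_referred") to
    {"status": int, "location": redirect target or None, "body": str}, as
    recorded when fetching url with redirects disabled.
    Returns a list of cloaking indicators; an empty list means nothing suspicious."""
    host = urlparse(url).netloc.lower()
    findings = []
    spider = responses["spider"]
    external = {urlparse(l).netloc.lower() for l in links_in(spider["body"])}
    external.discard(host)
    # Mode 1: the spider gets a page that is mostly links to other hosts (link farm).
    if spider["status"] == 200 and len(external) >= 5:
        findings.append("spider sees link farm: %d external hosts" % len(external))
    # Modes 2 and 3: human visitors are bounced off-site instead of seeing content.
    for profile in ("direct", "search_referred"):
        r = responses[profile]
        if r["status"] in (301, 302, 303, 307) and r.get("location"):
            target = urlparse(r["location"]).netloc.lower()
            if target and target != host:
                findings.append("%s visitor redirected off-site to %s" % (profile, target))
    # The redirect target changing with the Referer is the cloaking signature itself.
    direct, referred = responses["direct"], responses["search_referred"]
    if direct.get("location") and referred.get("location") \
            and direct["location"] != referred["location"]:
        findings.append("redirect target depends on Referer: classic cloaking")
    return findings

# Constructed sample: one of the dropped-in scripts (file name style taken from
# the thread; all hosts are placeholders, not real sites).
SAMPLE_URL = "http://compromised-blog.invalid/zpu.php"
SAMPLE = {
    "spider": {"status": 200, "location": None,
               "body": " ".join('<a href="http://farm%d.invalid/y%d.php">x</a>' % (i, i)
                                for i in range(8))},
    # placeholder standing in for the CNN RSS feed the post mentions
    "direct": {"status": 302, "location": "http://news-feed.invalid/top.rss", "body": ""},
    "search_referred": {"status": 302, "location": "http://fake-av.invalid/scan.php", "body": ""},
}

if __name__ == "__main__":
    for finding in classify(SAMPLE_URL, SAMPLE) or ["no cloaking indicators"]:
        print(finding)
```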

  2. #2
    chriscoyier (Hello World), joined Feb 2010, 1 post

    This sounds a lot like the last big Media Temple security breach to me. So the question is, is this a holdout from that same problem, or is it new? And if it's new, is it a WordPress problem? A Media Temple problem? Or an improper server setup problem on the sides of individual users?

  3. #3
    ozh (Hello World), joined Apr 2009, 4 posts

    Checked a few sites and it appears they're all hosted by Mediatemple, so.... :)

  4. #4
    frankfarmer (Hello World), joined Mar 2010, 6 posts

    Vinh Pham said he found a few non-Media Temple sites.

  5. #5
    Jeffro (WPTavern Forum Admin), Ohio, joined Jan 2009, 2,107 posts

    We shouldn't panic. It seems like a combination of things taking place here that might not be strictly tied to the WordPress software itself. If that were the case, WPTavern.com should be hacked as well as a ton of other notable sites.

    Seems like there has to be a host issue, probably with folder permissions allowing the upload of files?

  6. #6
    andrea_r (WPTavern Forum Moderator), Eastern Canada, joined Jan 2009, 1,279 posts

    On the compromised sites, the hack isn't visible when viewing the source of the page, so this makes me think it's the server itself.

    You can have WP hardened within an inch of its life, but if the box is wide open (and yes, there are really dumb sys admins out there... I have examples) then once someone gets in they can do what they like, secured software or not.

  7. #7
    Scott D @mediatemple (Hello World), joined Nov 2009, 4 posts

    frankfarmer, We are investigating the issue and unfortunately I do not have anything definitive to share right now. I assure you we take security related incidents very seriously. More info to come.

  8. #8
    Jeffro (WPTavern Forum Admin), Ohio, joined Jan 2009, 2,107 posts

    Hey Scott, thanks for joining in the discussion. Just note that we are not bashing MediaTemple or the sorts but have noticed a lot of compromised sites being hosted by MediaTemple. I hope we can help you find a cause and solution to this attack.

  9. #9
    Scott D @mediatemple (Hello World), joined Nov 2009, 4 posts

    Quote, originally posted by chriscoyier:
    > This sounds a lot like the last big Media Temple security breach to me. So the question is, is this a holdout from that same problem, or is it new? And if it's new, is it a WordPress problem? A Media Temple problem? Or an improper server setup problem on the sides of individual users?
    Chris, I don't have information to share with you now, but you can expect us to be transparent once it's gathered.

  10. #10
    Scott D @mediatemple (Hello World), joined Nov 2009, 4 posts

    Quote, originally posted by Jeffro:
    > Hey Scott, thanks for joining in the discussion. Just note that we are not bashing MediaTemple or the sorts but have noticed a lot of compromised sites being hosted by MediaTemple. I hope we can help you find a cause and solution to this attack.
    Jeffro, I realize security related issues can cause a lot of discussion, rightfully so. I just want everyone to know that we are listening, we care, and that we will be transparent with what we find. Thank you for allowing the discussion to take place here. I'll keep you posted.
