This post helped me find the obfuscated script in my WordPress installation. It was hidden in my theme footer.php file. I am also hosted on MT. They were not at all helpful and were very defensive. The file permissions on footer.php were 644. The modification date was not even altered – it matched the same date as the other theme files.
[…] This post was mentioned on Twitter by John Talaguit and Howard Fuhs, Open Foundstone. Open Foundstone said: Malicious “ads” and “bars” on RackSpace & MediaTemple: Right before this week-end I noticed an increased number of… http://bit.ly/96D0c2 […]
Kudos on this article!
Nice summary and mirrors my experience as well.
Though at least in my experience I’m not so sure about the stolen mysql credentials. That does not mirror my experience.
All of the sites I repaired for clients recently were fairly obvious WordPress hacks, where the hacker was able to upload a file-manager-like PHP script, then from there do whatever they wished to any file within the client’s file space.
I do squarely point the finger at WordPress and plugin security though – and not the web host.
Though here is the big caveat.
Many web hosts are promoting multi-account open file structure type hosting.
Media Temple cloud, Rackspace cloud and some shared hosts like Hostgator and Bluehost have been promoting this thing called “unlimited domains hosting” for some time, in hopes of grabbing clients from more secure and segregated hosting arrangements.
note: In cPanel this is sometimes referred to as an “Addon domain.”
People are basically trading cheap or slightly easier multi-domain hosting for security in this arrangement, by setting up all of their websites within the same file space (a very short-sighted setup IMHO).
This is really very alarming, particularly given the open non-proprietary nature of WordPress and Joomla, where plugins and components are so easy to install, and script security is virtually non-existent (at least in a standardized sense).
I’ll use Media Temple as an example, though this same scenario may apply to any of the open file structure hosts mentioned above. With a Media Temple account you may set up all of your websites under the same “cloud” account. The control panel makes this easy enough to set up… So client moves all his 20 websites over to the new “cloud” account, sets up his WordPress blogs nicely and wanders off to do business in the real world.
Mr. Hacker comes along, finds a tasty WordPress blog with an obviously exploitable plugin, and uploads his “single” file manager script (r57, c99 or other commonly available shell scripts). He now owns all of client’s 20 websites and proceeds to demonstrate “ownage” with less than five minutes effort.
I had this same situation occur, where client had 20 websites set up with the same file space. When I saw this I basically freaked – and made it very clear how insecure this arrangement actually can be. I quickly demonstrated this for client over the phone by appending a word to every one of his index pages for every one of his web sites using a single command (that was an eye-opener for client to say the least).
Effectively client traded ease of setup for security.
And as a result, ONE of his websites was hacked. Hacker then ran one command, simultaneously appending the …hack.. text to the index.html file of all of client’s 20 websites sharing the same file space.
Hopefully, folks will begin to understand soon how very naive this particular hosting setup can be…
As for changing WordPress wp-config.php or Joomla configuration.php file permissions to 600 or even 400: you might be onto something here, though I have to wonder whether it’s worth the effort since in the majority of hacks I’ve seen the actual process used was either through FTP (stolen password), or the uploading of file manager (root shell) scripts through exploitable plugins or older WP installations.
I also suspect that hackers could use a web shell for these hacks. The question is how they managed to upload it to so many user accounts.
I doubt it was via FTP (I wrote about it in the article).
I doubt it’s a WordPress vulnerability (also in the article). If the latest version of WP is vulnerable why only target blogs on MT & RS?
I see a few scenarios (I don’t have proofs though):
1. World-writable directories: e.g. /tmp (via file inclusion) or “wp-content/uploads” (some people make it world-writable). However, since MT & RS don’t require 777 permissions for file uploads, I don’t think many webmasters would specifically change the permission.
2. Access to database -> access to a web app -> access to file system.
I hope to gather more evidence to make more well-founded conclusions.
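The two permission questions raised in this thread (whether wp-config.php / configuration.php should be 600 or 400, and whether a world-writable directory such as wp-content/uploads is what gives an attacker a place to drop files) can both be checked with one walk over the web root. The following is an added example, not code from the blog or from any host mentioned here; it builds a constructed sample tree in a temporary directory (the file names and modes are made up to reproduce the situations described above) and reports directories or files that are writable by "others" and config files that are readable by anyone but the owner.

```python
import os
import stat
import tempfile
from pathlib import Path

# Files that hold database credentials; nothing but the owner (and PHP running as the owner)
# needs to read them, so group/other read bits are reported.
SENSITIVE_FILES = {"wp-config.php", "configuration.php"}


def audit_permissions(root):
    """Walk a web root and return sorted (relative path, octal mode, reason) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((os.path.relpath(p, root), oct(mode), "world-writable directory"))
        for name in filenames:
            p = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            rel = os.path.relpath(p, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable file"))
            if name in SENSITIVE_FILES and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, oct(mode), "config readable by group/others; expect 0600 or 0400"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample web root (not real data): a 777 uploads directory and a 644 wp-config.php."""
    root = tempfile.mkdtemp(prefix="webroot-")  # mkdtemp creates the root itself as 0700
    uploads = Path(root, "wp-content", "uploads")
    themes = Path(root, "wp-content", "themes")
    uploads.mkdir(parents=True)
    themes.mkdir(parents=True)
    Path(root, "wp-config.php").write_text("<?php define('DB_PASSWORD', 'placeholder'); ?>\n")
    Path(root, "index.php").write_text("<?php echo 'ok'; ?>\n")
    # Set every mode explicitly so the result does not depend on the process umask.
    os.chmod(Path(root, "wp-content"), 0o755)
    os.chmod(themes, 0o755)
    os.chmod(uploads, 0o777)          # the risky setting discussed in the thread
    os.chmod(Path(root, "wp-config.php"), 0o644)  # world-readable DB credentials
    os.chmod(Path(root, "index.php"), 0o644)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, mode, reason in audit_permissions(sample_root):
        print(f"{mode} {rel}: {reason}")
```

Run against a real document root the script only reads metadata and changes nothing; the two lines it prints for the sample tree are the 0o777 uploads directory and the 0o644 wp-config.php. Whether 0400 is usable in practice depends on whether PHP runs as the file owner (as it does under suPHP/FastCGI-per-user setups) or as a shared web-server user, which is why the thread's commenters disagree on its value.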
Very unusual. We got two types of attacks on our over 12 websites hosted on a (gs) on Media Temple. The attack referred to in this post managed its way onto Drupal sites, WordPress sites, but also plain static content HTML and Flash (it was common to find the code on top of the AC_RunActiveContent.js file used for Flash content). Rare thing, an undocumented attack was also found. The hacker was able to CREATE four-letter PHP files (faro.php, oryx.php, vuln.php, to cite a few) on every domain in random folders. Even domain folders that were empty (placeholders). This just makes me think as if the hacker had an FTP account! Worst of all, even though all was cleaned (not without a couple of blacklists) it just seems we must sit and wait for the next attack!
I too have seen the same variety of attacks that you listed across 8+ sites that are all hosted on my MT (gs) account.
Most of these sites have static content. Only 2 of them actually have WordPress running, and both had code in their footer.php files as well as code injected between heading tags in posts on their homepages. The method of injecting the malicious code seems to change every time.
Today I just got notice from Google that a site that only has an index.html file is compromised.
After I first discovered that my sites were being compromised, I changed every password on my account (account center, server admin, every ftp / email password, database passwords) because I believed that one of my computers had been infected with a trojan (a support page that MT posted about a month ago led me to believe this). I feel that effort was completely wasted, as my sites are being hacked every couple of days/weeks no matter what measures I’ve put in place.
I’ve also seen MT putting up clean copies of compromised js files with .xxx appended to the ends of the filenames. They’ve also added themselves as site owners of my hacked sites through Google Webmaster tools, so they’re getting the malware notices about these sites at the same time I am.
Because I don’t have time to keep dealing with these same issues, I’m moving all of my sites away from MT. I’ve been a customer for almost 4 years and the lack of communication, information and resolution to this problem is bizarre to me.
I help run a quite large, and busy website, hosted on Rackspace Cloudsites. I’ve gotten proof (with a partial FTP xferlog) in the last 24 hours that problems on our site are being caused by someone FTPing into our file-space, downloading a number of files (the same ones on a regular basis) and then within 1 second of each downloaded file, uploading larger versions of them. PHP files, including index.php have an “eval(base64())” based script prefixing the regular content, .html files get a script tag.
After previous, similar issues, we’d already changed our password to a generated/randomised one. We are changing it again.
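Several commenters describe the same two symptoms: an `eval(base64_decode(...))` block prepended to PHP files (footer.php, index.php) and a `<script>` tag inserted into static HTML or .js files, sometimes with the file's modification date left untouched. The following is an added example, not code from the blog or from the commenters; it shows why a content hash baseline is the reliable way to spot such edits (mtime can be restored, the hash cannot) and adds a pattern scan for the two indicators. The site tree, the allow-list of script hosts and the `malicious.invalid` host are all constructed for the demonstration; the "tampering" step writes a harmless base64-encoded `echo` so the detection has something to find.

```python
import base64
import hashlib
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Indicator 1: eval(base64_decode(...)), optionally wrapped in gzinflate, near the top of a PHP file.
EVAL_B64 = re.compile(rb"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.I)
# Indicator 2: a <script src=...> whose host is not one the site is known to use.
SCRIPT_SRC = re.compile(rb"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Assumption: per-site allow-list of legitimate script hosts (placeholder values).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "ajax.googleapis.com"}
TEXT_EXTS = {".php", ".html", ".htm", ".js"}


def hash_tree(root):
    """Map relative path -> sha256 of content for every file under root (the baseline)."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath, name)
            hashes[os.path.relpath(p, root)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def changed_files(root, baseline):
    """Files whose hash differs from the baseline or which the baseline never saw."""
    return sorted(rel for rel, h in hash_tree(root).items() if baseline.get(rel) != h)


def scan_content(root):
    """Pattern scan over text files; returns sorted (relative path, reason) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath, name)
            ext = p.suffix.lower()
            if ext not in TEXT_EXTS:
                continue
            data = p.read_bytes()
            rel = os.path.relpath(p, root)
            if ext == ".php" and EVAL_B64.search(data[:4096]):
                findings.append((rel, "eval(base64_decode()) in first 4 KiB of PHP file"))
            for m in SCRIPT_SRC.finditer(data):
                host = urlparse(m.group(1).decode("latin-1")).hostname or ""
                if host and host not in ALLOWED_SCRIPT_HOSTS:
                    findings.append((rel, f"script loaded from unexpected host {host}"))
    return sorted(findings)


def build_sample_site():
    """Constructed clean site (not real data): one theme footer and one static index page."""
    root = tempfile.mkdtemp(prefix="site-")
    theme = Path(root, "wp-content", "themes", "sample")
    theme.mkdir(parents=True)
    Path(theme, "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
    Path(root, "index.html").write_text(
        '<html><head><script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js">'
        "</script></head><body>Hello</body></html>\n")
    return root


def simulate_tampering(root):
    """Model what the commenters saw, with harmless constructed content: code prepended to footer.php,
    a script tag added before </body> in index.html, and each file's atime/mtime put back afterwards."""
    footer = Path(root, "wp-content", "themes", "sample", "footer.php")
    index = Path(root, "index.html")
    payload = base64.b64encode(b"echo 'constructed sample';")
    edits = (
        (footer, b"<?php eval(base64_decode('" + payload + b"')); ?>\n", "prepend"),
        (index, b'<script src="http://malicious.invalid/x.js"></script>', "before_body_end"),
    )
    for p, injected, how in edits:
        st = p.stat()
        data = p.read_bytes()
        if how == "prepend":
            p.write_bytes(injected + data)
        else:
            p.write_bytes(data.replace(b"</body>", injected + b"</body>"))
        # mtime can be restored from userspace; ctime cannot, and the hash will differ regardless.
        os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))


def run_demo():
    """Baseline the clean site, tamper with it, then compare hash diff against the untouched mtime."""
    root = build_sample_site()
    footer = Path(root, "wp-content", "themes", "sample", "footer.php")
    mtime_before = footer.stat().st_mtime_ns
    baseline = hash_tree(root)
    simulate_tampering(root)
    return {
        "changed": changed_files(root, baseline),
        "findings": scan_content(root),
        "mtime_preserved": footer.stat().st_mtime_ns == mtime_before,
    }


if __name__ == "__main__":
    result = run_demo()
    print("mtime unchanged:", result["mtime_preserved"])
    print("changed since baseline:", result["changed"])
    for rel, reason in result["findings"]:
        print(f"{rel}: {reason}")
```

The baseline should be taken from a known-clean copy (a fresh download of the theme or a verified backup) and stored off the host, since anything writable from the compromised account can be edited along with the files it is meant to protect. The pattern scan is a supplement: `eval(base64_decode())` also appears in a few legitimate plugins and themes, so a hit is a file to read, not proof by itself.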
[…] This post was mentioned on Twitter by Denis, The Doctor. The Doctor said: RT @unmaskparasites: Some info about hacked sites with PE*.php files in root dirsectories: http://bit.ly/h9BoEN & http://bit.ly/hYosgJ […]
About this blog
Occasional posts from the developer of Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.