Yes. Mostly on MediaTemple sites. These all appeared to have been uploaded via FTP in the logs that we had access to.
One other note is that on the MediaTemple sites, the file and folder permissions were all changed. Or, I should say, were all wrong. We monitor file and folder permissions and all of the MediaTemple sites infected in this round had their permissions changed to 777 on folders.
I know you’ve blogged about file and folder permissions so if anyone has been infected by these recent attacks, they should check all of their file and folder permissions.
One thing we’ve been testing is not allowing execution rights on the images folder. As you know, the gifimg.php is usually found in the images folder. However, when you take away the execute right, it appears to block that from working.
A small step, but every little bit (no pun intended) helps.
I’m a bit confused. Are we talking about the same hacks?
I can hardly imagine such a massive attack limited to certain hosting services can use stolen FTP passwords (unless they are stolen from a central database, and according to MT they have “removed all use of “plain-text” passwords across the (mt) service architecture”)
And that gifimg.php hack doesn’t seem to be connected to this case. (Of course, some MT clients are affected by Gumblar, but not a thousand in a single day)
Yes I believe we’re talking about the same hacks. In many of the cases we’ve seen, the shell scripts were uploaded via FTP according to the logs.
We’re still trying to figure out how the hackers got the FTP credentials. But we did see the original files, often times id.txt or id1.txt, fun.txt, etc. were uploaded via FTP and then renamed after that.
But these were on MT sites and they were the “this.b=this.M” or “var st1” infections.
I was just using the gifimg.php as an example of setting the non-execute rights on a folder. I should have left that out totally from my post. Sorry.
Wait, really? Because if you’re right and these injections really did occur via FTP, it sure looks like MT’s security *has* been compromised, and that this *is* a MediaTemple problem and not a lax webmaster problem.
Was MT’s database of username/passwords accessed illegitimately?
How could so many sites on the same host suffer simultaneously from an FTP-based attack, without some centralized password database being compromised?
I did some preliminary poking around, and on the gridserver that they are using, I must say, it didn’t feel exactly ‘hardened’ to me. I’m used to shared environments where I’m restricted to my home directory on down, but if I ssh into my account, I can easily traverse around the whole tree. In fact there seem to be a *lot* of wide open permissions; additionally there are several examples of setuid scripts that I can execute but probably don’t need to (ever heard of jailshell, MT?). I know enough to know this looks fishy, but not enough to see how a MT customer could root their shared box, but since these gridservers probably have to mount all the filesystems, root on one box is probably good enough to get to a whole host of magic.
There’s open access to /var/tmp which houses a bunch of logs that might reveal vulnerabilities. The apache conf files, while protected from my prying eyes, also happened to be under git version control, and I could certainly look at the git logs to see some of the changes made.
This sounds like mediatemple needs to stop sending people to their howto for security until they get their own shit straight.
After 3+ years with Media Temple, I’m moving all of my clients (over 60) off and shutting down my account. After the 4-day downtime in May 2009, I stuck around because they gave me a year for free, but if you add up all the hours I’ve spent cleaning up infected files and multiply it by even half my hourly rate, I’m several thousand dollars behind.
Add to that the ill will it’s created among my clients, and their diminished confidence in the security and stability of the sites I host for them, and it’s just no longer worth it. I can’t recommend strongly enough that you find another host.
Right now, if Media Temple wanted to keep me as a client, they’d have to deposit $5,000 in my bank account – to cover what they’ve already cost me in lost hours over the past year, plus what I anticipate they would cost me in future losses if I remained their customer.
But that’s just putting numbers to losses. There’s no way I’m staying with them, because I’m at the point now where, if my customers have many more problems like this, I might have to shut my doors as well, and a $40/mo web host service just ain’t worth it.
[…] a quick bit of Googling landed me at the Unmask Parasites Blog where the post, Pqshow .org Scripts – New Plague On MediaTemple Sites, explained what to look for and how to help protect against further […]
There’s something else going on in addition to all these script injections.
Folders are being created, mainly inside the “images” folder (or if you don’t already have one, one is created).
The folders have names that are random-looking letters, for example: boxoa… fuvesa… pupado…
Inside these folders are index.php files, all identical, full of CURL commands. I haven’t examined them closely, but at a glance they look identical or very similar to the PHP that’s being injected at the head of some scripts.
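An added defender-side check, not part of any comment in this thread, that looks for the two symptoms described here and in the earlier comment about permissions: directories chmod’d to 777 and PHP files dropped under an “images” directory, with identical droppers grouped by content hash. The sample tree it builds (folder names, file contents) is constructed for the demonstration, not real infection data.

```shell
#!/bin/sh
# Scan a web root for world-writable (777-style) directories and for PHP files
# that have no business sitting beneath an "images" directory.

# Print every directory under $1 that is writable by "other" (e.g. mode 777).
find_world_writable_dirs() {
    find "$1" -type d -perm -o+w | sort
}

# Print every .php file found anywhere beneath a directory named "images" under $1.
find_php_in_images() {
    find "$1" -type d -name images -exec find {} -type f -name '*.php' \; | sort
}

# Print "checksum<TAB>path" for each such PHP file so identical droppers line up
# when sorted; cksum is POSIX, swap in sha256sum where available.
hash_php_in_images() {
    find_php_in_images "$1" | while IFS= read -r f; do
        sum=$(cksum < "$f" | cut -d' ' -f1)
        printf '%s\t%s\n' "$sum" "$f"
    done
}

# Build a constructed sample tree (hypothetical paths, not real data) and print
# its root: two random-named folders under images holding identical index.php
# files, one of them and wp-content/uploads left world-writable.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site/images/boxoa" "$root/site/images/fuvesa" "$root/site/wp-content/uploads"
    printf '<?php /* constructed sample dropper */ ?>\n' > "$root/site/images/boxoa/index.php"
    printf '<?php /* constructed sample dropper */ ?>\n' > "$root/site/images/fuvesa/index.php"
    printf 'GIF89a' > "$root/site/images/logo.gif"
    chmod 755 "$root/site" "$root/site/images" "$root/site/images/fuvesa" "$root/site/wp-content"
    chmod 777 "$root/site/images/boxoa" "$root/site/wp-content/uploads"
    printf '%s\n' "$root"
}
```

Point the three functions at a real document root instead of the sample tree; any line from the first two is something to investigate, and repeated checksums in the third mark copies of the same dropped file.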
Another thing that occurs to me…
In the beginning of this rash of infections, a lot of attention was given to the idea that this was a WordPress vulnerability that was being exploited.
Obviously if it were *purely* a WP exploit, we wouldn’t expect to see non-WP installations affected, but we are. As noted above, PHP, HTML and JS files in non-WP domains are being equally compromised.
But correct me if I’m wrong: The WP installation chmods the wp-content/uploads folder for you – it doesn’t depend on you to chmod it via FTP or SSH.
Now combine that with the way, also noted above, that MT has its grid servers set up, specifically the ability to traverse the entire domain tree of a single account, and I have to figure there’s your most likely path of attack.
I’m at the limits of my knowledge about servers at this point, so I have no idea how the attackers are getting outside of one account and into others, but suffice it to say that I think we’re looking at either a systemic weakness in Media Temple’s gridserver configuration – something that can’t be remedied short of a radical redesign and/or taking the whole system down for a considerable period of time; or we’re talking about an inside job: Wouldn’t it be well worth it for these hackers (given that they’re doing this to pump up search engine results for their clients) to pay someone on the inside for info on how to continue hacking Media Temple?
Taking the gridservers down for any period of time (remember last year’s 4-day downtime? I do… I got a year of free hosting because of it, too) probably means economic catastrophe for MT.
An inside job is even worse… I can’t imagine what kind of nightmare they’re up against trying to root that one out.
At any rate, I’ve said it before and I’ll say it again: Media Temple is heading straight toward a complete implosion if they don’t fix this right and fix it fast. You can only go for so long with thousands and thousands of customers affected, before they all leave, and word gets out such that MT can’t replace the customers who left. After that your only choice is to shut your doors.