Comments on: Notes on cleaning up the MediaTemple hack (JohnnyA)

By: kev grant

kev grant — Tue, 17 Aug 2010 14:07:31 +0000

Yep, client hit for the second time today too, after full re-installs on WP and the non WP sites affected last week. so much for their new scanning procedures eh?

its exactly the same as the incidents with Godaddy a few weeks ago, you spend hours and hours putting it right to wake up and find it done again.

at least Godaddy have a "revert to date" feature on their backup system so you can just revert to your last known safe date files, MediaTemple is a f'in nightmare by comparison.

By: jon

jon — Mon, 16 Aug 2010 19:33:47 +0000

Happened twice to us too. Cleaning up now.

By: Brett

Brett — Sat, 14 Aug 2010 21:11:21 +0000

I feel your pain. The hack has ripped through all of my sites again, and this time I KNOW I was secure. I'll be talking with MT as soon as I can reach somebody, and will post whatever I can find out (including how we're all going to be compensated for this crap).

By: Sherri

Sherri — Sat, 14 Aug 2010 21:07:35 +0000

I began dealing with this on 8/6. My affected site is using Wordpress [newest version. In fact, I upgraded the night before this began] via Media Temple. Media Temple didn't give me much help, aside from posting a bunch of links in reply to my support ticket of what "might be" the issue. I ended up reading about "johnnyA" after doing tons of searches. I deleted the user, found malicious code in a sidebar.php and deleted it, requested another Google review. My site began working fine. Now, a week later, I'm right back where I started - with my site being blocked and Media Temple "looking into it".

The problem for me is I'm an idiot when it comes to this stuff and I'm not tech savvy at all. So, while those of you who know what you're doing had a rough time searching for code, etc - imagine what it's like for me, someone who hasn't a clue what to do, what to look for or even what the hell "grep" is.

The kicker is that my personal site is running Wordpress NOT via Media Temple and I haven't had one issue at all. I feel like I've received some sympathy from Media Temple, but not any help. Whether it's a security issue on their end or not [I still believe it is], I can't possibly figure out how to fix things by any instructions I'm finding online because when it comes to this stuff, I'm about the intellectual equivalent of a toddler.

I'm really aggravated. I was able to look at a dropdowns.js within my Wordpress theme and did find the var st1 = 0;document.write(unescape .. thingy. I'm not even using the dropdown feature so I deleted it, but also have a fresh one that I just downloaded in case I do need it.

Seriously - this entire situation has been frustrating for many people who KNOW what they're doing, yet what about us who don't?

PS: I've been told so many times by Media Temple to make sure my Wordpress and plugins are up-to-date, that it truly makes me believe they feel I am the reason for this happening. My plugins and Wordpress were up-to-date, which makes this even more frustrating. I'm basically at the mercy of someone at Media Temple "possibly" helping me. The $20 credit they've given me over this doesn't nearly cover the time and aggravation I've spent trying to understand how to fix this myself.

By: Brett

Brett — Sat, 14 Aug 2010 15:14:38 +0000

Yeah, me too. Definitely some bullshit going on here.

By: mcummings

mcummings — Sat, 14 Aug 2010 15:13:37 +0000

Ugh, he got me again!

I am so DISENCHANTED with mediatemple! Sure, we can say "they have to" product their business from liability of downed site. But this is so obviously not a general WP issue: it is one specific to WP@ mediatemple! LAME B.S.

By: JohnnyA MediaTemple Hack | Make Some Code

JohnnyA MediaTemple Hack | Make Some Code — Wed, 11 Aug 2010 10:01:16 +0000

[…] How to fix it (make sure to read users comments too): http://brettterpstra.com/notes-on-cleaning-up-the-mediatemple-hack-johnnya/ […]

By: jon

jon — Mon, 09 Aug 2010 16:22:23 +0000

I've been dealing with this problem too. Found the JohnnyA as a wordpress user.

The problem with not knowing how the initial upload occurred is that it is difficult to seal definitively.

It might be worth looking around on hacker sites to see if the bragging reveals any details. I could imagine, for instance, an exploit that used some of the file upload plugins for TinyMCE.

By: mcummings

mcummings — Mon, 09 Aug 2010 00:32:01 +0000

I found another named fwrite.php

thanks to all contributors (what a pain/waste of a day)

By: mcummings

mcummings — Mon, 09 Aug 2010 00:11:58 +0000

I also found eregi.php is_writable.php is_file.php

thanks to all contributors (what a pain/waste of a day)

By: JohnnyA Hack on MediaTemple grid server | Netscraps

JohnnyA Hack on MediaTemple grid server | Netscraps — Sat, 07 Aug 2010 20:15:14 +0000

[...] Notes on cleaning up the MediaTemple hack (JohnnyA) [...]

By: (mt) Travis O.

(mt) Travis O. — Sat, 07 Aug 2010 19:20:42 +0000

By the way, we updated our blog post regarding security. I invite you to please read it and let us know if you have any further questions:

(mt) Media Temple Weblog - Security Facts

Thanks!

By: Jeff

Jeff — Sat, 07 Aug 2010 08:29:51 +0000

I’ve been tearing my hair out over this. I was thrilled to find this page after desperately typing “1RqLcpt” into Google. Now, I’m back to hair removal after finding quite a few affected files across multiple domains.

There’s a lot of very useful and important information here. I’m hoping it will eventually be possible to compile all the known resolution methods into some kind of tutorial for systematically tackling the problem. I’ve already lost one client due to their site being blocked/blacklisted, so I’m not happy.

The main thing that concerns me is that (mt) doesn’t know where the hole is — or precisely how it’s being exploited yet. With all due respect to them and their efforts, I have a sinking feeling I’m going to be hunting for obscure snippets of code until they (and the rest of us) do know for certain.

Based on what I’ve read here and seen on my own account, I’m convinced that TinyMCE does play a significant role in this. Here’s something from last year that seems disturbingly relevant:

http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities

I could be wrong, but I suppose we’ll find out.

By: (mt) Travis O.

(mt) Travis O. — Fri, 06 Aug 2010 23:15:53 +0000

I'm very sorry that you've had to go through that.

Honestly, we could not find any consistent connection between users who had been compromised by JohnnyA and users who had edited their /domains/ permissions. Thus, we can't say for certain that it was the source of the breech. Also, unless you had chmod'd the perms for your /domains directory yourself, your sites would not be vulnerable from your neighbors. With regard to the guarantee that access points are sealed off:

The ACLs that we applied across the entire (gs) Grid-Service has sealed up any possibility of neighboring users from viewing any files regardless of permissions.

If you want more information on security at (mt) Media Temple please visit our security wiki page.

By: Brett

Brett — Fri, 06 Aug 2010 22:37:25 +0000

Thanks for chiming in, and sorry about the bizarre formatting on your comments (I've got some Markdown issues to smooth out :). The issue, though, is that my neighbors' carelessness (domains/ permissions) has cost me over 15 hours of cleanup time across 20 some domains, and I have no solid guarantee that the access points are sealed off. I'm thrilled that you found the source of the breech (honestly), but can we get a solid statement that the problem is solved and I won't be spending my evenings grepping anymore?