Comments on: JohnnyA WordPress malware on MediaTemple http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/ If you think nobody cares about you, try missing a few car payments. Tue, 14 Feb 2012 17:35:30 +0000 hourly 1 By: Ann Marie @ CHEESESLAVE http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/comment-page-2/#comment-295 Ann Marie @ CHEESESLAVE Mon, 20 Dec 2010 19:58:10 +0000 http://www.uhleeka.com/blog/?p=529#comment-295 This is the first blog post I've found in MONTHS that has adequately explained how to easily go and find malware and delete it. Thank you thank you thank you! I really appreciate you taking the time to write this post and to explain everything so clearly. You saved me! This is the first blog post I've found in MONTHS that has adequately explained how to easily go and find malware and delete it. Thank you thank you thank you! I really appreciate you taking the time to write this post and to explain everything so clearly. You saved me!

]]> By: Greg K. http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/comment-page-2/#comment-294 Greg K. Tue, 14 Dec 2010 18:35:01 +0000 http://www.uhleeka.com/blog/?p=529#comment-294 Thank you for sharing this method. I was able to find file using "grep" that Sucuri missed. Thank you for sharing this method. I was able to find file using "grep" that Sucuri missed.

]]> By: La herramienta de medición que yo desearía no haber tenido que utilizar nunca : Mundo PPC http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/comment-page-2/#comment-292 La herramienta de medición que yo desearía no haber tenido que utilizar nunca : Mundo PPC Sat, 16 Oct 2010 00:35:19 +0000 http://www.uhleeka.com/blog/?p=529#comment-292 [...] http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/ [...] [...] http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/ [...]

]]> By: Soccer Dad http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/comment-page-2/#comment-284 Soccer Dad Fri, 27 Aug 2010 12:50:56 +0000 http://www.uhleeka.com/blog/?p=529#comment-284 Man what a mess. Stuff was everywhere. Setting the open_basedir flag is paramount because I had infected files in webroots of *dead* domains. Anyway - in addition to all the listed things above, I found some JS exploits similar to Tison, but encoded. They're at the top of all sorts of random js files - not just jquery. They look like this: <code> var st1 = 0;document.write(unescape('%3C%73%63%72%69%........%69%70%74%3E'));var gr0=0; </code> Slammed into the first line with whatever was on the first line stuck at the end. Note the escaped string is MUCH longer. Man what a mess. Stuff was everywhere. Setting the open_basedir flag is paramount because I had infected files in webroots of *dead* domains. Anyway – in addition to all the listed things above, I found some JS exploits similar to Tison, but encoded. They're at the top of all sorts of random js files – not just jquery. They look like this:
<code>
var st1 = 0;document.write(unescape('%3C%73%63%72%69%……..%69%70%74%3E'));var gr0=0;
</code>
Slammed into the first line with whatever was on the first line stuck at the end. Note the escaped string is MUCH longer.

]]> By: Zach Wingo http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/comment-page-1/#comment-279 Zach Wingo Tue, 24 Aug 2010 06:48:08 +0000 http://www.uhleeka.com/blog/?p=529#comment-279 There is a known XSS exploit that affects the latest Wordpress version 3.01 http://www.majorsecurity.net/wordpress-3-xss.php There is a known XSS exploit that affects the latest WordPress version 3.01

http://www.majorsecurity.net/wordpress-3-xss.php

]]> By: CLRH2O http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/comment-page-1/#comment-277 CLRH2O Sun, 22 Aug 2010 07:55:38 +0000 http://www.uhleeka.com/blog/?p=529#comment-277 @dashboards IN answer to your question - you can only modify the permissions of the files MediaTemple changed for you (us) by way of the file manger within your account center. From there you can make the file readable and finally move or delete as you see fit via FTP or SSH. As for myself - I've been hit all three times... and Hard. Google is still listing one of my domains (the most important and active of our record labels currently) as harmful even after having being reviewed for reconsideration on the 11th of August. The time I've lost, MONEY we've lost due to having to cancel advertising campaigns based of traffic being routed to the tufflvoedubs.com domain and so many other things I could literally pull my hair out! I'm a label guy, a music man and a long time web designer who's learned everything I know by way of my own hands and needs at the time. Did I want to learn how to grep for base64 exploits? HECK NO.. but I have. And it's more time wasted against what I should be doing with my days. Had this not now turned into three separate attacks, what is gaining on close to 80 different password updates across some 18 domains (each time) and the loss of so much time (ie, money) I'd be a little less at my wits end. And now - after reading the comments here to come and find out that with all my hardening, all my work, all my cleaning - it very likely will happen again due to either A) something left over in a database that pumps out JavaScript or B) that the actual compromise is below the domains level of user accounts (actually a MT Grid-service level attack). I'm just over it. Utterly. This has been going on for MONTHS! @dashboards

IN answer to your question – you can only modify the permissions of the files MediaTemple changed for you (us) by way of the file manger within your account center. From there you can make the file readable and finally move or delete as you see fit via FTP or SSH.

As for myself – I've been hit all three times… and Hard. Google is still listing one of my domains (the most important and active of our record labels currently) as harmful even after having being reviewed for reconsideration on the 11th of August.

The time I've lost, MONEY we've lost due to having to cancel advertising campaigns based of traffic being routed to the tufflvoedubs.com domain and so many other things I could literally pull my hair out! I'm a label guy, a music man and a long time web designer who's learned everything I know by way of my own hands and needs at the time. Did I want to learn how to grep for base64 exploits? HECK NO.. but I have. And it's more time wasted against what I should be doing with my days.

Had this not now turned into three separate attacks, what is gaining on close to 80 different password updates across some 18 domains (each time) and the loss of so much time (ie, money) I'd be a little less at my wits end. And now – after reading the comments here to come and find out that with all my hardening, all my work, all my cleaning – it very likely will happen again due to either A) something left over in a database that pumps out JavaScript or B) that the actual compromise is below the domains level of user accounts (actually a MT Grid-service level attack). I'm just over it. Utterly. This has been going on for MONTHS!

]]> By: Recent Malware attack on AlisonFoxall.com « Alison Foxall, Media Designer http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/comment-page-1/#comment-274 Recent Malware attack on AlisonFoxall.com « Alison Foxall, Media Designer Fri, 20 Aug 2010 02:25:55 +0000 http://www.uhleeka.com/blog/?p=529#comment-274 [...] my server, was infected with this attack by “johnnyA.” Naturally, I Googled it. I found this article explaining what happened, how to fix it, and what was going on about [...] [...] my server, was infected with this attack by “johnnyA.” Naturally, I Googled it. I found this article explaining what happened, how to fix it, and what was going on about [...]

]]> By: dashboards http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/comment-page-1/#comment-269 dashboards Wed, 18 Aug 2010 04:18:40 +0000 http://www.uhleeka.com/blog/?p=529#comment-269 It seems MT did update the files. I got one infected footer.php in the themes directory and it has footer.php as well footer.php.mt_backup_Thu_Aug_12_10:04:48 I cannot read nor change the file attributes for footer.php.mt_backup_Thu_Aug_12_10:04:48. Any idea how to view it? It seems MT did update the files. I got one infected footer.php in the themes directory and it has footer.php as well footer.php.mt_backup_Thu_Aug_12_10:04:48

I cannot read nor change the file attributes for footer.php.mt_backup_Thu_Aug_12_10:04:48. Any idea how to view it?

]]> By: dashboards http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/comment-page-1/#comment-268 dashboards Wed, 18 Aug 2010 04:14:03 +0000 http://www.uhleeka.com/blog/?p=529#comment-268 one of the jquery.js file is also infected but then i find jquery.js.1435 file which I cannot read nor change the file attributes. The timestamp is the same when the jquery.js got infected one of the jquery.js file is also infected but then i find jquery.js.1435 file which I cannot read nor change the file attributes. The timestamp is the same when the jquery.js got infected

]]> By: Ian Schaefer http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/comment-page-1/#comment-262 Ian Schaefer Sun, 15 Aug 2010 19:05:31 +0000 http://www.uhleeka.com/blog/?p=529#comment-262 Thanks uhleeka for creating this very helpful page. Thanks to JohnnyA, I've had several WP databases hacked, and general nastiness throughout all my sites on (mt). Your detailed instructions put me back on track. First rate work! Cheers! Thanks uhleeka for creating this very helpful page. Thanks to JohnnyA, I've had several WP databases hacked, and general nastiness throughout all my sites on (mt). Your detailed instructions put me back on track. First rate work!

Cheers!

]]>