JohnnyA WordPress malware on MediaTemple
My MediaTemple (gs) account got hit by JohnnyA a couple weeks ago. I assume that it occurred because I was slow to update my WordPress to version 3.0. Lucky for me, I actually looked at my blog only 4 days (yikes!) after the exploit occurred. Avast caught the site attempting some sort of JavaScript exploit, which clued me in to the problem.
After digging through the site using Firefox and the Firebug plugin, I found the offending JavaScript and stumbled upon the WordPress Administrative user, “JohnnyA”. So I deleted the code from the file and disabled the database user, only to have the exploit reappear less than 24 hours later.
Confused by its reappearance (I had updated WP to the latest version of 3.0), I contacted MediaTemple support. (mt) politely informed me that the problem was my own and pointed me to this “System Status” link: http://weblog.mediatemple.net/weblog/category/system-incidents/1378-information-about-compromised-sites/, which states in bold “…this is not exploiting any architectural or system vulnerability” which translates to “Fix it yourself or pay someone to do it for you.”
Anyhow, noting that an Administrator, username JohnnyA, had been created, I searched and stumbled upon this thread: http://wordpress.org/support/topic/421834. Realizing that there was a .php vector to this attack in addition to a .js vector, I opened up an SSH session and grepped through my “domains” directory. After finding and neutralizing the offending .php file and offending .js file, the site was back to normal and has been malware-free for the last 48 hours.
I have since been passively monitoring my site with a plugin called “WordPress File Monitor” which fires off an email every time a file is modified on the site. Hopefully, that will provide an alert of future exploits. I have also installed several other security-related plugins. Check out http://digwp.com/2010/07/wordpress-security-lockdown/ for a good rundown on WordPress security.
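The file-modification alerting described above, written out as an added example that is not the post's own code nor the plugin's: a baseline/check pair that hashes every file under a site tree and then reports files that were added (such as a dropped .php), removed, or modified. The function names and paths are assumptions; it relies on GNU coreutils (sha256sum, comm, xargs -r, mktemp).

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline for a WordPress tree.
# wp_baseline records a SHA-256 for every regular file under the site;
# wp_check compares the live tree against that record.

wp_snapshot() {
    # "<hash>  <path>" for every regular file, sorted bytewise so comm works.
    ( cd "$1" && find . -type f -print0 | xargs -0 -r sha256sum ) | LC_ALL=C sort
}

wp_baseline() {
    # Usage: wp_baseline /path/to/site /path/outside/webroot/baseline.sha256
    wp_snapshot "$1" > "$2"
}

wp_check() {
    site_dir="$1"; baseline="$2"
    current=$(mktemp); old_paths=$(mktemp); new_paths=$(mktemp)
    wp_snapshot "$site_dir" > "$current"
    # Path-only views of both snapshots (strip the 64-hex-char hash prefix).
    sed 's/^[0-9a-f]*  //' "$baseline" | LC_ALL=C sort > "$old_paths"
    sed 's/^[0-9a-f]*  //' "$current"  | LC_ALL=C sort > "$new_paths"
    report=$( {
        # Paths only in the current tree: new files (e.g. an injected .php).
        comm -13 "$old_paths" "$new_paths" | sed 's/^/ADDED    /'
        # Paths only in the baseline: files that disappeared.
        comm -23 "$old_paths" "$new_paths" | sed 's/^/MISSING  /'
        # Hash lines unique to the current tree whose path already existed:
        # content changed in place (e.g. JavaScript appended to a theme file).
        comm -13 "$baseline" "$current" | sed 's/^[0-9a-f]*  //' | LC_ALL=C sort \
            | comm -12 - "$old_paths" | sed 's/^/MODIFIED /'
    } )
    rm -f "$current" "$old_paths" "$new_paths"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1   # non-zero so a cron wrapper can mail the report
    fi
    return 0
}
```

Keep the baseline file outside the web root and refresh it after every legitimate update, otherwise an intruder who can write to the site can also rewrite the record.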
Bottom line, MediaTemple is not at all to blame for this. If I were to exploit a WordPress vulnerability, I would target hosting companies like MediaTemple for the sheer number of (un)managed WordPress installations. Lesson learned? Keep your software up to date!
Edit (2010-07-30): After further looking into this, it appears, IMHO, that MediaTemple (gs) architecture may be at fault. They have acknowledged that there were some sort of permissions issues that allowed neighboring (gs) accounts to read each other's data. So they implemented Access Control Lists as a fix (http://weblog.mediatemple.net/weblog/category/system-incidents/1408-gs-grid-service-cluster-issues/). Reading between the lines, something (?) was wrong and MediaTemple took steps to fix it. Transparency? Not really.
The new bottom line is: Something happened to compromise my (gs).
Lesson learned: Don’t issue an opinion based on spoon-fed incident reports. My apologies to WordPress.
Edit (2010-08-06): The comments are well worth reading.
How to Install ExpressionEngine on MediaTemple (gs)
After having done several ExpressionEngine deployments at MediaTemple, I decided to post my steps…so I wouldn’t have to remember them.
How to Install WordPress on MediaTemple (gs)
After successfully trying the 1-Click Applications installer offered by the MediaTemple (gs) control panel, I decided I would rather know what was going on behind the scenes…not to mention that they have all sorts of warnings saying “DO NOT(!) use the one-click installer to upgrade any…yada yada yada or we will torture small animals to scare you…yadda yadda.”
Although it was a very straightforward process, after having stepped my way through the manual install, I felt inclined to record my paces.