MediaTemple’s Database exploit and why I’m Glad I left
I had been a huge advocate of MediaTemple, even sent clients there to host their sites on their servers. But recently when it came time to renew my virtual server I shopped around and found an amazing deal with GoDaddy. Four times the server for the price I was paying with MediaTemple. I could have a 4 GB server for cheaper than what I was paying for a 1 GB server on Media Temple. And because my need was for only 2 GB it was like a birthday present to save $64 a month and still have 1 GB more RAM than before. Not to mention a new version of Plesk and cheaper backups.
But the last straw came when we found out a few of our clients’ sites had been infected by hackers. MediaTemple seems to want to blame WordPress and hackers figuring out passwords. I can only tell you that I use password software and 12-character passwords with special characters and numbers. And if WordPress were exploitable, why haven’t the 20 sites I host on GoDaddy been infected too? Or the ones on anyone else’s servers? This was a MediaTemple exploit. Hackers somehow infiltrated the grid servers on MediaTemple’s infrastructure and were able to access databases. That is very scary.
So, if you end up seeing this code in your WordPress hosted site on MediaTemple: http://ao.euuaw.com/9
You better get it off. Immediately. And then switch hosting providers. Sorry, but I went from huge MediaTemple fan to detractor. No matter what people say about GoDaddy, their virtual server is rock solid and outperforms MediaTemple’s hands down. I’m far from a GoDaddy advocate–but this time they’ve got a solid product.
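A practical way to check for the injection the post describes is to search both the theme files and a database dump for the indicator URL, since WordPress content lives in the database as well as on disk. The script below is an added example, not code from the original post or from either hosting provider. The only fact it takes from the post is the indicator URL; the assumption that the injection appears as a `<script src=...></script>` tag, the sample footer file and the sample SQL dump lines are all constructed for illustration, and anything that mentions the URL without matching that tag shape is reported but deliberately left in place for manual review.

```python
"""Find and strip a known injected script URL in WordPress files and dumps.

Added example (not the page's or MediaTemple's own code). The indicator URL
is the one named in the post; the <script> tag shape, file names and sample
data below are assumptions made for the demonstration.
"""
import re
from pathlib import Path

INDICATOR = "http://ao.euuaw.com/9"  # URL given in the post

# Assumption: the injection is a <script src="INDICATOR"></script> tag.
# Only this exact shape is removed automatically; other mentions are reported.
INJECTED_SCRIPT = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?" + re.escape(INDICATOR)
    + r"['\"]?[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)


def find_indicator(text):
    """Return (line_number, line) for every line that mentions the indicator."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if INDICATOR in line]


def strip_injected_script(text):
    """Remove injected <script> tags; return (cleaned_text, removed_count)."""
    return INJECTED_SCRIPT.subn("", text)


def scan_sources(sources):
    """sources: {name: content}. Return {name: hits} for sources with hits only."""
    hits = {}
    for name, content in sources.items():
        found = find_indicator(content)
        if found:
            hits[name] = found
    return hits


def scan_tree(root, suffixes=(".php", ".js", ".html", ".sql")):
    """Walk a theme/plugin directory (or unpacked backup) and scan text files."""
    root = Path(root)
    files = {str(p): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix in suffixes}
    return scan_sources(files)


def dump_tables_with_indicator(dump_text):
    """Names of tables whose INSERT rows in a mysqldump output carry the URL."""
    tables = set()
    for line in dump_text.splitlines():
        if INDICATOR in line:
            m = re.match(r"INSERT INTO\s+`?(\w+)`?", line)
            if m:
                tables.add(m.group(1))
    return sorted(tables)


# Constructed sample data (not real customer files or a real dump).
SAMPLE_FOOTER = (
    "<?php wp_footer(); ?>\n"
    '<script type="text/javascript" src="http://ao.euuaw.com/9"></script>\n'
    "</body></html>\n"
)
SAMPLE_DUMP = (
    "INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.com','yes');\n"
    "INSERT INTO `wp_posts` VALUES (5,1,'2010-07-06','<p>Hello</p>"
    '<script src="http://ao.euuaw.com/9"></script>\');\n'
)

if __name__ == "__main__":
    for name, found in scan_sources({"footer.php": SAMPLE_FOOTER,
                                     "backup.sql": SAMPLE_DUMP}).items():
        for line_no, line in found:
            print(f"{name}:{line_no}: {line.strip()}")
    cleaned, removed = strip_injected_script(SAMPLE_FOOTER)
    print(f"removed {removed} injected tag(s) from footer.php")
    print("tables to clean:", dump_tables_with_indicator(SAMPLE_DUMP))
```

Run `scan_tree("/path/to/wp-content")` against a copy of the site and `dump_tables_with_indicator()` against a `mysqldump` of the WordPress database before deciding what to clean; removing the tag from files alone will not help if the same URL sits in `wp_posts` or `wp_options` rows, which is why the post's "database exploit" framing matters for cleanup even if the entry point was elsewhere.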

13 Comments
Amanda W
I am a senior technical support rep over at (mt) Media Temple. I respect your reasons for leaving, our services no longer fit your needs and you found more value for your dollar elsewhere. But the information you are providing to your readers regarding (mt) Media Temple’s (gs) Grid-Service integrity is not accurate.
Right now there’s no sign of our infrastructure being breached, or of WordPress itself being breached. The vast majority of compromised sites are running 3rd party plugins and themes. These themes appear, at this point, to be the primary point for the malware to be injected into. We cannot confirm 100% that the injected themes are the primary attack vector; there definitely appear to be other vectors. This is still under investigation.
Additionally, a recent Websense Security Labs Blog post states: “even though the affected websites are hosted at Media Temple, this does not imply any security problems with the hosting company’s servers or infrastructure. Similarly to other hosting providers, Media Temple has had its share of compromised websites under its roof in the past and this is because hackers systematically scan entire address spaces for vulnerable targets, before proceeding to infect them.” You can read more about their finding here: http://bit.ly/91vTvU
We’re working on a blog post to address what customers are facing, and working on helping customers scan and clean up their blogs from these attacks. We’re committed to being as transparent as possible with our findings to aid others being affected, regardless of where they are being hosted. Attacks like this affect the internet community as a whole, it’s important to work together and share information. For the time being, we share our information and resources at http://mediatemple.net/security
If you’re a (mt) customer and have any questions, contact us 24/7.
Charlie
I’m glad Media Temple is doing what they can to clean this up, but I would dispute the plugin and themes portion of your statement. We have one Media Temple hosted site for a client that is a custom built theme and has no plugins, and it was exploited. The other client site that was exploited was a 3rd party theme with a few plugins. The custom site with our theme and no plugins isn’t even public facing; it’s still on the GS URL, so how was that found? We are still in development and it isn’t even linked to from any website anywhere. It shouldn’t even be able to be found by anyone.
The only things that are similar about those two sites are that they were hosted by Media Temple and that they are on WordPress. So which was exploited? 2 out of 3 of our clients sites were exploited. Those aren’t good stats. We have 20 sites on GoDaddy and none were exploited. I was with Media Temple for years and have suggested clients to your group and now I’m embarrassed that I’ve opened them to exploits.
Julian
Well, if you were using the Access Domain on the (gs) Grid-Service, that URL isn’t exactly a secret. In fact, if you were to increment or decrement that number you would find someone else’s site too. Regardless, we have noticed that if one site on your account was compromised, it is likely that others were as well.
We are still looking into how or why this happened, but we are fairly confident that our infrastructure was not compromised.
I understand how you may feel just by viewing all of the negative press that has come from all of this, but I can assure you that this is something we are actively looking into. We don’t want to become ‘that’ company that no one trusts. Far from it, we are doing everything in our ability to a) find out what happened and b) make sure it cannot happen again.
Again, if you have any questions, or if you’d like to discuss this further, feel free to give us a call. Someone is always here.
Brent Lagerman
Same story here. Every site on our grid service account has been hit and all themes we make are custom. The plugins vary from site to site, but if you search this exploit you will see that all people that get this script inserted by WordPress are on MediaTemple, and there’s plenty of infected sites out there… Not possibly a coincidence. Also, when I’m in MediaTemple’s admin area and go to the databases and click to go to phpMyAdmin, it brings up a ‘this is not a trusted site’ page in Firefox… very scary stuff… The thing that concerns me most about this is how adamant MT is about how it’s not their fault, blaming it on anything they can when it’s pretty obviously their problem…
I can’t say I’m happy with GoDaddy though, in the past I’ve used them and found their admin area a pain in the butt to get around… Wish there was something comparable to the grid service out there that I could point clients to, at the moment I’m searching…
brent@mimoYmima.com
Charlie
Brent,
If you get a Virtual Server and Plesk you don’t need to use GoDaddy’s admin area. Plesk is really easy to use and you are then in charge of your virtual server. You can get that for the price of a Grid Server. Or go to 1and1 Hosting. They are very good too. I had issues with GoDaddy in the past too for their general shared hosting, but have a completely different experience with the Virtual Server–even though at first I had issues–which I blogged about. Part of that was my fault and part was GoDaddy’s lack of providing decent documentation.
Thanks!
Charlie
Brent Lagerman
I’ve never wanted to use a VPS because I don’t want to deal with my server being upgraded and protecting its security manually. I figured that being on a shared server provided more security because if something goes wrong they’d fix it right away, but it seems like shared servers are becoming targets for hackers…
Charlie
They have firewalls in place on the server and at the hosting provider. I’ve never had an issue with a VPS on any host we’ve had for 6+ years. There is a small learning curve to get started, but once you do you’ll love the freedom.
Brent Lagerman
thanks for the advice, I already know a good amount about apache, so I think I could figure it out. I just figured someone more qualified should be doing the sys admin work, but being hands-off with the server has gotten me into this situation… so maybe it’s time for a switch…
Elijah Johannson
Why were my comments not approved? I have been using Rackspace and had 3 of 4 WordPress sites hacked this past week. I found at least a dozen other people on Twitter that are non-Media Temple customers; two others were Rackspace also and the others were on various hosts. What concerns me most is that this is probably a WordPress vulnerability, but no one is looking for it because they’re busy blaming Media Temple and Rackspace. I think you’re being pretty narrow minded blaming the hosts when these types of attacks, where a single host or a few hosts have been targeted, have happened before. Back in May GoDaddy, Bluehost and Dreamhost were all the target of attacks while most other hosts were left virtually untouched. All I know is I will not be using WordPress anymore.
Zach Wingo
You accuse Media Temple of being at fault here and jumped to conclusions which were based on nothing more than weak theories, only to find out that you were wrong. Several of Media Temple’s customers reported on their forums that they were running WordPress v. 2.9.2 while others said they were using the latest version. Well guess what? The latest version is about two weeks old and they’ve now reported it’s vulnerable to Cross Site Scripting attacks. So all those people who used the latest version and blamed (mt) should be angry at WordPress and at bloggers like yourself who jumped to conclusions because it’s easier to make assumptions than to look at the facts. The fact is Media Temple was not to blame, nor was Rackspace. Yes, I know it’s probably a shock to you that Media Temple wasn’t the only host affected by a larger than normal number of hacked WordPress sites. A simple Twitter search and a little time would have revealed the dozens of reports from customers of other hosting companies reporting their WordPress sites being hacked even though they were using the latest version.
The real shame is that bloggers like yourself not only don’t apologize for your irresponsible and unfounded comments about a company, you usually attempt to justify your comments by trying to accuse the company of deserving it because of their history. Which, for the record, with the exception of one (1) security problem they had with FTP passwords, Media Temple has had the best security and been the most open and proactive hosting company I’ve used.
Zach Wingo
BTW, http://packetstormsecurity.org/filedesc/major_rls80.txt.html
Craig
Same story for us as well. Every site on each of our clients’ unique grid service accounts has been hit and all themes we make are custom as well. Like Brent, all of the plugins vary from site to site and the only sites that have this script inserted by WordPress are on MT. We’ve been using MT for the last year and things were great until about a month ago. Both WordPress and the sites themselves are ridiculously slow, and every couple of days we continually have to clean out the script that Charlie has been talking about (http://bit.ly/91vTvU).
We will be moving all of our clients over to a new host very soon, canceling our accounts, and until this issue is sorted out we won’t be adding any new clients’ sites to MT.
MT get your shit together.
Charlie
I did some research and Rackspace did experience the same problem. It’s a lack of updating patches on their system. And then it took until today for them to notify anyone about the issue. We had clients forwarding us emails about the issue today. Sure, Media Temple was fixing the issue, but I wrote about this on the 6th and it was a known problem. That’s not great service. I have as many hosts on other hosting companies and none experienced the problem. It would seem to me that GoDaddy and 1and1 would be prime targets as well.