Media Temple Hacked

2009 November 26
by Michael

I don’t normally do negative posts about another person or company, but I feel this needs to get out there.  A few hours ago I received an email from MediaTemple, where I host several of my clients.  It was an automated message informing me that:

This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.

Since Media Temple doesn’t offer customers any FTP/SSH server logs for me to check, I called them to discuss.  The initial tech support representative and his manager were polite and helpful, explaining that an enormous amount of login attempts had been going on through many accounts, with a number of them being successful.  Many sites on many Media Temple accounts had been attacked and contained injected links in the footer:

<!-- [6eb602d48b8b7f42aba0ce0c31ebe3f5 --><!-- 9190819521 --><noscript><ul><li><a href="http://rg8rhg34h34h.cc/c">.</a></li></ul></noscript><!-- 6eb602d48b8b7f42aba0ce0c31ebe3f5] -->

I asked how in the world did hackers magically guess so many FTP/SSH passwords.  At first I was told that these were old passwords (I wasn’t explained the significance of why old passwords should be vulnerable).  Then I was told that the login data was stored in plain text in a database that had been compromised.  My jaw dropped.  In my entire life, I’ve never heard of a company storing passwords in plain text.  This is bad enough, but then the database where these passwords were stored was somehow accessible to someone on the outside.

They weren’t able to give me any really good answer, other than that the issue was being worked on to revamp security on the servers, and that new account level security measures (like not emailing passwords to new customers) would be implemented.  I asked when they became aware of this issue, and was told within the past day.  Oddly enough, Kyle Brady at the Inquisitr and Ross Dally at Tinyenormous seemed to be aware of this long before earlier today.

I asked if Media Temple would be making a public announcement detailing the issues which led to the hacks, and what is being/has been done to correct them.  I was told to expect such an announcement.  So wait and see?
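
A check site owners can run over their own files for the injected footer block quoted above, as an added example that is not part of the original post. It assumes other infected files use the same layout as that one sample (a pair of comment markers carrying the same 32-character hex ID); the function names are hypothetical.

```python
import re

# Paired comment markers as in the quoted snippet: <!-- [ID --> ... <!-- ID] -->
# ID is 32 hex characters; the backreference requires both markers to carry the same ID.
BLOCK_RE = re.compile(
    r"<!--\s*\[(?P<id>[0-9a-f]{32})\s*-->(?P<body>.*?)<!--\s*(?P=id)\]\s*-->",
    re.IGNORECASE | re.DOTALL,
)
HREF_RE = re.compile(r"""<a\s[^>]*href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_injected_blocks(html):
    """Return one finding per marker-delimited block found in the page text."""
    findings = []
    for m in BLOCK_RE.finditer(html):
        body = m.group("body")
        findings.append({
            "marker": m.group("id").lower(),
            "line": html.count("\n", 0, m.start()) + 1,   # 1-based line of the block
            "hidden_in_noscript": "<noscript" in body.lower(),
            "links": HREF_RE.findall(body),               # URLs the block points at
        })
    return findings


def strip_injected_blocks(html):
    """Return the page text with every marker-delimited block removed."""
    return BLOCK_RE.sub("", html)


# Constructed sample page: a clean footer with the block from the post appended.
SAMPLE = (
    "<html><body>\n"
    "<p>Site content</p>\n"
    '<div id="footer">&copy; Example Co.\n'
    '<!-- [6eb602d48b8b7f42aba0ce0c31ebe3f5 --><!-- 9190819521 --><noscript><ul><li>'
    '<a href="http://rg8rhg34h34h.cc/c">.</a></li></ul></noscript>'
    "<!-- 6eb602d48b8b7f42aba0ce0c31ebe3f5] -->\n"
    "</div>\n</body></html>\n"
)

if __name__ == "__main__":
    for finding in find_injected_blocks(SAMPLE):
        print(finding)
```

Removing the block only cleans the file; the FTP/SSH password that allowed the write still has to be changed.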


114 Responses
  1. 2010 January 27
    Chris

    Billbo Baggins: there is not a thing like secure when you share your host with others.

  2. 2010 February 12
    hsabbir

    I faced a similar problem with my host, but I discovered the reason: it was not their problem. My password was stolen by a malicious attacker, who stole them from an old version of Cute FTP where those passwords were stored.

    They attacked each site which was saved in CuteFtp, injected code into each index*.*, default*.* file, and within 1 day I started getting calls from my clients.

  3. 2010 February 13
    Viktor

    It’s a common disease for some old companies – they still use outdated code and practices.

    Once my site used a web shop service which stored credit cards along with CVV2 in plaintext right within your account. On top of that, password reminder phrases, if you guessed them right, did not generate a new password, but just gave you the old one.

    So Media Temple isn’t that bad at all (especially since rainbow tables for hashes were invented).

  4. 2010 February 25
    Florian

    It’s shocking to hear that passwords are stored as plain text. Security is never perfect, but leaving the front door open and expecting no one to simply walk in is very unprofessional in my opinion.

  5. 2010 February 28
    Don

    We host on liquidnet, i.e. ResellersPanel, and MANY MANY sites were hacked the same time your hosting got nailed. Except ResellersPanel is in full denial mode, blaming each customer for 100s of lost or hacked websites.

    They are outright rude to the point of making threats if anyone tells the public.

    Good Luck with yours, we’ll be moving ours.
