Media Temple Hacked

I don’t normally do negative posts about another person or company, but I feel this needs to get out there.  A few hours ago I received an email from MediaTemple, where I host several of my clients.  It was an automated message informing me that:

This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.

Since Media Temple doesn’t offer customers any FTP/SSH server logs for me to check, I called them to discuss.  The initial tech support representative and his manager were polite and helpful, explaining that an enormous amount of login attempts had been going on through many accounts, with a number of them being successful.  Many sites on many Media Temple accounts had been attacked and contained injected links in the footer:

<!-- [6eb602d48b8b7f42aba0ce0c31ebe3f5 --><!-- 9190819521 --><noscript><ul><li><a href="http://rg8rhg34h34h.cc/c">.</a></li></ul></noscript><!-- 6eb602d48b8b7f42aba0ce0c31ebe3f5] -->

I asked how in the world did hackers magically guess so many FTP/SSH passwords.  At first I was told that these were old passwords (I wasn’t explained the significance of why old passwords should be vulnerable).  Then I was told that the login data was stored in plain text in a database that had been compromised.  My jaw dropped.  In my entire life, I’ve never heard of a company storing passwords in plain text.  This is bad enough, but then the database where these passwords were stored was somehow accessible to someone on the outside.

They weren’t able to give me any really good answer, other than that the issue was being worked on to revamp security on the servers, and that new account level security measures (like not emailing passwords to new customers) would be implemented.  I asked when they became aware of this issue, and was told within the past day.  Oddly enough, Kyle Brady at the Inquisitr and Ross Dally at Tinyenormous seemed to be aware of this long before earlier today.

I asked if Media Temple would be making a public announcement detailing the issues which led to the hacks, and what is being/has been done to correct them.  I was told to expect such an announcement.  So wait and see?


Article written by Michael

Christian, Voluntaryist, Marine, Southerner, WordPress enthusiast.
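
For site owners checking their own files for the footer injection quoted in the post, here is an added example (not part of the original post and not Media Temple's tooling). It looks for the same structure: a 32-hex marker opened in one HTML comment and closed in another, wrapping hidden links. The sample footer, its marker and its URL are constructed, and the file suffix list is an assumption.

```python
import re
from pathlib import Path

# Paired comment markers: "<!-- [<32 hex> -->" ... "<!-- <same 32 hex>] -->".
# The backreference requires the closing marker to repeat the opening one.
BLOCK_RE = re.compile(
    r"<!--\s*\[(?P<marker>[0-9a-f]{32})\s*-->(?P<body>.*?)<!--\s*(?P=marker)\]\s*-->",
    re.IGNORECASE | re.DOTALL,
)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_injected_blocks(html):
    """Return one finding per marker-delimited block, with the links it hides."""
    findings = []
    for m in BLOCK_RE.finditer(html):
        findings.append({
            "marker": m.group("marker").lower(),
            "line": html.count("\n", 0, m.start()) + 1,
            "hrefs": HREF_RE.findall(m.group("body")),
            "in_noscript": "<noscript" in m.group("body").lower(),
        })
    return findings


def strip_injected_blocks(html):
    """Remove the delimited blocks; returns (cleaned_html, blocks_removed)."""
    return BLOCK_RE.subn("", html)


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".tpl")):
    """Map each file under root that contains a block to its findings."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = find_injected_blocks(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample footer (marker and URL are made up for this example).
SAMPLE = (
    "<div id=\"footer\">&copy; Example Co</div>\n"
    "<!-- [0123456789abcdef0123456789abcdef --><!-- 1234567890 -->"
    "<noscript><ul><li><a href=\"http://injected.example/c\">.</a></li></ul></noscript>"
    "<!-- 0123456789abcdef0123456789abcdef] -->\n"
    "</body></html>\n"
)
```

`scan_tree` only reports; review each hit before rewriting a file with `strip_injected_blocks`, and change the FTP/SSH password first so cleaned files are not re-injected.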

140 responses to “Media Temple Hacked”

  1. Bill Bobaggins

    Database programming 001…NEVER put passwords in a TEXT database. I think a HOMELESS person off the street would know that.

  2. Billbo Baggins

    does anyone know where I CAN get secure hosting?

    1. Will Bradley

      Personally, I signed up for a VPS.net node. If a bit of server admin doesn’t scare you, it appears to work great.

  3. Chris

    Billbo Baggins: there is not a thing like secure when you share your host with others.

  4. MediaTemple.net | What have your experiences been like? | Adam Daniel Mezei

    [...] Interesting post from back in Nov. 2009 about possible compromised databases and hacking activity over at Media Temple. What’s been your experience with your host or with MT if you host your site with them? [...]

  5. hsabbir

    I faced a similar problem with my host, but I discovered the reason: it was not their problem. My password was stolen by a malicious attacker who stole it from an old version of Cute FTP where those passwords were stored.

    They attacked each site that was saved in CuteFtp, injected code into each index*.*, default*.* file, and within 1 day I started getting calls from my clients.

  6. Viktor

    It’s a common disease for some old companies – they still use the outdated code and practices.

    Once my site used a web shop service which stored credit cards along with CVV2 in plaintext right within your account. On top of that, password reminder phrases, if you guessed them right, did not generate a new password, but just gave you the old one.

    So Media Temple isn’t that bad at all (especially since rainbow tables for hashes were invented).

  7. Server move complete – Linode rules! | mou.me.uk

    [...] for nearly 2 years, and I decided enough was enough. Slow load times, dodgy password policies and a rather high profile server wide hack was enough to convince me that it was time to put my new found sysadmin skills to use and move all [...]

  8. Florian

    It’s shocking to hear that passwords are stored as plain text. Security is never perfect, but leaving the front door open and expecting no one to simply walk in is very unprofessional in my opinion.

  9. Don

    We host on liquidnet ie ResellersPanel and MANY MANY sites were hacked at the same time your hosting got nailed. Except ResellersPanel is in full denial mode, blaming each customer for 100s of lost or hacked websites.

    They are outright rude to the point of making threats if anyone tells the public.

    Good Luck with yours, we’ll be moving ours.

  10. Thomas

    I had the same experience with some hosting companies. Now I have my own server and we moved to Linux on the workstations after problems like this. Windows runs only in VirtualBox to test IE. Some viruses use the open FTP connection on the computer, so if you have a virus on a developer machine you get a big problem. But the same is true if the webserver is hacked and they get root permission. Then all customers on this server have a big problem. And most hosting companies don’t use a virus scanner on a webserver. And if a virus or a stupid staff member of the hosting company changed the permissions on your hosting, you can’t see the files with the virus or can’t delete or change them. I had two hosting companies with the permission problem and they ignored my requests.
    For all who use standard software like phpmyadmin: please never use the normal path or easy passwords. On every webserver you can see in the logs a lot of requests to /phpmyadmin /phpMyAdmin and so on. The same is true of webmail. So you can reduce the risk by changing the path name.

  11. Vladimir

    @Viktor:

    > especially since rainbow tables for hashes were invented

    Using a salt when hashing the password renders rainbow tables useless ;-)
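
The point traded between comments 6 and 11, shown as an added example (not code from any commenter or from Media Temple): a table of precomputed digests recovers an unsalted hash by lookup, but misses a digest derived with a per-user random salt. The plain dictionary is a simplified stand-in for a real rainbow table, and PBKDF2 with the round count below is an assumed choice for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest): PBKDF2-HMAC-SHA256 with a per-user random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_precomputed_table(candidates):
    """Stand-in for a rainbow table: unsalted SHA-256 digest -> password."""
    return {hashlib.sha256(p.encode()).digest(): p for p in candidates}


def compare_storage(password, table):
    """What a stolen credential table yields under each storage scheme."""
    unsalted = hashlib.sha256(password.encode()).digest()
    salt, salted = hash_password(password)
    return {
        "plaintext": password,                   # nothing to crack at all
        "unsalted_lookup": table.get(unsalted),  # recovered by one lookup
        "salted_lookup": table.get(salted),      # None: table lacks the salt
        "verifies": verify_password(password, salt, salted),
    }
```

A salt defeats precomputation only; a weak password can still be guessed one account at a time, which is why the slow key-derivation function matters as well.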

  12. bruce

    I’ve had the same code injection attack occur on two of my websites. Both use shared hosting but both are with different companies. It seems like it is quite common with shared hosting.

  13. QWD

    I have read about this hack on numerous boards … I also have had a server compromised by the same hack. Here is what I know is true, first off we are not with the aforementioned hosting companies, and yes they had several servers compromised. It was not only blogs, but actually php based coded apps and sites. The hacks occurred in the same time frame as those mentioned here. One of our clients had a virus on an office computer, and the hacks occurred on the sites in his ftp client. The code injected into our sites was the same as was seen in ours and others … etc …

  14. Askar Sabiq

    nevermind, big hosting in the planet got hacked :) so “no one 100% secure” statement is right :D anyway, great blog!

  15. Cullen

    I’ve been nothing but impressed with Media Temple. For the last 6 years they have done what they said they would do and more.

  16. Dan

    Media Temple is still dealing with the fallout from this big security breach. They’ve been changing out passwords, including database credentials, on the many accounts affected by this incident.

  17. Linda Sherman

    I am currently dealing with this with a large hosting company. I do not want to go through this again. I have registered a couple of domains with Media Temple but haven’t launched yet. Is there ANY Shared Hosting system that is SAFE?

    Laughing Squid for RackSpace?

    I came to Media Temple because of their great reputation, but getting their letter about the password change was very unsettling.

    Linda

  18. Changing Technology = Problems

    I don’t gauge a web hosting company by their lack of problems, but the way and the speed at which they deal with problems. Media Temple has continued to show forward thinking, regular equipment upgrades, and they do a good job communicating with their customers. Plus, their technical support is excellent.

    I have been with them since 2005 and have dozens of subdomains hosted with them and none of my servers have been compromised or hacked to my knowledge. You won’t find a perfect web host, but Media Temple has a good track record, and we are pleased to do business with them.

  19. DDD

    Unless you are on a newer or as yet not overcrowded cluster, check your http and database latency. It’s insanely bad. SQL container helps.

  20. Andres

    @DDD I completely agree with the latency. I love MediaTemple’s interface but their service, even at cluster 6, was insanely slow. I just canceled :-(

  21. Alberto Hernandez

    I have the same feeling, but they compromised 120 clients’ web sites. I have to move all my clients out, because if I upgrade to another kind of server they can’t migrate 3400 email accounts and 280 websites, including WordPress and Joomla CMS websites. I have to change them one by one in less than a week, because the problem is that my country (MEXICO) doesn’t have a real infrastructure or any provider to make a real webhost. At this time I have just 2 servers in MT but they charge for the entire year, so I will just end the terms and migrate these clients too.

    The response from the MT staff was to add to my account 2 free months of services, like 120 USD.

  22. Patrick Ong

    woah…wondering if my DB on Media Temple has been hacked…

    for some reason, for the past 2 days, my email has gone bonkers…I cannot access it, password not accepted via my Mail software and even webmail is not allowing me access…

    scary…but I do agree that they are very good in terms of support…

  23. News fix

    One of my clients is on Media Temple and today, the 5th of August, we got attacked. We couldn’t understand the issue, and in order to minimize impact on our business we had to change hosting.

  24. popo

    And here we are again at the end of August 2010. Three weeks ago, MediaTemple suffered an identical attack affecting thousands of users.

    After spending countless hours recovering from the attack we were promised the system was now secure.

    And then yesterday it happened AGAIN.

    MediaTemple is an unmitigated DISASTER. Be extremely careful using them for hosting. Their systems are simply not secure. They are completely clueless about security.

  25. KBSD

    Following your comments, I approached MT to find out about them providing a backup service for my websites.

    Seems difficult. Or rather, they don’t offer it. Do It Yourself.

    Mmmh….

  26. Got Hacked. Want to understand how.

    [...] see this post from last year about the original fiasco (warning, it will piss you off). It’s gone downhill from there. I [...]

  27. A Small Orange hacked | Michael Torbert

    [...] hosting company, A Small Orange, sent this email to its customers today. I’m reminded of when Media Temple was hacked recently. However, while A Small Orange still hasn’t let us know all the details, [...]

  28. WordPress Performance Server Stack - Debian w/ Nginx, APC and PHP-FPM

    [...] and Rackspace as I’ve had problems with both and they’ve had well documented security vulnerabilities in the past. Next Page: Connecting to your server the first time. Pages: 1 2 3 4 5 6 3 [...]

  29. SomeGuy

    I will give Media Temple credit, their interface is good, and the products for the most part are pretty good and do not need much attention. Pretty much run on their own. What I do have to say is the level of customer service I just experienced. They apparently let a brute force attack hit my box resulting in my box getting hacked, their response was “shutdown” my server until I reinstalled.
    Which took me about 12 hours because even after the reinstall things did not work as they were supposed to. When I called tech support they told me I was on my own, and they can only help if the box was not running. And it was running just not working right. After calling back several times I finally got a person who was not only nice, but went out of his way to help me.

    Did I mention a previous tech set my websites to use the “admin” account and password just to get my databases up and running because he could not get the mySQL user accounts I setup to work. I would never use the “admin” account for this purpose, and yet they did.

  30. Yvonne

    stupid domain name? This comes from dealing with Web Media.com Web Media Mall.com or Web Blogging.com. Of course I am an idiot!! Saw in the domain register that they used an All in One SEO Pack 1.6.13.4. by Michael Torbert of Semper, Fi Web Design. I am so sick over paying $25,000 to Web Media for this web design that attracts absolutely NO ONE. Of course I had no input as I thought I would have (stupid me). I fell for one big scam. This web design is used over and over and over in many so called web site designed with my interests. HA HA HA
    Web Media is laughing all the way to the bank. I in turn have contacted anyone and everyone who might be able to help me. If you can help me get my money back (probably another BIGGER laugh) please contact the Louisiana Attorney General Office. or stupid me and I do know how to get the info to those who care about true Americans

  31. Stu

    I used to use MediaTemple (around the time you posted your article). Just googled them and found your post. Glad I left! Thanks for sharing your experience.

    Stu.

  32. Halil

    This will be somewhat like resurrecting an old post but, since some security-conscious people seem to come here from time to time, it looked to me like an OK place to mumble this.

    Surprise surprise! By default, all recent versions of Plesk including 8, 9 and 10 (most probably old versions too), store all account, ftp, database and email passwords in plain in a database named “psa”. This is a well-known fact for years.

    Shared hosting is insecure. But Plesk gives you even more options to dis-secure it: it allows using PHP as a module with Apache, without any suexec and suPHP options.

    Any shared hosting provider which properly locks up everything? I’ve yet to see one. This is because securing a shared server is unresourcefully time-consuming, and no shared hosting provider I know of does meaningfully more than the installation defaults.

    I’m not telling these to dis any server panel or any hosting provider. Since I can be considered fairly involved in this business too, I can see their positions. And yet decently secure shared hosting providers can exist. And if you know one, please tell us! But I wouldn’t hold my breath, if you can measure the security of a shared provider, you are probably quite ahead of using one.

    Looking for secure shared hosting? Start training yourself on *nix file permissions, chrooting, suexec/suPHP, hidden (non-)holes (re: PHP cgi_fix_pathinfo on nginx, of which even an nginx book writer seems to be unaware), server log parsing, fail2ban, logwatch, audits, SELinux, etc etc.

    And by the time you have some grasp on these, I bet you wouldn’t be looking for shared hosting any more :) This is of course, if you really mind security, unlike most of the businesses and customers out there, which you don’t have to :)

  33. Leyden

    Check out FireHost. They are all about security. An option for those who can afford it.

  34. Got Hacked. Want to understand how - Just just easy answers

    […] see this post from last year about the original fiasco (warning, it will piss you off). It’s gone downhill from there. I […]

  35. WordPress Performance Server – Debian “squeeze” with Nginx, APC and PHP from the Dotdeb repos | Sys-admin's Notes

    […] Media Temple and Rackspace as I’ve had problems with both and they’ve had well documented security vulnerabilities in the […]
