Media Temple Hacked
I don’t normally do negative posts about another person or company, but I feel this needs to get out there. A few hours ago I received an email from MediaTemple, where I host several of my clients. It was an automated message informing me that:
This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.
Since Media Temple doesn’t offer customers any FTP/SSH server logs for me to check, I called them to discuss. The initial tech support representative and his manager were polite and helpful, explaining that an enormous amount of login attempts had been going on through many accounts, with a number of them being successful. Many sites on many Media Temple accounts had been attacked and contained injected links in the footer:
<!-- [6eb602d48b8b7f42aba0ce0c31ebe3f5 --><!-- 9190819521 --><noscript><ul><li><a href="http://rg8rhg34h34h.cc/c">.</a></li></ul></noscript><!-- 6eb602d48b8b7f42aba0ce0c31ebe3f5] -->
I asked how in the world did hackers magically guess so many FTP/SSH passwords. At first I was told that these were old passwords (I wasn’t explained the significance of why old passwords should be vulnerable). Then I was told that the login data was stored in plain text in a database that had been compromised. My jaw dropped. In my entire life, I’ve never heard of a company storing passwords in plain text. This is bad enough, but then the database where these passwords were stored was somehow accessible to someone on the outside.
They weren’t able to give me any really good answer, other than that the issue was being worked on to revamp security on the servers, and that new account level security measures (like not emailing passwords to new customers) would be implemented. I asked when they became aware of this issue, and was told within the past day. Oddly enough, Kyle Brady at the Inquisitr and Ross Dally at Tinyenormous seemed to be aware of this long before earlier today.
I asked if Media Temple would be making a public announcement detailing the issues which led to the hacks, and what is being/has been done to correct them. I was told to expect such an announcement. So wait and see?
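The injected footer block quoted above has a fixed shape: a 32-character hex marker comment, a numeric comment, a `<noscript>` link list, and the same marker closing the block. The scanner below is an added example, not part of the original post and not a Media Temple tool; it finds and strips blocks of that shape in a web root. The file-extension list and the sample footer (marker, id and domain) are assumptions constructed for illustration.

```python
import os
import re

# Shape of the block quoted in the post: a 32-hex marker comment opens the
# block, a numeric comment follows, the links sit in <noscript>, and the same
# marker closes it.
INJECTED_BLOCK = re.compile(
    r"<!--\s*\[(?P<marker>[0-9a-f]{32})\s*-->"
    r"\s*<!--\s*\d+\s*-->"
    r"\s*<noscript>(?P<body>.*?)</noscript>"
    r"\s*<!--\s*(?P=marker)\]\s*-->",
    re.IGNORECASE | re.DOTALL,
)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
WEB_EXTENSIONS = (".php", ".html", ".htm", ".tpl", ".inc")  # assumed set


def find_injections(html):
    """Return [(marker, [link targets])] for every injected block in html."""
    return [(m.group("marker").lower(), HREF.findall(m.group("body")))
            for m in INJECTED_BLOCK.finditer(html)]


def strip_injections(html):
    """Return (cleaned_html, number_of_blocks_removed)."""
    return INJECTED_BLOCK.subn("", html)


def scan_tree(root):
    """Map each web file under root that contains a block to its findings."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_injections(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed sample footer; the marker, id and domain are made up.
SAMPLE = (
    "<div id=\"footer\">(c) Example Co</div>\n"
    "<!-- [0123456789abcdef0123456789abcdef --><!-- 1234567890 -->"
    "<noscript><ul><li><a href=\"http://injected.example/c\">.</a></li></ul>"
    "</noscript><!-- 0123456789abcdef0123456789abcdef] -->\n</body></html>"
)

if __name__ == "__main__":
    print(find_injections(SAMPLE))
    print(strip_injections(SAMPLE)[1], "block(s) removed")
```

Run `scan_tree` against a copy of the document root first, and rotate the FTP/SSH credentials before cleaning, since files can be re-injected while the stolen password still works.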

Billbo Baggins: There is no such thing as secure when you share your host with others.
I faced a similar problem with my host, but I discovered the reason: it was not their problem. My password was stolen by a malicious attacker who stole them from an old version of Cute FTP where those passwords were stored.
They attacked each site which was saved in CuteFtp, injected code into each index*.*, default*.* file, and within 1 day I started getting calls from my clients.
It’s a common disease for some old companies – they still use outdated code and practices.
Once my site used a web shop service which stored credit cards along with CVV2 in plaintext right within your account. On top of that, password reminder phrases, if you guessed them right, did not generate a new password, but just gave you the old one.
So Media Temple isn’t that bad at all (especially since rainbow tables for hashes were invented).
It’s shocking to hear that passwords are stored as plain text. Security is never perfect, but leaving the front door open and expecting no one to simply walk in is very unprofessional in my opinion.
We host on liquidnet, i.e. ResellersPanel, and MANY MANY sites were hacked the same time your hosting got nailed. Except ResellersPanel is in full denial mode, blaming each customer for 100s of lost or hacked websites.
They are outright rude to the point of making threats if anyone tells the public.
Good Luck with yours, we’ll be moving ours.
I had the same experience with some hosting companies. Now I have my own server and we moved to Linux at the workstations after problems like this. Windows runs only in the Virtual Box to test the IE. Some viruses use the open FTP connection at the computer, so if you have a virus at a developer machine you get a big problem. But it is the same if the webserver is hacked and they get root permission. Then all customers at this server have a big problem. And most hosting companies don’t use a virus scanner at a webserver. And if a virus or a stupid staff member of the hosting company changed the permissions at your hosting, you can’t see the files with the virus or can’t delete or change them. I had two hosting companies with the permission problem and they ignored my requests.
For all who use standard software like phpMyAdmin: please never use the normal path or easy passwords. At every webserver you can see in the logs a lot of requests to /phpmyadmin, /phpMyAdmin and so on. The same is true of webmailers. So you can reduce the risk by changing the path name.
@Viktor:
> especially since rainbow tables for hashes were invented
Using a salt when hashing the password renders rainbow tables useless
I’ve had the same code injection attack occur on two of my websites. Both use shared hosting but both are with different companies. It seems like it is quite common with shared hosting.
I have read about this hack on numerous boards … I also have had a server compromised by the same hack. Here is what I know is true: first off, we are not with the aforementioned hosting companies, and yes, they had several servers compromised. It was not only blogs, but actually PHP-based coded apps and sites. The hacks occurred in the same time frame as those mentioned here. One of our clients had a virus on an office computer, and the hacks occurred on the sites in his FTP client. The code injected into our sites was the same as was seen in ours and others … etc …
nevermind, big hosting in the planet got hacked
so “no one 100% secure” statement is right
anyway, great blog!
I’ve been nothing but impressed with Media Temple. For the last 6 years they have done what they said they would do and more.
Media Temple is still dealing with the fallout from this big security breach. They’ve been changing out passwords, including database credentials, on the many accounts affected by this incident.
I am currently dealing with this with a large hosting company. I do not want to go through this again. I have registered a couple of domains with Media Temple but haven’t launched yet. Is there ANY Shared Hosting system that is SAFE?
Laughing Squid for RackSpace?
I came to Media Temple because of their great reputation, but getting their letter about the password change was very unsettling.
Linda
I don’t gauge a web hosting company by their lack of problems, but the way and the speed at which they deal with problems. Media Temple has continued to show forward thinking, regular equipment upgrades, and they do a good job communicating with their customers. Plus, their technical support is excellent.
I have been with them since 2005 and have dozens of subdomains hosted with them and none of my servers have been compromised or hacked to my knowledge. You won’t find a perfect web host, but Media Temple has a good track record, and we are pleased to do business with them.
Unless you are on a newer or as yet not overcrowded cluster, check your http and database latency. It’s insanely bad. SQL container helps.
@DDD I completely agree with the latency. I love MediaTemple’s interface but their service, even at cluster 6, was insanely slow. I just canceled
I have the same feeling, but they compromised 120 clients’ web sites. I have to move all my clients outside, because if I upgrade to another kind of server they can’t migrate 3400 email accounts and 280 websites, including WordPress and Joomla CMS websites. I have to change them one by one in less than a week, because the problem is that my country (MEXICO) doesn’t have a real infrastructure or any provider to make a real webhost. At this time I have just 2 servers in MT, but they charge for the entire year, so I will just end the terms and migrate these clients too.
The response from the MT staff was to add to my account 2 free months of services, like 120 USD.
woah…wondering if my DB on Media Temple has been hacked…
for some reason, for the past 2 days, my email has gone bonkers…I cannot access it, password not accepted via my Mail software and even webmail is not allowing me access…
scary…but I do agree that they are very good in terms of support…