Media Temple Hacked

I don’t normally do negative posts about another person or company, but I feel this needs to get out there.  A few hours ago I received an email from MediaTemple, where I host several of my clients.  It was an automated message informing me that:

This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.

Since Media Temple doesn’t offer customers any FTP/SSH server logs for me to check, I called them to discuss.  The initial tech support representative and his manager were polite and helpful, explaining that an enormous amount of login attempts had been going on through many accounts, with a number of them being successful.  Many sites on many Media Temple accounts had been attacked and contained injected links in the footer:

<!-- [6eb602d48b8b7f42aba0ce0c31ebe3f5 --><!-- 9190819521 --><noscript><ul><li><a href="http://rg8rhg34h34h.cc/c">.</a></li></ul></noscript><!-- 6eb602d48b8b7f42aba0ce0c31ebe3f5] -->

I asked how in the world hackers could magically guess so many FTP/SSH passwords.  At first I was told that these were old passwords (nobody explained to me why old passwords should be any more vulnerable).  Then I was told that the login data was stored in plain text in a database that had been compromised.  My jaw dropped.  In my entire life, I’ve never heard of a company storing passwords in plain text.  This is bad enough, but then the database where these passwords were stored was somehow accessible to someone on the outside.

They weren’t able to give me any really good answer, other than that the issue was being worked on to revamp security on the servers, and that new account-level security measures (like not emailing passwords to new customers) would be implemented.  I asked when they became aware of this issue, and was told within the past day.  Oddly enough, Kyle Brady at the Inquisitr and Ross Dally at Tinyenormous seem to have been aware of this well before today.

I asked if Media Temple would be making a public announcement detailing the issues which led to the hacks, and what is being/has been done to correct them.  I was told to expect such an announcement.  So wait and see?

About

Christian, Voluntaryist, Marine, Southerner, WordPress enthusiast.

134 comments on “Media Temple Hacked”
  1. Kyle Brady says:

    Hi Michael,

    This all surfaced weeks ago, and I’ve been given the same generic responses for weeks – at this point, I’ve had more than enough and will be going all-out the next few days on this.

    Keep your eyes peeled on the Inquisitr, although the super-technical details will likely appear on my own blog and be linked to from the Inquisitr article.

    –Kyle
    .-= Kyle Brady´s last blog ..“Black Friday? Amazon Always!” [Self] =-.

    • Michael says:

      You sure made it here quickly, I just pressed the submit button two minutes ago. 🙂

      Thanks for your input Kyle. I don’t have any of my own sites on my Media Temple account (I have accounts with many hosting companies as well as a number of my own servers in a couple data centers), but I have a few sites I don’t care about there and several client sites. Things happen from time to time, I’m fine with that, but this is something that should never happen. I’m still at a loss as for how they can possibly think it’s a good idea to store passwords anywhere in plain text, in addition to having the database exposed to a hacker.

      • Kyle Brady says:

        Google tells me whenever someone links to me or mentions my name 😉

        The passwords-in-plaintext is something I’ve known about for awhile, and it’s always bugged me. Just like when you call, they want your password to confirm it’s you.

        But that isn’t the real issue – the issue is that someone is somehow gaining server-level access (as opposed to the user’s software) to a majority of the (gs) customers. Tech support doesn’t know anything at the moment, and I have a call in to a high-level guy for more details ASAP.

        –Kyle

        • Michael says:

          Ah, I use Google Alerts as well. That was mighty fast of them. 🙂

        • Michael says:

          I actually got the Google Alert just this minute on my name from this post. 🙂

        • sufehmi says:

          Just like when you call, they want your password to confirm it’s you.

          They can always store the passwords as hash – if you give the correct password, then the hash would match.

          So even if the password list is hacked, all the hacker got is a bunch of hashes. Not the password itself.
          .-= sufehmi´s last blog ..Gempa : Persiapkan Untuk Yang Paling Besar =-.

          • Michael says:

            sufehmi,

            Thank you for your input. You’re correct, just because they ask for your password doesn’t necessarily mean passwords are stored in plain text somewhere, in Media Temple’s defense. We know they’re stored in plain text because MT told us, which is unacceptable and something any college kid writing his first application with a user database should know better.

          • Will Bradley says:

            I know they aren’t hashed, because my password is way more complex than what I say on the phone– I’d have to spell it out letter by letter, with correct case, etc, for the hash to match. I’ve never had to do more than say it.

            I get the feeling that I’m a better security consultant than anyone at (mt), or (mt) management doesn’t care about security.

        • Garrett Williams says:

          Thanks to this comment, I’m now using Google Alerts. Sounds MUCH more useful than waiting for trackbacks 🙂

    • Michael says:

      Oops, sorry about that. When I copy/pasted your url I got everything inside the http:// and the .com. That’s what happens when you write a post at 2am I guess.
      Fixed now.

  2. Will Bradley says:

    Yeah, I became suspicious of this the first time MediaTemple tech support asked me what my password was. Nobody should ever ask you for your password. Unfortunately that’s always been their policy, and the fact that they were able to read my password to verify it means that there is no encryption. Looks like that finally bit them in the ass.

    I’m beginning to wonder if MediaTemple is actually an amateur operation with a really good webdesign team? This and their downtime/lack of communication earlier in the year make me wonder.

  3. Jay Thompson says:

    I got the same email from MT today.

    I find it most curious that tech support told you they became aware of the issue within the past day. Yet the link MT provided in the email to their “knowledge base” points to an article on this matter dated November 11 that says it started on November 6….

    http://kb.mediatemple.net/questions/1715/November+2009+%28gs%29+Security+Exploit+Removal
    .-= Jay Thompson´s last blog ..Half of Arizona Homeowners with Mortgages are Underwater. 23% Nationwide… =-.

  4. OMG disaster! yes i got that email and all my clients complained X(

  5. nf says:

    “In my entire life, I’ve never heard of a company storing passwords in plain text.”

    Hyperbole much? Stories of this kind have been in the news many times over the past 15 years.

  6. PaulN says:

    Count me and my company among the compromised. Not impressed. MT are fired.

  7. pauln says:

    “In my entire life, I’ve never heard of a company storing passwords in plain text.”

    Have you ever used a UK banking site? Ever wondered how they store passwords if you can “enter the first, third and fourth characters in your password”?

    • Kyle Brady says:

      Simple answer as to how they handle something like that, without using complicated encryption algorithms that are spacing dependent (in PHP, obviously):

      ——–

      $hashPassConcat = "";
      // one MD5 hex digest per character, appended in order
      foreach ($passwordInputCharArray as $character) {
          $hashPassConcat .= md5($character);
      }

      ——–

      Assuming that is implemented as the password hash algorithm, you can backwards-implement that in a “do the character positions X, Y, and Z match the input characters?” method, and you have a winner for non-plaintext semi-character matching.

      Not that this is advisable – I’m just saying that your assertion is incorrect.

      –Kyle

      • Will Bradley says:

        I wouldn’t call character-by-character hashing “encryption” though, especially using the md5 algorithm!

        The whole point of encrypting a password is to mangle it beyond all hope of recovery or analysis– except that it’s repeatable, and so “if this mangled string equals the one I’ve got stored, then I must have typed it correctly” is as close to deciphering the password as anyone should ever get.

        • Finger wagger says:

          Tsk tsk, you know that hashing isn’t encryption. Encrypted passwords are only slightly better than cleartext, compared to hashed.

        • Kyle Brady says:

          Who ever said encryption?’

          Hashing is used most often to hide passwords because of the ease-of-use, and I was pointing out what should have been obvious.

          The other thing I was pointing out was that if they have a legitimate encryption algorithm that allows partial character matching based on spatial positioning, then that would also be an option.

          Read what you’re critiquing before you get your panties in a twist.

          –Kyle

      • schnalle says:

        dear kyle,

        the script you provided is nothing more than security by obscurity. there are only so many chars (a lot if you allow unicode passwords, but i’d say less than 128 normally).

        so: make a table of all possible pwd-chars and their hashes.

          chunk the hash pass concat into 32 chars (assuming you store the textual hexnum instead of binary) and compare every entry to your table. tadaaa! plain text pwd recovered.

        your method wouldn’t really be more secure than storing plaintext.

        • Kyle Brady says:

          Let’s review how I was trying to show that what had been described can be done without storing passwords in plaintext, not create something hack-proof.

          And, yes, it is more secure than plaintext – the order of the chars could be swapped, extra bits added, etc.

          I wasn’t providing a blueprint on how to create NSA-level security, so let’s get off the high horse.

          –Kyle
          .-= Kyle Brady´s last blog ..MediaTemple’s Continued Inadequacy Issues [Expose] =-.

          • schnalle says:

            kyle, what you did IS storing passwords in plaintext, because they’re reversible without effort.

            secure hashes are one way only, and that’s the entire point of hashing. your combined hash provides no actual security, because a (small) static lookup table is all you need to reverse it. it doesn’t matter how many bits or chars you swap, it will still be a nothing more than a fancy rot13.

            an easy way of implementing the “tell me the 3rd, 4th and 7th char” scheme i could think of would be by storing hashes of all the combinations of chars with individual salts (too much data for more than 3 chars though). that should be reasonably secure (at least i think so – since i started reading the matasano chargen blog the only thing i know is that i know absolutely nothing).

          • schnalle says:

            disregard the “solution” in my last comment, it’s no real improvement when your database gets leaked as a whole. see, the problem is people like us – who don’t have the faintest idea about security – implementing so-called secure systems 🙂

            go snake oil!

          • Kyle Brady says:

            You are still failing to see the point.

            But, by all means, keep preaching. It’s really useful.

            –Kyle
            .-= Kyle Brady´s last blog ..MediaTemple’s Continued Inadequacy Issues [Expose] =-.

          • schnalle says:

            okay, so i’ll keep “preaching”:

            kyle, i fear you are the one who doesn’t understand the REAL problem of what you did there. the problem is NOT that you just proposed a fancy way of fancy-rot13 to solve the plain text password dilemma. the problem is that you created the impression that your solution has anything to do with the original problem pauln mentioned.

            pauln said: “banks store their passwords in plaintext”. you answered: “Simple answer, your assertion is incorrect: they store it in ROT13”. while ROT13 is technically not plaintext, the only problem it solves is against someone shoulder surfing the admin while he reviews the database dump and absolutely nothing else.

            either you fail to understand that (i don’t think so), or (and that is my whole point!) you fail to understand that you unintentionally mislead people by posting bad security advice on the internet.

            i know what making arguments over the internet is like, but if you told children on the disney forums that closing their eyes is a potential solution to deal with dangers, while failing to tell them the only danger it helps with is going blind when staring at the sun, i do hope somebody would object!

          • Rhys says:

            My god… Kyle Brady hasn’t implemented the code and algorithm he wrote (md5 each character), nor has he suggested that anyone SHOULD.

            He was responding to someone. This person indicated that UK banking sites asked for the 3rd, 5th, and 7th character of passwords and the implication was that such a question would require that said UK banking sites store customer passwords in plain text. Kyle Brady was showing that the passwords did NOT have to be stored as plain text in order to programmatically check for a match.

            No comments as to the advisability of such an algorithm were made. It was merely a direct response to a statement made by another commenter.

            I don’t care how horrified you are that someone would actually use that code, just reading this conversation was annoying. WTF. Reading comprehension, much?

      • honestly, bluehost always asked for my password too. Never really gave it much thought. but worried now.

    • I’ve never seen a password used in those situations with any of the three UK banks I bank with Pauln.

      I’ve seen “pick the 1st and 5th characters of your memorable word” or similar, but never the password.

      It’s the password that needs to be encrypted. The memorable word is simply to limit the potential for shoulder surfing.

      • Josh Delsman says:

        Barclays in the UK do ask you for characters from the password for 3D Secure authentication, I’m afraid. It should be noted that Ubersmith should be called out as one of the companies that does this in multiple places in their database(s).

        • Dan says:

          Absolutely… unfortunately, where bureaucracy is involved, we must generally assume incompetence and negligence, often backed up by lying and deceit. The press and independent critics need to push this type of issue out into the public eye more and increase awareness/literacy about basic security.

          • mark says:

            Amen to that Dan. Not only is it important with regard to security, but some folks need to get a better idea what they are getting into when they sign up with MT…. I for one, like many others, have had multiple problems and this is just one additional one.
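The per-character MD5 scheme Kyle sketches above, the lookup-table reversal schnalle describes, and a one-way salted hash for contrast, as an added Python example that is not part of the original thread (the character set, sample password and PBKDF2 parameters are assumptions for the demo):

```python
import hashlib
import hmac
import os
import string
from typing import Optional, Sequence

# Assumed character set for the demo: printable ASCII, i.e. schnalle's
# "less than 128 chars" that a password is normally drawn from.
ALPHABET = string.printable


def per_char_md5(password: str) -> str:
    """The scheme from the thread: one MD5 hex digest per character, concatenated."""
    return "".join(hashlib.md5(ch.encode()).hexdigest() for ch in password)


def check_positions_per_char(stored: str, positions: Sequence[int], chars: str) -> bool:
    """The bank-style 'give me the 3rd, 5th and 7th character' check, run
    against the per-character representation (positions are 1-based)."""
    for pos, ch in zip(positions, chars):
        chunk = stored[(pos - 1) * 32: pos * 32]
        if chunk != hashlib.md5(ch.encode()).hexdigest():
            return False
    return True


def recover_from_per_char_md5(stored: str, alphabet: str = ALPHABET) -> str:
    """schnalle's reversal: a table of md5(c) for every allowed character
    (about 100 entries), then each 32-hex chunk is a direct lookup.
    Reordering chunks or padding them does not help: the table still
    identifies every character, so the store is equivalent to plaintext."""
    table = {hashlib.md5(ch.encode()).hexdigest(): ch for ch in alphabet}
    chunks = (stored[i:i + 32] for i in range(0, len(stored), 32))
    return "".join(table[chunk] for chunk in chunks)


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """A one-way, salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard
    library). Only the parameters needed to re-run the derivation are stored."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record: str, candidate: str) -> bool:
    """The only operation a proper store supports: whole-password comparison.
    There is no per-character structure to answer a 'third character' prompt,
    and no lookup table smaller than the whole password space."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    password = "Tr0ub4dor&3"  # constructed sample password
    stored = per_char_md5(password)
    print("per-char store :", stored[:64] + "...")
    print("3rd/5th/7th ok :", check_positions_per_char(stored, [3, 5, 7], "0bd"))
    print("recovered      :", recover_from_per_char_md5(stored))
    record = pbkdf2_record(password)
    print("pbkdf2 record  :", record[:40] + "...")
    print("verify correct :", pbkdf2_verify(record, password))
```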

  8. I always found the whole give me your password thing over the phone bizarre. When I questioned it they sounded surprised that I would question its use. Anyways, I did not stick around long and moved on to another company within a couple of weeks.

    Alex
    .-= Alex Rodriguez´s last blog ..Susana + Michael’s Villa Woodbine Wedding =-.

  9. id says:

    Also got that notice. And as you probably know MT shows various passwords on request within the account center interface, so it is obvious they stored them as they were. But when I tried to reset them right after reading the mail, I realised something has changed: it said that passwords couldn’t be shown because they were encrypted. Would that mean new passwords are hashed now?

  10. mc says:

    MediaTemple is overrated and I’ve had nothing but bad experiences as their customer.
    .-= mc´s last blog ..My xBox Has New Home =-.

  11. EB says:

    I have also had to press MT support staff for full extent of the breach. Although they refused to admit the login db was compromised, I see no other explanation. Were you able to find out the extent of login info, which was taken? I was assured only FTP/SSH was hacked and account login credentials, email, etc are safe. Any insight if this is true?

  12. Brent Housen says:

    Just a heads up, I found an injected link on a few of my MediaTemple sites that was not in the footer.

  13. Aaron Adams says:

    They ask for your password over the phone? That’s unbelievable. I’d had no idea. That alone is enough to make me consider the painful process of switching hosting companies entirely. It’s amateur hour over there, apparently.

    Storing passwords in plaintext says Media Temple is completely ignorant of even basic security sensibilities. They’d better have quite the response on the way, and — while I normally hate to see such a thing happen — in this case, when you’re talking about this kind of gross incompetence, heads had better roll. I mean, really, who’s to say the passwords weren’t retrieved and sold by a Media Temple employee? That’s the most basic of reasons that you hash passwords. Need I be concerned about my credit card information as well? Who wants to bet it could be retrieved from the Media Temple database with ease?

    The initial policy of providing employees with access to plain-text passwords, the ultimate disclosure of all those same passwords, and the pathetic lack of transparency in the aftermath adds up to one ugly situation. I’d never been particularly thrilled with my Media Temple hosting, but today I stand in awe.

  14. Raphael Carrier says:

    While they do have a nice looking website and an impressive customers list, i have heard really bad things about them from various sys admins and web developers, i guess this only confirms my doubts on MT.

  15. Craig Webster says:

    I got a bit annoyed at seeing a few too many codebases that store passwords either as plain text or in ways that are fairly easy to break.

  16. Dinke says:

    The same happened to me today, they simply changed my pass and sent me that generic email crap. I’ve checked all my files and luckily haven’t seen anything hacked, so I sent them a support request asking for more details about the “security issue”. Still waiting for their answer 🙂

  17. Alex Williams says:

    I found about a dozen domains (some inactive) which were modified and didn’t even have FTP accounts… so I have a feeling someone actually had access to the (mt) servers, not just the passwords, unless they FTP’d with the “main” account.

    I also ssh’d to the server and noticed the timestamp on modified files were set to November 12, 2009… which means this happened 2 weeks ago.
    .-= Alex Williams´s last blog ..Scripted MySQL Replication Consistency Checks =-.

  18. Michael Murray says:

    We were hacked last evening, and again this morning, they were hacked. No doubt about it, no one in the world could have guessed our password.

  19. Dan says:

    They knew about this problem weeks ago, and rather than warn us ahead of time so a simple password change could be made to prevent being cracked, they just let it ride.

    Will’s question is most important: Is MediaTemple actually an amateur operation with a really good front/webdesign team?

    The (gs) has been a chronic mess with only very minor, very recent signs of improvement. They keep talking about the (cs), but I think you’re best off with the (dv) or going somewhere else. The problem is, where else? Where else can you get multi-site service for <$50/mo that isn't going to be just a raw command shell for the most part?

    • Rhys says:

      Lots of places? Like Dreamhost? Not saying they’re perfect, but I’ve hosted several sites there for years with minimal problems. Would depend on your mileage, though, because they are shared hosting.

  20. Albert says:

    Media Temple didn’t even tell me about it, they didn’t send me the email. After nearly 2 hours of not connecting thru filezilla, i finally hit them up on Twitter and on their support page.
    They promptly sent me an email (that i’ve seen before) about changing your password on their site, which I thought was vague and odd, but i quickly changed pw and got back in.
    then it hit me…so i had no clue about the hack and the need to change your pw. my host didn’t send me the email about it. wtf. seriously. i wrote them early this morning about that…have yet to hear back.

  21. Andres says:

    Hi all. Happy thanksgiving!

    I also questioned the password over the phone thing and was given an attitude! I had signed up already so changing company was more hassle than needed. Can someone please let them know that it’s bad to keep passwords public!!! I agree their web design is impressive, but what worries me most is that most of their clients are top notch web design/developers who haven’t complained loud enough. Can there be a correlation between pretty design and overlooked security, even by our web industry leaders? Scary.

    Please be careful, especially with a client’s business site. Also, if you are moving away from media temple, can you post the best alternatives?

  22. Storing your passwords in the clear is simply inexcusable. *No* sane sys-admin would ever do such a thing. This indicates to me, quite clearly, that this company cuts corners and that is not acceptable for an organization that purports such tremendous uptimes, speed and reliability.

    I am a former Red Hat Sr. Technical Support Engineer specializing in the areas of security and the LAMP stack. I own and operate Penguin Militia Networks, an ISP dedicated to the speed, reliability and security of its customers’ sites. We’ve been in operation since June of 2003 and have never, ever had such a severe security incident. We’re presently offering 50% off in honor of the holiday and I would be happy to assist anyone affected by this highly avoidable incident.
    .-= Aaron Brodney´s last blog ..The Works =-.

  23. I have a customer running wordpress projects who is hosted with Media Temple and has gone through all these problems!

    The problem seems to be related to media temple and wordpress, maybe a combination of weak media temple security and a wordpress vulnerability.

    What is curious is that any other customers that I have which are running movable type projects on media temple didn’t yet report any problem.
    .-= Mihai Bocsaru´s last blog ..Blog Survey =-.

    • It’s not a wordpress hack. All my plain handcoded HTML sites were ALSO hacked, as were some forums and CGI based CMS run websites.

      It’s nothing to do with WordPress, never has been. Even though when I was first hacked LAST MONTH MediaTemple tried to claim it was a WordPress problem.

      It never was.

  24. I have a customer running wordpress projects hosted with Media Temple and he went through all these problems!

    The problem seems to be related to media temple and wordpress, maybe a combination of weak media temple security and a wordpress vulnerability.

    What is curious is that any other customers that I have which are running movable type projects on media temple didn’t yet report any problem.
    .-= Mihai Bocsaru´s last blog ..Blog Survey =-.

  25. Eddie says:

    hashes are decryptable via rainbow tables. ftp passwords are sent in clear text anyways. they should not know your network (SSH, FTP) password at all… instead, there should be another (phone only) password, much like godaddy or most banks.

    sending passwords via email is a big NO NO… I never trust a company (that needs to be trusted with sensitive information) that sends me a password in an email.

    that being said, imagine what goes on in those smaller, more disorganized hosting companies… MT is one of the best out there (heck, even rackspace got hacked with the WHT incident)

  26. PaulN says:

    @Jonathan Hollin
    “I’ve never seen a password used in those situations with any of the three UK banks I bank with Pauln.”

    You’re wiser than I and do not use NatWest then: http://tinypic.com/r/307xp5l/6

    • Oh now that is really scary. I’m sure that’s unique to NatWest. I don’t see that at Barclays, Lloyds or the Bradford & Bingley. I’d never have believed a bank would have done that.
      .-= Jonathan Hollin´s last blog ..Tyler Durden =-.

      • Dan says:

        Speaking of banks, I just got a fairly good phishing attempt (sent to my primary media temple email account) that pretends to explain why I was unable to activate an online account for a new Bank of America card. In reality I have had exactly this kind of failure happen within the past 10 days or so, and it is not yet resolved although the card is with Barclay’s, not BoA. I do have a BoA account as well.

        This seems like very specific, targeted phishing attempt, and if it is not coincidence it would have to be based on the fraudsters having compromised the Barclay’s site, (mt), or my email (which is not kept on the mailserver long)–or they found some way to listen in on network traffic somewhere.

        Who knows, but it seems very targeted and more intelligent than usual. Google Chrome blocked the linked phishing site.

  27. Eddie, being the owner of one of those “smaller, more disorganized hosting companies” I can say that we’re forced to take these issues far more seriously than the “big hosts.” As a consequence of being small, all of my customers are important to me. I take the security of their data and the availability of their sites very seriously and would not mess around with clear-text passwords.

    While it may be *possible* to break a hash, especially one with known collisions, it’s a lot harder than reading a plain text file.

    The best hosts have policies and procedures in place to prevent these sort of incidents and if not prevent, then limit their scope. MediaTemple’s behavior in this instance is completely unacceptable.

    I have seen evidence that this issue was known to them a lot longer than a day or two ago and as you’ll soon find out, they’re attempting to cover this all up. Good job, Media “Temple.” Best go and pray for some common sense.
    .-= Aaron Brodney´s last blog ..The Works =-.

    • Eddie says:

      Indeed Aaron. There are numerous boutique shops where you will receive better service than at many of the big ones, for that very reason you mention. But I imagine that the prevalence of proper procedures is more common at larger operations than at smaller ones. I could be wrong though, I am not in the hosting business….
      .-= Eddie´s last blog ..Bem-vindos =-.

      • One would think a big shop, especially one with the reputation of MediaTemple, would have the proper procedures in place. I just want(ed) to emphasize (and I know I’m preaching to the choir) that some of the smaller shops can be good too. I think it boils down to this:

        When you have a competent staff many of the risks and hazards can be easily avoided. An accessible, clear-text-file with such sensitive information is really inexcusable. In 6 years of operation I have not once had to tell one of my customers that we’ve suffered a major security breach. Everyone has the occasional problem — it really is to be expected, but what’s also expected is that some care be taken with such personal information. Mitigate, Mitigate, Mitigate.

        Michael may rightfully mod me for this shameless self-promotion, but I feel as though my team excels because we’ve all got a deep-understanding of what is going on at the machine-level, and because we understand what is at stake: our customers livelihoods in many cases and our reputation.

        I hope that MediaTemple has learned an important lesson in cutting corners.

  28. Mark says:

    hmmmm…

  29. saad says:

    Condolences to all of you on facing this. It is really ridiculous that passwords were being stored in a plaintext file. One of the most expensive hosting companies is doing this? It’s so sad.

  30. Jack Bauer says:

    My largest client’s site was compromised. The site was down for about an hour or so. Some of the code in the CMS (CMS Made Simple) was changed.

    This is strange given that CMS Made Simple is very secure, file permissions across the site are solid, and the passwords are uncrackable.

    MediaTemple has given me credits for their errors in the past. They better do it again AND fix their security issues.

    • Dan says:

      It has nothing to do with CMS Made Simple. The intruders likely had full access to your account and root ftp–that is the extent of the problem being discussed here.

      Why has nobody mentioned what must be the primary concern? –> An unknown number of individuals have had full access to many (gs) accounts for the better part of November. Are they so stupid that the only thing they could figure out to do with this information is add some porn links and redirect traffic? They had access to all the email accounts in each (gs) account. The holiday weekend now is a great time to exploit stuff like that.

  31. MTvictim says:

    I found this file in one of my dirs. Fri, Nov 13, 2009. I did not put it there, i saw it appear as I was refreshing a dir. I don’t use pureftp so I knew someone else was in.

    .pureftpd-upload.4afe211c.15.4f94.c9a2b70

    weaksauce MT.

  32. ben says:

    Yep, enjoyed a nice Thanksgiving grepping session on all my (gs) accounts to find all those porn links. Good times! I’ve been unhappy with (mt) for the past year or two, but this does it for me. Done.

  33. Dan says:

    What is this plugin that grabs the “last blog” item from the commenter? That’s part of ComLuv? And it pulls in the first feed it can find at the URL the commenter leaves in the “website” field in the comment form?

  34. Rob J. Caskey says:

    Can anyone tell me anything about the following files found in /users/.home
    ./compromisedfileslistn (created 2pm EST yesterday)
    ./sitefix.log (created 12:05AM EST today)

    Both are blank, my theory is that this particular domain was unaffected, and had it been affected these particular logs would still be blank.

    Thoughts?

    • Dan says:

      (mt) techs working there for you in the background?

    • Dear Rob,

      To answer your question directly, you may see the files ‘compromisedfileslistn’ or ’sitefix.log’ in your home directory. This only means we checked your site for the php injection exploit. If we came across any exploited files we removed the malicious code and restored your files. We also made backups with the ‘.bak’ extension and changed their permissions to prevent access. You can take a look at these files if you like. Any altered files would be listed in the ’sitefix.log’ file. If that file is empty your site is “clean.”

      • Any response to the claims that your organization has known of this issue for weeks and has been quiet about it? Also, what web host modifies the sites of a client without permission, hack or no hack? I hate to make a bad pun but you guys are the hacks.

        • Dear Aaron,

          At the time we had limited information ourselves regarding the security risks involved, and were focused on defining the scope of the issue. We did send targeted emails to affected customers as reliable information was made available to us. All of our (gs) customers then received an email notifying them of password changes as we determined the scope of this incident.

          Aaron, if we are able to remove known exploited code and restore a customer’s site on a managed service, I don’t feel that’s a bad thing.

          • Dan says:

            It’s a bad thing that you are not explicitly alerting people when you find an exploit on one of their sites. When you find those exploits, what it really means is that someone with root FTP and server control panel access got in there. What if they also compromised some email accounts, secondary FTP users, and/or SQL users? To be 100% paranoid-protective, you’d have to change all those credentials.

            I don’t recall a part of the (gs) controls where you can restrict remote database access. This should be locked by default. Is it? Otherwise, someone who can FTP into your public_html can grab the config file for your PHP/MySQL CMS, and then they have a way into your CMS database to do damage, harvest emails and minimally encrypted passwords, etc…

  35. Dan says:

    Saw this today…

    FierceCIO: “Number of lost personal records grows to 220 million”

    “There were fewer actual breaches reported by businesses and government agencies so far this year compared to 2008, but the number of actual personal records stolen soared. The Identity Theft Resource Center (ITRC) identified 435 breaches as of Nov. 17, a number that is on track to be a 50 percent drop compared to last year….”

  36. Rukishou says:

    I’m using WordPress and the theme Thesis and I wonder: how do I find out if I have this code snippet (and for that matter, what does it even do?) and where that would be?
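
The question above (how to tell whether a site carries the injected footer code, and where) and the (mt) reply earlier in the thread about ‘sitefix.log’ and the ‘.bak’ copies left after cleanup both come down to the same job: walk the document root, match the injected block, and strip it while keeping a locked-down backup. The following is an added example, not (mt)’s sitefix tooling and not code from the post. Its signature is an assumption drawn from what commenters describe: a hidden `<noscript>` link list bracketed by HTML comments that carry the same 32-character hex tag. The directory layout, file extensions and sample page contents are constructed for the demo.

```python
"""Scan a site tree for the hidden footer-link injection discussed in this
thread and list the .bak copies a cleanup pass leaves behind.

Added example; not (mt)'s sitefix tooling. The signature is an assumption:
a <noscript> link list bracketed by HTML comments carrying one 32-hex tag,
i.e. '<!-- [<hex> -->' ... '<noscript>...</noscript>' ... '<!-- <hex>] -->'.
"""
import os
import re
import shutil
import tempfile

SCAN_EXTENSIONS = {".php", ".html", ".htm", ".tpl", ".inc"}  # assumed set

INJECTION_RE = re.compile(
    r"<!--\s*\[(?P<tag>[0-9a-f]{32})\s*-->"   # opening marker with the tag
    r".*?<noscript>.*?</noscript>.*?"          # the hidden link list
    r"<!--\s*(?P=tag)\]\s*-->",                # closing marker, same tag
    re.DOTALL | re.IGNORECASE,
)


def find_injections(text):
    """Return every injected block found in one file's contents."""
    return [m.group(0) for m in INJECTION_RE.finditer(text)]


def strip_injections(text):
    """Return (cleaned_text, number_of_blocks_removed)."""
    return INJECTION_RE.subn("", text)


def scan_tree(root):
    """Map each affected file (path relative to root) to its block count."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue  # skips .bak copies as well as images, css, etc.
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                count = len(find_injections(fh.read()))
            if count:
                hits[os.path.relpath(path, root)] = count
    return hits


def clean_file(path):
    """Strip injected blocks from one file after saving a 0600 '.bak' copy.

    Mirrors the cleanup the (mt) reply describes: backup with restricted
    permissions first, then the live file rewritten without the code.
    Returns the number of blocks removed (0 leaves the file untouched).
    """
    with open(path, encoding="utf-8", errors="replace") as fh:
        original = fh.read()
    cleaned, count = strip_injections(original)
    if count:
        backup = path + ".bak"
        shutil.copy2(path, backup)
        os.chmod(backup, 0o600)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return count


def list_backups(root):
    """Relative paths of '*.bak*' files a cleanup pass left behind."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if ".bak" in name:
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


# Constructed sample: one injected index.php and one clean theme file.
SAMPLE_TAG = "0123456789abcdef0123456789abcdef"
SAMPLE_INJECTED = (
    "<html><body><p>hello</p>\n"
    "<!-- [" + SAMPLE_TAG + " -->"
    "<noscript><ul><li><a href=\"http://spam.invalid/c\">.</a></li></ul></noscript>"
    "<!-- " + SAMPLE_TAG + "] -->\n"
    "</body></html>\n"
)
SAMPLE_CLEAN = "<html><body><p>nothing to see</p></body></html>\n"


def build_sample_tree():
    """Write the constructed sample into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="mt-scan-")
    theme = os.path.join(root, "wp-content", "themes", "thesis")
    os.makedirs(theme)
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* front controller */ ?>\n" + SAMPLE_INJECTED)
    with open(os.path.join(theme, "footer.php"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CLEAN)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("before:", scan_tree(root))  # {'index.php': 1}
    for rel in scan_tree(root):
        print(rel, "removed", clean_file(os.path.join(root, rel)))
    print("after:", scan_tree(root), "backups:", list_backups(root))
```

Run it against a real document root by replacing `build_sample_tree()` with the path to your site; the scan is read-only and only `clean_file` writes. The backreference on the hex tag is what keeps the match tight: a page that merely contains a `<noscript>` block or an HTML comment is not flagged unless both markers carry the same tag.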

  37. mp says:

    Out of curiosity, what authentication method would people prefer if asking for passwords isn’t acceptable? DOB? SSN? Another passphrase? Obviously, they need *some* way to verify that you are who you say you are when you call in for help or to make changes.

    • We’ve since added a new option, Support PINs.

      Support PINs allow customers to optionally generate temporary passwords inside the AccountCenter which are only active for a short period of time.

      This new measure keeps your password both verbally and electronically private inside an encrypted database at all times.

  38. Dave says:

    The fact that we got hacked is not what upset me or was the reason to cancel and go to rackspace. I think as a customer I should have been taken care of better. Just getting an email about this problem, automatically shutting down the server and basically leaving me in the dark to re-install my server isn’t good business.

    Sorry MT, you lost two big accounts. No good customer service.

    I may pay 5-10x more now but I know someone has my back.

    David

  39. That link was in my blogs too! I could have sworn it was a hacker. I was trying to figure out what to do about it for a day then it just disappeared. MediaTemple obviously fixed the problem. Kinda scary though.

    They should make it public though.

    -Seth Goldstein
    http://www.a2sm.com – Addicted to Social Media Blog

  40. Chris says:

    When you log in to the control panel and edit the root user, it lists the password as ****** with a link to “show password” (or at least it did). There was no way this would be possible if they were using one-way encryption.

    It’s the ultimate example of convenience over security. Fact is, it really wouldn’t have taken them long to implement a “forgot password?” link on the user page and use the same secure practices every other major website has been using for years.
    .-= Chris´s last blog ..Fixing Eclipse in Ubuntu 9.10 Karmic Koala =-.
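
Two points in this thread fit one worked example: the (mt) reply to comment 37 describing Support PINs (temporary, expiring, generated in the AccountCenter so the real password is never spoken), and Chris’s observation above that a “show password” link is only possible when the stored password is reversible. The code below is an added illustration, not (mt)’s AccountCenter code. It stores passwords as salted PBKDF2 digests (so no function can reveal them; a reset link is the only recovery path) and issues single-use PINs with an expiry and an attempt cap. The iteration count, PIN length, lifetime and attempt cap are assumptions chosen for the demo; the thread only says PINs are “active for a short period of time.”

```python
"""Password storage that cannot offer a 'show password' link, plus
short-lived Support PINs of the kind (mt) describes in this thread.

Added example; not (mt)'s AccountCenter code. Constants are assumptions.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # assumed; raise as hardware allows
PIN_DIGITS = 8                # assumed
PIN_TTL_SECONDS = 15 * 60     # assumed; thread only says "a short period"
PIN_MAX_ATTEMPTS = 5          # assumed


def hash_password(password, salt=None):
    """Return (salt, digest). The digest is one-way: nothing in this module
    can turn it back into the password, which is exactly why a control panel
    built on it cannot have a 'show password' link."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute and compare in constant time; the digest is never revealed."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class SupportPinStore:
    """Temporary PINs for phone support: one per account, single use, expiring.

    Only a SHA-256 of the PIN is stored. An 8-digit PIN is trivially
    brute-forced offline if this table leaks, so the controls that matter are
    the short lifetime, the attempt cap and single use, not the hash.
    """

    def __init__(self):
        self._pins = {}  # account -> {"digest", "expires", "attempts", "used"}

    @staticmethod
    def _digest(pin):
        return hashlib.sha256(pin.encode("ascii")).digest()

    def issue(self, account, now=None):
        """Create a fresh PIN for the account, replacing any earlier one."""
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self._pins[account] = {
            "digest": self._digest(pin),
            "expires": now + PIN_TTL_SECONDS,
            "attempts": 0,
            "used": False,
        }
        return pin  # shown once to the customer; never stored in the clear

    def redeem(self, account, pin, now=None):
        """True exactly once: right PIN, before expiry, within the attempt cap."""
        now = time.time() if now is None else now
        rec = self._pins.get(account)
        if rec is None or rec["used"] or now > rec["expires"]:
            return False
        rec["attempts"] += 1
        if rec["attempts"] > PIN_MAX_ATTEMPTS:
            return False
        if not hmac.compare_digest(self._digest(pin), rec["digest"]):
            return False
        rec["used"] = True
        return True


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery")
    print("login ok:", verify_password("correct horse battery", salt, digest))
    store = SupportPinStore()
    pin = store.issue("acct-1")
    print("support reads back PIN:", store.redeem("acct-1", pin))
    print("replayed PIN:", store.redeem("acct-1", pin))
```

The support agent types the PIN the caller reads out; a correct PIN authenticates that one call and is then dead, so even a PIN overheard on a phone line (the scanner concern raised later in this thread) is worthless a few minutes later. Nothing here, or in the record a database dump would contain, yields the customer’s real password.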

  41. Eric Gray says:

    Another reason I am glad to be a former MT customer. The only thing good about MT is the flashy marketing — and I fell for it. Got all my money back, not that it compensates for the tons of downtime experienced there.
    .-= Eric Gray´s last blog ..InformationWeek: Hyper-V Not For Enterprise =-.

  42. As of today, December 20, the people at Media Temple apparently remain in the dark over the exact cause or depth of their internal security breach. I received the following message from MT today, which seems quite defensive in tone:

    Let me try to be transparent in saying we still have not determined the actual cause of the security breach. With that said, we are being as transparent as possible as we are conducting an investigation. The likely scenario is that someone did hack our database containing FTP passwords.

    Be advised that this information is as much as I know about the breach, and as much as our higher-level staff know.
    .-= David Henderson´s last blog ..For DC, a Massive Snow Storm =-.

    • Dear David,

      We will continue to be as transparent as possible. The cause of the issue is still under investigation and I’d like to steer clear of giving you false information. I’m looking forward to providing you more details as they are available.

      • You mean you guys were compromised weeks ago and you still have no idea why? MediaTemple is sooooo impressive. Be truly transparent with us, Scott: exactly what does MediaTemple store “in the clear” about its customers?

  43. CD says:

    Honestly, Bluehost always asked for my password too. Never really gave it much thought, but worried now.

  44. So I got this email today about the support PIN from MT. What’s the point? If this scenario repeats itself, and MT changes my password without letting me know, how am I supposed to get access to the PIN?
    This also adds another layer onto the user. Why do I have to log in to something to get a code for you?
    Lastly, MT, even your emails suck. I can’t respond to you? I have to log in to my account to contact you?
    This email had one link in my Gmail account, to mediatemple.net. Think I dunno my host’s URL? Oh wait, once I turn images on, then I get another link. Mail fail.
    I’m seriously a firm believer that not one of your web stars promoting you has ever used the service us peons get. No way those peeps would tout you as highly as they do.
    Or they don’t care so much as they get freebies. But I doubt that.
    Really sad. MT, you had me @ 100%. Not so much anymore.
    Albert

    • Dear J. Albert,

      The Support PINs are another option for accessing our customer support over the phone without the need to share your Account Center password.

      Support PINs are temporary and expire shortly, allowing them to be a secure method of authenticating a customer when calling in for support.

      We’ve created PINs in an ongoing security initiative and to address the desires of our customers.

      You can simply log in to your AC and generate a temporary PIN to share with our support staff.

      Account Center passwords have not been reset and were not included in the recent security concerns.

      • Good to see you guys are doing things to start to take security seriously in almost 2010! Congratulations! How about a real explanation of what happened, how it happened, why it happened and explain exactly why its impossible for it to ever happen again — that’s what I’d like to see.

        Scott, be “transparent” with us: what is the story?

  45. Melih Ablak says:

    Of my eight sites hosted by (mt), only one (4nx4.com) was hit with this code. I saw it later.. (mt) good good? (gs)

    http://4nx4.com/mt-hack-code.txt

    And who cleaned this code from index.php? : )

    The backup file remained:

    index.php.bak.Sun_Nov_29_00:25:48_PST_2009

  46. Faust says:

    I thought I’m the only one with compromised hosting, I had malware lurking and spam links injected into my site. Sheesh! What’s wrong with some hosting companies.

  47. Mal Milligan says:

    Media Temple helped to sponsor the latest WordCamp in NYC and we were all grateful for that. But anytime a vendor does not tell the truth immediately about a hack, that should be criminal, and there should be an investigation. Using the passwords-over-the-phone trick is a low-intelligence solution and an easy problem to fix. Cell phone voice traffic can be picked up on a cheap scanner. I always cringe when I hear a company give access to client passwords to its staff. Anyway, there are a ton of hosting providers… if my security was compromised and I was not notified I would probably do a blog post too, but I would shift hosting accounts asap.

    • Dear Mal,

      We are active in the WP community and will continue to be. WordPress is a fantastic platform.

      To be fair, Michael has not updated this post and we’ve had several related announcements regarding the compromised ftp passwords.

      The ftp passwords and phone passwords were not stored the same way. Let’s please not confuse the two.

      In a separate effort to increase overall security for our customers we’ve created Support PINs to be used for phone passwords.

      The Support PINs are another option for accessing our customer support over the phone without the need to share your Account Center password.

      Support PINs are temporary and expire shortly, allowing them to be a secure method of authenticating a customer when calling in for support.

      • Mal Milligan says:

        Glad to hear about the tightening of security for phone-in support, Scott. In my old age, after working with PCs full time since 1985, I’m more sensitive to security issues caused by plain old operations issues. There are a lot of collateral security issues that spring from a single password hack, and ISPs are frequently a target. In the Fortune 100 data centers I’ve worked at in NYC over the years, we do a lot of work with sniffers of course, and we would bring in a “security specialist” to identify and resolve any security issue of magnitude. Full disclosure to customers regarding hacks is still more of a corporate attitude than a law and I’m happy to hear you guys are out in front with your reporting. Have a great New Year over there at MT. Regards –

  48. Six months ago I felt MediaTemple was one of the best web hosts, but now, in the past few days, I think it’s one of the worst. Unfortunately I’m going to have to leave for another service provider.
    I experienced this with web.com having problems similar to the ones MediaTemple is now having, and they took more than 2 weeks to transfer all the customers to other servers. I feel this compromises any business. 132 of my clients are hosted on MediaTemple, more than 3879 email accounts; I can’t change this in less than a week.

    But the real problem is the security: other providers have security, your websites are safe from hacks.

2 Pings/Trackbacks for "Media Temple Hacked"
  1. […] number of people (Michael Torbert, Kyle Brady, Jeffrey Barke, Adrian Hanft) are reporting that their Media Temple sites have been […]
