I don’t normally do negative posts about another person or company, but I feel this needs to get out there. A few hours ago I received an email from MediaTemple, where I host several of my clients. It was an automated message informing me that:
This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.
Since Media Temple doesn’t offer customers any FTP/SSH server logs for me to check, I called them to discuss. The initial tech support representative and his manager were polite and helpful, explaining that an enormous amount of login attempts had been going on through many accounts, with a number of them being successful. Many sites on many Media Temple accounts had been attacked and contained injected links in the footer:
<!-- [6eb602d48b8b7f42aba0ce0c31ebe3f5 --><!-- 9190819521 --><noscript><ul><li><a href="http://rg8rhg34h34h.cc/c">.</a></li></ul></noscript><!-- 6eb602d48b8b7f42aba0ce0c31ebe3f5] -->
I asked how in the world hackers had magically guessed so many FTP/SSH passwords. At first I was told that these were old passwords (nobody explained why old passwords should be any more vulnerable). Then I was told that the login data was stored in plain text in a database that had been compromised. My jaw dropped. In my entire life, I’ve never heard of a company storing passwords in plain text. That is bad enough, but then the database where these passwords were stored was somehow accessible to someone on the outside.
They weren’t able to give me any really good answer, other than that the issue was being worked on to revamp security on the servers, and that new account-level security measures (like not emailing passwords to new customers) would be implemented. I asked when they became aware of this issue, and was told within the past day. Oddly enough, Kyle Brady at the Inquisitr and Ross Dally at Tinyenormous seemed to be aware of this long before today.
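The injected block above has a recognisable shape: an opening HTML comment carrying "[<32 hex chars>", a hidden <noscript> link list, and a closing comment carrying the same hex token followed by "]". The following scanner is an added example (my code, not Media Temple's or anything from the original post) that finds such blocks in a page, pulls out the hidden link targets, and can walk a web root to list every infected file. The sample HTML is constructed here and reuses the exact marker and link from the post; the file suffix list is an assumption.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Opening comment "<!-- [<32 hex> -->", an arbitrary injected payload, then a
# closing comment "<!-- <same 32 hex>] -->". The backreference ties the two
# markers together so an unrelated comment elsewhere on the page cannot match.
INJECTION_RE = re.compile(
    r"<!--\s*\[(?P<marker>[0-9a-f]{32})\s*-->"
    r"(?P<payload>.*?)"
    r"<!--\s*(?P=marker)\]\s*-->",
    re.DOTALL | re.IGNORECASE,
)

# Hidden link targets inside a <noscript> block of the payload.
HIDDEN_LINK_RE = re.compile(
    r"<noscript>.*?<a\s+[^>]*href=[\"']([^\"']+)[\"']", re.DOTALL | re.IGNORECASE
)


def find_injections(html: str) -> List[Tuple[str, List[str]]]:
    """Return (marker, [link targets]) for each injected block in one document."""
    found = []
    for m in INJECTION_RE.finditer(html):
        found.append((m.group("marker"), HIDDEN_LINK_RE.findall(m.group("payload"))))
    return found


def strip_injections(html: str) -> str:
    """Return a copy with every matched block removed (a cleaned candidate to review)."""
    return INJECTION_RE.sub("", html)


def scan_tree(root: str, suffixes=(".php", ".html", ".htm", ".tpl")) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Walk a web root (assumed layout) and report every file carrying the marker."""
    hits: Dict[str, List[Tuple[str, List[str]]]] = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip, do not abort the whole scan
            result = find_injections(text)
            if result:
                hits[str(path)] = result
    return hits


# Constructed sample: a footer carrying the same block quoted in the post.
SAMPLE_INFECTED = (
    "<html><body><p>Hello</p>\n"
    "<div id=\"footer\">&copy; 2010"
    "<!-- [6eb602d48b8b7f42aba0ce0c31ebe3f5 --><!-- 9190819521 -->"
    "<noscript><ul><li><a href=\"http://rg8rhg34h34h.cc/c\">.</a></li></ul></noscript>"
    "<!-- 6eb602d48b8b7f42aba0ce0c31ebe3f5] -->"
    "</div></body></html>\n"
)
SAMPLE_CLEAN = "<html><body><!-- normal comment --><p>Hello</p></body></html>\n"

if __name__ == "__main__":
    for marker, links in find_injections(SAMPLE_INFECTED):
        print(f"marker {marker} -> hidden links {links}")
    print("clean file hits:", find_injections(SAMPLE_CLEAN))
    print(strip_injections(SAMPLE_INFECTED))
```

Run `scan_tree("/path/to/webroot")` against a copy of the site to get a file list before cleaning; the marker token is a convenient handle for this family of injections, but a 404 on the hidden domain or a changed token will not match, so treat it as one check among several rather than proof a site is clean.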
I asked if Media Temple would be making a public announcement detailing the issues which led to the hacks, and what is being/has been done to correct them. I was told to expect such an announcement. So wait and see?
134 thoughts on “Media Temple Hacked”
Billbo Baggins: there is no such thing as secure when you share your host with others.
I faced a similar problem with my host, but I discovered the reason: it was not their problem. My passwords were stolen by a malicious attacker who took them from an old version of CuteFTP where those passwords were stored.
They attacked each site that was saved in CuteFTP, injected code into each index*.* and default*.* file, and within 1 day I started getting calls from my clients.
It’s a common disease for some old companies – they still use outdated code and practices.
Once my site used a web shop service which stored credit cards along with CVV2 in plaintext right within your account. On top of that, password reminder phrases, if you guessed them right, did not generate a new password, but just gave you the old one.
So Media Temple isn’t that bad at all (especially since rainbow tables for hashes were invented).
It’s shocking to hear that passwords are stored as plain text. Security is never perfect, but leaving the front door open and expecting no one to simply walk in is very unprofessional in my opinion.
We host on liquidnet, i.e. ResellersPanel, and MANY MANY sites were hacked at the same time your hosting got nailed. Except ResellersPanel is in full denial mode, blaming each customer for 100s of lost or hacked websites.
They are outright rude to the point of making threats if anyone tells the public.
Good Luck with yours, we’ll be moving ours.
I had the same experience with some hosting companies. Now I have my own server, and we moved to Linux on the workstations after problems like this. Windows runs only in VirtualBox to test IE. Some viruses use the open FTP connection on the computer, so if you have a virus on a developer machine you have a big problem. But it is the same if the webserver is hacked and they get root permission. Then all customers on this server have a big problem. And most hosting companies don’t use a virus scanner on a webserver. And if a virus or a stupid staff member of the hosting company changed the permissions on your hosting, you can’t see the files with the virus or can’t delete or change them. I had two hosting companies with the permission problem, and they ignored my requests.
For all that use standard software like phpMyAdmin: please never use the normal path or easy passwords. On every webserver you can see in the logs a lot of requests to /phpmyadmin, /phpMyAdmin and so on. The same goes for webmailers. So you can reduce the risk by changing the path name.
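The comment above points at something every shared-host operator can check for themselves: the access log shows scanners walking the default admin-panel paths. The script below is an added example (my own, not the commenter's or any hosting provider's code) that parses combined-format web server log lines, counts requests to a set of well-known panel paths per client address, flags noisy clients, and separately lists any probe that was answered with 200, which is the case that matters because it means the panel is still reachable at its default location. The log lines and the PROBE_PREFIXES list are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Iterable, Optional

# Apache/nginx "combined" format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Default locations that scanners try on every host. Assumed starting list;
# extend it from what you actually see in your own logs.
PROBE_PREFIXES = (
    "/phpmyadmin", "/pma", "/myadmin", "/mysqladmin",
    "/webmail", "/roundcube", "/squirrelmail",
)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path: str) -> bool:
    """Case-insensitive match on the path prefix (so /phpMyAdmin/ and /phpmyadmin/ both count)."""
    p = path.lower()
    return any(p == pre or p.startswith(pre + "/") for pre in PROBE_PREFIXES)


def probe_report(lines: Iterable[str], threshold: int = 3) -> dict:
    """Count probe requests per client and flag clients at or above `threshold`.
    Also list every probe answered with 200: a panel reachable at its default path."""
    per_ip = defaultdict(lambda: {"probes": 0, "paths": set(), "statuses": Counter()})
    exposed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        entry["probes"] += 1
        entry["paths"].add(rec["path"])
        entry["statuses"][rec["status"]] += 1
        if rec["status"] == "200":
            exposed.append((rec["ip"], rec["path"]))
    flagged = sorted(ip for ip, e in per_ip.items() if e["probes"] >= threshold)
    return {"per_ip": dict(per_ip), "flagged": flagged, "exposed": exposed}


# Constructed sample log: one scanner walking default paths, one client that
# reaches a panel at /phpmyadmin/, and ordinary traffic to a renamed panel.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2010:03:12:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2010:03:12:02 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2010:03:12:03 +0000] "GET /pma/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2010:03:12:04 +0000] "GET /webmail/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2010:03:14:30 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2010:03:15:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2010:03:15:12 +0000] "GET /dbadmin-7f3a/ HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
this line is not a log record
"""

if __name__ == "__main__":
    report = probe_report(SAMPLE_LOG.splitlines())
    print("flagged clients:", report["flagged"])
    print("panels answering 200 on a default path:", report["exposed"])
    for ip, entry in report["per_ip"].items():
        print(ip, entry["probes"], sorted(entry["paths"]), dict(entry["statuses"]))
```

Feed it a real file with `probe_report(open("/var/log/apache2/access.log"))`; the renamed panel at /dbadmin-7f3a/ in the sample is deliberately not in the prefix list, which is the whole point of the commenter's advice, while the 200 on /phpmyadmin/index.php is the finding you would act on first.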
> especially since rainbow tables for hashes were invented
Using a salt when hashing the password renders rainbow tables useless 😉
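The post's complaint about plain-text password storage and this reply about salting describe the same defence from two sides, so one added example covers both. The code below is mine, not Media Temple's or the commenter's: it shows why an unsalted, single-pass hash still lets one precomputed table crack every user with the same password, and then stores passwords with a per-user random salt and an iterated key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), verifying with a constant-time comparison. The storage string format and the iteration count are choices made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"  # label stored with each hash so the scheme can be changed later


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash: every user with the same password gets the same
    digest, so one precomputed (rainbow) table cracks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>'.
    A fresh 16-byte random salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Any malformed record is treated as a failed login rather than an exception."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two users who happen to pick the same password (constructed sample).
    shared = "summer2010"
    print("unsalted, user A:", unsalted_sha1(shared))
    print("unsalted, user B:", unsalted_sha1(shared), "(identical: one table hit cracks both)")
    a = hash_password(shared)
    b = hash_password(shared)
    print("salted, user A:  ", a)
    print("salted, user B:  ", b, "(different salt, different hash)")
    print("login A ok:", verify_password(shared, a), " wrong pw:", verify_password("wrong", a))
```

The record stores everything needed to verify later, including the iteration count, so the cost can be raised for new passwords without breaking old ones; a plain-text table, by contrast, gives whoever reads it the passwords directly, which is exactly the failure the post describes.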
I’ve had the same code injection attack occur on two of my websites. Both use shared hosting but both are with different companies. It seems like it is quite common with shared hosting.
I have read about this hack on numerous boards … I also have had a server compromised by the same hack. Here is what I know is true: first off, we are not with the aforementioned hosting companies, and yes, they had several servers compromised. It was not only blogs, but actually PHP-based coded apps and sites. The hacks occurred in the same time frame as those mentioned here. One of our clients had a virus on an office computer, and the hacks occurred on the sites in his FTP client. The code injected into our sites was the same as was seen in ours and others … etc …
Never mind, big hosting on the planet got hacked 🙂 so the “no one is 100% secure” statement is right 😀 Anyway, great blog!
I’ve been nothing but impressed with Media Temple. For the last 6 years they have done what they said they would do and more.
Media Temple is still dealing with the fallout from this big security breach. They’ve been changing out passwords, including database credentials, on the many accounts affected by this incident.
I am currently dealing with this with a large hosting company. I do not want to go through this again. I have registered a couple of domains with Media Temple but haven’t launched yet. Is there ANY Shared Hosting system that is SAFE?
Laughing Squid for RackSpace?
I came to Media Temple because of their great reputation, but getting their letter about the password change was very unsettling.
I don’t gauge a web hosting company by their lack of problems, but the way and the speed at which they deal with problems. Media Temple has continued to show forward thinking, regular equipment upgrades, and they do a good job communicating with their customers. Plus, their technical support is excellent.
I have been with them since 2005 and have dozens of subdomains hosted with them and none of my servers have been compromised or hacked to my knowledge. You won’t find a perfect web host, but Media Temple has a good track record, and we are pleased to do business with them.
Unless you are on a newer or as yet not overcrowded cluster, check your http and database latency. It’s insanely bad. SQL container helps.
@DDD I completely agree with the latency. I love MediaTemple’s interface but their service, even at cluster 6, was insanely slow. I just canceled 🙁
I have the same feeling, but they compromised 120 clients’ web sites. I have to move all my clients outside, because if I upgrade to another kind of server they can’t migrate 3400 email accounts and 280 websites, including WordPress and Joomla CMS websites. I have to change them one by one in less than a week, because the problem in my country (MEXICO) is that it doesn’t have a real infrastructure or any provider to make a real webhost. At this time I have just 2 servers in MT, but they make the charges for the entire year, so I just end the terms and migrate these clients too.
The response from the MT staff was to add to my account 2 free months of services, like 120 USD.
woah…wondering if my DB on Media Temple has been hacked…
for some reason, for the past 2 days, my email has gone bonkers…I cannot access it, password not accepted via my Mail software and even webmail is not allowing me access…
scary…but I do agree that they are very good in terms of support…
One of my clients is on Media Temple and today, the 5th of August, we got attacked. We couldn’t understand the issue, and in order to minimize the impact on our business, we had to change hosts.
And here we are again at the end of August 2010. Three weeks ago, MediaTemple suffered an identical attack affecting thousands of users.
After spending countless hours recovering from the attack we were promised the system was now secure.
And then yesterday it happened AGAIN.
MediaTemple is an unmitigated DISASTER. Be extremely careful using them for hosting. Their systems are simply not secure. They are completely clueless about security.
Following your comments, I approached MT to find out about them providing a backup service for my websites.
Seems difficult. Or rather, they don’t offer it. Do It Yourself.
I will give Media Temple credit: their interface is good, and the products for the most part are pretty good and do not need much attention. They pretty much run on their own. What I do have to say is about the level of customer service I just experienced. They apparently let a brute force attack hit my box, resulting in my box getting hacked; their response was to “shutdown” my server until I reinstalled.
Which took me about 12 hours because even after the reinstall things did not work as they were supposed to. When I called tech support they told me I was on my own, and they can only help if the box was not running. And it was running just not working right. After calling back several times I finally got a person who was not only nice, but went out of his way to help me.
Did I mention a previous tech set my websites to use the “admin” account and password just to get my databases up and running because he could not get the mySQL user accounts I setup to work. I would never use the “admin” account for this purpose, and yet they did.
Stupid domain name? This comes from dealing with Web Media.com, Web Media Mall.com or Web Blogging.com. Of course I am an idiot!! Saw in the domain register that they used an All in One SEO Pack 22.214.171.124. by Michael Torbert of Semper Fi Web Design. I am so sick over paying $25,000 to Web Media for this web design that attracts absolutely NO ONE. Of course I had no input as I thought I would have (stupid me). I fell for one big scam. This web design is used over and over and over in many so-called web sites designed with my interests. HA HA HA
Web Media is laughing all the way to the bank. I in turn have contacted anyone and everyone who might be able to help me. If you can help me get my money back (probably another BIGGER laugh) please contact the Louisiana Attorney General Office. or stupid me and I do know how to get the info to those who care about true Americans
I’m sorry you feel cheated by that company. I’m not associated with them. They are just using my WordPress SEO software.
I used to use MediaTemple (around the time you posted your article). Just googled them and found your post. Glad I left! Thanks for sharing your experience.
This will be somewhat like resurrecting an old post but, since some security-conscious people seem to come here from time to time, it looked to me like an OK place to mumble this.
Surprise surprise! By default, all recent versions of Plesk including 8, 9 and 10 (most probably old versions too) store all account, FTP, database and email passwords in plain text in a database named “psa”. This has been a well-known fact for years.
Shared hosting is insecure. But Plesk gives you even more options to dis-secure it: it allows using PHP as a module with Apache, without any suexec or suPHP options.
Any shared hosting provider which properly locks up everything? I’ve yet to see one. This is because securing a shared server is unresourcefully time-consuming, and no shared hosting provider I know of does meaningfully more than the installation defaults.
I’m not saying this to dis any server panel or any hosting provider. Since I can be considered fairly involved in this business too, I can see their positions. And yet decently secure shared hosting providers can exist. And if you know one, please tell us! But I wouldn’t hold my breath; if you can measure the security of a shared provider, you are probably quite ahead of using one.
Looking for a secure shared hosting? Start training yourself on *nix file permissions, chrooting, suexec/suPHP, hidden (non-)holes (re: PHP cgi_fix_pathinfo on nginx, of which even an nginx book writer seems to be unaware of), server log parsing, fail2ban, logwatch, audits, SELinux, etc etc.
And by the time you have some grasp on these, I bet you wouldn’t be looking for shared hosting any more 🙂 This is of course, if you really mind security, unlike most of the businesses and customers out there, which you don’t have to 🙂
Check out FireHost. They are all about security. An option for those who can afford it.
I woke up yesterday to a customer contacting me on Facebook saying our site was hacked. I checked and it was hacked. I immediately tried to chat with Media Temple…the 1st guy disconnected the chat after directing me to the Knowledge base!!!!! So I called and talked to a real cool rep who tried his best to help us. He was excellent. We paid for disaster recovery…then while on the phone with him he told us the last backup by MT was done that same morning, so there was no way of recovering anything. Now we have to wait for the refund of $79. Last but not least, I discovered every single site we have with MT was hacked. We have been with them for 6 years; we are a small design firm. I absolutely hate MT right now. They have changed a lot since we first started with them. They had no backup plan or any sympathy, basically was rushing us off the phone. Now we are basically out of business until we fix all of this. Today is day two of the hack. Stay away from Media Temple. 25 sites, even the domain names, had x.htm and a .htaccess file in each root and html folder, not to mention what we don’t know.
FireHost is my go-to for a lot of hosting; they’re by far the most secure. I also utilize managed WordPress hosting. I would say that if you are truly concerned about security, simply sign up with FireHost and then you will not deal with these problems anymore.
If the cost is something that makes this impossible. I recommend a managed WordPress hosting company.
If somebody does not want to spend more than $15 on hosting, obviously cutting it close, but DigitalOcean offers a 100% SSD VPS with 512 MB of RAM for $5 with your own dedicated IP address. To completely secure it, add the Sucuri CloudProxy WAF for $9 a month. You will have a decent server for the money.
Last but not least if you’re a WordPress user GetFlyWheel offers a $15 plan with firewalls and WordPress specific security methods including if it’s hacked will fix it for free.
They utilize digital ocean as well, but you get a completely managed infrastructure and a deal if you ask me.
Remember Firehost is rock solid and not WordPress specific you can host anything on it and they’re my main suggestion.
I gave the high and the low pricing offering if you want to know more ask me and I will post more Info.
To balance it out a top-end managed WordPress hosting company is PressLabs
Pressable is extremely secure as well.
All managed WordPress hosting companies utilize Sucuri to fix malware issues if they occur. However, they’re all very very good at keeping them out.
If you’re worried about security check out that CloudProxy WAF it rocks.
and stay away from shared hosting.
wow ! thanks man!