Attn: WordPress Installs On MediaTemple

Looking For A New Host

The WordPress installation at motogrrl.com/blog was infected with malware from http://oeooea.com on Friday. The Media Temple support page (WordPress redirect exploit) has not been updated to reflect this new vector, even though Sucuri.net posted an alert on 3 September 2010 and another Media Temple customer used Twitter to alert the public to the problem on 31 August 2010.

According to Sucuri.net, the full path is http://oeooea.com/ve.

In addition to remove the malicious code from the database (wp-posts table), you also need to remove an admin user that was added as part of this attack. It can have many names: JordanK, JoshuaH, MikeM, BettyJ, etc.

The way to identify the malicious user name is that his password will be set to$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/ and the creation date will be set to 0000-00-00 00:00:00.

The following SQL will fix it up:

delete from wp_users where user_pass = ‘$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/’ AND user_registered = ’0000-00-00 00:00:00′;

However, this SQL does NOT work on Media Temple:

I am not a SQL expert, so I don’t know how to fix the code so that it works at Media Temple. It has been 16 hours since I first reported this to MediaTemple; it has been 12 hours since MediaTemple has responded to me on Twitter and in the Account Center (letter below).

Here’s the form letter I got from Media Temple:

It looks like there were some additional hacked files. (mt) Media Temple has been actively scanning all data hosted on the (gs) Grid-Service looking for malicious injected code due to these recent malware attacks on our user base. Here is more information on the recent attacks:

http://weblog.mediatemple.net/weblog/2010/08/06/security-facts/

All the files and databases that have been cleaned have been noted in a log which can be found in “*redacted*”

The cleaning that has been done so far has removed malware “payloads” (injected scripts) from your sites. It is up to you and your web development team to secure all running applications on the (gs) Grid-Service. The Wiki articles linked in this response go over hardening various applications and using good website practices. At this time, update all database passwords, administrative passwords, and upgrade all applications/plug-ins. Please look over our (mt) Wiki on Security to ensure you are up to speed on recent security topics and best practices:

http://wiki.mediatemple.net/w/%28mt%29_Security_Resources

Google will still flag your sites as malicious if they have not re-crawled the cleaned websites yet. You can either wait for Google to re-crawl your websites or you can ask them to crawl the sites which will speed up the process. The following link will take you to the Google Webmaster Tools sign-up page:

http://wiki.mediatemple.net/w/Google_De-Listing_Recommendations

Please let us know if there’s anything else we can help you with regarding this topic or any of your services with (mt) Media Temple.

Respectfully,
Michael Handa
Customer Service Supervisor
(mt) Media Temple
<v> 877-578-4000
<f> 310-943-3559
For up to date status information visit
http://status.mediatemple.net

It was this line — “It is up to you and your web development team to secure all running applications on the (gs) Grid-Service.” — that set my teeth on edge.

After the August mess (See “I’ve Been Hacked“), I worked through a comprehensive set of security measures with a great MediaTemple senior customer service agent, Daniel C. He was the ONLY member of the online staff who responded like a person — who actually read my tickets — and his response was the single-most important reason that I decided to stick with MediaTemple instead of looking for a new host.

I’m not the “person” who sets the passwords on the MySQL accounts: that’s MediaTemple’s automated script that is part of their one-click WordPress installation. The MediaTemple-created password on my primary MySQL database is only eight characters. No numbers. No special characters. Not exactly “secure.” [I’m going to try to figure out how to change it.] This password is not nearly as secure as the passwords that I have students create when we do a manual installation of WordPress.

So I am (again) looking for a host. One with a proven track record with WordPress. One that has a relatively easy to use administration/control panel. (Don’t send me to HostGator and FatCow and the like.) Price is not as important as good customer service, an easy-to-use interface, and a good track record with WordPress attacks.

Thanks.