Thread

Sorry, worked a bit late today and it shows.

Anyway, my sites we’re also subjects to exploits and I had the same code injected.
I deleted it and the sites are now back functioning the way they should.

Changed user and password and will now change user and password on the server as well.

Thank you all for your swift help!

Fantastic community here.

Yep, same issue here. Same resolution. Just removed the injected code.

any idea if this is directly related to MediaTemple, or to just EE on MediaTemple, or EE in general? is this an exploit within EE itself, or a server security issue with our hosting site?

Hi, Paul - MediaTemple should be able to track down where the hackers got in; this is something you need to follow up with MT about.

Glad you guys got things sorted out.

It seems like the FTP user/pass was compromised, so it doesn’t look like an EE issue.

I would certainly let your host know about the issue. Thanks!

Adam is right in that you guys did fix this.  But I’m re-opening it, please do follow up with us here about what MT says.  Thank you!

Lisa, thanks.

they wrote back:

Thank you for reporting this. We are looking in to this issue and will check the server logs and let you know what we find. I’ve taken a look at the forum posts and we’re investigating these compromised sites.
——-

I’ll tell ya what though,this is the first issue I’ve had with Media Temple. No issues with EE. Lisa, you guys are crazy quick with your forum responses. And Media Temple was pretty quick with their support response as well.

Good combination if you ask me!

Thanks again.

It seems like the attack was aimed at Wordpress installs.  Do you have Wordpress running on the same account?  You might check your top level .htaccess file for code injection as well

Well guys, I’m getting the same issue and I have a Wordpress site in my domain cue. This may have been party of the issue. So, knowing we have a problem and me not being the best sys. admin - what process in detail would you take? I need to make sure I don’t screw up 😉 If indeed I need to do things to the index.php file what exactly am I looking for? Just trying to wrap my head around this and learn -

Thanks EE community

Michael,

Sorry to hear you have the same issue. Please report this to MT as first port of call. Then what you need to do is check what is being hacked or changed? If you look through:

- path.php
- config.php
- index.php

Do you see malicious code being put in there or in other locations?

My suggestion would be to upgrade all installs to the latest version and build, completely replacing all files with known good copies, and change all of your passwords.

Thanks John for the speedy response.

I’m not sure what to look for in this case. Any examples of what was injected anyone? I have all the latest modules and plugins as of last week with the exception of 1.6.8 which is on my radar to update over the weekend. I’m currently on 1.6.7. So, I need to know specifics to look for the malicious code that has been spoken of. Should I use a clean Index.php and make sure that is properly updated to current status? The config and path, too? I guess if I update the 1.6.8 that may take care of the previous questions on files - right?

I have indeed made sure that MT knows that this issue has occurred with me as well. I did back up my DB as well.

Michael,

There is some more information on the following threads

http://ellislab.com/forums/viewthread/134722/
http://ellislab.com/forums/viewthread/134818/

A good idea would be to change your FTP password before undertaking any more work on your server. Also run a local malware/virus scan to rule out anything that end logging your FTP details.

Then attempt your EE upgrade. All you need to do is follow the version update instructions

Thanks John and EE community! The links you provided helped solve the problem and we’re back up. I would like to get updates on this issue so that we’re all in the loop to ensure that nobody in the EE community gets plundered. Thanks again folks -

Glad you are up and running again Michael. We will keep an eye on any more reports on this end and deal with them from here. Hopefully MT will have a reassuring final word on the matter when things have calmed down.

I have this same issue and just wanted to chime in that I do NOT have a any WordPress sites running.

Thanks for everyone’s help and please keep us posted.