ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Parse error: syntax error, unexpected T_STRING

November 12, 2009 10:50pm

  • #16 / Nov 23, 2009 5:59pm

    Ingmar

    29245 posts

    http://kb.mediatemple.net/questions/1715/Working+with+a+php+injected+website

    From what we know so far, this is not a case of PHP injection. I seem to remember that MT admitted that the attacks were carried out via regular FTP. Either way, let us know if there are new developments, please.

  • #17 / Nov 23, 2009 6:05pm

    justjess

    16 posts

    Hi Ingmar,

    I’m struggling to understand how so many people using secure passwords could have ftp password violations at the same time without some sort of breach. Am I just really naive, or does this strike you as unlikely as well?

  • #18 / Nov 23, 2009 6:10pm

    Ingmar

    29245 posts

    It might very well be a hosting issue of some sort, but only MT would be able to tell you about it. It certainly does not look like an EE issue at this point, if only for the fact that these incidents seem to be limited to MT, and do affect all index.php files (actually breaking EE in the process, making it easy to spot.)

  • #19 / Nov 23, 2009 6:15pm

    justjess

    16 posts

    I do not believe it to be an EE issue - code has been added to every index file (php/html) on every domain hosted on my server. As well as htaccess rewrite spam. EE sites are simply the only ones that break right away. MT has an uphill battle convincing me that this is due to my ftp password being unsecure.

  • #20 / Nov 23, 2009 6:21pm

    Ingmar

    29245 posts

    MT has an uphill battle convincing me that this is due to my ftp password being unsecure.

    Yes, I think you’ve got a point there. I probably wouldn’t be entirely convinced, either.

  • #21 / Nov 23, 2009 7:25pm

    Minakami_Mike

    4 posts

    The same “hack” has just happened to me again!  I have now changed my passwords for FTP and will see if that makes a difference.

  • #22 / Nov 23, 2009 7:46pm

    Adam Dorsey

    1439 posts

    Please let us know. Again, we take security seriously. Thanks for all of your hard work reporting this!

  • #23 / Nov 24, 2009 5:58am

    kev_horan

    50 posts

    Hi there,

    I’ve included the MT response here - it doesn’t address what happened, and tells me to do what I’d already done. The attacks affect any index & htaccess file - regardless of whether there’s a CMS installed or which CMS it is.

    Thanks for contacting us regarding this issue. It appears that your service was compromised as code had been injected into many parts of your account. Our engineers noticed an influx of IP addresses on the internet attempting to access your server, so we changed your Server Administrator password as a security precaution. We would recommend at this point that you consider auditing your code to make sure there have not been any changes made to it that you did not authorize. I’ve had an engineer scan and remove any malicious code or content from your scripts.

    If you find anything else in your files, we recommend that you immediately remove the offending code, and do an audit of any software you might have installed (along with any plugins for that software) to make sure you are running the most current version. I’ve provided a link to our KnowledgeBase article on things to check for: http://kb.mediatemple.net/questions/1715/

    If you have any other questions, or need further clarification, please let us know.
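
The audit for unauthorized changes recommended in the response above can be narrowed to the files this thread reports as altered (index files and .htaccess). The following is an added example, not part of any post and not Media Temple's or ExpressionEngine's code; the function names are hypothetical and it assumes a baseline taken from a known-good copy of the sites.

```python
import hashlib
import os
import tempfile

# File names the thread reports as modified: index files (php/html) and .htaccess.
def is_watched(name):
    return name == ".htaccess" or name.startswith("index.")

def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every watched file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_watched(name):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Return sorted lists of modified, added and removed paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}

def demo():
    """Constructed sample tree: two sites, then a simulated unauthorized change."""
    with tempfile.TemporaryDirectory() as root:
        for site in ("site-a", "site-b"):
            os.makedirs(os.path.join(root, site))
            with open(os.path.join(root, site, "index.php"), "w") as fh:
                fh.write("<?php echo 'home'; ?>\n")
        with open(os.path.join(root, "site-a", "about.php"), "w") as fh:
            fh.write("<?php echo 'about'; ?>\n")  # not a watched file
        baseline = snapshot(root)  # taken from a known-good state
        # Simulate what the posters describe: text appended to an index file
        # and an .htaccess that was not there before (contents are placeholders).
        with open(os.path.join(root, "site-a", "index.php"), "a") as fh:
            fh.write("PLACEHOLDER-APPENDED-CONTENT\n")
        with open(os.path.join(root, "site-b", ".htaccess"), "w") as fh:
            fh.write("# PLACEHOLDER-UNEXPECTED-FILE\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the hosting account cannot write to, so that whoever can alter the site files cannot also alter the reference digests.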

  • #24 / Nov 24, 2009 9:05am

    Sue Crocker

    26054 posts

    Thanks for the feedback on what MT said, kev_horan.

    Don’t hesitate to post again as needed.
