Mass injections and malware infections at Media Temple


Since at least the spring of 2010, a swarm of infections has been found in Media Temple (mt) web hosted sites. In all fairness to Media Temple, it is not the only web hosting provider to suffer from continued hacks. By popularity, the Media Temple web hosting company is ranked 20th in the United States and 36th in the world. It provides web hosting for ABC, Adobe, NBC, Starbucks, Sony, Time, Toyota, Volkswagen and approximately 350,000 other domains internationally. Many of its sites run WordPress, which is a wildly popular target for hackers and cyber criminals.

Google Safe Browsing diagnostics state that of the 66,060 Media Temple sites tested in the last 90 days, 12,423 had malicious content. 311 sites have functioned as intermediaries to infect 900 other sites. Also in the last 90 days, 28 Media Temple hosted sites have distributed malware to 650 other sites.


Besides attacks on WordPress and other PHP-based platforms, Unmask Parasites reported that Media Temple was hit with a mass injection of ads and rogue code into JS files, and a week later there was another mass injection attack, a "new plague" for Media Temple sites. Even today, some website owners are ticked off and tweeting; Media Temple is tweeting replies to infected site owners.

Media Temple's "Am I hacked?" security explanations from July were moved to Security Facts. The text in orange is considered new and addresses some of the recent hack attacks, which resulted in thousands of malware-laden sites hosted on Media Temple. The web host has a list for customers to follow in fixing an infected website. The security resources site states that a couple of incidents are closed, like #1404 WordPress redirect exploit and #1378 information about compromised sites. According to Security Facts, there are no open security incidents, even though some websites continue to be hacked and blocked by Google for containing malware.

I noticed that Media Temple has partnered with Sucuri for malware scanning and lists Unmask Parasites as another great place to scan for malware. Even though Media Temple can offer customers a discounted rate for Sucuri to clean up infected sites, the burden of cost, time and reputation is still on the site owner. 

It took six days for Media Temple to answer my questions. And no wonder, since it wasn't only the security team answering them. The reply states, "These answers were prepared collectively by (mt) Media Temple's management team which includes executives and operation engineers."

Interview with Media Temple (mt)

Do you believe Media Temple has been specifically targeted or are other major hosts experiencing the same amount of attacks?

Media Temple: While many hosting providers were targeted, we believe we were particularly attractive to attackers because we are publicly known to have a large install base of WordPress sites - which is a popular application for attackers to attempt to inject malware into.

Our incident system is designed to communicate and track issues and failures with our service and infrastructure. After we ruled out any open internal vulnerabilities we closed incidents #1378 and #1404. We continue to see some customers with malware infected sites. This is primarily due to customers not following our best practice security recommendations, which include updating to strong passwords, updating installed software, fixing file permissions, and removing vulnerable plugins and themes.

I did read what was listed under What is (mt) doing to help? But those who have contacted me had to manually take care of their own sites. Was it not possible for Media Temple to scan for and/or notify owners of the "small snippets" that site owners were to look for?

Media Temple: Our scanner and cleanser system has fixed hundreds of sites automatically for infected customers. When the automated scanner is unsuccessful, our customer service department has interactively helped customers fix their situation. We very much want to speak with any customer who believes they are still infected.

Do you offer any kind of repair to a site's reputation after it is marked as suspicious or malicious?

Media Temple: We have developed new security scanning and cleansing automation which actively detects and cleans infected sites every day. As we learn about new malware signatures we update our systems quickly. Unfortunately, after we automatically clean a given site, we have no programmatic way to tell Google to re-scan that site. Google does not provide such tools for service providers. Individually, each customer has to manually ask Google to re-scan their site. Unfortunately many customers are unwilling or are failing to do this; thus their sites may appear to be infected even when they may not be.

Is it possible for you to change settings globally, to force secure modes in WordPress and other web properties that are listed in the Wiki article?

Media Temple: There are two main areas where our infrastructure was initially weak with security. 1) The ability for cross-site attacks. Example: if a user had set a sensitive configuration file to be world-readable, it was possible for other system users to read that data. This issue has been resolved. 2) Our WordPress one-click installer used the default file permissions configured by the software itself, which led to some files being non-secure. This issue has also been resolved. We have also fixed a number of other smaller findings. Unfortunately some customers are not following our security recommendations and they continue to get re-infected.
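Both weaknesses named in that answer (a world-readable configuration file on a shared host, and installer defaults that leave files open to other accounts) can be checked from the customer's side. The script below is an added example, not Media Temple's scanner: it walks a site's document root and reports entries whose mode bits let other local accounts read a sensitive file or write into the site. The list of sensitive file names is an assumption.

```python
import os
import stat

# Files whose contents must not be readable by other accounts on a shared host;
# wp-config.php holds the database credentials. (This name list is an assumption.)
SENSITIVE_NAMES = {"wp-config.php", ".htpasswd", ".env"}

def classify_mode(path, mode):
    """Return findings for one entry as (path, finding, octal-perms) tuples.

    `mode` is the st_mode from os.lstat(). Only bits that let *other* users read
    or write are reported; symlinks are skipped because their own bits mean nothing.
    """
    if stat.S_ISLNK(mode):
        return []
    perms = stat.S_IMODE(mode)
    shown = oct(perms)
    findings = []
    if stat.S_ISDIR(mode):
        # a world-writable directory lets any local account drop files into the site
        if perms & stat.S_IWOTH and not perms & stat.S_ISVTX:
            findings.append((path, "DIR_WORLD_WRITABLE", shown))
    else:
        if perms & stat.S_IWOTH:
            findings.append((path, "FILE_WORLD_WRITABLE", shown))
        # the cross-site read from the interview: another account reading credentials
        if os.path.basename(path) in SENSITIVE_NAMES and perms & stat.S_IROTH:
            findings.append((path, "SENSITIVE_WORLD_READABLE", shown))
    return findings

def audit_tree(root):
    """Walk a document root (not following symlinks) and collect all findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        findings += classify_mode(dirpath, os.lstat(dirpath).st_mode)
        for name in filenames:
            full = os.path.join(dirpath, name)
            findings += classify_mode(full, os.lstat(full).st_mode)
    return findings

if __name__ == "__main__":
    import sys
    for path, finding, perms in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding:26} {perms:>6} {path}")
```

Run it against the web root of one hosting account; a wp-config.php reported as SENSITIVE_WORLD_READABLE is exactly the condition the interview describes.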

I did not get the specific answers about vulnerabilities or infrastructure that I hoped for, more like standard corporation KYOA answers, but I hope this might help you. Many websites are marked as suspicious in programs like ZoneAlarm long before Google marks the site.

Interview with ZoneAlarm

How do you determine a site is suspicious? Is it based upon that site, the host, the content, the length of time a website or domain has been registered or published?

John Gable, Director of product marketing at ZoneAlarm, offered this: 

ZoneAlarm: We use a combination of technologies to evaluate the safety of a site, including a signature list from Netcraft of known dangerous sites and our own specialized heuristics. Our heuristics look at several different things, including:

  • The source of the site - where it is physically located.
  • How long the site has been active.
  • How the site is signed or registered: does it have an SSL certificate signed by a trusted authority, and how strong is that certificate (some certificates are inexpensive, others are more expensive with better protections).
  • How the site is formatted: how does it use graphics and lay out the page, for example, does it share some visual characteristics with a legitimate site (like a bank's logo) but is not actually that site (the bank).

Depending on what we discover, we may block the site if we believe it is dangerous or just show a yellow alert if we think it is suspicious. 

Do you see any trends in suspicious or malicious sites?

ZoneAlarm: Malicious sites are using lots of different attack vectors at the same time - a "blended threat". Not only do they continue to create new dangerous sites all the time (hoping to pass defenses and signature lists by pure quantity and speed), but they combine or blend attacks. For example, you will often find a phishing site (that pretends to be a legit site that asks for a password) that also includes a drive-by-download (which exploits a vulnerability in your browser or plug-in to silently download viruses, spyware, etc. directly to your PC).

To reiterate, Media Temple is not the only major web host provider to be attacked. Many customers are upset and frustrated with the seemingly never-ending hassles.

One of the sites that Media Temple does recommend for malware scanning, Unmask Parasites, posted this:

To MediaTemple

I want to hear from MediaTemple how exactly hackers manage to inject malicious scripts into web sites of their clients. If it's a vulnerability in a third party software then let us know what exactly is vulnerable. If it is because of insufficiently strict file permissions, then let us know what the secure permissions are.

When hackers manage to compromise thousands of sites in a very short time, and do it again and again during this summer, they should leave traces. You should have all the logs and tools to find them. Compare access logs of affected sites and find common IPs and suspicious access patterns (e.g. access to .php files on WP blogs with a "pretty permalink" structure). Check who was logged in when this happened, who used MySQL, etc. Create honeypot accounts.

I know this means a lot of work and a lot of data to analyze - but this is the only way to find out what makes such massive hacks possible. And once you find this out, you should close rogue accounts (if they exist) and then do exactly the same thing that hackers do to find vulnerable accounts and, instead of hacking them, close the security holes by yourselves or notify webmasters and instruct them on how to secure their sites (and I don't mean general instructions here). Until you do it, your infrastructure should be considered insecure. The fact that you haven't yet figured out the exact attack scenario and couldn't prevent consecutive massive attacks only proves this. The same applies to RackSpace.
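One way to do the log comparison that post asks for, as an added example (not Unmask Parasites' or Media Temple's tooling): it parses combined-format access logs from several affected sites, reports client IPs that appear in every one of them, and flags direct requests for .php files that a pretty-permalink WordPress site should not be serving. The sample log lines, site names and the list of expected .php entry points are constructed assumptions.

```python
import re

# Parser for the Apache/nginx combined log format; IP, method, path and status
# are all this check needs. The sample logs below are constructed, not real data.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# With "pretty permalinks" every post and page is a directory-style URL, so the
# only .php files a visitor or WordPress itself should request directly are these
# (assumed list of entry points).
EXPECTED_PHP = re.compile(r'^/(index|wp-login|wp-cron|xmlrpc|wp-comments-post)\.php$'
                          r'|^/wp-admin/')

def parse(log_text):
    """Return one dict per parseable line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

def unexpected_php_requests(entries):
    """Requests for .php files that a pretty-permalink site should never serve."""
    hits = []
    for e in entries:
        path = e["path"].split("?", 1)[0]          # drop the query string
        if path.endswith(".php") and not EXPECTED_PHP.match(path):
            hits.append((e["ip"], e["method"], path, e["status"]))
    return hits

def common_ips(logs_by_site):
    """Client IPs present in the access log of every affected site."""
    per_site = [{e["ip"] for e in parse(text)} for text in logs_by_site.values()]
    return set.intersection(*per_site) if per_site else set()

def correlate(logs_by_site):
    """Combine both checks: shared IPs plus per-site suspicious .php requests."""
    return {"common_ips": common_ips(logs_by_site),
            "php_hits": {site: unexpected_php_requests(parse(text))
                         for site, text in logs_by_site.items()}}

SAMPLE_LOGS = {  # constructed; RFC 5737 documentation addresses
    "site-a": '203.0.113.7 - - [12/Aug/2010:03:14:07 +0000] "GET /wp-content/uploads/2010/08/img.php HTTP/1.1" 200 512\n'
              '198.51.100.2 - - [12/Aug/2010:03:14:09 +0000] "GET /2010/08/hello-world/ HTTP/1.1" 200 8192\n'
              '203.0.113.7 - - [12/Aug/2010:03:14:12 +0000] "POST /wp-content/uploads/2010/08/img.php HTTP/1.1" 200 64\n',
    "site-b": '203.0.113.7 - - [12/Aug/2010:03:20:41 +0000] "GET /wp-content/uploads/cache.php?c=1 HTTP/1.1" 200 64\n'
              '198.51.100.9 - - [12/Aug/2010:03:21:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048\n'
              '198.51.100.2 - - [12/Aug/2010:03:22:15 +0000] "GET /about/ HTTP/1.1" 200 4096\n',
    "site-c": '203.0.113.7 - - [12/Aug/2010:03:31:09 +0000] "POST /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 64\n'
              '192.0.2.44 - - [12/Aug/2010:03:33:30 +0000] "GET /xmlrpc.php HTTP/1.1" 200 512\n',
}

if __name__ == "__main__":
    result = correlate(SAMPLE_LOGS)
    print("IPs seen on every affected site:", sorted(result["common_ips"]))
    for site, hits in result["php_hits"].items():
        for ip, method, path, status in hits:
            print(f"{site}: {ip} {method} {path} -> {status}")
```

A single IP that both appears on every compromised site and keeps requesting PHP files under wp-content/uploads or a plugin directory is the kind of trace the post says the host's logs should reveal.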
