Some of you visited my site in the past month and received a notification from either your browser or your virus protection saying that my site was hosting malware. I thank you all for notifying me immediately of what you were seeing on my site.
After thinking it was a rogue plug-in and trying to find off-site links in my site, I couldn't find anything. I contacted my host about it, and they told me that my site may have been compromised, but it sounded like the issue was coming from your end.
After ignoring my site for almost a month, Google decided to black-list my site until I investigated in further detail, removed the malware, and prevented future attacks.
At this point, I was upset.
Tearing through my website, I discovered that there was an admin user other than myself on my install! But it didn't stop there, no. My entire grid was infected. Every WordPress install I had on my server was infected with this attack by "johnnyA." Naturally, I Googled it. I found this article explaining what happened, how to fix it, and what was going on about it.
To my surprise, this attack was only a Media Temple-related WordPress attack. They gave me good information on how to fix attacks by johnnyA.
My theme files were mostly infected. It would be some random file like single.php or archive.php with injected JavaScript. Also, in each case, the footer.php file was injected. In some cases, my jQuery files were compromised. And lastly, even my non-WordPress hosted client, a Flash site, was also compromised, with files injected into their directory. They were deleted. The attack happened at approximately 10:34 am on July 11, 2010, system wide.
None of my database tables were infected, to my surprise; only theme files and jQuery files. Naturally, after safe removal of everything, I changed all passwords, etc., for basically everything.
So. The point of this post is simple: If you’re hosted by Media Temple, and have a WordPress blog, you need to make sure that you were not attacked. Just check your admin users and make sure you’re the only one there.
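The admin-user check above can be done with one query against the WordPress tables rather than by clicking through the Users screen. The script below is an added example, not part of the original post. WordPress stores each user's role as a PHP-serialized array in `wp_usermeta` under the key `{table_prefix}capabilities` (`wp_capabilities` by default), so the query joins `wp_users` to that row and matches the `"administrator"` entry. The block builds an in-memory SQLite copy of the two tables with constructed rows so it runs offline; the same SQL runs unchanged against the real MySQL database, and the `johnnyA` row is a constructed sample based on the name given in the post.

```python
import re
import sqlite3

ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM {p}users AS u
JOIN {p}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = ?
  AND m.meta_value LIKE ?
ORDER BY u.ID
"""


def find_admin_users(conn, prefix="wp_"):
    """Return every user whose capabilities row grants 'administrator'.

    The table prefix is interpolated into identifiers, so it is restricted to
    [A-Za-z0-9_]; the values are bound as parameters.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    cur = conn.execute(
        ADMIN_QUERY.format(p=prefix),
        (f"{prefix}capabilities", '%"administrator"%'),
    )
    cols = ["ID", "user_login", "user_email", "user_registered"]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def unexpected_admins(conn, expected_logins, prefix="wp_"):
    """Logins that hold administrator but are not on the owner's expected list."""
    return [a["user_login"] for a in find_admin_users(conn, prefix)
            if a["user_login"] not in expected_logins]


def build_sample_db(prefix="wp_"):
    """Constructed stand-in for the WordPress users tables (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {prefix}users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE {prefix}usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "alison", "owner@example.invalid", "2008-03-01 12:00:00"),
        (2, "bob", "editor@example.invalid", "2009-06-14 09:30:00"),
        (3, "johnnyA", "x@example.invalid", "2010-07-11 10:34:00"),
    ]
    # Serialized PHP arrays exactly as WordPress writes them.
    caps = [
        (1, f"{prefix}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, f"{prefix}capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, f"{prefix}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ]
    conn.executemany(f"INSERT INTO {prefix}users VALUES (?,?,?,?)", users)
    conn.executemany(
        f"INSERT INTO {prefix}usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)", caps)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for admin in find_admin_users(db):
        print(f"{admin['ID']:>3} {admin['user_login']:<10} registered {admin['user_registered']}")
    print("not on the expected list:", unexpected_admins(db, {"alison"}))
```

With WP-CLI available, `wp user list --role=administrator` gives the same list. Either way, the database check only covers the account the attacker created; since the post shows the attacker also had write access to theme and jQuery files, deleting the user is not enough on its own. The modified files have to be found and replaced from clean copies as well, or the backdoor in them will simply re-create the account.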
Thank you all for your continued support of AlisonFoxall.com!
Wow, I wonder how this was perpetrated (was it a WordPress exploit?); not a lot of detailed info in their statement. It would be nice to know if the security breach which allowed this virus to move from site to site has been addressed. I know a lot of people don't like captchas, but I think they help prevent automated script injections just as well as they prevent spam.
Good point. I checked out wordpress.org for this exploit, but again, the similarity was that we were all MT customers. The script must have had access to all my directories, because some are not public. So I'm really thinking that some sort of breach happened with MT.