Media Temple Security Issues
by: Kyle Rush
Categories: CMS, Security, WordPress
Tags: ftp, media temple, ssh
Comments: 2
Date: Nov 27 09
I received an email from Media Temple yesterday (11/25/09) at 9:22pm stating that my FTP/SSH passwords had been reset due to some suspicious activity. The next day I saw a tweet from Jeff Starr about the email I received from Media Temple. Apparently a number of people have received this email and some have had some fairly serious security exploits with their WordPress installs. If you’d like to read more into the problem, Kyle Brady has another post describing his experience with the situation thus far.
I decided to look through my sites and see if anything had changed without my knowledge. I found that the most popular post on this blog had been changed. The title was erased so that only “…” showed up as the title on both the front and back-ends of the site, and the content of the post had been changed to where most of it didn’t display correctly. I solved the problem by digging up one of my database backups and copying the post content and title into the post once again (I wish I had taken screenshots for everyone to see).
I haven’t noticed anything else wrong on any of my sites (3 WordPress installs, 1 Expression Engine and 1 custom). If you happen to notice anything peculiar please let me know in the comments.
From my talks with (mt) support, your issue looks unrelated. It was just PHP injections, nothing to do with your SQL databases.
The number of accounts affected is at least 20,000 since (mt) reported that 10% of the (gs) customer base had its root credentials stolen. In 2008 (mt) was reported as having 200,000 people on the (gs), so unless they've lost business, it's probably a bigger number than 20,000.