The popular web hosting provider MediaTemple has posted a security advisory about a huge security breach they just had.
Unfortunately, MediaTemple was slow to act on this intrusion, and still is not admitting to customers the extent of the breach.
My understanding of the incident (as also blogged here and here) is that someone got hold of many of the admin passwords for Grid Service (GS) accounts and thus had full SSH and FTP access to those accounts. This was noticed some time after it happened, when malicious scripts started popping up on people's accounts.
For me, almost all of my sites contained hacked .php files. MediaTemple had contacted me weeks before the aforementioned security advisory, telling me about some scripts that were sending out spam from my account.
At that time, I spent a good amount of time cleaning up my sites, analyzing files, and trying to find out where the original intrusion came from.
Fast forward to today: I received an email from MediaTemple telling me they had reset my admin password (without my permission):
Dear Valued Customer,
This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.
I was concerned, so I immediately tried to log into my account and look around. I couldn't, though, because their admin site, "Account Center", was down for at least two hours. (Screen shots available.) And you can't reset your password without the admin site. It sounds like this may have been a self-inflicted denial of service (DoS): they email everyone to come and fix their reset passwords, and their elite hosting solution chokes on the load. Not sure, though.
I do know that their current security advisory is still not an honest admission of what actually happened. In the security world, trying to cover these things up does more harm than good. Some of the incorrect statements in the advisory:
What was the exploit?
"The exploit involved a hacker redirecting websites to a 3rd-party advertising website. At this time, this is the only malicious activity we have seen. No billing information was exposed."
Not true. My account had compromised .php files and uploaded images that were being hosted on my account. All my data and databases were compromised. Full read and write access was given to some remote attacker. They had access to all my database configs and passwords.
"...First, your databases have not been compromised. ... "
Not true. Databases were compromised. This is because the remote attacker(s) were given read/write access to all files in my whole account, and those files include the config files that applications like Drupal, WordPress and phpBB use to connect to the database. These config files contain our DB passwords in plain text. There is no proof these people didn't read those config files, then connect to the database and download or alter tables. A malicious script I removed from my account was set up to do exactly this.
The attackers could still have our DB passwords today. (I changed all of mine as a precaution.)
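What that cleanup and credential rotation looks like in practice, as an added example that is not part of the original post and not MediaTemple's or any CMS project's own tooling. The script walks a webroot and does two things: it inventories every database credential sitting in a known CMS config file (so each one can be rotated, not just the ones you remember), and it lists PHP files modified after a cutoff or containing obfuscation markers typical of dropped spam and redirect scripts. The config formats it parses (WordPress `wp-config.php` defines, Drupal 6 `$db_url`, phpBB `config.php` variables), the marker list and the sample files it writes into a temp directory are all assumptions constructed for the example.

```python
"""Post-compromise triage of a shared-hosting webroot (added example, not the
blog author's or MediaTemple's code). Two checks: inventory DB credentials in
CMS config files so every one can be rotated, and flag recently modified or
obfuscated PHP files. Config formats and sample data are assumptions."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Credential extractors keyed by config file name; each regex captures one
# field in the named group "v". Assumed layouts for WordPress, Drupal 6, phpBB.
CREDENTIAL_PATTERNS = {
    "wp-config.php": {  # define('DB_USER', 'x'); define('DB_PASSWORD', 'y'); ...
        "user": r"define\(\s*['\"]DB_USER['\"]\s*,\s*['\"](?P<v>[^'\"]*)['\"]",
        "password": r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"](?P<v>[^'\"]*)['\"]",
        "host": r"define\(\s*['\"]DB_HOST['\"]\s*,\s*['\"](?P<v>[^'\"]*)['\"]",
    },
    "settings.php": {  # Drupal 6: $db_url = 'mysqli://user:pass@host/dbname';
        "user": r"\$db_url\s*=\s*['\"]\w+://(?P<v>[^:@]+):",
        "password": r"\$db_url\s*=\s*['\"]\w+://[^:@]+:(?P<v>[^@]+)@",
        "host": r"\$db_url\s*=\s*['\"]\w+://[^@]+@(?P<v>[^/'\"]+)",
    },
    "config.php": {  # phpBB: $dbhost = '...'; $dbuser = '...'; $dbpasswd = '...';
        "user": r"\$dbuser\s*=\s*['\"](?P<v>[^'\"]*)['\"]",
        "password": r"\$dbpasswd\s*=\s*['\"](?P<v>[^'\"]*)['\"]",
        "host": r"\$dbhost\s*=\s*['\"](?P<v>[^'\"]*)['\"]",
    },
}

# Markers commonly seen in dropped PHP scripts. A hit is a reason to look,
# not proof of compromise (some legitimate plugins also use base64).
SUSPICIOUS_PHP = [
    ("eval+base64", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("request-to-eval", re.compile(r"eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
]


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def find_credentials(root):
    """Return one record per DB credential found in a known CMS config under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            patterns = CREDENTIAL_PATTERNS.get(name)
            if not patterns:
                continue
            path = os.path.join(dirpath, name)
            rec = {"path": path, "config": name}
            text = _read(path)
            for field, pattern in patterns.items():
                m = re.search(pattern, text)
                rec[field] = m.group("v") if m else None
            if rec["user"] or rec["password"]:
                found.append(rec)
    return sorted(found, key=lambda r: r["path"])


def find_suspicious_php(root, cutoff):
    """Return sorted (path, reasons) for .php files modified after the timezone-aware
    cutoff datetime or containing any SUSPICIOUS_PHP marker."""
    hits, cutoff_ts = [], cutoff.timestamp()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if os.stat(path).st_mtime > cutoff_ts:
                reasons.append("modified after cutoff")
            text = _read(path)
            reasons += [label for label, rx in SUSPICIOUS_PHP if rx.search(text)]
            if reasons:
                hits.append((path, reasons))
    return sorted(hits)


# Constructed sample webroot (fake hosts and passwords): three CMS configs, one
# clean PHP file, one dropped file that eval()s base64 ("echo 'hi';").
SAMPLE_FILES = {
    "blog/wp-config.php": "<?php\ndefine('DB_NAME', 'blog');\ndefine('DB_USER', 'blog_user');\n"
                          "define('DB_PASSWORD', 'Wp-s3cret');\ndefine('DB_HOST', 'internal-db.example');\n",
    "drupal/sites/default/settings.php": "<?php\n$db_url = 'mysqli://drupal_user:Dr-pass@internal-db.example/drupal';\n",
    "forum/config.php": "<?php\n$dbhost = 'internal-db.example';\n$dbuser = 'phpbb_user';\n$dbpasswd = 'Bb-pass';\n",
    "blog/index.php": "<?php\necho 'hello';\n",
    "blog/wp-content/uploads/.cache.php": "<?php\neval(base64_decode('ZWNobyAnaGknOw=='));\n",
}


def write_sample_webroot(root):
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Run both checks on the constructed sample; return (creds, marker_hits, recent_hits)
    with paths relative to the webroot."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_webroot(root)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        creds = find_credentials(root)
        for rec in creds:
            rec["path"] = rel(rec["path"])
        markers = [(rel(p), r) for p, r in find_suspicious_php(root, datetime(2100, 1, 1, tzinfo=timezone.utc))]
        recent = [(rel(p), r) for p, r in find_suspicious_php(root, datetime(2008, 1, 1, tzinfo=timezone.utc))]
    return creds, markers, recent


if __name__ == "__main__":
    creds, markers, _ = demo()
    for rec in creds:  # passwords are masked on screen but present in the records
        print(f"ROTATE {rec['config']:13} {rec['path']} user={rec['user']} host={rec['host']} "
              f"password={'*' * len(rec['password'] or '')}")
    for path, reasons in markers:
        print(f"SUSPECT {path}: {', '.join(reasons)}")
```

Run against a real account, `find_credentials` gives the complete rotation list (every user/host pair the attacker could have read), and `find_suspicious_php` with the cutoff set to the last known-good date gives the file list to review by hand; on a shared host where the attacker had write access, mtimes can be forged, so the marker scan is kept separate from the mtime check rather than relying on either alone.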
In Summary: MT Screwed Up, Needs to Make Some Changes
I hate to have to rip MediaTemple so badly, but they've really earned it this time. Poor grasp of security fundamentals in the first place. Poor response to serious intrusions. Really poor communication with their paying customers about what has happened to their data. This is just inexcusable. When there is an intrusion, you need to disclose what happened ASAP and ask for forgiveness. Trying to hide the truth will just cause your customers, and especially your reputation, harm.
MT really needs to fess up on this issue and show us what changes they are going to make to their team and technology to make sure this kind of crap doesn't happen again. Unless big changes are made, I can't see being able to trust these guys, security-wise.