securitypost.jpg

This post was recently updated (8/7/10 10:30 AM) to convey new information. Please look for new content in the color orange.

Recently, the hosting industry has experienced a large influx of malware attacks against websites running popular blogging, content management, e-commerce applications and static content as well. At (mt) Media Temple we take these threats very seriously and we have taken several parallel steps to help our customers stay secure. This blog post is an attempt to do a better job in explaining the often confusing nature of security issues – some of which are specific to (mt) and some of which are non-specific to (mt). We would like to assure our customers that we are focused on this subject and that the (mt) infrastructure is not “hacked”.

Recent Attacks

The most recent customer attacks we’ve seen vary in complexity and scope, but a common denominator is the injection of malicious code into customer web pages and databases. The attackers gain access into customer websites using a variety of methods which we describe herein.

Generally, How do attackers gain access?

  • Exploiting vulnerable, usually outdated, versions of web software.
  • Exploiting vulnerabilities in the hosting infrastructure itself.
  • Harvesting credentials from web applications that are not properly secured.
  • Individual computers are being compromised thus leaking sensitive login information.
  • Email is being spoofed and end-users are being phished for site login data.
  • Non-secure FTP connections.

For what purpose are sites being attacked?

  • Redirecting website traffic via Google to “spam sites” selling illicit pharmaceuticals or other products, in an effort to drive revenue and Google page rank to questionable vendors.
  • Redirecting website traffic to malicious websites prompting the download of malicious software to a user’s computer, often disguised as anti-virus or anti-malware software, which give attackers backdoor access in an effort to steal information and possibly take complete control of a user’s computer.
  • Hiding pages buried deep within website sub-directories that host phishing forms attempting to harvest bank or other financial login credentials.

Is (mt)’s hosting infrastructure being directly exploited?

No. We have fully analyzed recent attacks and have found they are being exploited by-way-of vulnerable or non-securely configured customer-installed web applications. In a past incident, it is true that we were the victims of infrastructure exploit which caused a wide-spread attack against our (gs) platform, which was addressed and fixed. (please see public incidents #1026 & #1047 ). Since that time we have conducted investigations of all subsequent attacks. We’ve hired new internal security staff and we’ve hired external independent security advisors to help. We’ve also consulted with other large hosting companies who are also targets.

For the most recent customer attacks, we have found the most common way of gaining access is through non-secure customer-installed software. Vulnerable customer software (blogs, CMS, PHP apps) give attackers access to view and steal database passwords from application configuration files, illicitly inject code, and create backdoor access to user applications.

How can I fix an infected site?

We have created an easy to follow guide on the steps necessary to disinfect your website. Visit this link. Also, you may want to bookmark our main Security URL (http://mediatemple.net/security) which contains several resources concerning security, incidents, how-tos, site scanning, professional services, etc.

Information on Google Safe Browsing advisory warnings.

Google is now reporting a large number of websites on the Internet as “suspicious”. This includes sites on a variety of web hosts including (mt) Media Temple. Modern browsers tap into Google’s Safe Browsing system to protect users from potentially malicious content or scripts.

The alert may look similar to this: http://mdtm.pl/cjIxOq

If your site is appearing suspicious to Google, you may easily remedy the matter by removing the infection from your website and re-submitting your website to Google. Information on how to accomplish this is contained within our Security Resources Wiki.

How can I stay secure in the future?

Regularly update your installed web application software packages and change your user and database passwords using strong passwords. Look for indications that you are currently infected using Google Safe Browsing and look for small javascript snippets included at the header or footer of your page content. Make sure that your personal computer is secure by regularly updating your operating system. Always use secure protocols when using FTP, and when configuring your email client, and also when you check email over the web.

WordPress has been mentioned a lot lately. Is this application specifically vulnerable?

No. WordPress is a high-quality project that updates their software whenever a security problem is found. The latest versions do not contain any vulnerabilities that we are aware of. If you are running an old version, please update yourself. This is a common practice and should be familiar to any Windows or Mac OS X desktop user.

This being said, due to the ubiquity as one of the world’s most popular open-source publishing systems, WordPress is often the target of the payload with code injections and backdoor entry points after the attackers have maliciously gained access to a user’s website. The fact that WordPress is frequently a payload target DOES NOT mean that WordPress itself is vulnerable. It just means it’s popular and very powerful. You should continue to use it and we think it’s great software.

What is (mt) doing to help?

  1. Removed all use of “plain-text” passwords across the (mt) service architecture.
  2. Initiated a required database password change for at-risk users.
  3. Implemented security scanning technology across our infrastructure.
  4. Improved logging for frequently targeted services.
  5. Tuned IDS (intrusion detection) systems.
  6. Remedied “cross account” weak permission attacks .
  7. Hired dedicated security personnel.
  8. Engaged 3rd-party experts to help with testing and auditing.
  9. Helped form a Security Alliance with other hosting providers.
  10. Further strengthened the (gs) Grid-Service to protect a small group of customers who had weak permissions.
  11. Proactively fixing customers sites with new automation and new versions of internal removal software.
  12. Working with Google to help get corrected sites expeditiously de-listed.

Going further…

We have also created a Security Resources Wiki which contains a variety of additional information to help our customers. Please follow this URL to gain access to information such as:

  1. List of any open or resolved security incidents relating specifically to (mt.).
  2. How-to’s on fixing an attacked site.
  3. Suggestions from WordPress on running a secure blog.
  4. And tons of other links providing security information on popular software apps.

Feedback?

We hope this post has been useful to you. If you have any comments, or if you think we missed anything, please let us know by sending an email to security {at} mediatemple.net. Thank you.