First let me wish you all a happy holiday season and I hope the upcoming year brings you the best!
It seems that Media Temple was exploited yesterday evening and your site may be at risk. As you know, Armeda is hosted on Media Temple and I really enjoy their service.
Last night I received an email, which was followed up this morning with a second communication, that there was some irregular activity:
This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.
Please take this opportunity to create strong passwords for your Server Administrator, Account Center contacts, and any Email accounts associated with your service. Typically, strong passwords should be at least eight characters in length, combine numbers and letters, and not include commonly used dictionary words.
I reviewed all of my instances of WordPress and I don’t seem to be in the group that was affected by what seems to be a widespread hack of Media Temple yesterday evening.
Later in the emails they sent, they also included the following:
We also strongly suggest examining your website content for anything suspicious that may have occurred as a result of this FTP activity. If you find files, folders, or code that seem suspicious please delete them as soon as possible. As always, keeping working backups is encouraged.
We have provided some examples in a Knowledge Base article detailing the most common exploit associated with this recent activity. See http://kb.mediatemple.net/questions/1715/ for more details.
You can also see a post on Digging into WordPress by Chris Coyier.
Food for Thought
1. I went through and changed all of my passwords, and I recommend you do the same. Even if you haven’t been affected yet, that doesn’t mean the risk doesn’t exist.
2. I’ve also done a visual review of all of the WordPress files that seem to have been affected, just to ensure no malicious code was introduced into my environment. Again, I recommend you do the same!
A couple more tips and I’ll leave you to your turkey day celebration.
3. Back up your databases and download them off of the Media Temple environment. Some folks are doing fresh installs of WordPress, but this seems to have affected theme files as well, so again, it’s a good idea to do a review of your files.
4. Lastly, there are various host integrity checking tools out there, and it’s a good idea to use one. They alert you any time a file is changed on your hosting account. I recommend Sucuri Security. Sucuri will email or tweet you any time a change occurs.
Conclusion
I am not sure what the root causes and actions taken are yet, but I will say that Media Temple seems to have been quick to notify all of their users of the problem. They have always been pretty good about this in my book.
Things like this happen, and it helps if you are taking steps like monitoring your site, keeping regular backups, and adhering to best practices when it comes to WordPress and security principles.
Have you been affected? Let me know if you received the emails from Media Temple, and please expand on my post if you can.