So far, I’ve found the malicious code in footer.php and archive.php
mt could provide a little more assistance by scanning the server’s php files are removing the malicious code as we learn more about the WP vulnerability.

Solving the problem is not so simple because the exploit may involve MySQL account access.

There goes my Saturday.

Unfortunately scanning your websites for vulnerabilities falls outside the (mt) Media Temple scope of support. For information on working with a hacked or compromised server see our article at http://kb.mediatemple.net/questions/1577.

I was not asking for this, i ask you to tell me if mysites are exposed to a more dangerous type of hacking. A defacement is still a problem we can handle, but having 10-20 sites put down is an isssue. For me, MONEY! Money that i gave you to host my sites. I am sure a small buyer, sure not a big company. So, i don’t deserve explanations?

I had all my top domains defaced (joomla, wordpress and plain html sites, not only wordpress, so dont bother please with “hard your wordpress installation”).

The hacker did void the .htaccess and pulled in a index.html, a logo.ong and a flag.jpg file.

I searched thru the entire domains and it seems that nothing else has been touched, except for those strange guys in my wordpress users (johnnyA but others as well).

I spent half an hour to change ALL the passwords (root, ftp’s, emails, databases) and reconfigure them all.

I have to be honest: it seems to be a breach in the server, not in the software. But i am waiting for Mediatemple to clarify.
I have to be honest

It appears that you may need a bit more information to understand the scope of vulnerabilities on the internet as a whole. We are more than happy to discuss these with you (and any client) that wants clarification on the impact and function of various security issues on the internet. If you have the time, please email your contact information directly to andrew[at]mediatemple[dot]net and we will contact you ASAP to discuss the matter.

The simple fact is, this hack is related to vulnerabilities within WordPress and/or plugins. It is also possible that a backdoor was planted in your software previously. Think about it this way, when your PC gets a virus, do you blame the computer manufaturer for the vulnerabilities built into the Windows OS?

The simple fact that there are commonalities across the compromised sites indicates that this is a large scale attack being run against websites with similar configurations. If this were a vulnerability unique only to (mt) Media Temple hosted domains, there would be no other reports of simlar hacks against sites hosted on our competitors. However, over the past few months, we have seen a significant increase in WordPress and related PHP application compromises:

Nearly identical hack at Rackspace:
http://blog.sucuri.net/2010/06/mass-attack-of-wordpress-blogs-on-rackspace.html
http://blog.unmaskparasites.com/2010/06/14/attack-on-wordpress-blogs-on-rackspace/

The notorious Pharma Hack:
http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php

We are looking into the possibility of offering a new service to our customers that would help ensure the security of their websites. We don’t like hearing that our customer’s sites are exposed to attack without any chance for resolution. Please help us determine the best way to proceed by filling out this quick survey:

http://mdtm.pl/a3lhQc

Yes, and a fresh Windows installation for those who visited your unsecured website mr. cultra. Meanwhile, it’s great to see you are ‘… going to make a ton of money because of it. DS’.

P.O.S.