JohnnyA MediaTemple Hack

A few days ago I came to my site only to be first greeted by a warning from my browser that I was about to visit a malicious site. Obviously this was news to me, since I hadn’t installed any virus-spreading WordPress plugins (hmmm, I wonder if there are any) in the last few days. I decided to enter at my own risk, only to find that somehow a large bunch of encrypted JavaScript was making its home at the bottom of my web page. I began to look further into it, realising that somehow there was a user by the name of JohnnyA that had admin privileges to my blog. I then found that I was not the only one and that many MediaTemple users were experiencing the same thing.

To make a long story short, I found the offending code, which had taken up residence in the darkest, dustiest corners of my server, and apologized to Google, then got my site up and running again. I’ll list the sites that I found useful below rather than regurgitating their content:

 

Details of the actual hack:
http://blog.theflashblog.com/?p=2243

How to fix it (make sure to read users’ comments too):
http://brettterpstra.com/notes-on-cleaning-up-the-mediatemple-hack-johnnya/

MediaTemple’s admission of wrongdoing (kinda):
http://weblog.mediatemple.net/weblog/2010/08/06/security-facts/

And their version of how to fix it:
http://wiki.mediatemple.net/w/Recovering_from_a_site_compromise

Hope this helps anyone experiencing the same problems.