Nuvo Server Gets Hacked
At approximately 2:00PM today, I noticed a strange occurrence in the backend of WordPress. Safari detected that the site I was visiting was suspicious and could infect my machine—yes, I’m on a Mac. This all came across as very strange to me, since I was in the backend of my own site and there was no way I’d installed anything like that…
Discovering the symptoms
I spent the best part of three hours researching what had caused the problem, discovering many cases of the same issue with other people but no answers. It was, and still is, unclear whether this was a problem caused by WordPress or Media Temple—or a combination of both for that matter. I eventually found this article with a detailed compilation of the problems that many people have been experiencing with the issue. However, I wasn’t suffering from all of the symptoms these people were—at least I didn’t think I was.
What had happened was an SQL injection into all of my databases, causing three main problems:
- My backend no longer functioned; almost all links (especially in the Settings area) were marked as malware by both Firefox and Safari.
- One hundred or so links were sneakily being created at the bottom of my code, in between the Google Analytics script and </html>, which led to the third problem…
- My code no longer validated.
Fixing the problem
I decided to call Media Temple tech support, something I hate having to do. They, however, identified the problem almost instantly and asked me to remove a couple of lines of code from my .htaccess file that had been injected by the malware. What they failed to do was tell me the second half of the removal process—the spam links that were placed in my footer!
It wasn’t until a few hours later that I decided to run a validation check on my code after making some updates, and noticed some odd links and list elements that weren’t validating. I checked my source only to find one hundred odd links to random ads and sites all over the web. The links were being generated by a line of code that somehow made its way to the index.php file in the root of my WordPress install. I removed the code (and actually re-created the file) and everything was fine. The 6 warnings I was getting on the validation check were gone and I was spam-free once again.
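The footer symptom described above can be checked for directly instead of waiting for a validator warning. The following is an added example, not part of the original post: it lists off-site links that sit between the analytics script and </html> in a rendered page. The function name, the `google-analytics` marker string and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collects the href of every <a> tag it is fed."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def footer_external_links(html, site_host, marker="google-analytics"):
    """Return off-site links sitting between the analytics script and </html>."""
    low = html.lower()
    pos = low.rfind(marker)
    if pos == -1:
        return []  # no analytics script to anchor on; nothing to report
    close = low.find("</script>", pos)
    start = close + len("</script>") if close != -1 else pos
    end = low.rfind("</html>")
    tail = html[start:end] if end > start else html[start:]
    collector = AnchorCollector()
    collector.feed(tail)
    external = []
    for href in collector.hrefs:
        host = urlparse(href).hostname
        # Relative links have no host; the site's own host and subdomains are fine.
        if host and host != site_host and not host.endswith("." + site_host):
            external.append(href)
    return external


# Constructed sample pages (example.* are placeholder domains, not from the post).
HEAD = '<html><body><p><a href="http://example.net/friend">blogroll</a></p>'
ANALYTICS = '<script src="http://www.google-analytics.com/ga.js"></script>'
CLEAN_PAGE = HEAD + ANALYTICS + "</body></html>"
INJECTED_PAGE = HEAD + ANALYTICS + "<ul>" + "".join(
    f'<li><a href="http://ads{i}.example.org/">x</a></li>' for i in range(100)
) + "</ul></html>"

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, len(footer_external_links(page, "example.com")))
```

Run against the fetched HTML of the live front page, any non-empty result is worth a look at index.php and the theme footer; legitimate links earlier in the page, such as a blogroll, are not reported.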
Preventing it from happening again
I changed all of my passwords: FTP, WordPress, Media Temple login—you name it! I also upgraded to the latest version of WordPress. I ran some scans on my WordPress database to check for any remnants of the malware and sifted through all of the hidden files on my server to check for any dodgy code.
The server is now clean once again and has double the security it had before—let’s hope it doesn’t happen again!



