Aug 16, 2010 08:04 GMT  ·  By

Media Temple customers have been hit by a new wave of mass injections, in what is starting to look like a weekly occurrence, despite the hosting provider working very hard to clean affected websites and secure them.

According to Denis Sinegubko, the creator of the Unmask Parasites online website scanner, which can detect whether Web pages have rogue code injected into them, the new attack is similar to the previous one and involves obfuscated JavaScript being appended to existing .js files.

The new malicious code comes with two levels of obfuscation and has the purpose of loading a script from an external bl.pqshow.org [don't visit] subdomain.

When no pre-existing .js files are found, the rogue scripting is added to the regular HTML files instead and is enclosed within an <ads> </ads> pseudo-element, probably to avoid drawing suspicion to it.

The hackers also try to hide the infection by keeping the modification date of the affected files intact, possibly via the UNIX touch command.
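A defender-side scanner for the indicators this article describes, added here as an example (it is not the article's or Unmask Parasites' code): it flags files carrying the <ads> pseudo-element, a reference to the pqshow.org domain named above, or obfuscation markers, and cross-checks each hit's modification time against its inode change time, which touch does not reset. The obfuscation heuristic, the file extensions and the 300-second slack are assumptions.

```python
import os
import re

# Indicators taken from the article: a rogue block wrapped in an <ads> ... </ads>
# pseudo-element, and a loader pointing at the pqshow.org domain it names.
ADS_BLOCK = re.compile(r"<ads>.*?</ads>", re.IGNORECASE | re.DOTALL)
KNOWN_HOST = re.compile(r"pqshow\.org", re.IGNORECASE)
# Assumed heuristic for obfuscated JS: eval/unescape/fromCharCode or long escape runs.
OBFUSCATION = re.compile(
    r"eval\s*\(|unescape\s*\(|fromCharCode|(?:\\x[0-9a-f]{2}){8,}|(?:%[0-9a-f]{2}){8,}",
    re.IGNORECASE)

def scan_text(text):
    reasons = []
    if ADS_BLOCK.search(text):
        reasons.append("ads-pseudo-element")
    if KNOWN_HOST.search(text):
        reasons.append("known-malicious-host")
    if OBFUSCATION.search(text):
        reasons.append("obfuscated-js")
    return reasons

def mtime_backdated(mtime, ctime, slack=300.0):
    """touch can reset mtime, but on a POSIX filesystem the inode change time (ctime)
    still moves to 'now', so a ctime well ahead of mtime is worth a second look."""
    return ctime - mtime > slack

def scan_tree(root):
    """Walk a web root; return (path, reasons) for every file matching an indicator."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".js", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    reasons = scan_text(fh.read())
                st = os.stat(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if reasons and mtime_backdated(st.st_mtime, st.st_ctime):
                reasons.append("mtime-older-than-ctime")
            if reasons:
                findings.append((path, reasons))
    return findings

# Constructed sample resembling the injected HTML described above (not a real capture).
SAMPLE_HTML = ("<html><body><ads><script>eval(unescape('%64%6f%63%75%6d%65%6e%74'))"
               "</script></ads></body></html>")
```

Run `scan_tree("/path/to/webroot")` and review every hit by hand; the mtime check is only meaningful on Linux/BSD, since Windows reports creation time in st_ctime.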

Sinegubko notes that the only common denominator he could find, as an external observer of the attacks, is that all affected websites use MySQL, or are hosted on an account with at least one MySQL-driven application.

This might point to an SQL injection attack or some other form of database compromise. However, there's no indication of any particular vulnerability in any specific application being exploited.

The researcher takes issue with Media Temple's repeated statements that its infrastructure is secure and not to blame for the attacks.

"If it’s a vulnerability in a third party software then let us know what exactly is vulnerable. If it’s because of insufficiently strict file permissions, then let us know what are the secure permissions.

"When hackers manage to compromise thousands of sites in a very short time, and do it again and again during this summer, they should leave traces.

"[…] Until you do it, your infrastructure should be considered insecure. The fact that you haven’t yet figured out the exact attack scenario and couldn’t prevent consecutive massive attacks only proves this," the researcher writes in an open message to the hosting provider.