Forum Replies Created

Viewing 1 replies (of 1 total)
  • Media Temple has details about the attack here. Sadly, they haven’t stated any corrective action taken on their part to ensure that such an attack doesn’t happen again.

    The easiest way that I found to get rid of all the code was to run an SSH scan using the provided string on that page. I modified it to include ue.oeaou.com/31 which theirs doesn’t.

    Running this once should get rid of the redirects from all domains in the domains folder.

    cd ~/domains/ && for x in $(find . -type f -perm -u+r -name "wp-config.php" 2>/dev/null); do
      # Read the database settings for this site from its wp-config.php
      db_user=$(egrep DB_USER "$x" | awk -F\' '{print $4}')
      db_pass=$(egrep DB_PASSWORD "$x" | awk -F\' '{print $4}')
      db_name=$(egrep DB_NAME "$x" | awk -F\' '{print $4}')
      prefix=$(egrep table_prefix "$x" | awk -F\' '{print $2}')
      db_host=internal-db.s$(echo $HOME | awk -F/ '{print $3}').gridserver.com
      # Only touch databases whose posts contain one of the injected script sources
      if mysql -u"$db_user" -h"$db_host" -p"$db_pass" "$db_name" -e "select post_content from ${prefix}posts;" | egrep -q "(ae\.awaue\.com/7|ue\.oeaou\.com/31|ie\.eracou\.com/3|ao\.euuaw\.com/9)" 2>/dev/null; then
        # Strip each of the four injected <script> tags from post_content
        mysql -u"$db_user" -h"$db_host" -p"$db_pass" "$db_name" -e "UPDATE ${prefix}posts SET post_content = replace(replace(replace(replace(post_content, '<script src=\"https://ae.awaue.com/7\"></script>', ''), '<script src=\"https://ue.oeaou.com/31\"></script>', ''), '<script src=\"https://ie.eracou.com/3\"></script>', ''), '<script src=\"https://ao.euuaw.com/9\"></script>', '');" 2>/dev/null
        echo -e "\n$x - Redirect Exploit cleaned in database $db_name"
      fi
    done
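Added example, not part of the post above or of Media Temple's script: read-only helpers for checking a site before and after the cleanup, using the four script sources named in the post. The function names are hypothetical, and the sample config and dump are constructed.

```shell
#!/usr/bin/env bash
# Added example: read-only checks to run before and after the cleanup.

# The four injected script sources named in the post. [.] is used instead of
# \. so the same pattern works in grep -E and in a MySQL REGEXP string literal.
PATTERN='(ae[.]awaue[.]com/7|ue[.]oeaou[.]com/31|ie[.]eracou[.]com/3|ao[.]euuaw[.]com/9)'

# cfg_value FILE KEY: value from define('KEY', 'value'). Anchoring on "define"
# at line start skips commented-out copies that a bare egrep would also match.
cfg_value() {
  grep -E "^[[:space:]]*define\([[:space:]]*['\"]$2['\"]" "$1" | head -n 1 |
    awk -F"['\"]" '{print $4}'
}

# cfg_prefix FILE: value from $table_prefix = 'wp_';
cfg_prefix() {
  grep -E '^[[:space:]]*\$table_prefix' "$1" | head -n 1 | awk -F"['\"]" '{print $2}'
}

# count_query FILE: a SELECT that counts affected posts and changes nothing.
count_query() {
  printf "SELECT COUNT(*) FROM %sposts WHERE post_content REGEXP '%s';\n" \
    "$(cfg_prefix "$1")" "$PATTERN"
}

# count_injected FILE: number of injected tags in a text file such as a dump.
count_injected() {
  grep -Eo "<script src=\"https://$PATTERN\"></script>" "$1" | wc -l | tr -d ' '
}

# Constructed sample input (not from a real site).
sample_config() {
  cat <<'EOF'
// define('DB_NAME', 'old_db');
define('DB_NAME', 'db12345_wp');
define('DB_USER', 'db12345');
define( 'DB_PASSWORD', 'example-only' );
$table_prefix  = 'wp_';
EOF
}
sample_dump() {
  cat <<'EOF'
Hello<script src="https://ue.oeaou.com/31"></script> world
Clean post with a link to https://example.com/7
<script src="https://ae.awaue.com/7"></script><script src="https://ao.euuaw.com/9"></script>
EOF
}
```

Running the query printed by `count_query` before the UPDATE shows how many posts are affected, and running `count_injected` on a fresh dump afterwards should report 0.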
