JohnnyA Misery: a post mortem

September 10, 2010 - By ArleyM

As was better publicized elsewhere, in early July or so there was a massive hacking onslaught on the Media Temple* gridservers by a mysterious source often referred to as “JohnnyA” (the name of the admin account that was added to WordPress sites). I personally had over 20 sites hit by the attack – and it could not have come at a worse time. I was putting in heavy overtime with work for a series of deadlines, and I was in the throes of the Dad thing (first-born child being born that week and all). The hacking wasn’t limited to WordPress sites either; the damage was pretty rampant – even on single-page sites like ◉.ws.

Sadly I couldn’t react as quickly as I would have liked. I hired my brother to make a series of updates and obvious fixes for me to buy time and prevent something possibly worse from happening.

Somehow, in my bleary, sleepless state, I would find time to Google the issue – several bloggers wrote about their experiences, and some lengthy discussions were sparked in the comments. No doubt this would be invaluable reading – but there was a lot. The time investment aside, I also wasn’t relishing the prospect of SSH command-prompt type of work, which was the thrust of a lot of the talk.

What my simple Googling didn’t produce as a result (and thus my reason for blogging about this now) was the easiest way of finding the problem: Google Webmaster Tools, which I’ll come to in a moment.

First things first though: if you’re having this issue, what is the source? I have no idea if the vulnerability was my own, or if it was possibly someone else hosted on my server (I read about some vulnerability in TinyMCE used in Drupal). I have no idea how this hosting works. Best practice, though, is to upgrade everything. For me this was a load of WordPress sites and plugins. I also deleted any unused sites as well as every JohnnyA admin.

Next, I made a list of all my affected sites (sites triggering the red warning screen of malicious content) – this is where the priceless Google Webmaster Tools comes in. Adding an affected site would bring a warning of the site being in violation in some way. By clicking some kind of “more info” link, you could see exactly what the offending page was! This made clean-up a much simpler process.
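A check that supports the clean-up step above, added here as an example rather than the author’s own method: a query, run from phpMyAdmin or any MySQL client, that lists every account holding the administrator role in a WordPress database so that an unexpected admin such as “JohnnyA” stands out. It assumes the default `wp_` table prefix.

```sql
-- Added example (not from the original post): list every WordPress account
-- that holds the "administrator" role, newest first, so that accounts you did
-- not create (e.g. "JohnnyA") are easy to spot before removing them.
-- Assumes the default table prefix "wp_"; with another prefix, change both the
-- table names and the meta_key (it is stored as "<prefix>capabilities").
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered
FROM   wp_users u
JOIN   wp_usermeta m
       ON m.user_id = u.ID
WHERE  m.meta_key = 'wp_capabilities'
  -- meta_value is a serialized PHP array, e.g. a:1:{s:13:"administrator";b:1;}
  AND  m.meta_value LIKE '%"administrator"%'
  -- Optional: narrow to accounts created since the attack window the post
  -- describes (early July 2010). Uncomment to apply.
  -- AND  u.user_registered >= '2010-07-01'
ORDER BY u.user_registered DESC;
```

Run it once against each site’s database; every login it returns that you do not recognise is a candidate for removal, and the registration date shows when it appeared.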

I hope this helps some other tired Dad somewhere out there.

*By the way, Media Temple has in no uncertain terms made it clear to the universe that this exploit was in no way their issue, but that of third-party software etc.

This post was written by ArleyM