On Sunday, September 25, 2011, a very devious hacker called TiGER-M@TE from Bangladesh attacked the servers of thousands of web sites hosted by InMotion. Numerous big sites, such as Stand Up America and sites used by some political campaigns, were also affected. The web hosting service InMotion, a very reputable firm used by many thousands of web sites, acknowledged the breach and gave the following statement:
“At around 4 a.m. EST, our system administration team identified a website defacement attack affecting a large number of customers. We are still investigating, but it appears that files named index.php have been defaced. We are evaluating how this has occurred and our security team will have more information shortly,” InMotion said in a statement. “While we review this issue, cPanel and SSH access has been disabled on various platforms. For additional security, we are rotating passwords on a number of accounts.”
This attack was strictly a defacement rather than a data breach per se, but as a precaution you should change all of your cPanel and FTP passwords if you are hosted on inmotionhosting.com servers.
In defense of my host, they are a very reputable firm hosting large numbers of accounts, with several data centers across the US. They do acknowledge this hack as a failure on their part to provide adequate security and in my view, that is enough. I am reluctant to change hosts at this time, because other hosts I used had a lot worse vulnerabilities. I cannot count how many times my website was down at my previous host due to DDoS attacks.
Does this affect any of you? No, unless your web site is hosted by InMotion Hosting or your own host’s cPanel management servers were breached in the same way.
Is there a defense against this? No; the breach happened at the host’s management server, so adequate protection against such attacks has to come from the host. There is nothing a customer can do to prevent it.
How did it occur? The hacker gained access to an administrative function on the host’s management server, the server that controls all of the VPS accounts hosted on its subsidiary servers, which is used to set account passwords. From there the hacker changed passwords, logged into every account controlled by that server, and began changing or adding index.php files exactly 12,500 kb in size. Only the root folder of public_html and its immediate child folders were affected; nothing deeper than that was touched. The email I received from InMotion Hosting is below:
As you may be aware, our network, and potentially your server, was the target of a large scale website defacing attack this morning, Sunday, the 25th. The defacement worked by replacing index files in all public_html directories with the attacker's index.php. At this time, it does not appear to be any more malicious than taking over the web site's home page, but we are still reviewing servers at this time.
We understand the method the attacker used to accomplish this and the main exploit path was through an internal management server that can control cPanel on other servers. The management server was used to change passwords on the cPanel servers then login with those passwords. It does not appear that gaining passwords was a goal or was accomplished, just password changes were used. Access to the management server was gained from an exploited customer's server that was within our network.
Though our team moved quickly to disable the internal management server and limit the exposure of the servers to this attack when it began, it was a very serious breach and could have been much worse if the hacker had intended to do more harm.
At this time, we want to be sure you are aware of the attack and your server's potential exposure. Our systems team has moved to repair the index files, but the automated system is still running and may take a few hours to finish all sites.
Please review your sites if you have not already done so. If you have a backup of your site, you may upload your index.php files to correct this. You will most likely need to do this for each directory. If your site uses an index.html or index.htm, you will need to upload those files, then delete the index.php.
If you were affected and you need assistance recovering the home page or other directory indexes, please contact us.
Further, if you feel your server has been targeted more in-depth than the index.php defacement, please contact us immediately and we will do an additional scan on your server.
Though it does not appear gaining passwords was an intent of this attack, it is recommended that you update all of your passwords related to your server.
Please note, our billing, domain management, and customer tracking system (AMP) was not targeted, nor was it available to the cPanel management server. It is on a separate network and firewall.
Please accept our apologies as we go through this process. We are very aware of our failure in this situation and we will provide more details when we have completed the work of recovery.
Again, please review your server and sites if you have not done so already. Reach out to us immediately if you suspect a more in-depth attack on your server.
Sincerely,
Todd Robinson
President
InMotion Hosting
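As an added example (not part of the post, and not InMotion's own tooling), the following Python script applies the recovery steps from the notice above to a constructed sample site: it flags index.php files in public_html and its first-level child directories that share identical content, the mark of a mass defacement (it keys on identical bytes rather than the post's stated file size), then restores each from a backup copy, deleting the planted index.php where the backup holds index.html or index.htm instead. The temporary directory layout and the page contents are assumptions made up for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

def find_mass_defaced(public_html, min_copies=2):
    """Hash index.php in public_html and its first-level child directories (the depth the
    post says was hit). One identical file in several directories is the mark of a mass
    defacement; returns every path whose hash appears at least min_copies times."""
    groups = defaultdict(list)
    subdirs = [e.path for e in os.scandir(public_html) if e.is_dir()]
    for d in [public_html] + sorted(subdirs):
        path = os.path.join(d, "index.php")
        if os.path.isfile(path):
            with open(path, "rb") as f:
                groups[hashlib.sha256(f.read()).hexdigest()].append(path)
    return [p for paths in groups.values() if len(paths) >= min_copies for p in paths]

def restore_from_backup(public_html, backup_root, suspects):
    """Apply the notice's recovery steps: put index.php back from the backup, or, where
    the backup holds index.html/index.htm instead, restore that and delete index.php."""
    restored = []
    for php_path in suspects:
        site_dir = os.path.dirname(php_path)
        backup_dir = os.path.join(backup_root, os.path.relpath(site_dir, public_html))
        for name in ("index.php", "index.html", "index.htm"):
            src = os.path.join(backup_dir, name)
            if os.path.isfile(src):
                shutil.copy2(src, os.path.join(site_dir, name))
                if name != "index.php":
                    os.remove(php_path)  # the planted file would otherwise shadow index.html
                restored.append(os.path.join(site_dir, name))
                break
    return restored

def build_demo():
    """Constructed sample tree (not real data): a clean backup of three directories and a
    live copy in which every index was overwritten by one identical defacement page."""
    root = tempfile.mkdtemp()
    site, backup = os.path.join(root, "public_html"), os.path.join(root, "backup")
    for sub, name in {"": "index.php", "blog": "index.html", "shop": "index.php"}.items():
        for base in (site, backup):
            os.makedirs(os.path.join(base, sub), exist_ok=True)
            with open(os.path.join(base, sub, name), "w") as f:
                f.write("<!-- genuine %s page -->" % (sub or "home"))
        with open(os.path.join(site, sub, "index.php"), "w") as f:
            f.write("<!-- constructed defacement page -->")  # same bytes everywhere
    return site, backup
```

On a real account, point find_mass_defaced at the live public_html and restore_from_backup at a backup taken before the incident; a genuine site rarely has byte-identical index.php files in several directories, so any group it reports deserves a look.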
