Thousands of sites compromised following hosting provider hack
California-based hosting provider InMotion has suffered a compromise that resulted in the defacement of thousands of home pages of websites hosted on their infrastructure, which were allegedly set to serve malware.
The compromise was confirmed by InMotion president Todd Robinson in a post published on the hosting provider’s forum on Monday, in which he said that the “large scale website defacing attack” happened on Sunday, September 25th, and that the hacker’s goal was only to deface websites.
“At this time, the attack does not appear to have been any more malicious than replacing the web site’s home page; the defacement worked by replacing index files in all public_html directories with the attacker’s index.php file,” he wrote. “Gaining passwords was not a goal and was not accomplished. The hacker used a system exploit to change a system password to allow him to access index files. We have blocked the exploit and changed the system password. As always though, it is recommended that you update your Cpanel and FTP passwords.”
He also made sure to emphasize that their billing, domain management, and customer information system (AMP) was not targeted or, indeed, even available through the affected servers and network.
But according to ThreatPost, some of InMotion’s customers have chimed in, claiming that when they accessed their defaced site(s), their AV software began warning them of the presence of JavaScript malware.
This could mean that the ultimate goal of the attack wasn’t only defacement, but spreading malware via drive-by download.
The hacker, who identifies himself with the handle “Tiger-M@te”, allegedly boasted of having compromised over 700,000 websites in one go. “It was not just a server hack, actually whole data center got hacked,” he wrote in a message posted to the InMotion forum by a proxy.
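According to Robinson’s statement, the defacement replaced the index files in all public_html directories with one attacker file, which means the same content hash turns up across unrelated accounts. The sweep below flags such clusters; it is an added example, not code from InMotion or the original article, and the `<account>/public_html` layout, the index file names, the `min_sites` threshold and the sample accounts are assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

INDEX_NAMES = {"index.php", "index.html", "index.htm"}  # assumed home-page names

def find_mass_replaced_indexes(root, min_sites=3):
    """Return {sha256: [paths]} for index files whose identical content
    shows up under at least `min_sites` different public_html trees."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if "public_html" not in parts:
            continue
        # A "site" is the path up to and including its public_html directory.
        site = os.sep.join(parts[: parts.index("public_html") + 1])
        for name in files:
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            by_hash[digest].append((site, path))
    return {
        digest: sorted(path for _site, path in hits)
        for digest, hits in by_hash.items()
        if len({site for site, _path in hits}) >= min_sites
    }

def build_demo_tree(root):
    """Constructed sample data: five accounts, three sharing one index.php."""
    same = b"<?php /* constructed placeholder page */ ?>"
    pages = {"alice": same, "bob": same, "carol": same,
             "dave": b"<h1>Dave</h1>", "erin": b"<h1>Erin</h1>"}
    for user, body in pages.items():
        site = os.path.join(root, user, "public_html")
        os.makedirs(site)
        with open(os.path.join(site, "index.php"), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for digest, paths in find_mass_replaced_indexes(tmp).items():
            print(digest[:16], *paths, sep="\n  ")
```

Identical provider-supplied placeholder pages cluster the same way, so compare a flagged hash against known default pages before treating it as a defacement.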