InMotion, a large hosting provider based in California, was compromised in recent days and the attackers were able to replace the index files of thousands of sites, defacing them and in some cases making it difficult for site owners to recover and reload their sites.
The attack occurred on Sunday and the company posted a notice on its site about the incident, but many users posting on the company’s forums complained that they were never notified about the attack by InMotion. Some of them said that they only learned that their sites had been defaced when a customer or other third party informed them about it.
In a message posted on the company’s support forum, InMotion’s president said that the company had identified the vector that the attacker used to compromise its systems and determined that the only goal was to deface customer sites.
“The hacker used a system exploit to change a system password to allow him to access index files. We have blocked the exploit and changed the system password. As always though, it is recommended that you update your Cpanel and FTP passwords,” Todd Robinson wrote in the message. “Our systems team has blocked the exploit and is aggressively scanning for any other potential exploits.”
Some of the customers posting on the InMotion support forum said that when they connected to their sites while they were displaying the defaced page, they were getting alerts from their antimalware programs about a JavaScript-based piece of malware. It’s possible that the attacker’s goal in defacing thousands of sites was to load some malware on the pages to be used in drive-by download attacks against visitors. This is one of the more common and effective techniques employed by attackers right now, and viewing the mirrors of the hacked InMotion sites hosted on Zone-H will produce an alert from antimalware applications about a JavaScript Trojan.
A hacker going by the handle Tiger-M@te claimed responsibility for the attack, and in a message posted by someone else in the InMotion forum, the hacker claimed that he had defaced 700,000 sites during the attack. The InMotion officials did not specify how many sites were affected, just saying that it was in the thousands. The author of the forum message said that he had spoken with the hacker via IRC. From the message:
“I hack 700000 websites in one shot, this may be a new world Record. After submitting 200,000 domains,zone-h was going down again and again and became almost unresponsive in the end.so i was unable to submit all websites.so i’ve listed all domains in attachment. It was not just a server hack, actually whole data center got hacked.”