Hosting Provider InMotion Hacked, Thousands of Sites Affected

InMotion, a large hosting provider based in California, was compromised in recent days and the attackers were able to replace the index files of thousands of sites, defacing them and in some cases making it difficult for site owners to recover and reload their sites.

The attack occurred on Sunday and the company posted a notice on its site about the incident, but many users posting on the company’s forums complained that they were never notified about the attack by InMotion. Some of them said that they only learned that their sites had been defaced when a customer or other third party informed them about it.

In a message posted on the company’s support forum, InMotion’s president said that the company had identified the vector that the attacker used to compromise its systems and determined that the only goal was to deface customer sites.

“The hacker used a system exploit to change a system password to allow him to access index files. We have blocked the exploit and changed the system password. As always though, it is recommended that you update your Cpanel and FTP passwords,” Todd Robinson wrote in the message. “Our systems team has blocked the exploit and is aggressively scanning for any other potential exploits.”

Some of the customers posting on the InMotion support forum said that when they connected to their sites while they were displaying the defaced page, they were getting alerts from their antimalware programs about a JavaScript-based piece of malware. It’s possible that the attacker’s goal in defacing thousands of sites was to load some malware on the pages to be used in drive-by download attacks against visitors. This is one of the more common and effective techniques employed by attackers right now, and viewing the mirrors of the hacked InMotion sites hosted on Zone-H will produce an alert from antimalware applications about a JavaScript Trojan.

A hacker going by the handle Tiger-M@te claimed responsibility for the attack, and in a message posted by someone else in the InMotion forum, the hacker claimed that he had defaced 700,000 sites during the attack. InMotion officials did not specify how many sites were affected, saying only that it was in the thousands. The author of the forum message said that he had spoken with the hacker via IRC. From the message:

“I hack 700000 websites in one shot, this may be a new world Record. After submitting 200,000 domains, zone-h was going down again and again and became almost unresponsive in the end. So I was unable to submit all websites. So I’ve listed all domains in attachment. It was not just a server hack, actually whole data center got hacked.”

 

Discussion

  • Anonymous on

    Wow is all I have to say. Customers expect to be protected from this type of attack. Nothing is Fort Knox on the internet, but come on.

  • Anonymous on

    Goes to show the weakness of the cloud. Find a weakness in one area and you have the same weakness on all services provided by the service provider.

  • Remote-Exploit on

    Non-technical savvy users are easily fooled by web hosting companies who falsely explain how far a total compromise could go. Security-minded guys will give you the following conclusions. 

    1 - InMotion said the goal of this mass hack is just to do defacement. These hosting guys never know hackers have installed rootkits and backdoors for future access. They think that it's safe and simple as restoring clients' web sites from backups. Once a box is hacked at the root level, it can't be trusted any more.

    2 - Hackers could have compromised InMotion several weeks/months before. Finally, they've been aware that the exploit they use has been discovered/known by other same-minded hackers. They do mass defacement to notify InMotion guys to patch this hole.

    We've seen mass hacking these days are not just for fun and fame. They have been used for generating revenue in black markets. Now, some clients are ready to move to other hostings. Others are just staying at InMotion and hoping for this mass hack not to happen again. Rest assured, this hack will not come back as hackers may now have future access at their will using backdoors that utilize stealthy covert channels to remotely do malicious stuffs.

    Stay Secure.
