Mass compromise at inmotionhosting.com

Thousands of sites were defaced today at InMotion hosting. The defacement was made by “TiGER-M@TE” and all of the affected sites showed the following text:

Server   Hacked   By   TiGER-M@TE

According to zone-h, they defaced at least 1,000 sites, and a list of the attacked sites can be viewed here: http://zone-h.org/archive/notifier=TiGER-M@TE

*It seems that some of the compromised sites were also at webhostinghub.com (both owned by the same company).
**We are tracking more than 10k sites already defaced.
***Update from their Twitter account: “inmotionhosting InMotion Hosting
Security team members have traced this vulnerability to an authentication system and are working to patch this now.”

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • onlycy

    http://www.onlycy.com/inmotionhosting-com-has-been-hacked-tiger-mate-bangladeshi
    We managed to recover our websites in very few minutes following the actions described in the above article.

  • http://freefrombroke.com Glen Craig

    Carefully go through a backup and replace index.php files where needed and delete all extra ones.  Make sure you have the correct index file as some are different.

    I was able to get my site back up as well as get back to my dashboard.  I scanned my site here and everything looks good.
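
The index-file cleanup described in the comment above, written as a read-only triage script. This is an added example, not part of the original post or its comments. The `public_html` and `backup` directory names and the sample file contents are constructed for illustration; the marker is the defacement text quoted in the post.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Defacement text quoted in the post; the spacing between words varies.
MARKER = re.compile(rb"Server\s+Hacked\s+By\s+TiGER-M@TE", re.IGNORECASE)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(webroot, backup):
    """Classify index.* files in webroot against a known-good backup tree."""
    webroot, backup = Path(webroot), Path(backup)
    report = {"defaced": [], "changed": [], "extra": []}
    for live in sorted(webroot.rglob("index.*")):
        if not live.is_file():
            continue
        rel = live.relative_to(webroot)
        good = backup / rel
        if MARKER.search(live.read_bytes()):
            report["defaced"].append(rel.as_posix())
        if not good.is_file():
            # Not present in the backup: one of the "extra" files to delete.
            report["extra"].append(rel.as_posix())
        elif sha256(live) != sha256(good):
            # Differs from the backup copy: restore after review.
            report["changed"].append(rel.as_posix())
    return report

def demo():
    """Build a constructed webroot/backup pair and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, bak = Path(tmp, "public_html"), Path(tmp, "backup")
        for base in (root, bak):
            (base / "blog").mkdir(parents=True)
            (base / "index.php").write_text("<?php require 'wp-blog-header.php';")
            (base / "blog" / "index.php").write_text("<?php // Silence is golden.")
        # Constructed damage: one overwritten index, one planted extra file.
        (root / "index.php").write_text("<h1>Server   Hacked   By   TiGER-M@TE</h1>")
        (root / "blog" / "index.html").write_text("Server Hacked By TiGER-M@TE")
        return triage(root, bak)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

The script only reports; it changes nothing on disk and looks at index files alone, so other modified files are outside its scope.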

  • http://www.liveleak.com/ ronnie raygun

    happened 3 times to my servers this year…. every time we think we have them blocked they find a hole…

  • BradM

    Hi dd,

    This is Brad with InMotion Hosting. I just wanted to stop by and say that we are hard at work on resolving this issue, and we are very sorry for the frustration and headaches that our customers had to wake up to this Sunday morning. We definitely understand how everyone feels. If anyone has questions, more details can be found at inmotionhosting.com/status

    Thanks,
    – Brad

    • http://freefrombroke.com Glen Craig

      Brad, what is being done on InMotion’s end to prevent this from happening again?  What exactly caused this hack in the first place?

  • Kernel

    Non-technical savvy users are easily fooled by web hosting companies who falsely explain how far a total compromise could go. Security-minded guys will give you the following conclusions. 

    1 – InMotion said the goal of this mass hack is just to do defacement. 
        These hosting guys never know hackers have installed rootkits and backdoors for future access. 
        They think that it’s safe and simple as restoring clients’ web sites from backups. 
        Once a box is hacked at the root level, it can’t be trusted any more.

    2 – Hackers could have compromised the inMotion several weeks/months before. Finally, they’ve been aware that the exploit they use has been discovered/known by other same-minded hackers. They do mass defacement to notify inMotion guys to patch this hole.

    We’ve seen mass hacking these days are not just for fun and fame. They have been used for generating revenue in black markets. Now, some clients are ready to move to other hostings. Others are just staying at inMotion and hoping for this mass hack not to happen again. Rest assured, this hack will not come back as hackers may now have future access at their will using backdoors that utilize stealthy covert channels to remotely do malicious stuff.

    Stay Secure.
