Inmotion Hosting Hacked by Tiger-M@te. Users Greeted by Lame Looking “Hacked” Page.
September 25, 2011
This snippet explains a bit about the tiger-m@te inmotion hack which defaced thousands of people’s websites. Leave comments below.
To see how to fix this problem if you were affected, >click here<.
What happened?
Some hacker(s) decided to take on one of the world’s largest hosting companies, inmotion, and replace everyone’s index.php file with a cute little 1990′s style “Server Hacked!” splash page. It plays a rap song (given your dumb enough to stay on the page long enough for it to automatically download…which I was).
If inmotion gets hacked and 700,000 websites with it (including this humble one I make a living on) , that should say plenty about the internet, no? Its not easy to hack someone like inmotion. I love inmotion by the way. It just shows nobody is immune to getting hijacked in the pirate-infested waters we call the internet.
That being the case, what if a site like facebook gets hacked? Facebook deals purely in information – your information – so no doubt that would cripple society’s identity as a whole. I guess the internet is only as trustworthy as the hackers that run it.
The fix:
Its an easy fix. Just replace your index.php file with your back-up version. Multiple directories were affected, so if you use wordpress, check out folders wp-admin, wp-content, and wp-includes. Replace them with their respective index files from the default install. Also, inmotion hosting is running an automated repair on websites that have done backups in the past, so you may never have to touch it.
the Splash Page
Here is the splash-page I was greeted with. Hackers seem fond of 1990′s style web design (done by teen-age geeks with too much time on their hands).
Remember WaRez? Remember the old days of hacking when teenagers used to run shady websites from their bedrooms while their parents were completely ignorant to what their kid was up to? The design of this webpage smacks of that era 1990's. If he was going for the vintage hacker look, I suppose he did well. But for a modern 700,000 webpage defacement notoriety getter?
Related illustrations on Tiger-M@te hacking news:
Leo Blanchette
Latest posts by Leo Blanchette (see all)
- Explore The Ocean – Master’s Degree.net – December 27, 2012
- Cops and Robbers! Two New Orange Man Characters – September 18, 2012
- New Orange Man Explorer Vector Illustrations – September 18, 2012
Jill says:
What is inmotions hosting doing about the problem? My website has been hacked as well.
Tony G says:
Hi Leo,
I just transferred my Hosting about a week ago.
And this happened.I am only small time too and rely on my Site to supplement my Pension.
Why don’t these children “Get a Life”
At least Posting here helps my frustration a little.
Cheers,
Tonyg
b says:
Thanks for posting this. My site, too, is hosted by Inmotion, and I happened to check it first thing this AM. It was interesting to see your post so promptly after mine went down.
I know what you mean about FB. I don’t share anything there. But the sad thing is, friends and family of mine post photos and info about me all the time. Kiss privacy goodbye.
chris says:
If you are running a wordpress website on Inmotion hosting, you can find the fix for the Tiger M@te hack here: http://iamweare.nl/webhostinghub-inmotionhosting-hacked/
Jenny @ Kerrfect! says:
This just happened to me this morning, no one at my server (WebHosting Hub) seems to be up or even aware of the problem yet. I have a small vintage/craft blog that recieves very little traffic, it’s just sort of something I do for fun. HOWEVER, I would be really bummed out if the 5 years I’ve put into it was all for nothing now. Were you able to restore your index page or was it gone for good unless you had it saved somewhere else? I’m not sure that I still have my index file backed up anywhere since a recent computer malfunction.
Leo Blanchette says:
Hi,
To answer you guys, it appears they over-wrote the index.php files in all the levels of everyone’s web directory. Any file called “index.php” in either the top directory, or in another sub-directory (like wp-admin) was replaced with the hacked-version.
Its a simple fix…just get your back-up index (if its wordpress, it should be a simple copy/paste from the default install) and upload it.
Jenny @ Kerrfect! says:
I’m looking at my index.php in the editor right now and it appears to be exactly the same as my pre-hacked version. I’ll try reuploading it again though. Thanks so much for the reply!
Leo Blanchette says:
By the way, *supposedly* the same people pulled a trick on google a while back. Inmotion is an awesome hosting site…I absolutely love it and they’ve been very good to me. I don’t plan to move at all. This could happen to any company (especially the big ones since pranksters foaming at the mouth to target them)
Leo Blanchette says:
Jenny, once I replaced mine it reverted again. I had to replace it a second time. Maybe the battle is still going or they are just trying to restore properly.
Jenny @ Kerrfect! says:
yeah I just replaced mine and it is still there, I’ll try it again, otherwise I am not sure what to do, especially since my host has taken their 24/7 chat offline forsome reason. THEIR main page and everything seems to be working just fine :/
Jenny @ Kerrfect! says:
yeah second time didn’t work, lol just my luck!
Leo Blanchette says:
Their main page had it too, for a few minutes.
Paris says:
I have two sites on a primary account with inmotion. Thanks for the update above every1.
To avoid displaying the hack page, i set up a temp. divert in cpanel to divert http://www.sitename.com/ and http://www.sitename.com/index.php to http://www.sitename.com/anything/ as a landing 404 page until inmotion resolve the issue.
Does anyone know if inmotion will be able to revert to an earlier server backup (via inmotion’s server backup) of server files for all 25,000 sites and how soon? The Inmotion hosting company webpage is fine. There are no posts about this problem on the forum. Let’s hope inmotion hosting sort this problem out fast & soon!
Leo Blanchette says:
They have updates on their support page. http://support.inmotionhosting.com/
abdulrahman says:
mine is hacked too, i am calling inmotion.com from saudi arabia and everytime gives me busy tone or they play stupid waiting music.the problem is i didnt take any backup for it.
phillip says:
This is the second time InMotion has been hacked in this way. It also happened last year around this time by some Turkish Hacker.
I’m highly demotivated to work on my site to say the least.
John says:
Thanks for posting this. Why is inmotionhosting not answering their phones ?
Thanks for the fix as im replacing all my index pages. I also rely on my website for a living and had i lost it my life would be ruined.
Paris says:
Thanks
Also inmotion twitter is useful for latest:
http://twitter.com/inmotionhosting
5 mins ago:
@inmotionhosting:
‘If your index.php was modified, they will be restoring it from the most recent backup and no further action is necessary on your part.’
Hope this helps & we get our sites back up!
Leo Blanchette says:
Awesome!
The Urban Cowboy says:
Wow…they really got a lot of us!
My Server Was Hacked by Tiger-M@te
Leo Blanchette says:
Definitely a black-hat stunt they pulled. Glad the Urban Cowboy is with the white hats!
Paris says:
Cheers Urban Cowboys,
Your blog post was insightful to read for fellow inmotion clients affected by this disruption:
http://theurbancowboy.net/2011/my-server-was-hacked-by-tiger-mte/
Any new updates appreciated from all.
Roy says:
Here are some quick fixes to get your website back up if you were hacked:
http://www.kenta.ro/blog/fixing-your-hacked-inmotion-hosting-site/
Sib says:
Overwriting the index file is only a temporary fix, as the htaccess file has been modified. New folders were created and under each folder (the new and existing ones) this hacker’s index file was dropped in. For it to be resolved, I had to clean up the htaccess file (if applicable) and delete the folders and files that were dropped into my web directory.
Leo Blanchette says:
I checked out the htaccess file the first time and didn’t see anything. I’ll see if I overlooked anything.
Leo Blanchette says:
Let me know what they changed. I’m pretty sure mine hasn’t changed at all, but maybe I’m missing something…
gAtOmAlO says:
I agree Leo. InMotion sent me an email 4 hours after the hack 4am. They did a good job. I am a security researcher, I don’t think it was pranksters. 700,000 websites -that’s big to me. As we hear more about targeted spear fishing attacks this looks like a prank, but maybe an intelligence gathering troll. It did’t get all my sites and I see it happened to a lot of us. Questions I like to answer.
I am doing research on the Tiger-M@te Attack that hue all of us. If you have anything to share I would love to collect it and report my findings.
My 2© cents – gatoMalo_at_uscyberlabs_dot_com
http://USCyberLabs.com/blog/
http://cyber.uscyberlabs.com
http://ChinaCyberWarfare.wordpress.com
http://HacktivistBlog.wordpress.com/
Leo Blanchette says:
I’d love to hear if it were anything more than a “prank” level hack. To me it just seemed like an elaborate attention getter. Update this page here if you find anything. I’d love to know!
Pingback: Tiger-M@te Hack Project Notes | US Cyber Labs - Blog
Random Poster says:
I previously worked at Inmotion and can assure you that they are very committed to their customers.
If you’re looking for further information from Inmotion regarding the hack please see the following posting on their forum page:
http://forum.inmotionhosting.com/viewforum.php?f=57
You can also find information on the notice to the customers at the following URL:
http://www.inmotionhosting.com/20110925-systems-announcement.html
Leo Blanchette says:
I have no doubt. They’ve been awesome to me. Great on-phone service too.
Artist Website Hosting says:
This shows the importance of backing up your site and database.