Hacker replaces index files
By Lucian Constantin, posted in The Inquirer
A BANGLADESHI HACKER has managed to break into the computer infrastructure of a company called Inmotion Hosting and deface hundreds of thousands of web sites hosted on its servers.
According to the US web hosting provider, its administrators noticed an attack in progress at around 4am EST on 25 September and immediately moved to block it.
The hacker, who calls himself TiGER-M@TE and previously defaced Google Bangladesh, tried to replace the index.php of all Inmotion-hosted web sites to which he gained access.
It’s not clear how many he managed to deface before being locked out of the system, but his submission to the Zone-H defacement archive resulted in the web site’s server crashing.
Nevertheless, over one hundred thousand requests went through, with his Zone-H profile now listing 167,054 new defacements. A separate text file uploaded by the hacker online contains over 730,000 domain names corresponding to web sites hosted at Inmotion Hosting.
Defaced web sites displayed an image reading “HACKED”, the hacker’s name and the usual “greetz” hackers leave during such attacks. But TiGER-M@TE didn’t just replace the index.php file in every home directory. He did it for all sub-directories as well, making manual cleanup much harder for webmasters.
Fortunately, the company developed an automated system to restore the original files from backups, a process that lasted until late in the day. At 11pm Inmotion reported that it had repaired most of its customers’ web sites.
“The majority of the automated repairs for shared have taken place at this time. We will continue to do repairs as possible tonight and tomorrow. If your site is showing a directory listing instead of your site, you will need to upload a replacement,” the company said in an update on its web site.
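As an added illustration (not Inmotion's restore system and not code from the original article), the sketch below shows why the sub-directory replacement matters for cleanup: every index.php in the tree has to be compared against its backup copy, and files with no backup counterpart need a manual replacement. The function names, directory layout and sample contents are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256(path):
    """Hash one file; index files are small enough to read whole."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_indexes(root, name="index.php"):
    """Return relative paths of every `name` under root, sub-directories included."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found

def audit(live_root, backup_root, name="index.php"):
    """Sort index files into: restore (differs from backup), ok (matches),
    no_backup (live file with no backup copy, needs a manual replacement),
    missing (in backup only, so the directory would show a listing)."""
    live, backup = find_indexes(live_root, name), find_indexes(backup_root, name)
    report = {"restore": [], "ok": [], "no_backup": sorted(live - backup),
              "missing": sorted(backup - live)}
    for rel in sorted(live & backup):
        same = sha256(os.path.join(live_root, rel)) == sha256(os.path.join(backup_root, rel))
        report["ok" if same else "restore"].append(rel)
    return report

def demo():
    """Constructed sample tree: one home directory with nested sub-directories."""
    tmp = tempfile.mkdtemp()
    files = {  # relative path -> (backup content, live content); None = absent
        "index.php": (b"<?php home();", b"HACKED"),
        "blog/index.php": (b"<?php blog();", b"HACKED"),
        "shop/index.php": (b"<?php shop();", b"<?php shop();"),
        "new/index.php": (None, b"HACKED"),
        "old/index.php": (b"<?php old();", None),
    }
    for rel, contents in files.items():
        for root, data in zip(("backup", "live"), contents):
            if data is not None:
                path = os.path.join(tmp, root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
    return audit(os.path.join(tmp, "live"), os.path.join(tmp, "backup"))

if __name__ == "__main__":
    print(demo())
```

A hash mismatch only shows that the live file differs from the backup; a legitimate edit made after the backup was taken looks the same, so the restore list should be reviewed against the backup's date.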
It’s not exactly clear how TiGER-M@TE broke in, but Inmotion’s security team suspects a vulnerability in an authentication system. Customer access to cPanel, a popular web site configuration and management application, was disabled by Inmotion soon after it detected the attack.