InMotion, in an email to users, said Sunday that the homepage defacement attack launched by the southeast Asian hacker TiGER-M@TE was not meant to do permanent or catastrophic damage to the hundreds of thousands of websites that were hit.
“We understand the method the attacker used to accomplish this and the main exploit path was through an internal management server that can control cPanel on other servers. The management server was used to change passwords on the cPanel servers then log in with those passwords,” said Todd Robinson, president of the hosting company.
The defacement attack worked by replacing index files in all public_html directories with the attacker’s own branded index.php. InMotion does not believe that any data was stolen or that any passwords were compromised.
“It does not appear that gaining passwords was a goal or was accomplished, just password changes were used. Access to the management server was gained from an exploited customer’s server that was within our network,” Robinson said. “Though our team moved quickly to disable the internal management server and limit the exposure of the servers to this attack when it began, it was a very serious breach and could have been much worse if the hacker had intended to do more harm.”
This does fit the modus operandi of TiGER-M@TE, who often claims to hack for fun or just to prove that “it can be done.”
Blast Magazine’s network of websites was defaced during the attack on InMotion, as was the official City of Providence website.
InMotion took responsibility for failing to prevent the damage. Some estimates have the attack hitting more than 500,000 websites, making it historic in its proportions if not in its level of damage.
“Please accept our apologies as we go through this process,” Robinson said. “We are very aware of our failure in this situation and we will provide more details when we have completed the work of recovery.”