10/25/11

Cyber 911 For the Average Small Business Person | After the Tiger-Mate Hack -Project Notes

Project Notes

Who do you call when your web site is hacked – “cyber 911, may I help you?” The hosting service? No way, they’re too busy fixing the attack and deciding what to say in the press release!

We hear a lot of politicians talk about helping the small businessman. Well, on Sunday 9/25/2011 at about 4am, about 500,000 (half a million) small businesses were hacked. gAtO’s site was hacked too, and we are still waiting to hear about InMotion and its hacked sites being declared a disaster area. gAtO say – we have not heard a word about some cyber political person flying around InMotion and touring the 500k websites that were hacked by Tiger-M@te and his crew(z).

Tiger Mate has been tied to the Google Bangladesh cyber attack; this is a real hacker, not a wannabe like Anonymous and LulzSec. One shot, 500k websites: that’s “The Biggest Hack in the World” that we know of. Could this hack be a practice run for something worse? Could it be intelligence gathering? The raw data of all the sites could be a gold mine for spam. Did the hack page affect anyone with a trojan? This is a great way to deliver a virus: one hosting service, to many content providers, and on to their readers. A one-to-many distribution attack – one hack could potentially deliver hundreds of thousands of zombie computers to a BotMaster. There is some talk the attack also infected the .htaccess file. So far it only infected blogs, not static sites. Is there any Politician out there.. HeLLo …

gAtO has not seen it, but where were the cyber Community Emergency Response Teams (CERT)? This is the kind of government program that is needed in the new age of Cyberspace. How can we create a cyber team to help in situations like this attack?

After I took care of my own site, I started to look around for others that were infected to see if I could help, and I was lucky to run into 2 great sites: The Urban Cowboy and Leo Blanchette’s clipartillustration.com. These two cyber heroes took the fight to the streets and showed leadership. People helping people.

What to do when your site’s been hacked? Some of the lessons learned from the recent Tiger-M@te attack on InMotion are right in front of our face. For the average website/blog content creator, we all have our special thing we do. But as we saw, the provider’s (InMotion’s) blog was down; they had to shut down, save everything for forensics, evaluate and find the hack, then plan a sanitized re-boot and disinfect the hacked sites. The attacker Tiger-M@te set his target on “wordpress”. Why?

It’s a favorite amongst bloggers, and it has a wide installation base: the most bang for your buck (attack)… Who do we call when our sites are down? I’m not sure. I would like to see our government get in and help us small businesses with the problems we have in cyberspace. New jobs for the new world – cyber-Police?

Later,

My 2© cents – gatoMalo_at_uscyberlabs_dot_com

 ———lab Notes

InMotion  Forum about the Hack  –> http://forum.inmotionhosting.com/viewforum.php?f=57

Timeline -InMotion release -see below

http://www.webhostinghub.com/support/website/website-troubleshooting/status-of-september-tiger-mte-attack


http://www.citizencorps.gov/cert/
Community Emergency Response Teams (CERT)

Tiger Mate

The Bangladeshi hacker “Tiger Mate” has been very active and has hacked some high profile websites in the past, such as Bangladesh Airtel and the local American Express website.

We are in good company, check out the also-afflicted. http://zone-h.org/archive/notifier=TiGER-M@TE


Mass compromise at inmotionhosting.com | Sucuri

According to zone-h, they defaced at least 1,000 sites, and a list of the attacked sites can be viewed here: http://zone-h.org/archive/notifier=TiGER-M@TE

*It seems that some of the compromised sites were also at webhostinghub.com (both owned by the same company)
**We are tracking more than 10k sites already defaced.
***Update from their Twitter account (@inmotionhosting, InMotion Hosting): “Security team members have traced this vulnerability to an authentication system and are working to patch this now.”

Comment for Sara @ PoliticalUSA

The largest hack ever made in a single shot !!!!

It was not just a server hack, actually whole data center got hacked.”

700,000 websites hacked in a single shot by TIGER-@MATE

Good Morning, PoliticusUSA; You’ve Been PWNed by TiGER-M@TE!

http://www.politicususa.com/en/politicususa-you’ve-pwned-tiger-mate

Good morning, PoliticusUSA; you’ve been PWNed by “TiGER-M@TE”! “PWN” This is called a “PWN” hack. Yeah, InMotion got PWNed.

I’m writing to you from a secure, non-disclosed location known as GOP Clown Show. Don’t ask, and I won’t tell.

This morning when I opened PoliticusUSA to share my colleagues’ morning stories, an ominous black page replaced my story from last night on Occupy Wall Street. This can’t be good, I thought. Then the page shrank down and began dancing all over my screen.

I chased it around for a few minutes, too sleepy to be alarmed.

Muttering under my breath (to say I am short tempered when it comes to technology is to put it mildly), I cursed the dancing box. I believe I may have called it the devil, but it’s all a blur now. I clicked and clicked and it ran and played.

Finally, I got it: “Server HackeD by TiGER-M@TE”

Ohhhhhhhhh………………

Our host tells us, “InMotion Hosting: Security team members have traced this vulnerability to an authentication system and are working to patch this now.”

Tiger mate hacking Immotion

http://josephtavern.com/?p=63

Apple Support

Sep 25, 2011 6:56 PM

En-route to ASC today I suffered a hack attack by tiger-m@te …I say I suffered the attack, in fact it seems to have been an attack on either google.co.uk or apple.com. There is some insistence that it can’t be the latter.

New to ASC I started a discussion at:  https://discussions.apple.com/thread/3345813?start=0&tstart=0

…advised that it belongs here instead, it not being an attack on ASC (unconfirmed).

It seems that several hundred servers were attacked today and most likely these were XSS-attacks. My initial research leads me to believe that these attacks are based on the exploitation of server-side vulnerabilities rather than malware on the client-side but I’m no expert.

I’ve always assumed that as much as I try to protect my network against hacking and my computers from physical theft, there will always be a risk. For this reason I ensure my data is well protected: I use 1Password for log-in security, Knox for encrypting my documents and data (whilst retaining portability) and Espionage for securing application data. Nevertheless, it concerns me that my system may have been compromised.

Please contribute if you’ve had a similar experience or can offer advice on the extent of the risk involved.

Andrew

Your system was not compromised. This hacker seems to like to hack DNS servers and poorly secured web hosting providers. It is extremely rare for individual users to be hacked by an individual hacker. It has never happened to a Mac user. Nothing to worry about.

@etresoft thanks for your response — it seemed to me when I revisited it, that the redirected page had no apparent functionality and appeared to be more of a calling-card …seemingly aimed at increasing the notoriety of tiger-m@te than at launching any kind of malicious attack on the end-user.

Seeing a browser window shrink, dance around the screen like a sprite and then expand to reveal “hacked” across the screen was a little disconcerting ….and naturally one’s immediate reaction is to quit, trash and cut the connection.

Thanks for your input, hopefully it will reassure others.

InMotion Hosting apologizes, says it “understands” method used by TiGER-M@TE

InMotion, in an email to users, said Sunday that the homepage defacement attack launched by the southeast Asian hacker TiGER-M@TE was not meant to do permanent or catastrophic damage to the hundreds of thousands of websites that were hit.

“We understand the method the attacker used to accomplish this and the main exploit path was through an internal management server that can control Cpanel on other servers. The management server was used to change passwords on the Cpanel servers then login with those passwords,” said Todd Robinson, president of the hosting company.

The defacement attack worked by replacing index files in all public_html directories with the attacker’s own branded index.php. InMotion does not believe that any data was stolen or that any passwords were compromised.

“It does not appear that gaining passwords was a goal or was accomplished, just password changes were used. Access to the management server was gained from an exploited customer’s server that was within our network,” Robinson said. “Though our team moved quickly to disable the internal management server and limit the exposure of the servers to this attack when it began, it was a very serious breach and could have been much worse if the hacker had intended to do more harm.”

This does fit the modus operandi of TiGER-M@TE, who often claims to hack for fun or just to prove that “it can be done.”

Blast Magazine’s network of websites were defaced during the attack on InMotion, as was the official City of Providence website.

InMotion took responsibility for failing to prevent the damage. Some estimates have the attack hitting more than 500,000 websites, making it historic in its proportions if not in its level of damage.

“Please accept our apologies as we go through this process,” Robinson said. “We are very aware of our failure in this situation and we will provide more details when we have completed the work of recovery.”

http://blastmagazine.com/the-magazine/technology/tech-news/computers/inmotion-hosting-apologizes-says-it-understands-method-used-by-tiger-mte/

Timeline -InMotion release 

At around 4am EST, our system administration team identified a website defacement attack affecting a large number of customers.  We are still investigating, but it appears that files named index.php have been defaced.

We are evaluating how this has occurred and our security team will have more information shortly.

While we review this issue, cPanel and SSH access has been disabled on various platforms.  For additional security, we are rotating passwords on a number of accounts.  We will honor requests for password resets as they are needed but are attempting to limit the inconvenience to our customers as we’re able.  FTP is still operational should you wish to access your files at this time and correct any issues you see yourself.  We will be working diligently to make cPanel access available again as soon as possible.

If there is a defacement on your account, please know that our Systems team is working to get your site back online.  If your index.php was modified, they will be restoring it from the most recent backup and no further action is necessary on your part.  At this time, we do not have a definitive timeframe for resolution, but we will update this page as we gather more information.

We do apologize for this issue, let us know as you have further questions, we’ll be glad to answer them as we’re able.  Please understand it will take our security team some time to review this issue before we can have a full explanation available.

11:45 AM EST Update

If you have a backup of your site, you may upload your index.php files to correct this. You may need to do this for each directory. If your site uses an index.html or index.htm, you will need to upload those files, then delete the index.php. You can find more help at How to restore a backup file.

It is possible our automated restore system will also be working on correcting the issue while you are. If you see this happen, just upload again.

If you do not have a backup of your site, it is best to wait until our automated system has completed its attempt at restoring. At this point, we feel that should solve a majority of the defaced sites.

We will be updating this page every hour, please check back here versus calling or chatting. Our team is currently working very hard and we are bringing in additional people, but the volume is greater than our Sunday staff is able to handle quickly at this time.

1 PM EST Update

Systems has been successful in restoring a portion of the affected sites. They are refining their repair method now and should be able to begin deploying the update to additional sites shortly. Please bear with us for another 1 hour when we feel we will have more information to share.

4:00pm EST Update

Our systems team is still working on the automated repairing. We have restored over 65% of the affected sites at this time and are continuing to do so via an automated process and with our technical support team.

For people who are fixing their sites themselves, we have a few additional suggestions. First, be sure to check all directories, the hacker targeted all directories within the public_html.

If you are not sure how to do this, once our systems team has completed their automated restores of home pages and general review of the changes we have made, they will be running an additional cleanup process that will look in directories for the hacked files. If the hacked files are found, they will be saved to hacked_page in the same directory.

Second, we have additional advice if you do not have a backup on your computer of your index.html and you are now seeing a directory listing instead of your site when you visit your URL. This means our automated restore system could not find a suitable file to restore to your account. Please go here, Site Backup Restore Options, for a few options to deal with this.

Most users should not see defacement on their site. If you do, it may be cached in your browser. Please refresh your browser by restarting it or by pushing CTRL-F5 (usually works, restart is best though). If you still see defacement, please do contact us via support@webhostinghub.com immediately for priority handling.

If you are seeing an empty directory, our system has not been able to locate your index files yet. If you have a backup of your index files, please upload them via ftp now (index.php, index.html, index.htm, etc.)

For those who do not have the files or who are unable to upload, our team is working on an automated solution now. Please see this link, Site Backup Restore Options, for a solution that may work for you.

Currently, Cpanel is disabled on all platforms as we evaluate the situation and apply patches to the security problems that allowed this to occur.  We should be able to enable access later today after running our final checks.   FTP access is still available though.

Best Regards,
The Web Hosting Hub Team

09/28/11

Tiger-M@te Hack Project Notes

gAtOmAlO – My site got hacked… Tiger-M@te — ahhhhh… race for the litter box and hide….. – Further investigation follows. Good job (2 of my cyber heroes): The Urban Cowboy and clipartillustration.com helped a lot of people who were hacked. This is the new “Cyber Militia”: they are helping one another, and web owners everywhere got together on these 2 sites. These net-citizens answered comments from people who got their sites hacked and helped many. This was a stupid hack. I hear 700,000 websites, and 200,000 websites. It does not matter how many sites it affected; there has to be a reason why. What was important about this hack? A splash page, “wooppy”; some people let the hack page download and heard an MP3 song. Bad choice in my opinion—run antivirus “pronto”. I saved the hacker’s code and plan to reverse-engineer it and see what the code really did. Could this be intelligence gathering, or someone who only wanted fame? With the fame comes money, offers to hack someone else. This may be only a show-off, but “what if”.

Tiger-M@te self portrait -a HakkEr

Why InMotion? They are a hosting service for lots of little guys like me. I don’t keep valuable information on my site, but others may. The attack seems to only go after dynamic sites (e.g. WordPress). Lots of people with static sites said no damage. To get to this level I have to assume “root” was compromised. Also, a simple “ls -AcFlR > info_inmotion.txt” would grab every filename and directory in the system – add to that 200,000 other websites. That’s a lot of intelligence. How much would the raw data be worth?

As we settle back to normal and relax, I hope to hear from InMotion about this hack. I said it before: I think they did a good job and dealt with it as best they could. Below are some of my notes and some of the comments from the people that got hacked. They are interesting to me anyway, and I am compiling the information for this ongoing report of the Tiger-M@te-attack Project. I hope to keep you informed as I continue my search about this hack and hacker. We at uscyberlabs think that there’s more than meets the eye about this simple deface hack.. ———gAtO-oUt

lesson learned – do a backup of your site—NOW!!!!!

Reference:

ClipArtIllustration – Inmotion Hosting Hacked by Tiger-M@te. Users Greeted by Lame Looking “Hacked” Page. http://www.clipartillustration.com/38552/inmotion-hosting-hacked-tiger-mte-users-greeted-lame-hacked-page/#comment-14463

The Urban Cowboy – My Server Was Hacked by Tiger-M@te http://theurbancowboy.net/2011/my-server-was-hacked-by-tiger-mte/

In the comments about the attack I see that lots of people did backups of their sites – after the attack. So, lesson learned.

Notes about – InMotion Hack


make sure you go to your admin panel and re-install your blog software…like wordpress, or whatever you use. They have hacked ALL the index files.

Also, look in all your folders for NEW index files that he may have added.

Jenny, once I replaced mine it reverted again. I had to replace it a second time. Maybe the battle is still going or they are just trying to restore properly.

Sib says:

Overwriting the index file is only a temporary fix, as the htaccess file has been modified. New folders were created and under each folder (the new and existing ones) this hacker’s index file was dropped in. For it to be resolved, I had to clean up the htaccess file (if applicable) and delete the folders and files that were dropped into my web directory.

This is the second time InMotion has been hacked in this way. It also happened last year around this time by some Turkish Hacker.

Inmotion Hosting Hacked by Tiger-M@te. Users Greeted by Lame Looking “Hacked” Page.

http://www.clipartillustration.com/38552/inmotion-hosting-hacked-tiger-mte-users-greeted-lame-hacked-page/#comment-14463

This snippet explains a bit about the tiger-m@te inmotion hack which defaced thousands of people’s websites. Leave comments below.

To see how to fix this problem if you were affected, >click here<.

What happened?

Some hacker(s) decided to take on one of the world’s largest hosting companies, inmotion, and replace everyone’s index.php file with a cute little 1990’s style “Server Hacked!” splash page. It plays a rap song (given you’re dumb enough to stay on the page long enough for it to automatically download…which I was).

If inmotion gets hacked and 700,000 websites with it (including this humble one I make a living on), that should say plenty about the internet, no? It’s not easy to hack someone like inmotion. I love inmotion by the way. It just shows nobody is immune to getting hijacked in the pirate-infested waters we call the internet.

That being the case, what if a site like facebook gets hacked? Facebook deals purely in information – your information – so no doubt that would cripple society’s identity as a whole. I guess the internet is only as trustworthy as the hackers that run it.

The fix:

It’s an easy fix. Just replace your index.php file with your back-up version. Multiple directories were affected, so if you use WordPress, check out folders wp-admin, wp-content, and wp-includes. Replace them with their respective index files from the default install. Also, inmotion hosting is running an automated repair on websites that have done backups in the past, so you may never have to touch it.
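The fix above (restore every index.php from backup, check wp-admin, wp-content and wp-includes), InMotion’s note that hacked files were parked as hacked_page, and Sib’s warning that .htaccess was modified can be turned into a read-only triage pass before anything is restored. This is an added example, not code from any of the sites quoted here; it builds a constructed WordPress-like web root and backup in a temp dir, the marker it searches for is the splash-page text quoted on this page, and the damage it applies to the sample is an assumption modelled on the commenters’ descriptions.

```shell
#!/bin/sh
# Read-only triage of a web root for the defacement indicators described on this page:
#   - index.php files that differ from, or are absent in, a known-good backup
#   - any file carrying the "Server HackeD by TiGER-M@TE" text of the splash page
#   - files named hacked_page, where the hoster's cleanup parked hacked copies
#   - an .htaccess that differs from backup (a redirect there survives an index.php restore)
# Nothing is deleted; restoring from backup stays a deliberate, separate step.

MARKER='Server HackeD by TiGER-M@TE'   # quoted on the page; matched case-insensitively

# scan_webroot WEBROOT BACKUP  ->  one finding per line:  TAG<TAB>relative/path
scan_webroot() {
    webroot=$1
    backup=$2

    # 1. every index.php under the web root, compared with the backup copy at the same path
    find "$webroot" -type f -name 'index.php' | sort | while IFS= read -r f; do
        rel=${f#"$webroot"/}
        if [ ! -f "$backup/$rel" ]; then
            printf 'UNEXPECTED\t%s\n' "$rel"      # index.php where the backup had none
        elif ! cmp -s "$f" "$backup/$rel"; then
            printf 'MODIFIED\t%s\n' "$rel"        # index.php overwritten
        fi
    done

    # 2. any file, whatever its name, containing the splash-page text
    grep -rliF -- "$MARKER" "$webroot" 2>/dev/null | sort | while IFS= read -r f; do
        printf 'MARKER\t%s\n' "${f#"$webroot"/}"
    done

    # 3. hacked_page files left behind by the hoster's cleanup pass
    find "$webroot" -type f -name 'hacked_page' | sort | while IFS= read -r f; do
        printf 'HACKED_PAGE\t%s\n' "${f#"$webroot"/}"
    done

    # 4. .htaccess files that are new or differ from the backup
    find "$webroot" -type f -name '.htaccess' | sort | while IFS= read -r f; do
        rel=${f#"$webroot"/}
        if [ ! -f "$backup/$rel" ] || ! cmp -s "$f" "$backup/$rel"; then
            printf 'HTACCESS\t%s\n' "$rel"
        fi
    done
}

# build_sample -> constructed (not real) WordPress-like backup and post-incident web root;
# prints the temp dir that holds both
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/backup/wp-admin" "$d/backup/wp-content/uploads"
    printf '<?php require "wp-blog-header.php";\n'  > "$d/backup/index.php"
    printf '<?php /* WordPress admin */\n'           > "$d/backup/wp-admin/index.php"
    printf '<?php // Silence is golden.\n'           > "$d/backup/wp-content/index.php"
    printf 'RewriteEngine On\n'                       > "$d/backup/.htaccess"

    # live web root: start from the backup, then apply the damage the commenters describe
    cp -R "$d/backup" "$d/public_html"
    page="<html><body>$MARKER</body></html>"
    printf '%s\n' "$page" > "$d/public_html/index.php"                       # front page overwritten
    printf '%s\n' "$page" > "$d/public_html/wp-content/uploads/index.php"    # added where none existed
    printf '%s\n' "$page" > "$d/public_html/wp-admin/hacked_page"            # parked by cleanup
    printf 'RewriteRule ^(.*)$ /index.php [L]\n' >> "$d/public_html/.htaccess"  # redirect appended
    printf '%s\n' "$d"
}

SAMPLE=$(build_sample)
scan_webroot "$SAMPLE/public_html" "$SAMPLE/backup"
rm -rf "$SAMPLE"
```

A defaced index.php shows up twice (MODIFIED and MARKER), which is intended: the byte comparison catches files the marker search would miss if the splash text changes.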

I’ve been hacked as well. But I’m on WebHostingHub, not Inmotion.

Mine was hacked in InMotion hosting. Time stamp is 4:15AM eastern time. This guy did an interview as shown in http://thehackernews.com/2011/01/exclusive-interview-with-tiger-mte.html

Sib

September 27, 2011 at 2:03 am

Replacing the defaced home page is only a short-term fix. It is an .htaccess redirect. The htaccess file needs to be cleaned up.

The Urban Cowboy

September 27, 2011 at 5:22 am

Hey Sib, I checked my htaccess files, and didn’t find anything out of the ordinary.

Sib

September 27, 2011 at 10:06 am

My htaccess file had been extensively modified. Quite frankly, I didn’t quite understand the coding (I am not a programmer), but I knew what the htaccess was like before (had previously been hit by a virus and got quite familiar with it at that time – and I kept a back-up copy of the previous htaccess file, as I would recommend ANYONE to do – as the htaccess file is most vulnerable and most often targeted). Anyhow, it looked like a php redirect. I restored the previous htaccess file and hope this is the end of it. Sibylle.

But what happened? And are we safe now?

The Urban Cowboy

September 25, 2011 at 9:59 am

I think InMotion had a security hole, they will have to determine how they were hacked and fix accordingly.

The Urban Cowboy

September 25, 2011 at 10:07 am

InMotion Hosting has released this announcement:

Systems Announcement

Alison Charm

September 25, 2011 at 12:27 pm

Thank you for posting this. I’m unable to access my index files, so I really appreciate your diligent updates about this.

Thank you again,
Alison

The Urban Cowboy

September 25, 2011 at 12:37 pm

Glad to see you are up.

merl

September 25, 2011 at 10:12 am

All or most are Apache on a Linux platform.

Jacquie

September 25, 2011 at 10:40 am

Thanks for posting this info. I use a Mac and was using Firefox, browsing in Google, when it came across.

I don’t have a website so I am okay?
Thanks –

The Urban Cowboy

September 25, 2011 at 10:42 am

Yep, you are okay. It was the website you visited that was hacked, not your computer. There was also no virus attached.

Brenda

September 25, 2011 at 10:54 am

Just checking email and this swirling black window came up…. so I should be ok? I closed it right out.

Greg

September 25, 2011 at 11:55 am

Yes, I had three sites hacked last night. Two were WordPress sites and the third was a phpBB site. Strangely, none of my static sites were touched. I too host at InMotion hosting. They have some explaining to do.

All my sites are back up. The only reason I even knew how to fix the issue was because of your post. I have received no communication from inmotion.

The Urban Cowboy

September 25, 2011 at 12:01 pm

Glad to hear you are back up, Greg!

OneMom

September 25, 2011 at 12:24 pm

Shoot. Deleting the file called “hacked page” brought my websites back up, but when I try to get into my wordpress-admin, I am still getting the hacked page. Suggestions?

The Urban Cowboy

September 25, 2011 at 12:30 pm

That is because he corrupted all our folders with his hack. You have another hacked file in your admin folder. Go there the same way you fixed your site, you should find another file to delete or replace.

db

September 25, 2011 at 12:47 pm

He got my zen cart site as well. Hub/InMotion chat responded immediately even though it said offline. They say they will send a report out. http://www.inmotionhosting.com/20110925-systems-announcement.html should also have another update within the hour.

Rachel

September 25, 2011 at 4:10 pm

Help! I don’t have a website, I’m just a plain old Mac OSX user. I visited some website last night and all of the sudden my browser window shrunk down, bounced around, and the ‘Tiger M@te’ site popped up. How do I get rid of this? Again, I don’t run a website or anything. This is happening just when I go to a standard website like google or facebook…

The Urban Cowboy

September 25, 2011 at 4:34 pm

I really don’t know…you actually may have a virus. Do you have a virus scanner?

tom

September 25, 2011 at 4:28 pm

Same, with IMH. Site root file was ok, just every */administration/index.php file was modified or inserted on the HTML sites I have. Can’t blame IMH, they’ve been the best hosting for me to date, but stuff happens.

My sincerest thanks to The Urban Cowboy for coming up high on Google for this problem! You rock dude!!!!!!!

The Urban Cowboy

September 25, 2011 at 4:41 pm

Glad to hear your site is back among the living.

This type of thing really is horrible. I’ve come across other sites where they are basically kissing his a@@, exclaiming how HE ‘rocks’ for corrupting our servers.

But what about US…the people who rely on our sites for so much? If you ask me, this cat is nothing more than a little kid looking for attention. It’s too bad, with his knowledge he could actually be doing good by helping people instead of hurting them.

Tommy Callaway

September 25, 2011 at 5:02 pm

I have multiple sites hosted on inMotion, on the same account, on the same server… but only one of them was harmed. Strange. It was also only the ‘admin’ portion of the site.

Either way, found the hacked file, deleted it, and re-uploaded my index.php.

I’m also downloading a full backup of the site, and doing a full search for any more of that tiger bullcrap. I’ll let you know if there are any other files affected..

The Urban Cowboy

September 25, 2011 at 5:09 pm

Good to hear you are doing a back up. As far as I know, only the index.php files have been infected, but there could be more than one. I found numerous index.php files that either were infected or did not belong.

Tommy Callaway

September 25, 2011 at 5:22 pm

You were right. There were multiple instances of index.php’s added, regardless of whether there was a pre-existing one. It looks like its target was public_html/, and it opened every folder within that, and either added hacked_page, or added/replaced index.php (12,500b file size), or both.

Unlucky for him, I’m a web developer and create backups like I have OCD. The purpose of today’s backup was 1. to do a mass search for “hacked”, and 2. if inmotionhosting blows up my crap, I will have a recent file set.

The Urban Cowboy

September 25, 2011 at 5:31 pm

Good thing you backed up your site. That was the first thing I did after getting back online. You never know what our hosting provider will do now.

TiGER-M@TE is the same hacker who successfully defaced the Google Bangladesh website. We interviewed TiGER-M@TE, who claimed to be hacking since 2007, working alone, and only using private exploits and zero-day attacks.

The hack saw the homepage replaced by the words “Server HackeD by TIGER-M@TE” alongside the hash tag “#Bangladeshi HackeR” and the text “Greetz: aBu.HaLiL501; w7sh.Syria; Sy-Hacker; NmR.Hacker; Wa7sh Hacker; h311 c0d3”. This was accompanied by an email address along with a banner reading “Underground Hackers 2007-2011”.


Emai 221 2 days ago

respect Bangladesh FTW! w0ot! 1&1 is next. Rest of you ned to stfu, no one come ur lame sites anyways…
