InMotion Hosting Hacked


Servers of InMotion Hosting have been hacked. The home page of InMotion Hosting is showing a “Hacked” page, though some of the internal website pages are working fine.

Update 25-Sept, 4.45 AM CST: I was able to get in touch with the support team of InMotion Hosting, and got this info:

there appears to be a mass server hack that has replaced the index file in the public_html of several accounts, we are working to do a full server restore on all servers to get that back up and running, unfortunately as there is an investigation going on now my details given to me are limited

Update 25-Sept, 5.02 AM CST: Many customers of InMotion Hosting have mentioned in comments below that it is easy to get your hacked website back up. If you have some old Index.php file, just copy that to the existing Index.php, and your website will probably be back up. This is because hackers seem to have replaced Index.php files on many accounts (InMotion support team also confirmed that above). I am trying this right now.

Update 25-Sept, 5.15 AM CST: Home Page of InMotion Hosting has been restored. Still no word from management on when they will restore the affected customer websites, or how this large-scale hack happened.

Update 25-Sept, 12:30 PM CST:

1. In case your site did not have Index.php, but had Index.htm or Index.html, then you’ll need to restore those files and delete Index.php.

2. InMotion has confirmed that no customer information was compromised.
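The index-file check described in the updates above, as an added example (not code from InMotion or from the original post): it compares every index file in a live site tree against a known-good backup and reports which were replaced, which are new, and which are missing. The directory names and file contents are constructed sample data.

```python
import hashlib
import os
import tempfile

INDEX_NAMES = {"index.php", "index.htm", "index.html"}


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def index_files(root):
    """Map relative path -> SHA-256 for every index file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = sha256_of(full)
    return found


def audit(live_root, backup_root):
    """Compare live index files against a known-good backup copy."""
    live, good = index_files(live_root), index_files(backup_root)
    return {
        # Same path in both trees, different content: restore from backup.
        "replaced": sorted(p for p in live if p in good and live[p] != good[p]),
        # Index file the backup never had (e.g. index.php beside index.htm): delete.
        "unexpected": sorted(p for p in live if p not in good),
        # Index file present in the backup but gone from the live tree: restore.
        "missing": sorted(p for p in good if p not in live),
    }


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed backup/live pair in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        live = os.path.join(tmp, "public_html")
        originals = {
            "index.php": "<?php // original home page",
            "wp-admin/index.php": "<?php // original admin index",
            "static/index.html": "<html>original static page</html>",
            "docs/index.html": "<html>untouched docs page</html>",
        }
        for rel, text in originals.items():
            _write(backup, rel, text)
        defaced = "<html>constructed defacement page</html>"
        _write(live, "index.php", defaced)            # overwritten
        _write(live, "wp-admin/index.php", defaced)   # overwritten
        _write(live, "static/index.php", defaced)     # added; index.html is gone
        _write(live, "docs/index.html", originals["docs/index.html"])
        return audit(live, backup)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A clean report here covers index files only; it says nothing about other files on the account.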

Here is the screenshot of the hacked page:

Inmotion Hacked

I have a couple of websites with InMotion Hosting, and they are also showing the same “Hacked” page.

There is no official word yet from InMotion Hosting on the extent of the hack, and the time it will take for websites to get back up.

What worries me most is that hackers might steal the credit card info that InMotion Hosting would have stored. Also, I am really hoping that InMotion Hosting is able to get my websites back up, with all the data, and I don’t end up losing everything.

If you have more info about this, do post in comments. I will update this post when I hear something.


How to restore cached picture "site hacked" from Google tools and Google site preview?

My site was showing the hacked picture too. But now it was automatically restored and worked fine.

Non-technical savvy users are easily fooled by web hosting companies who falsely explain how far a total compromise could go. Security-minded guys will give you the following conclusions.

1 - InMotion said the goal of this mass hack is just to do defacement.
These hosting guys never know hackers have installed rootkits and backdoors for future access. They think that it's safe and simple as restoring clients' web sites from backups.
Once a box is hacked at the root level, it can't be trusted any more.

2 - Hackers could have compromised the inMotion several weeks/months before. Finally, they've been aware that the exploit they use has been discovered/known by other same-minded hackers. They do mass defacement to notify inMotion guys to patch this hole.

We've seen mass hacking these days are not just for fun and fame. They have been used for generating revenue in black markets. Now, some clients are ready to move to other hostings. Others are just staying at inMotion and hoping for this mass hack not to happen again. Rest assured, this hack will not come back as hackers may now have future access at their will using backdoors that utilize stealthy covert channels to remotely do malicious stuffs.

Stay Secure.

wait - wait ...
patient's base ....?

I've got mixed feelings about this hack. On the one hand, I like InMotion's support & responsiveness. On the other hand, this is the third hack that's affected my website and the 2nd in a row that I've had to fix myself.

IMH has been pushing me a bit to upgrade to VPS but this issue and the long impact to dedicated and vps customers there has me totally reconsidering their service and looking at competitors. :(

Hi 1WineDude,

I can totally see your point of view, as well as many other people.

By no means am I trying to make any excuses, this recent TiGER-M@TE hack hit us hard and was our fault.

Other users have been hacked in the past, and seem to think this is the same issue happening again and again, which it is not. This is the first time that this is an attack directly at our entire company, and actually got our own website as well. Many other hacks we've seen are targeted at individuals with security holes in their software on their account or out dated software running on their local computer.

For example, we've seen issues in the past with users who were hacked via FTP. We can see it in the FTP logs where a hacker simply logged in and uploaded new files to the user's account. From much research, it appears that vulnerabilities in software on your computer can help hackers gain your credentials. For example, if you've ever connected to your account via FTP and clicked the option to save your password so you don't have to type it in again, that username and password is stored somewhere on your computer. Vulnerabilities in programs made by companies such as Adobe can be exploited to get access to those usernames and passwords. If you use Firefox, I'm sure you've noticed that when you upgrade it tells you that your version of Adobe Reader is out of date. Why would Firefox make it such a big deal to tell you only about your out of date Adobe Software? Security Reasons.

Again, I'm not trying to make excuses, I hope that users understand that this hack is the first of its nature within our servers. This has hit us hard, but we are learning immensely from it and it will only help to make our company better.

I'm more than happy to help if anyone has any questions or further issues with defacements on their site. You can get in touch with me at the inmotion hosting forums - http://forum.inmotionhosting.com/viewforum.php?f=57

Thanks,
- Brad

All my inmotion hosted websites are hacked… I am eager to know the attack and how it was possible….

Hi @hosting,

This is Brad with InMotion Hosting.

If you need further assistance with fixing any defaced sites on your account, please touch base with me here - http://forum.inmotionhosting.com/viewforum.php?f=57 - and I'll be more than happy to assist.

You can find a message from our Company President as well here - http://forum.inmotionhosting.com/viewtopic.php?f=57&t=37821

We're here to help, we're more than happy to.

Thanks,
- Brad

lol word on the street is that he compromised 700,000 sites, yay im so happy to be part of this :P NOT

"I hack 700000 websites in one shot, this may be a new world Record. After submitting 200,000 domains,zone-h was going down again and again and became almost unresponsive in the end.so i was unable to submit all websites.so i've listed all domains in attachment. It was not just a server hack, actually whole data center got hacked."

Again we are all very lucky the hacker was naive really, and didn't use it for nefarious purposes. But, saying that how do you know? I am restoring backups previous to the hack, and lose a days worth of data changes instead. You can't be 100% sure other things were planted in there, if you don't do this.

there you go, not to say i told you so.....

official word from inmotion for dedicated server peeps

"As you may be aware, our network, and potentially your server, was the
target of a large scale website defacing attack this morning, Sunday,
the 25th. The defacement worked by replacing index files in all
public_html directories with the attacker's index.php. At this time, it
does not appear to be any more malicious than taking over the web site's
home page, but we are still reviewing servers at this time.

We understand the method the attacker used to accomplish this and the
main exploit path was through an internal management server that can
control Cpanel on other servers. The management server was used to
change passwords on the Cpanel servers then login with those passwords.

It does not appear that gaining passwords was a goal or was
accomplished, just password changes were used. Access to the management
server was gained from an exploited customer's server that was within
our network.

Though our team moved quickly to disable the internal management server
and limit the exposure of the servers to this attack when it began, it
was a very serious breach and could have been much worse if the hacker
had intended to do more harm.

At this time, we want to be sure you are aware of the attack and your
server's potential exposure. Please review your sites if you have
not already done so. If you were affected and you need assistance
recovering the home page or other directory indexes, please contact us.

Further, if you feel your server has been targeted more in-depth than
the index.php defacement, please contact us immediately and we will do
an additional scan on your server.

Though it does not appear gaining passwords was an intent of this
attack, it is recommended that you update all of your passwords related
to your server.

Please note, our billing, domain management, and customer tracking
system (AMP) was not targeted, nor was available to the Cpanel
management server. It is on a separate network and firewall.

Please accept our apologies as we go through this process. We are very
aware of our failure in this situation and we will provide more details
when we have completed the work of recovery.

Again, please review your server and sites if you have not done so
already. Reach out to us immediately if you suspect a more in-depth
attack on your server. "

@AuzzieBloke: That's a major security hole right there. If they had such a server in place that could target all other servers, it should have been super secure. I hope InMotion learns a lot from this. Personally, after reading this comment, I am seriously thinking about moving elsewhere.

I have to agree there, almost all my support issues with Inmotion over the years has been the hamfisted way they handle root passwords. I've had them changed / reset without notice (and not to the one I specified either). Where are you going? I'm giving steadfast a look.

@Alex, glad someone is impressed. Coming on 15 hours now, and dedicated server customers still do not have access to their servers (both of mine included). For enterprise level service, this is completely unacceptable; Inmotion has basically told me to go elsewhere with my business by prioritizing $5.95 accounts over $315 servers.

Chern, This is my main beef also :) Still locked out of 3 dedicated servers. I spend 750 dollars a month with them ;) I’m in the process of moving… read my post up further up in response to chris for some more info on why I’m moving for the dedicated peeps that are interested….

Just want to point out... it's not one $5.95 customer vs your $315. There are potentially 1000's of customers on a single shared server, making that machine quite valuable indeed.

I am really impressed with the way InMotion has been handling this whole mess. Tweeting updates, sending out emails, and even having someone comment on this thread! Impressive.

I'm not leaving because of a hacker, though I do hope they can find some way to assure us this won't happen again.

I found one site that said to delete your wp-includes and wp-admin directories and replace those with the fresh WP ones…

So I got the wp-includes deleted and replaced via FTP but it won’t let me upload the wp-admin folder?…

I get critical error when trying to upload it…

Can I just re-install WP thru cPanel without it affecting anything?...

Any ideas?…

I didn't realize IMH was the same outfit as webhostinghub... http://www.webhostinghub.com/support/news/general/20110925-systems-announcement

Here's the infected Index.php if you like to see it. Don't worry, it won't bite anymore :)

http://dreamdare.org/blog/how-to-fix-inmotion-hosting-hack-tiger-mate/

I overwrote the index.php file as a knee jerk reaction and never looked at the hacked index. Were there any clues in the code?

Hello Everyone,

This is Brad with InMotion Hosting. I'd like to first apologize for the issues at hand. We can honestly say we know how you feel in this situation, and we're doing everything we can to resolve the issue. Because of the nature of the hack, it appears only index files were targeted, so if you have a backup of your own site, only the index file should need to be updated. No sensitive customer information has been compromised.

If you haven't read it yet, official updates on the issue can be found here: http://www.inmotionhosting.com/status

Thanks,
- Brad

@Brad: Thanks for dropping by. I really hope all the sites are back up soon, and this is the last of the hacking we have seen at InMotion (my sites have been hacked earlier also with you).

Not posted on the website but in email is "Security team members have traced this vulnerability to an authentication system and are working to patch this now. While we review this issue, cPanel and SSH access has been disabled on various platforms".

Also, I replaced a couple index files so my site runs normally but I didn't go into subdirs. IMH has not yet touched my account with their own repair and there is still defaced index present. Perhaps my account won't be repaired? I have local backups but was hoping to see IMH take care of things...

Hi Jay,

The last I heard, our Systems team was at about 65% complete, and that was ~1.5 hours ago. Hopefully we'll be at 100% very soon. Be sure to clear your browser's cache when testing your site, as I have already seen that help someone. Also, stay in touch with the inmotionhosting.com/status page, as that has been updated several times throughout the day already.

Thanks,
- Brad

You can EASILY fix this via FTP. In WordPress, you will need to replace 3 index.php files since it looks like they got them all. The one in the main public_html folder, the one in the wp-content folder, and the one in the wp-admin folder. If you don't have these files saved on your computer, head on over to wordpress.org and download the latest version. Then just copy those index.php files over to your site via FTP. I just had my 30 sites hosted at InMotion fixed within 5 minutes. I'm sure InMotion is swamped with calls right now so take it into your own hands and stop bothering them... they are working on it obviously.

Please see http://www.inmotionhosting.com/status for a current update regarding this matter.

Here are some quick fixes if your site was hacked:

http://www.kenta.ro/blog/fixing-your-hacked-inmotion-hosting-site/

Any help for a web novice? I'm getting married next Saturday and have the wedding website on InMotion. I am not savvy enough to replace my index.php file (and do not know if there is a backed-up copy anywhere). The person who set the website up for me (as a favor) is away for a few days. Any thoughts are appreciated.

Have a dedicated server with InMotion, replaced index.php's in all folders which worked for now. Luckily we are still a few weeks away from launching this new site with our customers.

If the server was hacked at the root level and I change the password, how does the hacker gain access to the new password?

Yes constant busy tone and not able to reach anyone with chat. This is disgraceful. I have been with inmotion for 6 years.

Anyone know a better hosting provider...? Also I have been dependent on Inmotion's daily backup which has never been a problem but I'm sure it will take them a while to be able to implement that. :( any ideas?

I run my Wordpress site (http://www.WiltonBlake.com) on the Genesis Network.

My Wordpress phps were changed, but my Genesis phps were unaffected, thanks to the rock solid security of Genesis.

If you are interested in Genesis for added security follow this link (it is an affiliate link, and I advertise my affiliation at the end of every blog post, I'm that happy with Genesis): http://www.shareasale.com/r.cfm?B=242694&U=547985&M=28169

we were on hold for a long time and then disconnected. UGH.

I tried to call them several times but I couldn't.
An engineer friend of mine told me that I'd better take NO action until they take SOME action to resolve this fundamentally and with a guarantee.

I tried to change the password of the WHM through AMP and though it allows me to change it, it doesn't let me in.

At first I was worried that just one of my websites got hacked and then I looked at all the websites that I host and manage and they were all hacked. Good thing I found this site and this discussion so I feel much better.

I was hacked too... I replaced the index.php (There are five of them, some can be deleted, while the others need to be replaced), reinstalled wordpress, and am doing a full DB backup, backing up images.

check them out on http://twitter.com/#!/InMotionHosting they have some more news on there.
it seems our cc info and shits are safe ...

My site was hacked and manually switching all the index.php files seems to have worked. I run WordPress, so I reinstalled wordpress as well. It seems to have caught everything. Now I'm backing up everything again to make sure I have a fresh copy in case something else comes up.

As for InMotion, you'll be waiting forever because this attack has them all scrambling. The lines are busy, and you can't even "chat live" anymore. Hopefully they'll at least email us soon about what they're doing.

I got mine fixed. It really seemed to be only the index.php files in every directory up to one level deep. Let's see what we learned from this ;)

You guys are just being melodramatic. You sound like a bunch of soccer moms for god's sake. Stop blaming Inmotion for something that wasn't their fault, the hacker was good at his work and he got the job done. My hat is off to him. I'm in the same boat as you and I'm backing up my sites + clients as we speak but calling the company and moaning won't fix anything. Let these guys work and stop calling and taking their time. Your sites will be up.

For those of you running WordPress, Do a manual re-install of your core files, export all your contents and database, and change your passwords. Then wait for the official explanation from Inmotion to see how screwed we are. Don't forget to wear your tinfoil hat either. :P

haha Chris that's one of the worst comments I've seen so far. it is 100% inmotion hosting's fault. You don't seem to understand the implications of what has happened. I'll leave you to get H4X0r3d again :)

I agree 100% with Chris. This guy hacked google. GOOGLE.

Give inmotion a break. They acknowledged the problem and are fixing it. This exact same thing happened when I was with Bluehost. It just happens.

For the people who are complaining about the lack of support response, do you really think they just happened to have the manpower on site to suddenly be able to respond to hundreds or thousands of angry customers? Leave them alone and let them fix the problem.

Hacking happens. If you think moving to a "better" host will guarantee your safety then you are naive.

Um, no not naive, and I couldn't care less about support. - I guess you don't really understand my situation. I install my own firewalls, and have my own security in place to protect my own dedicated servers, I do the OS updates etc., because I don't trust other people to do it right. I'm not trying to sound like I am a super admin or anything like that, I would just rather know that if something goes wrong, it was my fault, and learn from it.

I haven't been hacked up until now. This hacker walked right through the front door by using the root password on the dedicated server. Other ISPs I have used do not store your root password for dedicated servers. Inmotion Hosting's requirement is that they must have your root password. They also enable public key authentication, which basically bypasses the need to use the root password. So, due to their own systems being hacked, my dedicated servers are now compromised. You see what I'm getting at here? It's a fundamental flaw in the way they operate. The hacker dude had so much potential to wreak havoc, but all he did was change some index files, consider everyone lucky. I'm just trying to show that there is much greater security risk that was exposed by him, which is usually the reason they do it.....

PS the guy DID NOT hack google.
He hacked via a dns poison attack on a bangladesh isp that looks after the google.bd domain. This made it look like it "hacked" google, but did nothing of the sort.

crap, double post to chern , please delete my comment to chern above

Looks like I stuck my foot in my mouth. Thanks for the explanation. I just got the email from Inmotion about what happened (I'm surprised at how much information they gave out! That's cool though). So this hack wasn't as unavoidable as I thought it was... I will be keeping an eye on the password policy, especially since I was about to go from a VPS to a dedicated in the near future.

You can call their toll-free through Skype (for free) if you are outside of North America
The line is busy most of the time. Once you're through, you'll end up waiting forever..

If you have a wordpress website running under inmotion hosting, a fix for the tiger m@te hack can be found here: http://iamweare.nl/webhostinghub-inmotionhosting-hacked/

Can people confirm that they can get through to support on the phone? I have to dial international and am getting constant busy tone:
+1 757-416-6575

Yeah I know jay, this happens to me every couple of years... my last hosting company kept shorting out their whole electricity grid to the datacentre, and their "generators" failed as well... heh

Anyone got any feedback about other hosting providers around? US preferably..

Cpanels are currently off-line for me. Managed to get in before and back up the DB on my sites. Checked the files before logging off and as has been said, all index.phps were over-written. Definitely moving hosts. This is the second time InMotion have let script-kiddies get the better of them.

First of all, some advice to everyone...
Restoring backups isn't going to solve this problem. - they will just get in again :(

At the moment I am locked out of 3 of my dedicated servers at the root level. What does this mean?

The servers would need to be completely WIPED, reinstalled, to allow access to the server again.
I would then need to apply a backup, previous to when the attack occurred to ensure that there are no hidden nasties.

However, this doesn't address the fact of how they got in originally (99.9% sure they got the root password list from inmotion, that you contractually have to give them when you sign up for dedicated servers), and I am not going to bet on inmotion that the hackers don't do it again. I'm sorry but there is no solution to this apart from moving. I'm changing my dns's as we speak to at least get it up on some separate hosting with a different provider for the meantime, until I find a new company
