InMotion Hosting Hacked

Editor Ratings:
User Ratings:
[Total: 0    Average: 0/5]

Servers of InMotion Hosting have been hacked. The home page of InMotion Hosting is showing hacked, though some of the internal website pages are working fine.

Update 25-Sept, 4.45 AM CST: I was able to get in touch with the support team of Inmotion Hosting, and got this info:

there appears to be a mass server hack that has replaced the index file in the public_html of several accounts, we are working to do a full server restore on all servers to get that back up and running, unfortunately as there is an investigation going on now my details given to me are limited


Update 25-Sept, 5.02 AM CST: Many customers of InMotion Hosting have mentioned in comments below that it is easy to get your hacked website back up. If you have some old Index.php file, just copy that to the existing Index.php, and your website will probably be back up. This is because hackers seem to have replaced Index.php files on many accounts (InMotion support team also confirmed that above). I am trying this right now.

Update 25-Sept, 5.15 AM CST: Home Page of InMotion Hosting has been restored. Still no word from management on when will they restored the affected websites of customers, and how did this large scale hack happened.

Update 25-Sept, 12:30 PM CST: 1. In case your site did not have Index.php, but had Index.htm or Index.html, then you’ll need to restore those files, and delete Index.php

2. InMotion has confirmed that no customer information was compromised.

Here is the screenshot of the hacked page:

Inmotion Hacked
Sponsored Links

I have a couple of websites with InMotion Hosting, and they are also showing the same “Hacked” page.

There is no official word yet from InMotion Hosting on the extent of hack, and time it will take for websites to get back up.

What worries me most is that hackers might steal the credit card info that InMotion hosting would have stored. Also, I am really hoping that InMotion Hosting is able to get my websites back up, with all the data, and I don’t end up losing everything.

If you have more info about this, do post in comments. I will update this post when I hear something.

Editor Ratings:
User Ratings:
[Total: 0    Average: 0/5]
  • James

    Unbelievable. The servers will be back online within an hour I was told.

  • Chris

    It looks like just the index.php files have been written over in my accounts. It’s a pretty easy fix if you have a backup of the index.php files, just re-upload that file and your good to go. As for what they got to, I guess well find out when inmotion gets up and running again.

  • Ktastic

    Just had the same happen to my site, thanks for the quick post, was concerned it was a targetted attack on my site. Replacing the index.phps with a backed up version for those that were overwritten fixed it, i suggest you do the same ASAP. Also delete any index.phps that were’nt there before.

    The Cpanel is working now, if you don’t already have a backup, quickly log in and download the last gzipped backup of your public html and you should find the pre-hacked files intact. Just do it qukckly before they do another backup and overwrite the current (hopefully still clean) one for your site. I also suggest making occasional raw copies using an FTP client. This allowed me to revert the changes within moments.

  • Hi Ishan,
    I was actually coding my site when this happened. I managed to speak with their tech support and was told their CMS servers were hacked and themes changed. When I asked how long it would take to resolve the guy left chat! I would imagine they are getting flooded with people contacting them.

    I will post back if I get any further info


  • Nods-Dorf

    I can not comment on the server side of the hack, but as a customer of I can say that only a few index.php pages were placed or re-written in some of my directories. I’m still checking everything to verify the extent of the issues from my side (user).

  • Alex Nail

    Yes the couple of sites we have with Inmotion show the same things.

    Every directory has an index.php in it with the hacked info, we havent found anything on top of this yet and deleting these files does work. I will be interested to see inmotions response to this.

  • Chern

    I’m running a dedicated server with them and all the sites have been compromised as well via root. It would appear that root passwords for all servers that are with inmotion have been stolen.

  • AuzzieBloke

    Umm…. I’d say they got access to their internal list of passwords, so I would assume that cc info would have been compromised as well..

    I have several dedicated servers with them… I logged the hack. They logged in with the root password, and then changed the root password. Only myself and inmotion hosting knows the passwords.

    so secure information FAIL by inmotion hosting, big time.

    Time to move.

    • @AuzzieBloke: That’s interesting that hackers got access to all the root passwords. More importantly, is InMotion not storing passwords in some encrypted manner! Will wait to hear more details from Inmotion hosting on this hack.

    • Chern

      I have to agree with you there, definitely a password list attack and script. The incredibly annoying thing is that my servers still do not have a new password issued, I had to ftp into each hosted account and 403 it because the hack script is still running.

      • AuzzieBloke

        Arg they are logging in again under their new root pass…
        lol they must be hopping in through them…ouchies

  • jay

    the same thing happened last november. not sure why they can’t lock the servers down properly. i rarely hear of other mainstream providers suffering this way.

    thankfully, only index files are affected… however, they’re overwritten in *every* directory which is probably a real pain for most people to fix by hand.

    maybe someone could make a special backup/restore option just for this! LOL!

  • Nods-Dorf

    Just spoke with Tech Support @InMotion he stated that the only thing they noticed was index.php pages were replaced or added to folders. Simply restoring from a backup should fix the problem. If you don’t have a backup and if you have un-modified index.php from wordpress or oscommerce you can just overwrite download that version of software you’re running and overwrite the index.php they put in.

    On my server this is exactly what I noticed. I simply removed the folders that shouldn’t have had index.php pages, and restored from a recent backup the folders that should have.

    Good Luck,

    • AuzzieBloke

      Don’t beleive them Nods – At the root level, the server has been comprimised, so its toast.
      Basically the hackers could just overwrite whatever they want to on your site, whenever they like again. Its MUCH larger than they are making out..

  • Even my website has been hacked (hosted on inmotion)
    In many of the inmotion hosting’s forums they have said it has go to do with us and that hacker might have got access to our password but then inmotion hosting must answer how their own website has got hacked.

    They must do a complete restore of all the websites hosted on their server

  • Nods-Dorf


    As far as I can see there were no other file modifications made. I know having a root password they could do pretty much whatever they wanted but from our end, about the only things we can do is restore and change our passwords.

  • jay

    @AuzzieBloke: do you really have dedicated *servers* or do you just have dedicated IPs? it makes a big difference with this…

    • AuzzieBloke

      jay, I have 3 DEDICATED servers.

      • @AuzzieBloke: Ouch! I hope you get everything backup soon. I am able to restore my websites from old index.php files.

  • jay

    here are some sites hosted on one of IMH’s servers…

    they’re all affected, of course. most of these will only be fixed when IMH restores them from backup.

  • At first I thought only my sites were affected, then checked up inmotionhosting homepage and it was hacked too, then I realized the scale of this hack. I just can’t believe that “no.1 rated hosting company” would allow such a security flaw. This is just sad.
    I just hope cc info were not stolen too.

    As some said b4, time to move!

    Btw, the guy from support said that I should delete the folder .smileys in every root folder of my sites. Can’t imagine that someone used bunch of smileys to r00t the whole fckn server!


  • AuzzieBloke

    First of all, some advice to everyone…
    Restoring backups isn’t going to solve this problem. – they will just get in again :(

    At the moment I am locked out of 3 of my dedicated servers at the root level. What does this mean?

    The servers would need to be completely WIPED, reinstalled, to allow access to the server again.
    I would then need to apply a backup, previous to when the attack occured to ensure that there are no hidden nasties.

    However, this doesnt address the fact of how they got in originally (99.9% sure they got the root password list from inmotion, that you contractually have to give them when you sign up for dedicated servers), and I am not going to bet on inmotion that the hackers dont do it again. I’m sorry but there is no solution to this apart from moving. I’m changing my dns’s as we speak to at least get it up on some separate hosting with a different provider for the meantime, until I find a new company

    • AuzzieBloke

      actually what i said there is not entirely correct, they have public key authentication, so should be able to go in and change the root password to something else. But, you will still need to reformat and start again, once you have the files you need from backup. I’m sighing now that I keep remote rsnapshot backups of my sites. It would have a shocker if I hadn’t.

      • @AuzzieBloke: Rsnapshot sounds like a great idea. Till now I have been relying on regular backups by my hosting company + occasional manual backups that I do. Once you are out of this mess, you might want to throw more light on rsnapshot (the user manual on website of rsnapshot is for the version that was released in 2005!).

    • jay

      your situation is far more dire than for those of us on shared platforms that don’t have to worry about server access on top of our files/etc.

      lol! i came to inmotion a couple years ago after my previous host failed to pay their own bills and walked away, leaving everyone hanging without access to anything. a big reason, btw, that no one should ever let their host also be their registrar.

  • Andy

    Cpanels are currently off-line for me. Managed to get in before and back up the DB on my sites. Checked the files before logging off and as has been said, all index.phps were over-written. Definitely moving hosts. This is the second time InMotion have let script-kiddies get the better of them.

  • AuzzieBloke

    Yeah I know jay, this happens to me every couple of years… my last hosting company kept shorting out their whole electricy grid to the datacentre, and their “generators” failed as well… heh

    Anyone got any feedback about other hosting providers around? US preferably..

  • AuzzieBloke

    Can people confirm that they can get through to support on the phone? I have to dial international and am getting constant busy tone:
    +1 757-416-6575

  • If you have a wordpress website running under inmotion hosting, a fix for the tiger m@te hack can be found here:

  • AKN

    You can call their toll-free through Skype (for free) if you are outside of North America
    The line is busy most of the time. Once you’re through, you’ll end up waiting forever..

  • You guys are just being melodramatic. You sound like a bunch of soccer mom for gods sake. stop blaming Inmotion for something that wasn’t their fault, the hacker was good at his work and he got the job done. My hat is off too him. I’m in a same boat as you and i’m backing up my sites + clients as we speak but calling the company and moaning won’t fix anything. Let these guys work and stop calling and taking their time. Your sites will up.

    For those of you running WordPress, Do a manual re-install of your core files, export all your contents and database, and change your passwords. Then wait for the official explanation from Inmotion to see how screwed we are. Don’t forget to wear your tinfoil hat either. :P

    • AuzzieBloke

      haha Chris that’s one of the worst comments I’ve seen so far. it is 100% inmotion hosting’s fault. You don’t seem to understand the implications of what has happened. I’ll leave you to get H4X0r3d again :)

      • Brandon

        I agree 100% with Chris. This guy hacked google. GOOGLE.

        Give inmotion a break. They acknowledged the problem and are fixing it. This exact same thing happened when I was with Bluehost. It just happens.

        For the people who are complaining about the lack of support response, do you really think they just happened to have the manpower on site to suddenly be able to respond to hundreds or thousands of angry customers? Leave them alone and let them fix the problem.

        Hacking happens. If you think moving to a “better” host will guarantee your safety then you are naive.

        • AuzzieBloke

          Um, no not niave, and I couldn’t care less about support. – I guess you don’t really understand my situation. I install my own firewalls, and have my own security in place to protect my own dedicated servers, i do the os updates etc. , because I don’t trust other people to do it right. I’m not trying to sound like I am a super admin or anything like that, I would just rather know that if something goes wrong, it was my fault, and learn from it.

          I haven’t been hacked up until now. This hacker walked right through the front door by using the root password on the dedicated server. Other ISP’s I have used do not store your root password for dedicated servers. Inmotion hostings requirement is that they must have your root password. They also enable public key authentication, which basically bypasses the need to use the root password. So, due to their own systems being hacked, my dedicated servers are now compromised. You see what I’m getting at here? Its a fundamental flaw in the way they operate. The hacker dude so much potential with to wreak havoc, but all he did was change some index files, consider everyone lucky. I’m just trying to show that there is much greater security risk that was exposed by him, which is usually the reason they do it…..

          PS the guy DID NOT hack google.
          He hacked via a dns poison attack on a bangladesh isp that looks after the domain. This made it look like it “hacked” google, but did nothing of the sorts.

          • AuzzieBloke

            crap, double post to chern , please delete my comment to chern above

          • Brandon

            Looks like I stuck my foot in my mouth. Thanks for the explanation. I just got the email from Inmotion about what happened (I’m surprised at how much information they gave out! That’s cool though). So this hack wasn’t as unavoidable as I thought it was… I will be keeping an eye on the password policy, especially since I was about to go from a VPS to a dedicated in the near future.

  • I got mine fixed. It really seemed to be only the index.php files in every directory up to one level deep. Let’s see what we learned from this ;)

  • My site was hacked and manually switching all the index.php files seems to have worked. I run WordPress, so I reinstalled wordpress as well. It seems to have caught everything. Now I’m backing up everything again to make sure I have a fresh copy in case something else comes up.

    As for InMotion, you’ll be waiting forever because this attack has them all scrambling. The lines are busy, and you can’t even “chat live” anymore. Hopefully they’ll at least email us soon about what they’re doing.

  • Dan

    check them out on!/InMotionHosting they have some more news on there.
    it seems our cc info and shits are safe …

  • JC

    I was hacked too… I replaced the index.php (There are five of them, some can be deleted, while the others need to be replaced), reinstalled wordpress, and am doing a full DB backup, backing up images.

  • CC

    I tried to change the password of the WHM through AMP and though it allows me to change it, it doesn’t let me in.

    At first I was worried that just one of my websites got hacked and then I looked at all the websites that I host and manage and they were all hacked. Good thing I found this site and this discussion so I feel much better.

  • TH

    I tried to call them for several times but I couldn’t.
    A engineer of my friend showed me that I’d better to take NO action until they would take SOME actions to resolve fundamentally and for guarantee.

  • we were on hold for a long time and then disconnected. UGH.

  • I run my WordPress site ( on the Genesis Network.

    My WordPress phps were changed, but my Genesis phps were uneffected, thanks to the rock solid security of Genesis.

    If you are interested in Genesis for added security follow this link (it is an affiliate link, and I advertise my affiliation at the end of every blog post, I’m that happy with Genesis):

  • Yes constant busy tone and not able to reach anyone with chat. This is disgraceful. I have been with inmotion for 6 years.

    Anyone know a better hosting provider…? Also I have been dependent on Inmotion’s daily backup which has never been a problem but I”m sure it will take them a while to be able to implement that. :( any ideas?

  • Tim

    Have a dedicated server with InMotion, replaced index.php’s in all folders which worked for now. Luckily we are still a few weeks away from launching this new site with our customers.

    If the server was hacked at the root level and I change the password, how does the hacker gain access to the new password?

  • Bret

    Any help for a web novice? I’m getting married next Saturday and have the wedding website on InMotion. I am not savvy enough to replace my index.php file (and do not know if there is a backed-up copy anywhere). The person who set the website up for me (as a favor) is away for a few days. Any thoughts are appreciated.

  • Roy

    Here are some quick fixes if your site was hacked:

  • Dana

    you can EASILY fix this via FTP. In WordPress, you will need to replace 3 index.php files since it looks like they got them all. The one in the mail public_html folder, the one in the wp-content folder, and the one in the wp-admin folder. If you don’t have these files saved on your computer, head on over to and download the latest version. Then just copy those index.php files over to your site via FTP. i just had my 30 sites hosted at InMotion fixed within 5 minutes. I’m sure InMotion is swamped with calls right now so take it into your own hands and stop bothering them… they are working on it obviously.

  • Hello Everyone,

    This is Brad with InMotion Hosting. I’d like to first apologize for the issues at hand. We can honestly say we know how you feel in this situation, and we’re doing everything we can to resolve the issue. Because of the nature of the hack, it appears only index files were targeted, so if you have a backup of your own site, only the index file should need to be updated. No sensitive customer information has been compromised.

    If you haven’t read it yet, official updates on the issue can be found here:

    – Brad

    • @Brad: Thanks for dropping by. I really hope all the sites are back up soon, and this is the last of the hacking we have seen at InMotion (my sites have been hacked earlier also with you).

    • jay

      Not posted on the website but in email is “Security team members have traced this vulnerability to an authentication system and are working to patch this now. While we review this issue, cPanel and SSH access has been disabled on various platforms”.

      Also, I replaced a couple index files so my site runs normally but I didn’t go into subdirs. IMH has not yet touched my account with their own repair and there is still defaced index present. Perhaps my account won’t be repaired? I have local backups but was hoping to see IMH take care of things…

      • Hi Jay,

        The last I heard, our Systems team was at about 65% complete, and that was ~1.5 hours ago. Hopefully we’ll be at 100% very soon. Be sure to clear your browser’s cache when testing your site, as I have already seen that help someone. Also, stay in touch with the page, as that has been updated several times throughout the day already.

        – Brad

  • Curt

    I overwrote the index.php file as a knee jerk reaction and never looked at the hacked index. Were there any clues in the code?

  • Here’s the infected Index.php if you like to see it. don’t worry, it won’t ite anymore :)

  • jay

    I didn’t realize IMH was the same outfit as webhostinghub…

  • Jake

    I found one site that said to delete your wp-includes and wp-admin directories and replace those with the fresh WP ones…

    So I got the wp-includes deleted and replaced via FTP but it won’t let me upload the wp-admin folder?…

    I get critical error when trying to upload it…

    Can I just re-install WP thru cPanel without it affecting anything?…

    Any ideas?…

  • I am really impressed with the way InMotion has been handling this whole mess. Tweeting updates, sending out emails, and even having someone comment on this thread! Impressive.

    I’m not leaving because of a hacker, though I do hope they can find some way to assure us this won’t happen again.

  • Chern

    @Alex, glad someone is impressed. Coming on 15 hours now, and dedicated server customers still do not have access to their servers (both of mine included). For enterprise level service, this is completely unacceptable; Inmotion has basically told me to go elsewhere with my business by prioritizing $5.95 accounts over $315 servers.

    • AuzzieBloke

      Chern, This is my main beef also :) Still locked out of 3 dedicated servers. I spend 750 dollars a month with them ;) I’m in the process of moving… read my post up further up in response to chris for some more info on why I’m moving for the dedicated peeps that are interested….

    • jay

      Just want to point out… it’s not one $5.95 customer vs your $315. There are potentially 1000’s of customers on a single shared server, making that machine quite valuable indeed.

  • Chern

    I have to agree there, almost all my support issues with Inmotion over the years has been the hamfisted way they handle root passwords. I’ve had them changed / reset without notice (and not to the one I specified either). Where are you going? I’m giving steadfast a look.

  • Pingback: Yes, I was hacked. And yes, I survived. — The Coupon Project()

  • AuzzieBloke

    there you go, not to say i told you so…..

    official word from inmotion for dedicated server peeps

    “As you may be aware, our network, and potentially your server, was the
    target of a large scale website defacing attack this morning, Sunday,
    the 25th. The defacement worked by replacing index files in all
    public_html directories with the attacker”s index.php. At this time, it
    does not appear to be any more malicious than taking over the web site”s
    home page, but we are still reviewing servers at this time.

    We understand the method the attacker used to accomplished this and the
    main exploit path was through an internal management server that can
    control Cpanel on other servers. The management server was used to
    change passwords on the Cpanel servers then login with those passwords.

    It does not appear that gaining passwords was a goal or was
    accomplished, just password changes were used. Access to the management
    server was gained from an exploited customer”s server that was within
    our network.

    Though our team moved quickly to disable the internal management server
    and limit the exposure of the servers to this attack when it began, it
    was a very serious breach and could have been much worse if the hacker
    had intended to do more harm.

    At this time, we want to be sure you are aware of the attack and your
    server”s potential exposure. Please you review your sites if you have
    not already done so. If you were affected and you need assistance
    recovering the home page or other directory indexes, please contact us.

    Further, if you feel your server has been targeted more in-depth than
    the index.php defacement, please contact us immediately and we will do
    an additional scan on your server.

    Though it does not appear gaining passwords was an intent of this
    attack, it is recommended that you update all of your passwords related
    to your server.

    Please note, our billing, domain management, and customer tracking
    system (AMP) was not targeted, nor was available to the Cpanel
    management server. It is on a separate network and firewall.

    Please accept our apologies as we go through this process. We are very
    aware of our failure in this situation and we will provide more details
    when we have completed the work of recovery.

    Again, please review your server and sites if you have not done so
    already. Reach out to us immediately if you suspect a more in-depth
    attack on your server. “

    • @AuzzieBloke: That’s a major security hole right there. If they had such a server in place that could target all other servers, it should have been super secure. I hope InMotion learns a lot from this. Personally, after reading this comment, I am seriously thinking about moving elsewhere.

  • AuzzieBloke

    lol word on the street is that he compromised 700,000 sites, yay im so happy to be part of this :P NOT

    “I hack 700000 websites in one shot, this may be a new world Record. After submitting 200,000 domains,zone-h was going down again and again and became almost unresponsive in the i was unable to submit all i’ve listed all domains in attachment. It was not just a server hack, actually whole data center got hacked.”

    Again we are all very lucky the hacker was naive really, and didn’t use it for nefarious purposes. But, saying that how do you know? I am restoring backups previous to the hack, and lose a days worth of data changes instead. You can’t be 100% sure other things were planted in there, if you don’t do this.

  • All my inmotion hosted websites are hacked… I am eager to know the attack and how it was possible….

  • I’ve got mixed feelings about this hack. On the one hand, I like InMotion’s support & responsiveness. On the other hand, this is the third hack that’s affected my website and the 2nd in a row that I’ve had to fix myself.

    IMH has been pushing me a bit to upgrade to VPS but this issue and the long impact to dedicated and vps customers there has me totally reconsidering their service and looking at competitors. :(

    • Hi 1WineDude,

      I can totally see your point of view, as well as many other people.

      By no means am I trying to make any excuses, this recent TiGER-M@TE hack hit us hard and was our fault.

      Other users have been hacked in the past, and seem to think this is the same issue happening again and again, which it is not. This is the first time that this is an attack directly at our entire company, and actually got our own website as well. Many other hacks we’ve seen are targeted at individuals with security holes in their software on their account or out dated software running on their local computer.

      For example, we’ve seen issues in the past with users who were hacked via FTP. We can see it in the ftp logs where a hacker simply logged in and upload new files to the user’s account. From much research, it appears that vulnerabilities in software on your computer can help hackers gain your credentials. For example, if you’ve ever connected to your account via FTP and clicked the option to save your password so you don’t have to type it in again, that username and password is stored somewhere on your computer. Vulnerabilities in programs made by companies such as Adobe can be exploited to get access to those usernames and passwords. If you use Firefox, I’m sure you’ve noticed that when you upgrade it tells you that your version of Adobe Reader is out of date. Why would Firefox make it such a big deal to tell you only about your out of date Adobe Software? Security Reasons.

      Again, I’m not trying to make excuses, I hope that users understand that this hack is the first of its nature within our servers. This has hit us hard, but we are learning immensely from it and it will only help to make our company better.

      I’m more than happy to help if anyone has any questions or further issues with defacements on their site. You can get in touch with me at the inmotion hosting forums –

      – Brad

  • Kernel-Exploit

    Non-technical savvy users are easily fooled by web hosting companies who falsely explain how far a total compromise could go. Security-minded guys will give you the following conclusions.

    1 – InMotion said the goal of this mass hack is just to do defacement.
    These hosting guys never know hackers have installed rootkits and backdoors for future access. They think that it’s safe and simple as restoring clients’ web sites from backups.
    Once a box is hacked at the root level, it can’t be trusted any more.

    2 – Hackers could have compromised the inMotion several weeks/months before. Finally, they’ve been aware that the exploit they use have been discovered/known by other same-minded hackers. They do mass defacement to notify inMotion guys to patch this hole.

    We’ve seen mass hacking these days are not just for fun and fame. They have been used for generating revenue in black markets. Now, some clients are ready to move to other hostings. Others are just staying at inMotion and hoping for this mass hack not to happen again. Rest assured, this hack will not come back as hackers may now have future access at their will using backdoors that ultilize steathy covert channels to remotely do malicious stuffs.

    Stay Secure.

  • My site was show hacked picture too. But now it was automatically restored and worked fine.

  • How to restore cached picture “site hucked” from Google tools and google site privew?

Advertisment ad adsense adlogger