The article below has more information concerning the hack that affected InMotion Hosting on September 25, 2011.
At around 4am EST, our system administration team identified a website defacement attack affecting a large number of customers. We are still investigating, but it appears that files named index.php have been defaced.
We are evaluating how this has occurred and our security team will have more information shortly.
While we review this issue, cPanel and SSH access have been disabled on various platforms. For additional security, we are rotating passwords on a number of accounts. We will honor requests for password resets as they are needed but are attempting to limit the inconvenience to our customers as we’re able. FTP is still operational should you wish to access your files at this time and correct any issues you see yourself. We will be working diligently to make cPanel access available again as soon as possible.
If there is a defacement on your account, please know that our Systems team is working to get your site back online. If your index.php was modified, they will be restoring it from the most recent backup and no further action is necessary on your part. At this time, we do not have a definitive timeframe for resolution, but we will update this page as we gather more information.
We do apologize for this issue. Let us know if you have further questions; we’ll be glad to answer them as we’re able. Please understand it will take our security team some time to review this issue before we can have a full explanation available.
11:30am EST Update
If you have a backup of your site, you may upload your index.php files to correct this. You may need to do this for each directory. If your site uses an index.html or index.htm, you will need to upload those files, then delete the index.php. For more help, please see How to Restore a File from your own Backup.
It is possible our automated restore system will also be working on correcting the issue while you are. If you see this happen, just upload again.
If you do not have a backup of your site, it is best to wait until our automated system has completed its attempt at restoring. At this point, we feel that should solve a majority of the defaced sites.
We will be updating this page every hour; please check back here versus calling or chatting. Our team is currently working very hard and we are bringing in additional people, but the volume is greater than our Sunday staff is able to handle quickly at this time.
1pm EST Update
Systems has been successful in restoring a portion of the affected sites. They are refining their repair method now and should be able to begin deploying the update to additional sites shortly. Please bear with us for another 1 hour, when we feel we will have more information to share.
3:30pm EST Update
Our systems team is still working on the automated repairing. We have restored over 65% of the affected sites at this time and are continuing to do so via an automated process and with our technical support team.
For people who are fixing their sites themselves, we have a few additional suggestions. First, be sure to check all directories; the hacker targeted all directories within the public_html.
If you are not sure how to do this, once our systems team has completed their automated restores of home pages and general review of the changes we have made, they will be running an additional cleanup process that will look in directories for the hacked files. If the hacked files are found, they will be saved to hacked_page in the same directory.
Second, we have additional advice if you do not have a backup on your computer of your index.html and you are now seeing a directory listing instead of your site when you visit your URL. This means our automated restore system could not find a suitable file to restore to your account.
Most users should not see defacement on their site. If you do, it may be cached in your browser. Please refresh your browser by restarting it or by pushing CTRL-F5 (usually works, restart is best though). If you are on a shared server and you are still seeing a defacement, please send an email to [email protected]. For VPS and dedicated customers who are still seeing a defacement, we are currently working on a second fix system to more accurately target cleanup on your platform. We will have an update for you in about 45 minutes.
If you are seeing an empty directory, our system has not been able to locate your index files yet. If you have a backup of your index files, please upload them via FTP now (index.php, index.html, index.htm, etc.).
For those who do not have the files or who are unable to upload, our team is working on an automated solution now. Please see Different Types of Backups for a solution that may work for you.
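For customers checking their own sites, the comparison described above (every directory under public_html, against your own backup) can be scripted. This is an added example, not InMotion's repair tooling; it assumes you have downloaded public_html over FTP to a local folder and have a known-good backup copy, and the function and folder names are hypothetical.

```python
import hashlib
import os

INDEX_NAMES = ("index.php", "index.html", "index.htm")


def _sha256(path):
    """Hash a file in chunks so large pages do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _index_files(root):
    """Map relative path -> SHA-256 for every index file in every directory."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = _sha256(full)
    return found


def audit_index_files(live_root, backup_root):
    """Compare index files in a downloaded site copy against a backup.

    changed    - present in both, contents differ (re-upload from backup)
    missing    - in the backup only (directory listing; upload it)
    unexpected - in the live copy only, e.g. an index.php dropped into a
                 site that uses index.html (upload the original, delete it)
    """
    live = _index_files(live_root)
    backup = _index_files(backup_root)
    return {
        "changed": sorted(r for r in backup if r in live and live[r] != backup[r]),
        "missing": sorted(r for r in backup if r not in live),
        "unexpected": sorted(r for r in live if r not in backup),
    }


if __name__ == "__main__":
    import sys
    # Usage: python audit_index.py <downloaded public_html> <backup folder>
    for status, paths in audit_index_files(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(f"{status:10} {rel}")
```

Review each "unexpected" entry before deleting it, since a page added after the backup was taken shows up in the same list.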
6:00pm EST Update
Our systems team continues to work on the VPS and dedicated clients and repairing the defaced index files. The system to counteract the hack has been built and is in its final testing. We really apologize for the delay; the system for working with VPS and dedicated platforms is more complicated.
We also have brought in just about everyone on our T2S team. Once the VPS and dedicated automated repair is complete, they will immediately begin work on servers that need additional help.
Currently, cPanel is disabled on all platforms as we evaluate the situation and apply patches to the security problems that allowed this to occur. We should be able to enable access later today after running our final checks. FTP access is still available though.
We are currently working on the automated repairs on the VPS platform. Some are completed already and we expect most to finish in the next couple hours. It may run a bit longer for secondary scans.
The dedicated customers that were affected have been addressed to a great extent, but if you are a dedicated customer and have a defacement, please contact us now.
The majority of the automated repairs for shared have taken place at this time. We will continue to do repairs as possible tonight and tomorrow. If your site is showing a directory listing instead of your site, you will need to upload a replacement. Please see above for advice on correcting this.
We will continue updating as new developments occur.
The InMotion Hosting Team