Tiger-M@te Hack Project Notes

gAtOmAlO – My site got hack… Tiger-M@te — ahhhhh… race for the litter box and hide… – Further investigation follows. Good job (2 of my cyber heroes): The Urban Cowboy and clipartillustration.com helped a lot of people who were hacked. This is the new “Cyber Militia”: they are helping one another, web owners everywhere got together on these 2 sites. These net-citizens answered comments from people that got their sites hacked and helped many. This was a stupid hack. I hear 700,000 websites, and 200,000 websites. It does not matter how many sites it affected, there has to be a reason why. What was important about this hack? A splash page, “wooppy”; some people let the hack page download and heard an MP3 song. Bad choice in my opinion—run antivirus “pronto”. I saved the hacker’s code and plan to reverse-engineer it and see what the code really did. Could this be intelligence gathering or someone who only wanted fame? With the fame comes money, offers to hack someone else. This may be only a show-off, but “what if”.

Tiger-M@te self portrait -a HakkEr

Why InMotion? They are a hosting service for lots of little guys like me. I don’t keep valuable information on my site but others may. The attack seems to only go after dynamic sites (e.g. WordPress). Lots of people with static sites said no damage. To get to this level I have to assume “root” was compromised. Also, a simple “ls -AcFlR > info_inmotion.txt” would grab every filename and directory in the system; add to that 200,000 other websites. That’s a lot of intelligence. How much would the raw data be worth?

As we settle back to normal and relax, I hope to hear from InMotion about this hack. I said it before, I think they did a good job and dealt with it as best they could. Below are some of my notes and some of the comments from the people that got hacked. They are interesting to me anyway, to compile the information for this ongoing report of the Tiger-M@te-attack Project. I hope to keep you informed as I continue my search about this hack and hacker. We at uscyberlabs think that there’s more than meets the eye about this simple deface hack. ———gAtO-oUt

lesson learned – do a backup of your site—NOW!!!!!

Reference:

ClipArtIllustration – Inmotion Hosting Hacked by Tiger-M@te. Users Greeted by Lame Looking “Hacked” Page. http://www.clipartillustration.com/38552/inmotion-hosting-hacked-tiger-mte-users-greeted-lame-hacked-page/#comment-14463

The Urban Cowboy – My Server Was Hacked by Tiger-M@te http://theurbancowboy.net/2011/my-server-was-hacked-by-tiger-mte/

On the posting from the attack I see that lots of people did backups of their sites after the attack, so lesson learned.

Notes about – InMotion Hack

make sure you go to your admin panel and re-install your blog software…like wordpress, or whatever you use. They have hacked ALL the index files.

Also, look in all your folders for NEW index files that he may have added.

Jenny, once I replaced mine it reverted again. I had to replace it a second time. Maybe the battle is still going or they are just trying to restore properly.

Sib says:

Overwriting the index file is only a temporary fix, as the htaccess file has been modified. New folders were created and under each folder (the new and existing ones) this hacker’s index file was dropped in. For it to be resolved, I had to clean up the htaccess file (if applicable) and delete the folders and files that were dropped into my web directory.

This is the second time InMotion has been hacked in this way. It also happened last year around this time by some Turkish Hacker.

Inmotion Hosting Hacked by Tiger-M@te. Users Greeted by Lame Looking “Hacked” Page.

http://www.clipartillustration.com/38552/inmotion-hosting-hacked-tiger-mte-users-greeted-lame-hacked-page/#comment-14463

This snippet explains a bit about the tiger-m@te inmotion hack which defaced thousands of people’s websites. Leave comments below.

What happened?

Some hacker(s) decided to take on one of the world’s largest hosting companies, inmotion, and replace everyone’s index.php file with a cute little 1990’s style “Server Hacked!” splash page. It plays a rap song (given you’re dumb enough to stay on the page long enough for it to automatically download…which I was).

If inmotion gets hacked and 700,000 websites with it (including this humble one I make a living on), that should say plenty about the internet, no? It’s not easy to hack someone like inmotion. I love inmotion by the way. It just shows nobody is immune to getting hijacked in the pirate-infested waters we call the internet.

That being the case, what if a site like facebook gets hacked? Facebook deals purely in information – your information – so no doubt that would cripple society’s identity as a whole. I guess the internet is only as trustworthy as the hackers that run it.

The fix:

It’s an easy fix. Just replace your index.php file with your back-up version. Multiple directories were affected, so if you use wordpress, check out folders wp-admin, wp-content, and wp-includes. Replace them with their respective index files from the default install. Also, inmotion hosting is running an automated repair on websites that have done backups in the past, so you may never have to touch it.

I’ve been hacked as well. But I’m on WebHostingHub, not Inmotion.

Mine was hacked in InMotion hosting. Time stamp is 4:15AM eastern time. This guy did an interview as shown in
http://thehackernews.com/2011/01/exclusive-interview-with-tiger-mte.html

Sib

September 27, 2011 at 2:03 am

Replacing the defaced home page is only a short-term fix. It is an .htaccess redirect. The htaccess file needs to be cleaned up.

The Urban Cowboy

September 27, 2011 at 5:22 am

Hey Sib, I checked my htaccess files, and didn’t find anything out of the ordinary.

Sib

September 27, 2011 at 10:06 am

My htaccess file had been extensively modified. Quite frankly, I didn’t quite understand the coding (I am not a programmer), but I knew what the htaccess was like before (had previously been hit by a virus and got quite familiar with it at that time – and I kept a back-up copy of the previous htaccess file, as I would recommend ANYONE to do – as the htaccess file is most vulnerable and most often targeted). Anyhow, it looked like a php redirect. I restored the previous htaccess file and hope this is the end of it. Sibylle.

But what happened? And now we are safe?

The Urban Cowboy

September 25, 2011 at 9:59 am

I think InMotion had a security hole, they will have to determine how they were hacked and fix accordingly.

The Urban Cowboy

September 25, 2011 at 10:07 am

InMotion Hosting has released this announcement:

Systems Announcement

Alison Charm

September 25, 2011 at 12:27 pm

Thank you for posting this. I’m unable to access my index files, so I really appreciate your diligent updates about this.

Thank you again,
Alison

The Urban Cowboy

September 25, 2011 at 12:37 pm

Glad to see you are up.

merl

September 25, 2011 at 10:12 am

All or most are Apache with linux platform

Jacquie

September 25, 2011 at 10:40 am

Thanks for posting this info. I use a MAC and using Firefox browsing in google when it came across.

I don’t have a website so I am okay?
Thanks –

The Urban Cowboy

September 25, 2011 at 10:42 am

Yep, you are okay. It was the website you visited that was hacked, not your computer. There was also no virus attached.

Brenda

September 25, 2011 at 10:54 am

Just checking email and this swirling black window came up…. so I should be ok? I closed it right out.

Greg

September 25, 2011 at 11:55 am

Yes, I had three sites hacked last night. Two were WordPress sites and the third was a phpBB site. Strangely, none of my static sites were touched. I too host at InMotion hosting. They have some explaining to do.

All my sites are back up. The only reason I even knew how to fix the issue was because of your post. I have received no communication from inmotion.

The Urban Cowboy

September 25, 2011 at 12:01 pm

Glad to hear you are back up, Greg!

OneMom

September 25, 2011 at 12:24 pm

Shoot. Deleting the file called “hacked page” brought my websites back up, but when I try to get into my wordpress-admin, I am still getting the hacked page. Suggestions?

The Urban Cowboy

September 25, 2011 at 12:30 pm

That is because he corrupted all our folders with his hack. You have another hacked file in your admin folder. Go there the same way you fixed your site, you should find another file to delete or replace.

db

September 25, 2011 at 12:47 pm

He got my zen cart site as well. Hub/InMotion chat responded immediately even though it said offline. They say they will send a report out. http://www.inmotionhosting.com/20110925-systems-announcement.html should also have another update within the hour.

Rachel

September 25, 2011 at 4:10 pm

Help! I don’t have a website, I’m just a plain old Mac OSX user. I visited some website last night and all of the sudden my browser window shrunk down, bounced around, and the ‘Tiger M@te’ site popped up. How do I get rid of this? Again, I don’t run a website or anything. This is happening just when I go to a standard website like google or facebook…

The Urban Cowboy

September 25, 2011 at 4:34 pm

I really don’t know…you actually may have a virus. Do you have a virus scanner?

tom

September 25, 2011 at 4:28 pm

Same, with IMH. Site root file was ok, just every */administration/index.php file was modified or inserted on the HTML sites I have. Can’t blame IMH, they’ve been the best hosting for me to date, but stuff happens.

My sincerest thanks to The Urban Cowboy for coming up high on Google for this problem! You rock dude!!!!!!!

The Urban Cowboy

September 25, 2011 at 4:41 pm

Glad to hear your site is back among the living.

This type of thing really is horrible. I’ve come across other sites where they are basically kissing his a@@, exclaiming how HE ‘rocks’ for corrupting our servers.

But what about US…the people who rely on our sites for so much? If you ask me, this cat is nothing more than a little kid looking for attention. It’s too bad, with his knowledge he could actually be doing good by helping people instead of hurting them.

Tommy Callaway

September 25, 2011 at 5:02 pm

I have multiple sites hosted on inMotion, on the same account, on the same server… but only one of them was harmed. Strange. It was also only the ‘admin’ portion of the site.

Either way, found the hacked file, deleted it, and re-uploaded my index.php.

I’m also downloading a full backup of the site, and doing a full search for any more of that tiger bullcrap. I’ll let you know if there are any other files affected..

The Urban Cowboy

September 25, 2011 at 5:09 pm

Good to hear you are doing a back up. As far as I know, only the index.php files have been infected, but there could be more than one. I found numerous index.php files that either were infected or did not belong.

Tommy Callaway

September 25, 2011 at 5:22 pm

You were right. There were multiple instances of index.php’s added, regardless if there was a pre-existing one. It looks like its target was public_html/, and it opened every folder within that, and either added hacked_page, or added/replaced index.php (12,500b file size), or both.

Unlucky for him, I’m a web developer and create backups like I have OCD. The purpose of today’s backup was 1. to do a mass search for “hacked”, and 2. if inmotionhosting blows up my crap, I will have a recent file set.

The Urban Cowboy

September 25, 2011 at 5:31 pm

Good thing you backed up your site. That was the first thing I did after getting back online. You never know what our hosting provider will do now.
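The cleanup the commenters describe (dropped `hacked_page` files, added or replaced index files, modified .htaccess files) can be checked against a known-good backup. The script below is an added example, not code from the original posts; the function names, the backup layout and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts. Compares a live web root with a
# known-good backup and reports the indicators described on this page.
MARKER='HackeD by TIGER-M@TE'   # banner text quoted on this page

# triage LIVE_ROOT BACKUP_ROOT -> lines of TYPE<TAB>relative/path, sorted
triage() {
    backup=$(cd "$2" && pwd) || return 1   # absolute, because we cd below
    ( cd "$1" || exit 1
      find . -type f \( -name 'index.*' -o -name '.htaccess' \
                        -o -name 'hacked_page*' \) |
      while IFS= read -r f; do
          rel=${f#./}
          case ${f##*/} in                   # file dropped by the defacer
              hacked_page*) printf 'DROPPED\t%s\n' "$rel"; continue ;;
          esac
          if [ ! -e "$backup/$rel" ]; then   # index/.htaccess not in backup
              printf 'ADDED\t%s\n' "$rel"
          elif ! cmp -s "$f" "$backup/$rel"; then
              printf 'CHANGED\t%s\n' "$rel"  # overwritten or edited
          fi
          if grep -q -i -F -e "$MARKER" "$f"; then
              printf 'BANNER\t%s\n' "$rel"   # still serving the defacement
          fi
      done ) | LC_ALL=C sort
}

# demo: builds a small constructed tree (sample data, not real site files)
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bak/wp-admin" "$d/live/wp-admin" "$d/live/newdir"
    echo '<?php // site home' > "$d/bak/index.php"
    echo '<?php // admin'     > "$d/bak/wp-admin/index.php"
    echo '# BEGIN WordPress'  > "$d/bak/.htaccess"
    cp "$d/bak/index.php" "$d/live/index.php"              # untouched
    echo 'Server HackeD by TIGER-M@TE' > "$d/live/wp-admin/index.php"
    echo 'Server HackeD by TIGER-M@TE' > "$d/live/newdir/index.php"
    echo 'placeholder' > "$d/live/newdir/hacked_page"
    printf '# BEGIN WordPress\n# constructed extra line\n' > "$d/live/.htaccess"
    triage "$d/live" "$d/bak"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then triage "$1" "$2"; else demo; fi
```

Run with two arguments (live web root, backup directory) to scan a real site; with no arguments it runs the constructed demo.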

TiGER-M@TE is the same hacker who successfully defaced the Google Bangladesh website. We interviewed TiGER-M@TE, who claimed to be hacking since 2007, working alone, and only using private exploits and zero-day attacks.

The hack saw the homepage replaced by the words “Server HackeD by TIGER-M@TE” alongside the hash tag “#Bangladeshi HackeR” and the text “Greetz: aBu.HaLiL501; w7sh.Syria; Sy-Hacker; NmR.Hacker; Wa7sh Hacker; h311 c0d3”. This was accompanied by an email address along with a banner reading “Underground Hackers 2007-2011”.

Emai 221 2 days ago

respect Bangladesh FTW! w0ot! 1&1 is next. Rest of you need to stfu, no one come ur lame sites anyways…

One response

  1. our site was hacked, inmotion sent us the notification, restored the site, then Google dropped our site. when you search for our company name even, our home page won’t show, under webmaster tools, google shows the black and red “hacked” thumbnail still.

    we immediately submitted to google for reconsideration back on the 27th and again recently.

    Anyone have any ideas on how to get main page back listed any faster? (sent support email question about this to inmotion, no response)

    we were number one for many search phrases, now we have customers calling that are typing our name in directly and finding sub pages, asking why, looks pretty unprofessional and losing business, TIA, help please!
