Cyber 911 For the Average Small Business Person | After the Tiger-Mate Hack -Project Notes

Project Notes

Who do you call when your web sites is hacked – “cyber 911 -may I help you”. The hosting service -no way, no they’re too busy fixing the attack, and what to say at a press release!

We hear a lot of politician talk about helping the small businessman. Well Sunday 9/25/2011 @(4am)  about 500,000 (half a million) small business were hacked. gAtO’s site was hacked too, we are still waiting to hear-  about declaring InMotion and it’s hacked site into a disaster area.  gAtO say – we have not heard a word about some cyber political person flying around InMotion and touring the 500k websites that were hacked by Tiger-M@te and his crew(z).

Tiger Mate has been tied to the Google Bangladesh cyber attack, this is a real hacker not the wanna be like, Anonymous and LulzSec. One shot 500k website, that’s “The Biggest Hack in the World” that we know of. Could this hack be a practice run for something worst. Could it be an intelligence gathering, the raw data of all the sites could be a gold mind for spam. Did the hack page effect anyone with a trojan. This is a great way to deliver a virus. One Hosting service, to many content providers and to their readers. One to Many Distribution Attack- One hack and it could potentially deliver hundred of thousand of zombie computers to a BotMaster. There is some talk the attack also infected the http_Access file. So far it only infected blog’s not static sites. Is there any Politician out there.. HeLLo …

gAtO has not seen it, but were was the cyber Community Emergency Response Teams (CERT). This is the kind of government programs that are needed in the new age in Cyberspace. How can we create a cyber team to help situations like this attack.

After I took care of my own site, I started to look around for others that were infected to see if I could help and was lucky to run into 2 great sites. The  Urban Cowboy and Leo Blanchette’s these two cyber heroes took the fight to the streets and showed leadership. People helping people.

What to do when your site’s been hacked. Some of the lessons learned from the recent Tiger-M@te attack on inMotion are right in front of our face. For the average website/blog content creator, we all have our special thing we do. But as we saw the provider’s blog (InMotion) was down, they had to shut down, save everything for forensics, evaluate and find the hack, then a plan for a sanitize re-boot and disinfect the hacked sites. The attacker Tiger-M@te set his target on “wordpress”. Why?

It’s a favorite amongst bloggers, and it has a wide distribution installation base, to get the most bang from your buck (attack)…Who do we call when our sites are down. I’m not sure. I would like to see our government get in and help us small business with the problems we have in cyberspace. New jobs for the new world – cyber-Police?.


My 2© cents – gatoMalo_at_uscyberlabs_dot_com

 ———lab Notes

InMotion  Forum about the Hack  –>

Timeline -InMotion release -see below
Community Emergency Response Teams (CERT)

Tiger Mate

The bangladeshian hacker “Tiger Mate” has been very active and has hacked some high profile websites in the past such as bangladesh airtel and local american express website.

We are in good company, check out the also-afflicted.


Mass compromise at

Mass compromise at | Sucuri

According to zone-h, they defaced at least 1,000 sites, and a list of the attacked sites can be viewed here:

*It seems that some of the compromised sites were also at (both owned by the same company)
**We are tracking more than 10k sites already defaced.
***Update from their in their Twitter account: “inmotionhosting InMotion Hosting
Security team members have traced this vulnerability to an authentication system and are working to patch this now. “

Comment for Sara @ PoliticalUSA

The largest hack ever made in a single shot !!!!

It was not just a server hack, actually whole data center got hacked.”

700,000 websites hacked in a single shot by TIGER-@MATE

Good Morning, PoliticusUSA; You’ve Been PWNed by TiGER-M@TE!’ve-pwned-tiger-mate

Good morning, PoliticusUSA; you’ve been PWNed by “TiGER-M@TE”! “PWN” This is called a “PWN” hack. Yeah, InMotion got PWNed.

I’m writing to you from a secure, non-disclosed location known as GOP Clown Show. Don’t ask, and I won’t tell.

This morning when I opened PoliticusUSA to share my colleagues’ morning stories, an ominous black page replaced my story from last night on Occupy Wall Street. This can’t be good, I thought. Then the page shrank down and began dancing all over my screen.

I chased it around for a few minutes, too sleepy to be alarmed.

Muttering under my breath (to say I am short tempered when it comes to technology is to put it mildly), I cursed the dancing box. I believe I may have called it the devil, but it’s all a blur now. I clicked and clicked and it ran and played.

Finally, I got it: “Server HackeD by TiGER-M@TE”


Our host tells us, “InMotion Hosting
Security team members have traced this vulnerability to an authentication system and are working to patch this now.”

Tiger mate hacking Immotion

Apple Support

Sep 25, 2011 6:56 PM

En-route to ASC today I suffered a hack attack by tiger-m@ate …I say I suffered the attack, in fact it seems to have been an attack on either or There is some insistence that it can’t be the latter.

New to ASC I started a discussion at:

…advised that it belongs here instead, it not being an attack on ASC (unconfirmed).

It seems that several hundred servers were attacked today and most likely these were XSS-attacks. My initial research leads me to believe that these attacks are based on the exploitation of server-side vulnerabilities rather than malware on the client-side but I’m no expert.

I’ve always assumed that as much as I try to protect my network against hacking and my computers from physical theft, there will always be a risk. For this reason I ensure my data is well protected: I use 1Password for log-in security, Knox for encrypting my documents and data (whilst retaining portability) and Espionage for securing application data. Nevertheless, it concerns me that my system may have been compromised.

Please contribute if you’ve had a similar experience or can offer advice on the extent of the risk involved.


Your system was not compromised. This hackers seems like like to hack DNS servers and poorly secured web hosting providers. It is extremely rare for individual users to be hacked by an individual hacker. It has never happened to a Mac user. Nothing to worry about.

@etresoft  thanks for your response — it seemed to me when I revisted it, that the redirected page had no apparent functionality and appeared to be more of a calling-card …seemingly aimed at increasing the noteriety of tiger-m@te, than to launch any kind of malicious attack on the end-user.

Seeing a browser window shrink, dance around the screen like a sprite and then expand to reveal “hacked” across the screen was a little disconcerting ….and naturally ones immediate reaction is to quit, trash and cut the connection.

Thanks for your input, hopefully it will reassure others.

InMotion Hosting apologizes, says it “understands” method used by TiGER-M@TE

InMotion, in an email to users, said Sunday that the homepage defacement attack launched by the southeast Asian hacker TiGER-M@TE was not meant to do permanent or catestrophic damage to the hundreds of thousands of websites that were hit.

“We understand the method the attacker used to accomplished this and the main exploit path was through an internal management server that can control Cpanel on other servers. The management server was used to change passwords on the Cpanel servers then login with those passwords,” said Todd Robinson, president of the hosting company.

The defacement attacked worked by replacing index files in all public_html directories with the attacker’s own branded index.php. InMotion does not believe that any data was stolen or that any passwords were compromised.

“It does not appear that gaining passwords was a goal or was accomplished, just password changes were used. Access to the management server was gained from an exploited customer’s server that was within our network,” Robinson said. “Though our team moved quickly to disable the internal management server and limit the exposure of the servers to this attack when it began, it
was a very serious breach and could have been much worse if the hacker had intended to do more harm.”

This does fit the modus operandi of TiGER-M@TE, who often claims to hack for fun or just to prove that “it can be done.”

Blast Magazine’s network of websites were defaced during the attack on InMotion, as was the offical City of Providence website.

InMotion took responsibility for failing to prevent the damage. Some estimates have the attack hitting more than 500,000 websites, making it historic in its proportions if not in its level of damage.

“Please accept our apologies as we go through this process,” Robinson said. “We are very aware of our failure in this situation and we will provide more details when we have completed the work of recovery.”

Timeline -InMotion release 

At around 4am EST, our system administration team identified a website defacement attack affecting a large number of customers.  We are still investigating, but it appears that files named index.php have been defaced.

We are evaluating how this has occurred and our security team will have more information shortly.

While we review this issue, cPanel and SSH access has been disabled on various platforms.  For additional security, we are rotating passwods on a number of accounts.  We will honor requests for password resets as they are needed but are attempting to limit the inconvenience to our customers as we’re able.  FTP is still operational should you wish to access your files at this time and correct any issues you see yourself.  We will be working diligently to make cPanel access available again as soon as possible.

If there is a defacement on your account, please know that our Systems team is working to get your site back online.  If your index.php was modified, they will be restoring it from the most recent backup and no further action is necessary on your part.  At this time, we do not have a definitive timeframe for resolution, but we will update this page as we gather more information.

We do apologize for this issue, let us know as you have further questions, we’ll be glad to answer them as we’re able.  Please understand it will take our security team some time to review this issue before we can have a full explanation available.

11:45 AM EST Update

If you have a backup of your site, you may upload your index.php files to correct this. You may need to do this for each directory. If your site uses an index.html or index.htm, you will need to upload those files, then delete the index.php. You can find more help at How to restore a backup file.

It is possible our automated restore system will also be working on correcting the issue while you are. If you see this happen, just upload again.

If you do not have a backup of your site, it is best to wait until our automated system has completed its attempt at restoring. At this point, we feel that should solve a majority of the defaced sites.

We will be updating this page every hour, please check back here versus calling or chatting. Our team is currently working very hard and we are bringing in additional people, but the volume is greater than our Sunday staff is able to handle quickly at this time.

1 PM EST Update

Systems has been successful in restoring a portion of the affect sites. They are refining their repair method now and should be able to begin deploying the update to additional sites shortly. Please bear with us for another 1 hour when we feel we will have more information to share.

4:00pm EST Update
Our system’s team is still working on the automated repairing. We have restored over 65% of the affected sites at this time and are continuing to do so via an automated process and with our technical support team.

For people who are fixing their sites themselves, we have a few additional suggestions. First, be sure to check all directories, the hacker targeted all directories within the public_html.

If you are not sure how to do this, once our system’s team has completed their automated restores of home pages and general review of the changes we have made, they will be running an additional cleanup process that will look in directories for the hacked files. If the hacked files are found, they will be saved to hacked_page in the same directory.

Second, we have additional advice if you do not have a backup on your computer of your index.html and you are now seeing a directory listing instead of your site when you visit your URL. This means our automated restore system could not find a suitable file to restore to your account. Please go here, Site Backup Restore Options, for a few options to deal with this.

Most users should not see defacement on their site. If you do, it may be cached in your browser. Please refresh your browser by restarting it or by pushing CTRL-F5 (usually works, restart is best though). If you still see defacement, please do contact us via immediately for priority handling.

If you are seeing an empty directory, our system has not been able to locate your index files yet. If you have a backup of your index files, please upload them via ftp now (index.php, index.html, index.htm, etc.)

For those who do not have the files or who are unable to upload, our team is working on an automated solution now. Please see this link, Site Backup Restore Options, for a solution that may work for you.

Currently, Cpanel is disabled on all platforms as we evaluate the situation and apply patches to the security problems that allowed this to occur.  We should be able to enable access later today after running our final checks.   FTP access is still available though.

Best Regards,
The Web Hosting Hub Team


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: