NodsDorf, posted September 25, 2011:

If you use inmotionhosting.com as your web host, as one of the sites I manage does: they were hacked today. I noticed the hack at 5:05am EST on 9/25/2011.

As of this time I'm not sure how widespread the hack is, but I can say from my end the only thing I noticed was over-written index.php pages in our public_html directories and in our catalog directory.

Just to be clear, this isn't an osCommerce security issue; this likely affects anybody that uses InMotionHosting.

Please check your sites if you use InMotionHosting.

NodsDorf, posted September 25, 2011:

Here is the first article I have found about the problem: http://www.ilovefreesoftware.com/25/articles/inmotion-hosting-hacked.html

Been on hold with them for an hour 40 minutes at this point.

NodsDorf, posted September 25, 2011:

Just spoke with Tech support at Inmotion, they confirmed what I noticed.

Index.php files were over-written
Index.php files were placed in folders

To fix the problem just restore your index.php page from backup. Delete the ones in the folders that shouldn't have them.

He also confirmed that this happened on several of their servers.

PGelsman, posted September 25, 2011:

Last week it was Godaddy. They finally restored me today, but I don't have full functionality. I am REALLY pissed.

♥altoid, posted September 25, 2011:

I have four shops on inmotion, two shops are 2.2rc2a and two are 2.3.1. All were compromised.

I have a cron job set up for Jack's Site Monitor and the automated email showed me these intrusions for a 2.2 shop:

NEW FILES:
Found a new file named store/index.php
Found a new file named pub/index.php
Found a new file named temp/index.php
Found a new file named js/index.php
Found a new file named bad_conduct/index.php
Found a new file named ext/index.php
Found a new file named feeds/index.php
Found a new file named images/index.php
Found a new file named upload/index.php
Found a new file named css/index.php
Found a new file named download/index.php
Found a new file named includes/index.php
Found a new file named javascript/index.php

SIZE MISMATCH:
New-> googlesitemap/index.php 12500 Original-> 8611
Difference found: New-> "my admin folder"/index.php 12500 Original-> 4316
Difference found: New-> install_old/index.php 12500 Original-> 335
Difference found: New-> index.php 12500 Original-> 24586
Difference found: New-> phpThumb/index.php 12500 Original-> 310
Difference found: New-> cache/index.php 12500 Original-> 350

TIME MISMATCH:
Mismatch on googlesitemap/index.php Last Changed on Sunday, 25 Sep 2011 08:23:59 GMT
Time Mismatch on "my admin folder"/index.php Last Changed on Sunday, 25 Sep 2011 08:23:59 GMT
Time Mismatch on install_old/index.php Last Changed on Sunday, 25 Sep 2011 08:23:59 GMT
Time Mismatch on index.php Last Changed on Sunday, 25 Sep 2011 08:23:59 GMT
Time Mismatch on phpThumb/index.php Last Changed on Sunday, 25 Sep 2011 08:23:59 GMT
Time Mismatch on cache/index.php Last Changed on Sunday, 25 Sep 2011 08:23:59 GMT

I will work on deleting/restoring the appropriate index.php files, but have to wonder if that's all that occurred. For now I am going on the Site Monitor report and hope it was just the index.php issues.

Also on my mind is wondering about effects on my passwords, admin folder integrity, database...any input from professionals would be appreciated. I am leaning toward a complete shop file restore from a previous backup (done a couple days to a week ago) that I believe is OK.

Thanks

Signature: I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can. I remember what it was like when I first started with osC. It can be overwhelming. However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc. There are several good pros here on osCommerce. Look around, you'll figure out who they are.

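Added example (not from any poster and not Site Monitor's code): a baseline comparison that turns the kind of report altoid posted into the actions NodsDorf relayed, deleting planted index.php files and restoring overwritten ones, while setting aside every other change for investigation. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def snapshot(root):
    """Return {relative_path: (size, mtime)} for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (st.st_size, int(st.st_mtime))
    return snap

def triage(baseline, current, target="index.php"):
    """Compare two snapshots and sort the differences into actions."""
    plan = {"delete": [], "restore": [], "investigate": []}
    for path, meta in sorted(current.items()):
        old = baseline.get(path)
        if old == meta:
            continue  # size and mtime both unchanged
        is_target = os.path.basename(path) == target
        if old is None:
            # New file: a planted index.php is deleted, anything else is unexplained.
            plan["delete" if is_target else "investigate"].append(path)
        else:
            # Existing file whose size or mtime changed.
            plan["restore" if is_target else "investigate"].append(path)
    # Files that were in the baseline and are now gone are also unexplained.
    plan["investigate"] += sorted(p for p in baseline if p not in current)
    return plan

def same_payload(current, paths):
    """True when every listed file has one identical size, as in the report (12500)."""
    return len({current[p][0] for p in paths}) == 1

def demo():
    """Constructed sample tree: take a baseline, simulate the overwrite, triage."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mtime):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(data)
            os.utime(full, (mtime, mtime))
        write("index.php", "<?php // shop front page", 1000)
        write("cache/index.php", "<?php // stub", 1000)
        write("images/logo.gif", "GIF89a", 1000)
        baseline = snapshot(root)
        page = "x" * 12500  # constructed stand-in for the replaced page
        for rel in ("index.php", "cache/index.php", "images/index.php"):
            write(rel, page, 2000)
        write("includes/configure.php", "<?php // changed", 2000)
        current = snapshot(root)
        plan = triage(baseline, current)
        return plan, same_payload(current, plan["delete"] + plan["restore"])

if __name__ == "__main__":
    print(demo())
```

An empty "investigate" list supports the index.php-only reading of the incident; anything in it is a change the defacement does not explain.
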
♥altoid, posted September 25, 2011:

After a complete restore on one shop, I get

Forbidden
You don't have permission to access /index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

I used red for emphasis. I presume inmotion has the system locked down?

Jack_mcs, posted September 25, 2011:

> Just spoke with Tech support at Inmotion, they confirmed what I noticed.
>
> Index.php files were over-written
> Index.php files were placed in folders
>
> To fix the problem just restore your index.php page from backup. Delete the ones in the folders that shouldn't have them.
>
> He also confirmed that this happened on several of their servers.

This sounds like the security hole found in some Linux OS's about a year ago. I would have thought all hosts were patched for it now but maybe not, or maybe it is something different? You may want to send this link to your host just to be safe: http://isc.sans.edu/diary.html?storyid=9574

Signature: Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. | All of My Addons | Get the latest versions of my addons | Recommended SEO Addons

multimixer, posted September 25, 2011:

From what I can see only index.php files in each domain's root are affected. Any installations in subfolders etc. should be ok.

mydomain.com/index.php is affected
mydomain.com/index.html is not affected
mydomain.com/catalog/index.php is not affected

All index.php in admin folders should be ok, except if replaced by the root index.

This is just an estimation.

The problem is now that inmotionhosting cut off any cpanel/ftp access, they say

> As a precautionary measure, cPanel logins have been disabled.

Could anyone access his cPanel?

Signature: My community profile | Template system for osCommerce - New: Responsive | Feedback channel

♥altoid, posted September 25, 2011:

> The problem is now that inmotionhosting cut off any cpanel/ftp access, they say
>
> Could anyone access his cPanel?

I could about 4 hours ago and I still am able to access cPanel. I contacted inMotion support, got an auto response where they are basically taking responsibility and said once the issue is resolved, will restore all sites.

Nice to see tech support actually admit the problem IS on their end.

multimixer, posted September 25, 2011:

I could restore the sites myself IF I could access cPanel or via ftp, but no way

♥altoid, posted September 25, 2011:

> I could restore the sites myself IF I could access cPanel or via ftp, but no way

George, in addition to being able to access my cPanel, I can FTP as well (I am on the Business "power" Plan, but apparently that's pointless as per what inMotion's site says as follows):

> Important Systems Announcement - Please Read
> September 25, 2011
>
> At around 4am EST, our system administration team identified a website defacement attack affecting a large number of customers. We are still investigating, but it appears that files named index.php have been defaced. We are evaluating how this has occurred and our security team will have more information shortly.
>
> While we review this issue, cPanel and SSH access has been disabled on various platforms. For additional security, we are rotating passwords on a number of accounts. We will honor requests for password resets as they are needed but are attempting to limit the inconvenience to our customers as we're able. FTP is still operational should you wish to access your files at this time and correct any issues you see yourself. We will be working diligently to make cPanel access available again as soon as possible.
>
> If there is a defacement on your account, please know that our Systems team is working to get your site back online. If your index.php was modified, they will be restoring it from the most recent backup and no further action is necessary on your part.
>
> At this time, we do not have a definitive timeframe for resolution, but we will update this page as we gather more information.
>
> We do apologize for this issue, let us know as you have further questions, we'll be glad to answer them as we're able. Please understand it will take our security team some time to review this issue before we can have a full explanation available.

multimixer, posted September 25, 2011:

Steve, still no ftp/cPanel for me on my dedicated, but I could access and fix (at least for what is known for now) some other people's sites that have a regular hosting.

Thanks for the info

Guest, posted September 25, 2011:

I have several clients who contacted me about their sites being hacked. The over-written index.php files were in sub domains and sub-directories on shared hosting servers.

Inmotion hosting has promised to restore ALL sites from their server back-ups but could not give a time frame for completion.

Chris

multimixer, posted September 25, 2011:

Good news for myself: I got access, so I can start restoring, starting from replacing index.php as a first step and completely replace the sites and DB as a second

♥altoid, posted September 25, 2011:

I have one client, ..... me. :)

And with my 4 inMotion shops down, I suddenly am looking at my eBay site with a whole new perspective!!

multimixer, posted September 25, 2011:

Steve, first thing to do is to replace your index.php file with anything, really anything but the hacker's file that is now

bradmarkle, posted September 25, 2011:

Hello Everyone,

This is Brad with InMotion Hosting. I’d like to first apologize for the issues at hand. We can honestly say we know how you feel in this situation, and we’re doing everything we can to resolve the issue.

Because of the nature of the hack, it appears only index files were targeted, so if you have a backup of your own site, only the index file should need to be updated. No sensitive customer information has been compromised.

If you haven’t read it yet, official updates on the issue can be found here: http://www.inmotionhosting.com/status

Thanks,
- Brad

♥altoid, posted September 25, 2011:

> Steve, first thing to do is to replace your index.php file with anything, really anything but the hacker's file that is now

Stay tuned on this...I checked and with a hard refresh my sites are coming back up correctly. 3 of the 4 so far.....

Guest, posted September 25, 2011:

> Stay tuned on this...I checked and with a hard refresh my sites are coming back up correctly. 3 of the 4 so far.....

Because In Motion has begun restoring sites from their server backups

Chris

♥altoid, posted September 25, 2011:

Still just three of the four are restored. The 4th, before I was aware the issue was an inMotion problem, I did a restore to my shop from a secure backup. The tech guy at inMotion said that my restore probably caused some kind of site corruption when they ran the mass script to clean the sites. Apparently they have to fix this one site uniquely.

Seeing your site taken over like this sure wakes you up first thing in the morning. Coffee not needed.

Don't know if this is tied in, but all my Outlook emails configured with my shop addresses quit allowing email to be sent, all of them generating the same error, so I put a ticket in on that issue as well.

TTR01, posted September 25, 2011:

My site was also defaced on Inmotion's server. What really bothers me about this breach is that 1) they didn't alert me. 2) they are MIA when I called with concern about the online portion of my business. 3) they tell you to reload your own data... That is Inmotion (the web host's) responsibility!

Any company that manages business websites should have emergency support and that support should have informed all affected parties. This is not as if we have a webpage on a chat site. We are business people. Why don't they have a mirror site that could have been brought online by now?

I am still waiting for a formal notification from Inmotion Support...

PGelsman, posted September 27, 2011:

At least inMotion acknowledges there is a problem. Godaddy does not, nor is there anything on their site with status messages. My site went down last Tuesday night, it was restored last night but now since I rebooted my PC I can't access my control panel and phpadmin. The sales I had today went through, but my customers didn't get their download links. I've got multiple support tickets in. You call them and they act like it's only me. I'm currently looking for a new host. Anybody have any thoughts on Hostgator?

PGelsman

imh-bradm, posted October 3, 2011:

Hi PGelsman,

This is Brad with InMotion Hosting.

> At least inMotion acknowledges there is a problem. Godaddy does not, nor is there anything on their site with status messages. My site went down last Tuesday night, it was restored last night but now since I rebooted my PC I can't access my control panel and phpadmin. The sales I had today went through, but my customers didn't get their download links. I've got multiple support tickets in. You call them and they act like it's only me. I'm currently looking for a new host. Anybody have any thoughts on Hostgator?
>
> PGelsman

It sounds like you were with InMotion Hosting when this incident occurred. Is that correct? If you are still experiencing this issue with oscommerce, I'd be more than happy to help troubleshoot it further with you. If you can post in our forum (http://forum.inmotionhosting.com/viewforum.php?f=57) I'll be more than happy to assist further.

Thanks,
- Brad

Guest, posted October 3, 2011:

Brad,

PGelsman was with Godaddy when his current problems became present. However, I have MANY clients that were with Inmotionhosting when it was hacked, needless to say many of them left Inmotionhosting that day.

Chris

imh-bradm, posted October 3, 2011:

Hi Michael,

This is Brad with InMotion Hosting.

> My site was also defaced on Inmotion's server. What really bothers me about this breach is that 1) they didn't alert me. 2) they are MIA when I called with concern about the online portion of my business. 3) they tell you to reload your own data... That is Inmotion (the web host's) responsibility!
>
> Any company that manages business websites should have emergency support and that support should have informed all affected parties. This is not as if we have a webpage on a chat site. We are business people. Why don't they have a mirror site that could have been brought online by now?
>
> I am still waiting for a formal notification from Inmotion Support...

I'm very sorry that you and many of our other customers did not receive an email message about this hack much sooner. Our initial focus was on stopping the hack from continuing and beginning to restore affected files from backup, but that is still not an excuse for a lack of notification to our users sooner than we did. Our team took a big hit from this incident, and we are learning a lot from it.

Because so many sites were affected, we were handling a ton of phone calls, live chats, and email. This surge in contacts from our users resulted in very long hold times / responses. I am sorry that you were not able to get a hold of our tech support team.

If you are still having any issues with your website, please let me know, I'll be more than happy to troubleshoot any blank / defaced pages you're seeing.

Thanks,
- Brad

Archived
This topic is now archived and is closed to further replies.