Inmotionhosting.com, WordPress, and a hack: My Server Was Hacked by Tiger-M@te

I woke up this morning and was ready to start working. I logged into my site to do a quick update and found that it had been hacked and was redirecting to some hacker’s page.
Here’s what I saw when I tried to log in to my WordPress dashboard:

Sometime this morning a hacker, TiGER-M@TE, hacked Inmotion’s servers and in the process managed to take down hundreds of its users’ sites as well, mine included. It’s not the end of the world, but it certainly sucked a bunch of time out of my day that I can’t get back. I contacted Inmotionhosting.com’s tech support immediately, but after a few hours with no response, I had to drop everything and try to correct the problem. I found that it had not affected one of my sites, which is just an HTML-based site, but it had affected every one of my WordPress-based sites. In my case, I have a WordPress multisite network of sites and all were redirecting to this hacker’s page.

The hack replaced all of my WordPress index.php files with its own. If this has happened to you and your site is still down, you just need to replace the index.php file in your WordPress install’s root directory (the root dir of your site, unless WordPress is installed in a subdomain or subdirectory, in which case you replace the index files there).
WordPress has a couple of other index.php files that need to be replaced as well, and they are in the wp-content and wp-admin folders (if you don’t replace these, your attempts to log in to your WP dashboard will still redirect to the hacker’s page). The hack also installed an index.php page in the wp-includes folder, which doesn’t belong there at all, so just delete it. If you have multiple installations of WordPress, do the same for each.

Here’s an article by TheUrbanCowboy.net, who had the same problem today. He goes into more detail about fixing the problem and even includes an index.php file if you need one. I noticed, however, that the content of the index.php file in the root directory is different from the ones in wp-content and wp-admin, so the best option is to move copies from the same location on your local backup if you have one.
You can also go get the entire WordPress installation here at WordPress.org/download.
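The check described above, as an added example (not code from the original post): it compares the three index.php files the post says to replace against an unpacked clean WordPress download, flags any index.php in wp-includes, and does so for every install found under a directory. The function names, and the assumption that the clean copy is the same WordPress version as the live site, belong to this example.

```python
import hashlib
from pathlib import Path

# Locations named in the post: these index.php files must match the clean copy.
# They are compared path by path because their contents differ from each other.
EXPECTED = ("index.php", "wp-admin/index.php", "wp-content/index.php")
# Stock WordPress ships no index.php here, so any file found is foreign.
UNEXPECTED = ("wp-includes/index.php",)


def sha256(path):
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_install(install, clean):
    """Return (relative_path, finding) pairs for one WordPress install.

    `clean` is an unpacked WordPress download (assumed: same version).
    The audit only reports; it never modifies or deletes anything.
    """
    install, clean = Path(install), Path(clean)
    findings = []
    for rel in EXPECTED:
        live = install / rel
        if not live.is_file():
            findings.append((rel, "missing"))
        elif sha256(live) != sha256(clean / rel):
            findings.append((rel, "modified"))
    for rel in UNEXPECTED:
        if (install / rel).exists():
            findings.append((rel, "unexpected"))
    return findings


def find_installs(root):
    """Locate installs under `root` by their wp-includes directory."""
    return sorted(p.parent for p in Path(root).rglob("wp-includes") if p.is_dir())


def audit_all(root, clean):
    """Audit every install under `root`; maps install path to its findings."""
    return {str(i): audit_install(i, clean) for i in find_installs(root)}
```

A "modified" or "missing" entry is a file to restore from the clean copy or your backup, and an "unexpected" entry is one to delete. An empty result covers only these four paths and says nothing about other files that may have been written during the intrusion.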

We did a little looking around to find out about the hack and came across this interview with TiGER-M@TE by The Hacker News in case you are interested: Exclusive Interview with TiGER-M@TE (Bangladesh Google website Hacker).

Why? Who the hell knows? I wish I had the free time to sit around finding new ways to sabotage servers and websites for fun. Actually, I would never do that to anyone because it sucks! Hackers suck! If this guy had simply sent us all a message telling us that our servers and sites were not secure, this would have actually been useful. Instead, hundreds of people are wasting hundreds of hours fixing the vandalism done by some guy that doesn’t give a shit about anyone else.

So what makes a guy sit around finding new ways to waste everyone’s time? I just don’t get it. Is he actually having fun making us all angry and wasting our time? To me, this is just as bad as having your car keyed or your mailbox run over. It probably costs as much for some. I would be the first to vote in favor of a new law that would make hackers like this pay the hourly wage for the duration of downtime of everyone whose site was hacked and had to blow off work to fix their malicious bullshit. I think there would be a lot less of this type of thing happening if it had a direct effect on the hacker’s wallet.

2 comments on “Inmotionhosting.com, WordPress, and a hack: My Server Was Hacked by Tiger-M@te”

  1. Hi holter,

    I’m very sorry to hear that your sites were compromised as well, but am happy that you were able to get things resolved. Unfortunately, due to the many requests for help we were receiving, hold times on the phone increased like we’ve never seen before, and to many users, it did appear as if we weren’t even in the office.

    I was hoping to post a link for any of our users that find this page. If anyone is still having an issue with their site showing either blank or defaced, we do have a forum set up that has more info + steps to take to fix your site:
    Directory Listing / Defacement Fix due to TiGER-M@TE hack

    If you also have any further or specific questions, feel free to post in those forums, we’re more than happy to help.

    Thanks,
    – Brad

    1. I realized after the first hour when your (IMH) tech guys didn’t respond to my request that it wasn’t just me, and it certainly wasn’t any fault of Inmotionhosting. I’ve always had the best service and support from the folks at IMH and any delay in response time is unusual.
      First, I fixed the problem on my own site, then started searching around to see how this happened and who was responsible. I posted what I found as quickly as I could and went back to work. The downtime due to the hack cost me an entire morning of my workday and put me way behind. I didn’t find out until later that evening how many sites were affected by this malicious attack.

      Thanks for the follow up, Brad!
