How to fix Inmotion Hosting hack by Tiger M@te

This morning (Sunday, September 25, 2011), Inmotion Hosting and Webhosting hub, two very good hosting providers, were hacked by a rock-star hacker from Bangladesh. This wasn’t a simple hack of a few servers; it was a mass attack that brought down all servers. The hacker replaced every index file in every major directory of every account, including the provider’s official sites. If you are using Inmotion Hosting or Webhosting hub, you have certainly been affected, so here’s a quick fix. This is what the front page of the sites looked like after the hack.

For those with HTML sites, review and replace your index.htm and index.html files from your backups.

For those running WordPress, you will need to do a little more digging. Follow these steps and don’t skip any:

  1. Download the latest version of WordPress from here.
  2. Access your server by FTP and go inside your root folder.
  3. Delete the old wp-includes and wp-admin directories on your web host (through your FTP or shell access).
  4. Using FTP or your shell access, upload the new wp-includes and wp-admin directories to your web host, overwriting old files.
  5. Upload the individual files from the new wp-content folder to your existing wp-content folder, overwriting existing files. Do NOT delete your existing wp-content folder. Do NOT delete any files or folders in your existing wp-content directory (except for the one being overwritten by new files).
  6. Upload all new loose files from the root directory of the new version to your existing WordPress root directory.
  7. Remember that I said that the hacker placed index files in every top directory. You need to open every non-WordPress directory and view your index files to make sure they are not the hacked one. Delete them if the directories shouldn’t have an index.php, or replace them with new ones if they are supposed to have one.
  8. Update wp-config.php if you have been using an older version of WordPress.
  9. Change your database username and password.
  10. Change your WordPress password.
  11. If you are using any caching plugin, make sure to empty all your caches after the fix.
  12. As soon as you get it running, export all your content, database and wp-content directory and wait for the next attack. If Inmotion Hosting decides to back up everything, you will lose your latest posts and modifications, so back up your site yourself before they get to it.

For those running other server technologies, replace your index in every directory of your site.
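For step 7, and for sites on other technologies, one way to shortlist index files for review is sketched below. This is an added example, not part of the original post: it flags index files that are byte-identical in several directories and do not appear in a clean reference tree such as the unpacked WordPress download. The function names, the `min_copies` threshold and the sample tree are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

INDEX_NAMES = {"index.php", "index.html", "index.htm"}

def index_hashes(root):
    """Map SHA-256 digest -> list of index files under root with that content."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    groups[hashlib.sha256(fh.read()).hexdigest()].append(path)
    return groups

def suspicious_indexes(web_root, clean_root, min_copies=3):
    """Index files repeated in min_copies+ directories and absent from clean_root."""
    # Stock placeholder index files also repeat across directories; exclude them.
    known_good = set(index_hashes(clean_root))
    hits = [p for digest, paths in index_hashes(web_root).items()
            if digest not in known_good and len(paths) >= min_copies
            for p in paths]
    return sorted(os.path.relpath(p, web_root) for p in hits)

def build_demo_tree(base):
    """Constructed sample data: a small defaced site and a clean reference copy."""
    stub = b"<?php // Silence is golden.\n"  # constructed stand-in for a stock stub
    defaced = b"<html>constructed defacement page</html>\n"
    site = {"index.php": defaced, "images/index.php": defaced,
            "downloads/index.html": defaced, "wp-content/index.php": stub,
            "wp-content/plugins/index.php": stub,
            "wp-content/themes/index.php": stub,
            "blog/index.html": b"<html>my own page</html>\n"}
    clean = {rel: data for rel, data in site.items() if data == stub}
    for top, tree in (("site", site), ("clean", clean)):
        for rel, data in tree.items():
            path = os.path.join(base, top, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    return os.path.join(base, "site"), os.path.join(base, "clean")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site_root, clean_root = build_demo_tree(tmp)
        for rel in suspicious_indexes(site_root, clean_root):
            print("review:", rel)
```

A file that is flagged still needs to be opened and checked by hand, and a replaced index file that exists in fewer than `min_copies` directories will not be listed.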

And stop bitching and moaning. It’s not Inmotion Hosting’s fault, so calling them every five minutes won’t fix your issue any faster. They are working their asses off already. Saying that, my hat is off to Tiger M@te. If a guy in Bangladesh with a dialup connection can bring down thousands of sites, he has my respect. I actually liked his index file; he put a lot of work into it to make sure it was cross-browser compatible, even with Internet Explorer! 🙂

For those of you who are wondering what the hacked Index.php looks like, here’s one you can download. (Don’t worry, it won’t bite)

Important Update

Start backing up your sites right now. I just got a heads up from the inside that Inmotion is going to restore your sites to older backups which will not include your recent modifications. That means if their backup is 3 months old, you will lose 3 months’ worth of your content, new themes, code, blah, blah, blah.

Export ALL your content and import it on a local server like WAMP. When you are importing, make sure to import all the attachments too (these are your pictures and videos). This way, you are safe from data loss. If any of you have any trouble with exporting and importing, just leave a comment and I’ll walk you through it. Don’t forget to back up your custom CSS for plugins, SEO settings, cache settings, and your mailing lists if you have any.

Update from Inmotion Hosting 2:09 pm EST

Hi Chris,
We’re focusing on restoring index.php files first as they are dynamic. After that, our focus will be on static index.htm and index.html files. In a worst-case scenario, static index pages can be restored using Google cache in most cases if no other backup can be found:
https://support.inmotionhosting.com/cgi-bin/kb.cgi?do=read&id=103

Thanks,
– Brad

A few words from the man(?) behind the hack:

I hacked 700000 websites in one shot, this may be a new world record. After submitting 200,000 domains, zone-h was going down again and again and became almost unresponsive in the end. So I was unable to submit all websites. So I’ve listed all domains in attachment. It was not just a server hack, actually whole data center got hacked.