I woke up to a BIG surprise this morning, as I opened my web browser to my homepage. Apparently my server was hacked by Tiger-M@te. WTF!?! I couldn’t remember the last time I had backed up my site, and thought I had lost everything.
I immediately opened my ftp client, and replaced the index file at the root and in my admin folder. After a quick refresh…my site was back up. Close one! A quick re-installation of my software and all is good…for now.
I never heard of Tiger-M@te until now. After a quick search on Tiger-M@te, I ran across an interview with him where he or she states their hacking is to only servers, and doesn’t harm individual websites.
WTF?!?
If my server gets hacked along with all the other websites it serves, which by the way is Inmotion Hosting, what does that say about the Internet? How safe is our information, really? Inmotion Hosting is fairly large with thousands of others like me renting space on their servers.
The air waves of the Internet have become the new ocean waters, where pirates hijack unsuspecting people like me and you at will.
How many of you out there are in Facebook, or LinkedIn?
If they were hacked, what would it mean to you? Is our information truly ever safe?
This has opened my eyes in a big way. I have just about every security measure known implemented on my blog…I have to, otherwise my site would end up with spam links in the footer of every post. This has actually happened, and so I was consumed with securing my site. I thought I was safe, which is why I was lulled into a state of false security.
No matter what we do to incorporate security, it ultimately comes down to how secure our hosting provider is.
Here is a screen shot of the page that greeted me this morning. At least my information wasn’t lost…this time.
My Server Was Hacked by Tiger-M@te
Pirates of the Internet…sounds like a movie title
If you find your site has been hacked by Tiger-M@te, you need to first upload a fresh copy of your index files at your domain root, and admin folder. After you have regained access to your site, replace your existing software.
UPDATE: Because of all the requests I am including a clean index.php file (this only pertains to WordPress sites) here. To download: Right-click the link and choose “Save Link As…” to save the document to your computer.
Simply download it, extract the index.php file from the .zip folder, then upload it to your website root folder, replacing the corrupt index.php file.
or you can get the complete
joomla files over here
wordpress files over here
Have you been hacked? If so, was it by Tiger-M@te? Let us know.
Printer Friendly Version
{ 166 comments… read them below or add one }
I was looking at samples and when I clicked on one that same thing came up. Is my PC safe or do I need to do something?
The good news is, your PC is safe, this only affects websites.
Thank You very much!! I was scared.
It happened to me too! I have Inmotion also.
Hey Lou, replace your index files, then re-install wordpress, or whatever software you use.
Thanks Urban Cowboy. I did what you did and fixed my website myself. I’m not sure when Inmotion would have got around to it. I would imagine that they are swamped with calls.
Yea, make sure you go to your admin panel and re-install your blog software…like wordpress, or whatever you use. They have hacked ALL the index files.
Also, look in all your folders for NEW index files that he may have added.
Wait, does it really only affect websites? Because I had this exact thing happen to me JUST NOW, with the swirling window and black page, but I don’t run a website. What does this mean? *honestly afraid*
Hi syd, it just means you went to a website that had been hacked…its not your computer. You are OK.
*sigh* thank you
It happened to me too! I have Inmotion also.
Fuc***g loosers, they make the news, but if I had access to the person that hit the key to give me this sort of problem I WOULD MAKE THE NEWS! BELIEVE IT
If you find him, please let me know. I would love to help you in making the news! I’ll bring a bat!
Well, I’m afraid I too had a rude awakening when I opened up my website. I got the same page you did. When I try to go to my webmaster pages I get the same message. So, I am seriously irritated. I don’t even know how long it has been since we backed up our site.
Sorry to hear it John.
If you have a ftp client, upload your index files at the root and admin folder, then update your software. Also contact your hosting provider about this.
Your information is OK, it was just the index files that were hacked.
Hmmm – interesting. It just happened to my site – which is also hosted at inmotion hosting. I tried calling them and phone is just constantly busy. (I’m not sure if it’s always like that as I’ve never called before.) I can’t get in thru c-panel, but logged in using FrontPage and found a “index.php” file. i renamed the file and everything seemed to be back up and running. Now I find your page so it’s very reassuring to see you found the same thing. Guess I can delete that file now – of course I’m keeping my fingers crossed.
Yea, Debbie…the problem is when I looked I found new index files in all my folders with the hack
Wow, regarding that piracy thing, you’ve echoed my words! http://www.clipartillustration.com/38552/inmotion-hosting-hacked-tiger-mte-users-greeted-lame-hacked-page
My InMotion sites were hacked as well. Was this limited to inMotion or did other hosts get got?
I don’t know! Seems like just InMotion right now.
I have other sites at godaddy and blue host and they are all fine.
Urban Cowboy all I can say is “Tnanks a million & God Bless”.
BDW my site is hosted by ‘Webhostinghub’ which is a sister company to ‘Inmotion’.
I woke up this morning and say this disaster!
Have followed Urban cowboy’s step by step advice and corrected it but I cant reach the company which is quite unusual because their response is always prompt.
Will wait till tomorrow and try again.
Funny thing is that this ‘Tiger-M@te’ has a facebook following and loyalists in bangladesh….?
Pity for some of us just trying to make an honest living online. SMH.
@Vine,
I’m sure InMotion has there hands full right now. There are a lot of people that have their sites with them. I imagine getting through by phone would be quite a task. I would suggest you email them through their customer support section of their site.
Yep, we got hit too, and we’re inmotion hosted.
Woke up this morning and our site got hacked too. Every index.php was changed to exactly what you showed above and fortunately I do have a backed up copy of things to restore.
I also have inMotion Hosting. Do you think our host server that contains the instances of our VPS or hosted solution is comprimised? After reading this I get the feeling that it’s not just my VPS instance that was attacked.
-SWA
It seems to be pretty wide spread right now…unfortunately.
I’ve been hacked as well. But I’m on WebHostingHub, not Inmotion.
Same here I’m afraid, also at webhostinghub
I’m on WebHostingHub too.
Most people do not know it but WebHostingHub & Inmotion are sister companies.
I found out while chatting with the sales staff before purchasing my hosting plan.
Well we just woke up to the SAME thing on our site. We also use InMotion hosting.
FRUSTRATING!!!!!
I have been affected too…
inmotion hosting!
We have inmotion and I just checked…. we were hacked as well. Thanks for the heads up.
Did you ever think it might be a scare tactic. Software companies make alot of money off confused and worried users you know. I don’t recall any “hackers” that have trademarked their names as Tiger-Mate has. Has anyone heard of this before? I think it’s a ploy by software developers.
yes, actually, they do it quite often. This was a huge advertisement for Tiger M@te. They will get many hack job requests from this hack. Many hackers who crack video games, moveis and other things will brand the download of the crack or file with their name and contact info. Very common practice. likely not a scare tactic.
Inmotion is a sister company of webhostinghub. So I think we have determined that the hack came through their system. Mine was hacked as well on webhostinghub
I think I am not the only one. I got the same situation too. inmotion, hacked by Tiger-M@te.
–>People have too much time on their hand if they spend it trying to hack websites. The end.
Well, this website I go on ALLL of the time just got hacked by him and stuff. Like why do they even let him do that? -_-
I checked our company website this morning and found it was hacked. Apparently around 4:20AM ET this morning (09/25/11), inmotion hosting was hacked. They uploaded/copied in bogus index.php files – overriding the main pages for many accounts. All support phone numbers into the site have been busy all morning.
I haven’t received any communications from inmotion. I’d like to know what happened, how large of an exploit was it, and what are they/you doing to restore the websites and protect them in the future. In the meantime, I will be sanitizing my website – removing any proprietary/confidential information. I obviously cannot trust inmotion to protect it.
Here is the text from the index.php file distributed to the web accounts:
HackeD By TiGER-M@TE
Mine was hacked in InMotion hosting. Time stamp is 4:15AM eastern time. This guy did interview as shown in
http://thehackernews.com/2011/01/exclusive-interview-with-tiger-mte.html
Same story. Inmotion hosts our websites on dedicated servers, and they were both hacked. Inmotion’s telephone line is constantly busy. Not sure what to do. I thought that inmotion was supposed to be a good hosting company and we pay extra to have them host our sites.
If you are able, you can replace your index files, and your site will be back up. I’m sure InMotion will do something to keep customers from leaving in droves.
Replacing the defaced home page is only a short-term fix. It is an .htaccess redirect. The htaccess file needs to be cleaned up.
Hey Sib, I checked my htaccess files, and didn’t find anything out of the ordinary.
My htaccess file had been extensively motified. Quite frankly, I didn’t quite understand the coding (I am not a programmer), but I knew what the htaccess was like before (had previously been hit by a virus and got quite familiar with it at that time – and I kept a back-up copy of the previous htaccess file, as I would recommend ANYONE to do – as the htaccess file is most vulnerable and most often targeted). Anyhow, it looked like a php redirect. I restored the previous htaccess file and hope this is the end of it. Sibylle.
Happened to me as well, InMotion too! Only way to be 100% safe is to unplug the website from the internets…. On the other hand it is refreshing to know it is probably not something personal with my server (that you guys are victims as well), and it is not really on ‘our end’
Yes, but it does show us just how vulnerable we really are.
I got hacked too. However, me not being tech savvy has my website at standstill. I was on hold with my hosting site too long and just hung up. Looks like I might need to educate myself on this web stuff because i dont know how to fix it.
It will probably be quite a while…InMotion hosts thousands of websites.
Fixing the problem: The Urban Cowboy is right. To fix the problem, you need to either need to a) replace index.php file or b) remove the index.php file.
Chris
Also my website whose defaced
Now I’ve replaced index.php and upgraded joomla and chaged password
I hope now all right
But what happened? and now we are safe ?
I think InMotion had a security hole, they will have to determine how they were hacked and fix accordingly.
Ok, don’t laugh…but all I know how to do is point and click for my website. I don’t even know where to find those “index” files. So my question is…do you think if I just leave everything alone that inmotion will fix it?
Yes they will…eventually.
I help out a local company with their online/social media marketing. Their site was hacked early this morning and hosted by inmotion. Problem is, the folks who handle the website/hosting locally cannot be reached on weekends, and online booking is vital to their business. Not good at all.
InMotion Hosting has released this announcement:
Systems Announcement
Web Hosting Hub has released this announcement:
Systems Announcement
Thank you for posting this. I’m unable to access my index files, so I really appreciate your diligent updates about this.
Thank you again,
Alison
Glad to see you are up.
All or most are Apache with linux platform
Inmotion FTL.
I just got done ordering some stuff from a shower door company and after i went through the payment process I got the message hacked by tiger. Do I have to worry about my credit card?
I don’t think so. As far as I know, they only changed the index files to show that the sites were hacked. I would definitely contact the company you placed your order with and let them know what happened, though.
Hi Urban Cowboy,
Thanks to you and Chris (commenter) I followed the directions to getting my website back up and running by replacing the index.php files. I am with InMotion. Before I get so upset and leave, I’m hopeful when they fix the loophole, they will be more secure than before. Otherwise, my customer service experiences with them have always been prompt and pleasant.
It does make you realize how vulnerable we really are. Thanks again, big time!
Glad to hear you are back up. I do recommend for everyone to immediately back up their sites information.
I also use inmotionhosting and my site also has the stupid hacked index file crap in each directory this morning. Will take forever for me to clean everything up and imotionhosting’s chat is down and ph # is busy. Sounds like everyone was affected.
Yes, unfortunately this is WIDESPREAD.
thanks
welcome
Thanks for this well-timed post! This morning I woke up to the same fate. After reloading my index files, I am good to go. It is a 100% eye opener too.
So do you plan on sticking with InMotion? I will. I just hope they start buckling down on security.
Yes, I’m waiting to see what they find. They have always been good, before this I was very pleased with their up time and speed. This really could have happened at any other of the hosting providers, and very well may in the future.
Thanks for posting this info. I use a MAC and using Firefox browsing in google when it came across.
I don’t have a website so I am okay?
Thanks -
Yep, you are okay. It was the website you visited that was hacked, not your computer. There was also no virus attached.
Just checking email and this swirling black window came up…. so I should be ok? I closed it right out.
How do you reload your index files?? I tried going to google and home page, but not successful. Any recommendations?
Right now I believe the only way is to use a ftp client.
hello do you know that my fave website was hacked by them
I have replaced all of the php files in each of the folders and my website now says restricted access. What am I doing wrong?
Did you just replace the index.php files?
yes
I really don’t know. I know that InMotion is working to restore everybody’s account. Do you use wordpress?
No I use Joomla
InMotion Hosting Announcement
Important Systems Announcement – Please Read
September 25, 2011
At around 4am EST, our system administration team identified a website defacement attack affecting a large number of customers. We are still investigating, but it appears that files named index.php have been defaced.
We are evaluating how this has occurred and our security team will have more information shortly.
While we review this issue, cPanel and SSH access has been disabled on various platforms. For additional security, we are rotating passwods on a number of accounts. We will honor requests for password resets as they are needed but are attempting to limit the inconvenience to our customers as we’re able. FTP is still operational should you wish to access your files at this time and correct any issues you see yourself. We will be working diligently to make cPanel access available again as soon as possible.
If there is a defacement on your account, please know that our Systems team is working to get your site back online. If your index.php was modified, they will be restoring it from the most recent backup and no further action is necessary on your part. At this time, we do not have a definitive timeframe for resolution, but we will update this page as we gather more information.
We do apologize for this issue, let us know as you have further questions, we’ll be glad to answer them as we’re able. Please understand it will take our security team some time to review this issue before we can have a full explanation available.
when you say reinstall do you mean to go into fantastico and take the current version off and just upload it again?
NO!!! Don’t remove your software.
If you are unsure of how to do this, let InMotion take care of it for you.
Okay… Ha! that was close. What else do I do other than replace php files?
The only files that I know have been hacked is the index.php files. If you replace it with one from wordpress, the contents will be:
< ?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>
To get your site up replace the index.php located in the root directory.
I was hacked too! I don’t have a copy of my index.php on my drive so I don’t know what to do! Inmotion has been really not very helpful. I think I’m switching.
I am too. I have only had the account for two months and havn’t even launched my site yet and I have had two times now that I can’t access my website. Last time it took 3 days for them to get the site back up!!
See above for contents of the index.php file
Create a new text file and paste the above code into it. Close it and rename to index.php. Upload it into your root folder, replacing your old one. Your site will be up, but may have other index.php files throughout.
Also on WebHostingHub, nasty surprise. But as already said, just replace your index.php (you can use an old one from your test environment). I didn’t even need to reinstall anything. Fingers crossed.
Any thoughts on how we might protect ourselves in the future?
Thanks and good luck everyone!
Was definitely hacked by this ridiculous character.
Couldn’t be more annoyed at the moment.
Me to. Sites on two different servers. Looks like index.php was dumped indiscriminately into all first level folders beneath www. Easy fix to re-upload.
But I am not happy that innohosting did not have any information on their home or support pages. Support lines busy, the help desk person on chat didn’t know anything. Normally pretty good with support, this was inexcusable. LET US KNOW WHAT IS GOING ON INNO – how long does it take to update your site with information!!!! (Yeah, they did have a notice that their “system administration team is currently actively mitigating a newly released security vulnerability which has impacted parts of our network. As a precautionary measure, cPanel logins have been disabled. ” but this was not very informative.)
All of my websites on WebHostingHub got hacked by the same scum bag today. After replacing the index.php file for each domain and clearing my browser cache , all returned to normal. Clearing the browser cache is important because otherwise the hacked page returns.
When I contacted support, I got the following response:
“Yes we are aware of this issue and are working to restore the index file from backups.
System Administration has identified an issue with the server that houses your account which requires their immediate attention.
A large number of files named index.php have been defaced, apparently through a vulnerability in our support infrastructure. “
I have several websites hosted at InMotion and found them ALL to have been hacked today!! All suffering the same problem as described above. I’ve raised issue with InMotion — will have to see what they plan to do. Hate to have them revert to system backups and then for me to lose several days of blogging, site updates etc! UGH.
My site was affect as well. I’m with Inmotion hosting and haven’t been able to get in contact with them yet.
The only files affect on my site were the index.php. I was able to quickly get my site going again once I restored those files from backup.
I check all of the other files as well and it looks like the others were not affected.
Hopefully this will be resolved for everyone soon.
i blogged about press75.com being hacked. it turns out,it is not the only site that’s been h acked.
Can you give more direction about how to replace index files? I’m with webhostinghub and have also been hacked. I can access my control panel, but not understanding how to complete your directions. thanks.
You have to have a third party ftp client to access your files right now. If you are unsure of how to do this, I recommend you wait for the hosing provider to fix.
I know its not what you want to hear, but you don’t want to end up doing more harm. As of right now it will be an easy fix, it’s just that this has affected so many people it is going to take time.
Dude, I also have InMotion Dedicated Server and all my sites were hacked today!!
I called InMotion and busy signal for hours now (I guess all of you people are blocking me!!) …
QUESTION FOR ALL: why are you guys with inMotion? I actually LOST ALL MY DATA with them once last year when my other dedicated server crashed and all they said was: “sorry” …and stupid me didn’t have a backup. But seriously, they didn’t care at all! I’ve been meaning to move…but don’t know where to? Any ideas?
I don’t know. I have personally moved a couple other sites to blue host and godaddy, just to compare. Not happy with godaddy hosting, but blue host seems to be fine so far.
I had shared hosting with GoDaddy and moved because of outages and slow load times with WordPress sites. I signed up and tested sites on InMotion and BlueHost. Both were significantly better than GoDaddy with similar performance and features. I settled on InMotion because of a better coupon code at the time. Really could have gone either way. BlueHost is cheaper now I think. InMotion support has always been helpful, even proactively calling me once when they found something on my site. We’ll see how this one works out…
hey guys, thanks for the replies… I will check out the specs and pricing on BLUE HOST…
What do you guys think of MediaTemple?
I can’t use and don’t like to use “shared hosting” … I have a dedicated server with inMotion and looking for the same with anyone else.
Please let me know or get to me at miltonrodas[at]gmail[dot]com
I too had 6 sites hacked and all are on InMotion. 5 are WordPRess sites. Thank you so much for your remedy. I was able to restore all of them myself.
I have been with this host for many years, and it is my perception that something has changed in management. They used to have superb tech support and very good reliability. I can’t say that lately. The tech support people seem to want to end the call fast and some are indifferent bordering on rude. Just this weekend, I tried to move a site from an EVEN WORSE host (websitesource) but I couldn’t get the pages to show up properly in the transfer. The tech person insisted it was a problem with my code (code that has now worked for 7 years) and that I needed to go through it and change all my urls from absolute to relative. Well, problem is, they are already relative. So I couldn’t make the transfer, and the site is now still on the old awful host. So I think something has changed behind the scenes at InMotion.
I have been in touch with InMotion by email, and just received the following email from them:
——————
System Administration has identified an issue with the server that houses your account which requires their immediate attention. A large number of files named index.php have been defaced, apparently through a vulnerability in our support infrastructure. Security team members have traced this vulnerability to an authentication system and are working to patch this now. While we review this issue, cPanel and SSH access has been disabled on various platforms. For additional security, we are rotating passwords on a number of accounts, we will honor requests for password resets as they are needed but are attempting to limit the inconvenience to our customers as we’re able. FTP is still operational should you wish to access your files at this time and correct any issues you see yourself.
Rest assured that customer contact information, including personal contact info and credit cards are unaffected.
If there is a defacement on your account, please know Systems is working to get your site back online. If your index.php was modified, they will be restoring it from the most recent backup and no further action is necessary on your part. At this time, we do not have a definitive time frame for resolution, we will be updating support.inmotionhosting.com with further information as we have it.
We do apologize for this issue, let us know as you have further questions, we’ll be glad to answer them as we’re able. Do understand it will take our security team some time to review this issue, so a full post-mortem may not be immediately available.
——————–
I do
I’m looking around my files (not changing anything), but I noticed one called “hacked page”. When I click “show file”, it has a lot of code in it and identifies Tiger M@te. It ends with some mp3 code and a note to feel free to copy and paste. What happens if I delete this file?
DELETE IT
That is strange though, my files were not renamed to “hacked page” the code was just inserted into my index.php
That fixed it! Thanks for the guidance! I’m on webhostinghub. Anyone who can get into their control panel (I went in through my AMP – account management panel – page), then I clicked on “legacy files” and opened the root directory for my domain. There I scrolled down the list of files and saw “hacked page”. Following the Urban Cowboy’s suggestion, I deleted the file and my website is back and appears to be ok.
Awesome!
Yes, I had three sites hacked last night. Two were WordPress sites and the third was a phpBB site Strangely, none of my static sites were touched. I too host at InMotion hosting. They have some explaining to do.
All my sites are back up. The only reason I even knew how to fix the issue was because of your post. I have received no communication from inmotion.
Glad to hear you are back up, Greg!
The same thing happened to me today when I was browsing the web. Is there a certain amount of time I have to wait until the website I was looking at comes back up again?
You can check it as often as you like. It wont affect your computer. It will only be up when it gets fixed though…either by the InMotion or the owner.
Both my sites were hacked as well. I think tiger-m@te needs to get himself a real job or a girlfriend. Or boyfriend. I don’t judge.
Add me to the long list of people who’ve gotten this hack. I also have Inmotion and the hack occurred in a wordpress site I installed last night. I’ll take your advice and get the site up and running again thanks to your advice. Good luck to all others who have been hacked.
I know how to use the ftp, but i dont have backups, is there a generic index.php file i can use to replace the hacked one? I use joomla.
I only know how this affected WordPress sites, not sure about joomla, sorry.
You could download the joomla files here and extract the index.php file from the zip archive.
Shoot. Deleting the file called “hacked page” brought my websites back up, but when I try to get into my wordpress-admin, I am still getting the hacked page. Suggestions?
That is because he corrupted all our folders with his hack. You have another hacked file in your admin folder. Go there the same way you fixed your site, you should find another file to delete or replace.
One of my clients got hacked too. We have backups and they have been restored. I have always felt uncomfortable with all of the backdoors and rules that inmotionhosting has in place. They require us to inform them when we change the root password, and they have shown to us time and time again that they can’t be trusted with the passwords.
I recommend to everyone who will listen to find a small one or two person hosting company. You will likely pay more, but when things break you will be able to talk to the person who is going to fix your problem rather than getting a busy signal.
If you want to talk, I can be reached at sales at 2sa.ca. Do your own research though, find someone responsible and talk to them.
He got my zen cart site as well. Hub/InMotion chat responded immediately even though it said offline. They say the will send a report out. http://www.inmotionhosting.com/20110925-systems-announcement.html should also have another update within the hour.
i was on google and all of a sudden i got a swirl and a black page appeared for like 15 seconds that said your server has been hacked,tigerm@te banglesh… what does this mean?
If you are talking about a website of yours, it has been hacked like the rest of us. If you were just visiting another site, their site was hacked. It has nothing to do with your computer.
Here he is;
Imdadul Al Imraan aka tiger-m@te
http://www.facebook.com/people/Imdadul-Al-Imraan/1461516137
actually now that i think about it i was on google and clicked off that page then i was on my reg. screen then that dark page came up that said my server was hacked,im not that hip on all the terms so your saying that my pc is safe?b.t.w. i have anti virus protection and all that and it says everything is secure so i dunno
website looks ok, how do u know if had been hacked?
It sounds like you were at a website that had been hacked.
My main domain for my Webhostinghub account had been hacked as well. When I logged into my FTP account I noticed the “Hacked Page” file and deleted it. This didn’t do anything. I then followed your instructions about the index.php and this didn’t work either. Finally, I took your advice and just uploaded all the latest files from Wordpress and this fixed the issue. For those that are on Wordpress, just upload all the latest files from the download link above. Thank you for helping me out.
Glad to hear you are back up!
i was doing a search on googlethen right after i left the google page i got that hacked message
The Inmotion server was hacked by Tiger-M@te, so any website you visited may have been hosted there. Your computer is working now on other sites so I think you are okay
Looks like webhosting hub got me back up. Now who’s gonna fix the headache I have?
Cold beer always did that for me!
thanks U.C.
Hey, thanks for posting this, The Urban Cowboy. I’m on WebHostingHub too and was completely taken aback by what had just happened, but seeing this topic saying it happened to everyone using their services makes things much clearer. From their announcement, it looks like they’ll be fixing sites automatically given enough time, so I’ll probably wait a couple of hours before trying to see if my WordPress still needs fixed… Thanks!
I was hacked by this guy TiGER-M@TE too, and my sites are on Inmotionhosting’s servers.
I couldn’t wait for support so I located and fixed the problem myself too. I found that there were multiple instances of the index.php file installed however. I have a Wordpress install and the index.php in the root directory was the first one I found, but then there was another in wp-content and wp-admin that need to be updated. There was another one in wp-includes which doesn’t belong there at all, so just delete.
I have a multisite network and an additional install of WP in a subdomain which was also affected the same way.
Thanks for posting the information. I did the same.
Me too, this morning. My security picked it up right away.
Help! I don’t have a website, I’m just a plain old Mac OSX user. I visited some website last night and all of the sudden my browser window shrunk down, bounced around, and the ‘Tiger M@te’ site popped up. How do I get rid of this? Again, I don’t run a website or anything. This is happening just when I go to a standard website like google or facebook…
I really don’t know…you actually may have a virus. Do you have a virus scanner?
Same, with IMH. Site root file was ok, just every */administration/index.php file was modified or inserted on the HTML sites I have. Can’t blame IMH, they’ve been the best hosting for me to date, but stuff happens.
My sincerest thanks to The Urban Cowboy for coming up high on Google for this problem! You rock dude!!!!!!!
Glad to hear your site is back among the living.
This type of thing really is horrible. I’ve come across other sites where they are basically kissing his a@@, exclaiming how HE ‘rocks’ for corrupting our servers.
But what about US…the people who rely on our sites for so much? If you ask me, this cat is nothing more than a little kid looking for attention. It’s too bad, with his knowledge he could actually be doing good by helping people instead of hurting them.
I have multiple sites hosted on inMotion, on the same account, on the same server… but only one of them was harmed. Strange. It was also only the ‘admin’ portion of the site.
Either way, found the hacked file, deleted it, and re-uploaded my index.php.
I’m also downloading a full backup of the site, and doing a full search for any more of that tiger bullcrap. I’ll let you know if there are any other files affected..
Good to hear you are doing a back up. As far as I know, only the index.php files have been infected, but there could be more than one. I found numerous index.php files that either were infected or did not belong.
You were right. There were multiple instances of index.php’s added, regardless if there was a pre-existing one. It looks like it target was public_html/, and it opened every folder within that, and either added hacked_page, or added/replaced index.php (12,500b file size), or both.
Unlucky for him, I’m a web developer and create backups like I have OCD. The purpose of today’s backup was 1. to do a mass search for “hacked”, and 2. if inmotionhosting blows up my crap, I will have a recent file set.
Good thing you backed up your site. That was the first thing I did after getting back online. You never know what our hosting provider will do now.
Has anyone determined how they got on the servers?
Not that I’m aware of…yet.
Hi. I just got the swirling image and black box that says HACKED by Tiger M@te….. I have a MacBook Pro. I am VERY computer ignorant. I was just looking at a webpage when it happened. I have since figured out how to set up my firewall and set up “FileVault” to encrypt my “home” folder…. Is there anything else I need to do? Is anything on my computer in danger or messed up? I do not own or run a website. I’m very worried!
You are just fine, as long as you have virus protection.
I don’t think i have any virus protection. When I bought the mac, the sales people and mac people that I talked to said I didn’t need virus protection because “mac’s don’t get viruses”. And thank you!
This is a dumb question…. but i have my mac at home… it’s main use is searching the internet and watching videos, facebook and some email. Do I have a “server”?
No, you are okay. You would have a server if you had a website of your own.
I went to order some snowboard gear online this morning, and the website had been hacked by Tiger-M@te. I can’t enter the website directly, but if I go through google I’m able to access it without any problems. I want to order something, but I’m nervous to enter my credit card info. Does anyone know if the hacker is able to get that info, or what that means?
I wouldn’t order anything from the site until it has been fixed.
InMotion, of course, it seems to be the flavor of the day… I replaced my index.html file in the root directory and all is well (index.html files were hacked as well), my other index.php files were not harmed – these were located in separate WordPress subdirectories. Would there be any reason I would need to reinstall WordPress?
I reinstalled WordPress, and think it a good idea.
Hi The Urban Cowboy,
I was looking for information on Google yesterday and when I opened a website, I faced the problem that everyone here has faced, i.e. the message ‘Server hacked by tiger m@te’. Does this mean my computer has been hacked? I scanned my computer after this and found a virus that i deleted of course. Now my question is: is my computer protected or do I need to reformat it?
Waiting for your reply!
Thanks!
Your computer should be fine. I think the virus you found is related to something else. This hack only affected websites.
Please check your images folder. I just restored a client website that was hacked yesterday. Tigerm@te left some sort of surprise in the /images folder too; I am judging by the date on the file on the servers. I just deleted the whole images directory. Not fooling with it.
As far as determining about accessing the servers, TigerM@te picked on inMotion because of the apache servers, which are noted for their security problems, and then PHP, which is also a problem, security wise.
If you delete what is on the server, and restore, that would be the best route to go. I also deleted some extraneous PHP files inserted by inMotion. they may put them back, but if they do, and the site gets hacked, will suggest the client move to another hosting company.
You are correct, everyone of my wp-content folders had an index.php file inserted with the hack.
Long after the fact, I know, but I need to correct an earlier posting. Innhohosting was NOT affected. I am happy with them (and with inmotionhosting – who was affected and was also aggressively taking care of the hack.)
I’ve never been hacked… I don’t think. Sounds scary.
Hi,
If the word “security” is not proudly displayed in the first paragraph of a web hosts home page then you can bet security is far down the list of their priorities.
Search for this in Google if you are truly looking for a secure web host:
free daily malware scanning
Hello, YES this Tiger M@te “a hole” has another one + one, to chalk up to his lengthy victims list….
what kind of warped mind gets off on doing this kind of thing? Yes, I am sure it was this jerk, hacked and addressed by HIM. “It went to check on my site today and “saw White” … just found out from my Computer Guru Hubby that he has now taken care of it for me, and for himself, (no extra charge in MY case… lucky ME! If you would care to be entertained by my “2 cents on the subject,” you can read what I wrote to My personal FB Friends about being FURIOUS, email me privately and I’ll send you a private copy. Several of the bodily terms describing the UNATTRACTIVE AND VERY InCOMVENIENT anti “MATING” Afflictions I ASK GOD TO VISIT UPON HIS LOWER REGIONS should come with a disclaimer! We WILL change Web Providers, as we believe this Tiger M@te is an idiot and possibly a disgruntled employee!
Wow…they got me too…It feels like they stole the stereo out of my car
but was kind enough to use a key to open it up. I’m sure there’s a
special place in hell for geeks like that. May they live a thousand years…
on the run } –
i got hacked by them too
and i thought that i knew how to code,but when i say all the code by the hacker i was stunned lol
example of the hacker code:
function det(){window[_0x8ae2[1]](_0x8ae2[0]);window[_0x8ae2[1]](_0x8ae2[2]);window[_0x8ae2[1]]
var _0x8ae2=[“\x68\x74\x74\x70\x3A\x2F\x2F\x7A\x6F\x6E\x65\x2D\x68
Interesting, I am not on inmotion, I am on web hosting hub. A few pages like these were added, but not replaced like above.
Also, I should mention I am not using Wordpress.