This article has been updated to give information on how to fix any Directory Listing / Defacement hacks due to the recent TiGER-M@ATE attack. For more details on the issue, please see
Status of September TiGER-M@TE attack
The TiGER-M@TE attack was focused on index files, such as index.php / index.html.
Our System Administration team has attempted to restore all index files from backup for those files compromised. If a suitable backup file was not found, the hacked index file was moved out of the way, and your site may instead simply show a listing of files in the directory.
PLEASE NOTE:
In the solutions below, we reference restoring your index file from a clean backup version. Be sure to replace index files in sub directories as well, as the hack affects more than just the top level index file.
If you do have a backup of your site:
If you have a backup of your files, you can use either cPanel's File Manager to upload the backup or you can use FTP. If you're not familiar with FTP, we recommend using your File Manager as it does not require any additional software to be downloaded to your computer.
Using the File Manager to restore files:
How to restore files from backup if you do have a copy
Using FTP to restore files:
1. Setup your FTP client to connect to your server. For all the details, please see FTP Getting Started Guide
2. Upload the necessary backup files
If you don't have a backup of your site:
If you don't have a backup of your website, we do have several tuoritals to help based on certain applications:
If you need additional help
Our call center is currently experiencing a larger than usual number of contacts, and unfortunately we are unable to address all questions in a timely manner. If you have further questions, please feel free to post a question in our
Question and Answers section.
Did you find this article helpful?
Have to ditto Jenny. I woke up to about a dozen frantic emails and then the scary "hacked" on both of my websites hosted here. Could not access cPanel, could not get through to customer support, sent email, etc. THEN I saw the small message in the corner of the Hub website that lead me to this message. Could have saved lots of time.
Plus, where are the updates? What is happening? More info would be nice. I have gotten one report from a person who thinks they were attacked with a malware after going to one of my websites. This needs to be tracked and announced as well.
Please keep us informed!
Have to agree with both posters. The lack of communication from your team has made this even more difficult to deal with. I waited on the phone for 50 minutes only to find this small system announcement in AMP.
Do you have any updates on the status?
So, as I understand it...my website will be restored and I don't have to do anything to restore it, right?
This just shows the importance of backing up your own files. Had all of my sites back up in about 2 minutes
This is getting ridiculous. I found out very quick this morning when it happened because i was updating a clients page. As we speak I am losing money. ALOT of money. This looks awful for me because i convinced my customers that webhostinghub was a reliable and secure place to host their sites. We understand human garbage gets their rocks off with this stuff, but your response to this has been disappointing to say the least. I never got through to the "24/7" phone support nor the live chat. Only now did i see the tiny announcement. Even if you do fix this what is going to be done to prevent this in the future? How can I rely on you to host my sites? Will anyone be compensated for their losses? We pay for a service and I feel we are not getting very LITTLE information on a very BIG problem.
I am not sure whether you are being sarcastic or not. I back up as well, but how can I, or anyone, get the site back up when I cannot access the cPanel or anything. Not everyone is a tech wiz, which is why we have hosting services that take care of these things.
If you were not being sarcastic and have a viable solution, please share.
Hi,
I had 8 wordpress sites on this hub hosting account with this hack.
I went to another hosting account and copied the index.php file from that and uploaded it to all of my hub hacked WP sites. And that fixed all. Be sure to change the permissions back to 644 the hacked file is changed to 755.
The index.php file in wordpress is generic and should work on any WP installation the normal size is 397 all the hacked index.php files are much larger. I zipped it and uploaded it to here if anyone needs a clean index.php file.
www.rolexon.com/index-php.zip
So use FTP and overwrite the hacked index.php and make sure the permissions are reset to 644 and that will fix your WP instalation. All my data bases were OK
Rod
What was the point of me providing this service with contact information if no one was ever going to contact me when a big problem occurred?
An email stating the nature of the problem would have been nice.
For now, use Filezilla, access your site via ftp. If you don't have a back up, then search for the files called hacked_page. Then delete them, this worked for the one section of my site that i didnt have backed up. Now to go through to find any other damages.....
I was not being sarcastic, you can download a free ftp program and be able to restore your site without the control panel, admittedly this is beyond some peoples technical ability. However it is not really that difficult and may be something anyone with a site that needs to be up should look into.
1. Download free ftp software
2. Delete index.php on server
3. Upload backup of your index file.
Done
Hello Everyone,
Firstly, I just want to apologize to everyone for the bad Sunday morning you are all waking up to. In this situation, we can truly say we know how you feel, and we know there's anger and frustration.
I'm reading everyone's comments, and I just want to let everyone know that the team is here working diligently to resolve the issue at hand. Our Support team is working through phone calls, emails, and chats to keep everyone updated. Our Systems team is working on restoring files from backup as well as other items on their plate related to this.
When we have more information, it will be released.
Thanks,
- Brad
I backed up most of index.php files but I can't restore some of them because they are installed packages such as simplemachine forum and gallery. I really need your quick action to restore my sites asap. I even paid for the backup service. Thanks.
So is it best to wait for HUB to fix our hacked sites if we are not Tech Savey?? All the pages on my site are working except the page with the forum which operates on SMF software. That pages says "Server has been Hacked"..
Hi JLink,
We're currently working on restoring all compromised files. I haven't received word yet that the Systems Team has completed this yet, so if you're not sure what to do, hopefully our Systems Team will be able to fix your site soon.
Do you by chance have a backup of your site?
Thanks,
- Brad
Pretty lame that we didn't get email notification of this problem from webhostinghub.com. I thought it was just my site until I Googled "Tiger M@TE" and saw how much chaos was going on.
Every ones of my sites is up again! Great job!
SAG
2011-09-25 7:21 pm
Seem all of my sites are now working good!
GRATZ! to WHHub team on excellent job!
Well done guys!
After another 2 hour and 47 minutes have passed since your latest announcement at 1 PM but my website is not restored yet. I paid the backup service so you have my files. I would like to hear from you, Brad.
Thanks.
I mostly don't have index.php files but rather index.html files.
Here's how the hack was done with me:
1. My index.html file for the home page was erased and the ugly index.php hack file was uploaded instead.
2. In every first-level folder directory under Public_html, the ugly index.php file was uploaded but if I had an index.html file in that folder, it wasn't erased.
I restored my home page and I've mostly deleted all the bad index.php files now.
I really hope that webhostinghub keeps us updated on any other files we need to erase or restore.
But even more importantly, I wish they'd sent out e-mails and warnings and all sorts of red flags earlier, so that we would know this was a general issue and not get panicky.
Thanks,
Hi grover,
What is your website?
Thanks,
- Brad
Hi grover,
The ewhadcchapter.org site is currently pulling up for me, it no longer appears to be cached. Please clear your browser's cache and test again.
Thanks,
- Brad
Of course, it seems working because I quickly restored the damaged parts. However, the menu is not working properly. Moreover,what I am concerning is the forum and the photo gallery. They are the installed packages so I don't have the backups. That's why I paid the service.
I temporarily changed the index.php but you gotta restored them. http://www.ewhadcchapter.org/forum/
http://www.ewhadcchapter.org/gallery/
Both my websites are up - thank you - and I can access the Wordpress dashboard. And I can get into my Hub account page. However, I cannot get into my cPanel. I have cleared cache, restarted my computer, changed the password several times, but nothing works.
Any further suggestions? I still cannot get through to a tech support person on chat.
Brad,
I would really appreciate if you restore the whole site (ewhadcchapter.org).
Hope it is done till tomorrow morning.
Thanks,
Grover
Don't make a comment that "Currently, you should not see defacement on your site...." when you aren't through - my site still has the hacked page and I have cleared my cache.
I changed to you for my personal websites to evaluate you for a business partner to run their business websites. Suffice it to say it will be difficult to choose you, your support posts are incorrect and infrequent and your security obviously can't be trusted.
Hi SharonL,
I just heard from our Systems Team that cPanel has not yet been re-enabled on all servers yet. It should be available soon.
Thanks,
- Brad
I re uploaded my site, but cannot send emails. Does this have something to do with the hacking? I get this message: Task 'koonz@geoblox.com - Sending' reported error (0x800CCC78) : 'Cannot send the message. Verify the e-mail address in your account properties. The server responded: 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)'
Where are my account properties? All I can find is a place to add a new email address.
I have replaced my index files several times and everything seems to be working correctly other than my main blog, which is the most important to me of all of them. I've replaced the index.php file in the themes folder many times and it NEVER got rid of the "hacked" page. Currently my main page is blank white, because I accidentally uploaded the clean wordpress index.php file into the main public_html folder and it overwrote whatever that index file was supposed to be and I can't seem to locate a copy of it to be able to revert it back to what it should be. I had severaal windows open at the time frantically trying to figure out why reuploading the index.php was working for everyone but me and I mistakenly uploaded into the wrong window. If you could even point me in the right direction of where I can find that main directory index.php I'd appreciate it. I got two emails in response to MY email to you so far and they were both basically the same thing.
I can not believe the users that were affected by the hacking of WebHosting Hub's servers were NOT notified.
Nor has your 'automated fix' done a very good job of bringing websites back online. For mine, it appears no backup in your system was found, a scary thought, as most of the Wordpress installations on my hosting account were simply pointing to a directory of contents. Nor did your 'automated fix' go through other installed programs, even those installed via Fantastico de Luxe, such as PHPList, Piwik, etc.
[u]<strong>Very, very poor service!!!!</strong>[/u]
Mark
2011-09-26 6:33 am
Since the hack my email accounts are not working. I can receive but not send anything from the accounts hosted by WHH. I've tried calling there support and using web chat but get nowhere. Anybody else experieincing this and know when it might get sorted?
Wondering if they have found the fix for this? will this happen again, if not, how to be sure?
Seriously I thought that webhostinghub is secure enough and for that reason I have hosted couple of websites on it, after this tragedy I am thinking moving to more robust and secure sever somewhere else. I tried to contact them, using available services, but no go.
My advice to you:
- Inform you users to change their pwd
- Change your cpanel and phpmyadmin pwd
they might have also stolen your pwd.
Hi Everyone,
This is Christi with the Web Hosting Hub Support Team.
Our Team has posted a few times already in the comments here, and I just wanted to touch base again.
First off, we are very sorry for the hacks that have occurred. As you know, our own sites were targeted and affected as well, so we do understand your frustration and anger. We have everyone on the team working to resolve the current issues at hand, and we do appreciate your patience. If you haven't already, be sure to check out
http://status.webhostinghub.com for any updates as they will be posted there.
Our Support team is very busy and has been working around the clock accepting phone calls, responding in chats, and answering emails. Because of the large volume of incoming contacts, there are excessive wait times, and again we do apologize.
Our Customer Community Team is currently working on contacting everyone who has posted a comment here to ensure issues have been resolved. It is recommended however that if you need assistance, please email our Technical Support Department - support@webhostinghub.com
Thank you.
- Christi
Rip
2011-09-26 1:21 pm
Since yesterday I have been unable to send email. When I try it is rejected with the message:
550-"JunkMail rejected - (my host name)
([192.168.1.19])
Just to be clear, I replaced my computer's host name with "(my host name)" since it includes my IP address.
I find it suspicious that the IP address that follows my host name is a local IP address and presumably it's rejecting my mail because my host name's IP address doesn't match it.
I thought it might be a problem with my email authentication so I went into cPanel and disabled both DomainKeys and SPF but that didn't make any difference. It continued rejecting my email so I reenabled them.
Is cPanel access still down? If so is there an updated ETA on return to normal service?
Thanks and Cheers.
I still can't get it. I have sent emails and been told they are working on it and will reset my password. I just have no clue if that will be today or a month from now or never. And still no ability to chat with a tech online.
cpanel still isn't working nor can I get into webmail. Passwords to cpanel seem to have been reset. At least ftp is still working. Anyone else experiencing the same thing?
I have been reading blogs and some have indicated that more than just the index.php was hacked. it would be great if WebHostingHub would let us know the extent of damage and what we need to do now.
See support ticket #36633
I have reset about a hundred times - and I am NOT exaggerating. Sent so many emails, have a support ticket open and unanswered, can't chat on line, etc.
I know you all are working hard on this, and I do appreciate the efforts and I do understand. But please do not be what, to me, sounds condescending by simply telling me to "reset the password." I am admittedly not a techie but I do know at least that much!
Sorry, just a bit frustrated as well.
Is anyone else having problems with outgoing email?
I have reset password I'm able to find server, but an error message tells me I'm getting no response from server.
Thanks for any help.
This morning I received this error message from Outlook when trying to send out emails.
Task 'steve@coralreefecosystems.com - Sending' reported error (0x800CCC78) : 'Cannot send the message. Verify the e-mail address in your account properties. The server responded: 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)'
I haven't changed anything and I am able to receive my emails via Outlook. I see other complaining about this same issue since the attack. I need to get this fixed ASAP. It's costing me money.
Hey everyone, I don't know if you have found the fix for this on your own yet, but the same thing happened to two of my users here at work yesterday. I found that for some unknown reason, under outgoing mail settings, the "My Outgoing Server (SMTP) Requires Authentication" check box had become UNchecked. This did NOT happen to me, I might add. To fix this in Outlook, go to: TOOLS > ACCOUNT SETTINGS > EMAIL ACCOUNT NAME, double-click on the account in question, click on "MORE SETTINGS" in the lower-left corner. Then click the "OUTGOING SERVER" tab at the top of the Internet Email Settings page. Re-check the "My Outgoing Server (SMTP) Requires Authentication" check box, and click OK. Restart Outlook, and you should be good to go. Hope this Helps
checking (SMTP) Requires Authentication" check box and re starting Outlook worked for me.
Thanks as no one from HUB has gotten back to me about it.
I'm still having serious email problems. The error message from Outlook says "unable to logon to outgoing mail server (SMTP)"
I have the box checked for outgoing server (STMP)requires authentication.
I'm using the correct password, I'm using the correct port.
Any ideas are welcome.
This is bazarre... I had another user with the same problem, but this has not yet happened to me. Carmen, am I correct in assuming that you have not touched any of your settings prior to this issue?
That's right, Upperme@wildblue. Yesterday, I reset passwords to cPanel and mail account. After making the password changes, I struggled to figure out which password belonged in the Outlook account setup. It's the mail account password - I'm assuming. Today, in addition to not being able to send, Outlook is not receiving either.
In the meantime, I'm using Horde(webmail)it's letting me read but not send. So now I now need to figure out how to setup Horde....
Hi SharonL,
I see from your account notes that our Support Team was able to help with the cPanel password issue.
If you are having any further issues, please do let us know. I apologize for the delay in response, but we are more than happy to help.
For others that are having similar issues logging into their cPanel, please let me know so that I can contact you individually for further assistance, as unfortunately the password reset option within AMP has been temporarily disabled for security reasons.
Thanks,
- Brad
Hello All,
For those users that are still having an issue with sending email:
Please be sure that you have SMTP authentication checked in your email client. If you do and you haven't net, please restart your email program and then test again.
The following article should provide more information for troubleshooting this:
http://www.webhostinghub.com/support/email/email-troubleshooting/email-invalid-helo-name
If that does not help, please let me know so that I can contact you individually.
Thank you.
- Brad
Login to comment.
