Technicians Work to Restore Websites After Exploit
For Immediate Release (Photo attached if required)
Technicians Work Overtime to Restore Websites After Weekend Exploit
Technicians at IT infrastructure hosting and management firm iSERVE worked overtime at the weekend to restore the content of hundreds of websites defaced by a hacker exploiting a security vulnerability on one website.
iSERVE technicians and support staff have been inundated with hundreds of phone calls and emails regarding this exploit over the weekend.
The exploit was launched at around 8:45am on Saturday (August 5) when a PHP-Nuke/phpBB vulnerability on a site hosted on the iSERVE virtual hosting environment was used to install a malicious script and overwrite a large number of existing files in the folders of many iSERVE hosted websites.
The vulnerability was created when one client ran an insecure version of the software within their website.
Due to the large number of iSERVE clients that were affected by this hack and the severity of the exploit, iSERVE was forced to shut down all FTP servers.
“We acted quickly to prevent further defacements and to allow technicians to survey the extent of the damage caused,” iSERVE General Manager Joy Cottle said.
“When it soon became apparent that a large number of iSERVE clients were affected by this exploit, a decision was made to restore content from an iSERVE system backup that was fully tested and known to be clean of any exploitable data.”
The most recent backup that iSERVE technicians were able to verify as being clean was from Wednesday morning (August 2). At 3:45pm on Saturday, technicians commenced restoring this data system-wide, a process that took 22 hours to complete.
As a result, some iSERVE clients may notice that any changes made to their website content after Wednesday will be lost from the servers. “This was unfortunately unavoidable,” she said.
Just recently iSERVE had reviewed its security policies and introduced many changes to PHP configuration and various firewall and system rules to ensure client content is protected as well as it can be in a virtual environment.
“We are now reviewing those policies again and may make a decision to no longer support the hosting of products like PHP-Nuke and phpBB, which seem to be at the top of the list when it comes to exploitable scripts, and the vehicle by which hackers prefer to launch their attacks.”
The company deals with multiple hack attempts on a daily basis and this had led it to impose those earlier stricter restrictions on its clients. “We have a number of systems in place that detect intrusions and check for exploitable data. When an attempt occurs we contact the client directly to fix the problem.
“It is highly unusual for these attempts to amount to anything as we have usually intercepted them before any real access is made.
“However, this weekend’s events happened too quickly and show no matter how vigilant you are these attacks can happen, and they can happen to anyone. It is like living in an apartment block, when someone leaves a window open it can affect the security of all tenants.”
She said the company has learnt that the hacker responsible for this weekend’s attack is based in Turkey and is considered to be on the world’s top 50 hackers list. He replaces user content on affected sites with the text: "Thehacker iz birakanlar unutulmaz". Roughly translated this means: "Those leaving a sign won't be forgotten".
From information the company has obtained, this particular hacker is responsible for a further 1000 defacements worldwide since the attack on iSERVE.
“He is known to target very busy political websites so it would seem that this latest attack could have been politically motivated,” she said.
The websites of ACT Leader Rodney Hide and other political-related sites were among those affected by the weekend exploit.
Joy Cottle is extremely disappointed that the client at the centre of this exploit did not keep their version of PHP-Nuke up-to-date. “We have recently placed a huge emphasis on advising clients that they must ensure that, if they are keeping scripts like this, that they are using up-to-date and fully patched versions.
“Had the client not run this particular script on their site, literally tens of thousands of dollars of billable time would not have been incurred and hundreds of clients would not have been affected.”
A full investigation into the exploit will be undertaken next week and iSERVE will make a decision whether any further action needs to be taken to reasonably prevent further attacks.
“We are confident that our security has been and is of an acceptable level. This is an extremely unfortunate event, however, and it could have been any New Zealand ISP in the same position this weekend.
“Our staff has done an amazing job in containing and minimising the effects of this hacker’s work,” Joy Cottle added.
--
About iSERVE
The iSERVE group is an IT infrastructure hosting and management firm, providing a range of hosting plans and services to suit small, medium and large sized private and public organisations in a variety of industries. Founded in 1999, iSERVE has more than 40,000 customers, hosts more than 150,000 web sites, online applications, databases, domain names and email accounts and has been ranked as ‘New Zealand's Number One Hosting and Domain Name Company’ by Hitwise EVERY quarter since October 2002. The company was ranked the tenth fastest growing New Zealand firm in the 2005 Deloitte/Unlimited Fast 50 awards and the fastest growing web hosting service in the Asia/Pacific region in the 2005 Deloitte Fast 500 Asia Pacific awards.
ENDS