Hundreds of websites have been defaced by hackers who hijacked a web-hosting server run by UK domain registrar DomainMonster.
The index.php pages on the attacked sites were rapidly vandalized by miscreants late on Tuesday, with 612 domains and sub-domains overwritten within seconds of each other. The websites hit include DomainMonster’s own blog.
The hacked server is at 18.104.22.168; this IP address belongs to Mesh Digital, which is based in Woking, England, and provides various online services to companies and brands. DomainMonster is the trading name of Mesh Digital, and sells domains and web hosting.
[Image: The page that greeted pwned webmasters after Tuesday night's hack attack]
The server or servers behind that IP address have been successfully attacked in the past, too, in 2016 and 2015. This week, it appears hacker gangs BD Level 7 and NHA had a power struggle over who owns the machine, with the so-called agency winning. The first sites roughed up by the NHA appear to be porno-related, and then it seems the attackers scribbled over the index pages for everything else hosted on the box – including sites belonging to small Brit businesses.
If you have anything sensitive stored on that server, such as customer information, consider it compromised. DomainMonster did not respond with comment when poked by El Reg last night. ®
Thanks to Reg reader Mike for the tip-off.
Source: SANS ISC SecNewsFeed @ February 21, 2017 at 11:45PM