It is a fact universally acknowledged that running a WordPress site is a dangerous thing to do. WordPress is often attacked by hackers, because so many sites run it and so many people are not good about installing security updates. The hackers will use the commandeered sites for all sorts of nefarious purposes: installing malware, hosting phony bank pages that they then spamvertise in “Update Your Account Now” spam emails, hosting redirectors that lead people to spam or porn or phish pages.
I get a lot of spam emails, and when they lead to phony bank pages I will often check the top level of the site that the phony bank page is hosted on to see what’s going on. As often as not, the phony bank page is living on a WordPress site whose owner chose a bad password or was negligent about updating, and got pwn3d.
So it was that I found a fake PayPal page and, when I checked the home page of the hijacked site it lived on, I saw something odd: the home page had been deleted and replaced with a message reading “HACKED BY DARKSHADOW-TN AND ANONCODERS”.
I didn’t realize I was about to stumble on a massive (and still ongoing) security breach at two large Web hosting companies, Arvixe and Eleven2.
Curious, I did a Google search for that phrase (hacked by darkshadow-tn and anoncoders) and found thousands of Web sites that had been hacked and defaced with that message. And I do mean thousands–nearly three thousand in all.
I started working through the Google list, visiting each Web site to see if the defacement was still present. I discovered that there were three basic types of defacement, almost all of them done to WordPress sites.
Some sites had their content removed and replaced with a simple text message.
Some had the content left alone, but the page title changed to read “+ADw-/title+AD4-HACKED BY DARKSHADOW-TN AND ANONCODERS+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-“. This appears to be a misconfiguration of the automated tools the hackers used to deface the sites; it seems the hackers were trying to insert this in the page’s body.
Some had a defacement message injected into the body of the Web site, usually at the top.
So, who are Darkshadow and Anoncoders?
Anoncoders is a loosely-organized group of Islamic computer hackers who use automated tools to hack poorly secured Web sites and deface them with anti-Israeli and pro-Muslim messages. They even have a Facebook page and everything.
Darkshadow is a group of pro-ISIS Muslim extremists who, like Anoncoders, often hack sites to deface them with pro-ISIS, anti-Israel, and/or anti-Western messages. They used to have a Facebook page, but it’s gone as of the time of writing this.
So we’ve got a couple of pro-Muslim, anti-Western hacker groups who generally use automated tools to hack low-lying fruit, such as WordPress and Drupal sites that are running old versions or otherwise poorly secured. So far, so ordinary–dare I say, even boring. These kinds of attacks are a dime a dozen.
I started making a list of hacked sites, checking who the Web host was, then sending emails to the Web host abuse address letting them know they were hosting hacked sites.
That was when things got interesting.
As I went through the results of the Google search, cataloging thousands of hacked sites, I started noticing something weird: all the hacked sites were on only two hosting companies. Roughly half of them were hosted by Arvixe, and the other half were hosted by Eleven2, an outfit that’s a subsidiary of a company called IH Networks.
That raised the possibility that this wasn’t merely an automated, script-kiddie attack against a bunch of low-hanging fruit, but a breach of two hosting company’s Web control panel software or some other weak link in the hosting companies’ software infrastructure.
I sent off emails to both Web hosts letting them know they had been the subject of a massive breach.
Unsurprisingly, neither of them responded. I say “unsurprisingly” because I have a long history of discovering massive security breaches at large, popular Web hosting companies that go unrepaired for months or even years.
I sent notifications to both of those Web hosting companies about three weeks ago. Upon re-examining the hacked sites today, I discovered, disappointingly, that the security problems have not been fixed and the sites remain compromised.
So I went back and looked at past abuse reports I have filed with those companies. This is my first contact with Eleven2, but I noticed that hacked sites I had alerted Arvixe to as long ago as last September are still compromised.
It seems there is a lesson here: Both Arvixe and Eleven2 have severe ongoing security problems and are more or less completely indifferent to fixing the problem.
If you use either of these Web hosting companies, I would suggest it might be prudent to examine your site carefully for security breaches, and to move to a different Web host as promptly as possible. It’s never a good sign when a Web host ignores reports that their servers have been breached by ISIS-affiliated hackers.