In the spirit of transparency which I believe is the foundation of trust in government, I wanted to report to you about a hacking incident affecting my websites (among many others at my web hosting company, InMotion Hosting). The hacker defaced the sites that he accessed by replacing their home pages with a page announcing that the sites had been hacked.
Essentially, the hacker gained access to a number of websites by hacking a server control system at the hosting company early on Sunday morning, September 25. We learned of the hack at around noon and our sites were down Sunday afternoon while we assessed the situation and then made the necessary repair.
My websites do not retain any credit card numbers or security codes. So, no past donor credit card numbers or codes could be discovered by an attack on our sites. Our campaign website (mywillbrownsberger.com) does retain donor names and addresses, but these are disclosed publicly as required by law anyway and there is no indication that the hacker was actually accessing site data — he just splashed his page across a large number of sites. However, the fact that the hacker could access the sites and replace the front page indicates indicates a serious security gap — had the hacker intended to, he could have done more damage, accessed data or inserted code to covertly intercept financial information.
A hack that would covertly intercept financial information would require a more particular corruption of our site — as opposed to simply replacing the front page. This would most likely require a more lengthy study of our custom configuration. I have personally made a campaign donation through the online campaign site after the breach and do not feel at risk.
We will monitor communications from hosting company about the security measures that they take to prevent recurrence of this incident. Below is the message transmitted last night from the President of InMotion.
Dear Will Brownsberger,
As you may be aware, our network, and potentially your server, was the
target of a large scale website defacing attack this morning, Sunday,
the 25th. The defacement worked by replacing index files in all
public_html directories with the attacker”s index.php. At this time, it
does not appear to be any more malicious than taking over the web site”s
home page, but we are still reviewing servers at this time.
We understand the method the attacker used to accomplished this and the
main exploit path was through an internal management server that can
control Cpanel on other servers. The management server was used to
change passwords on the Cpanel servers then login with those passwords.
It does not appear that gaining passwords was a goal or was
accomplished, just password changes were used. Access to the management
server was gained from an exploited customer”s server that was within
Though our team moved quickly to disable the internal management server
and limit the exposure of the servers to this attack when it began, it
was a very serious breach and could have been much worse if the hacker
had intended to do more harm.
At this time, we want to be sure you are aware of the attack and your
server”s potential exposure. Our systems team has moved to repair the
index files, but the automated system is still running and may take a
few hours to finish all sites.
Please you review your sites if you have not already done so. If you
have a backup of your site, you may upload your index.php files to
correct this. You will most likely need to do this for each directory.
If your site uses an index.html or index.htm, you will need to upload
those files, then delete the index.php.
If you were affected and you need assistance recovering the home page or
other directory indexes, please contact us.
Further, if you feel your server has been targeted more in-depth than
the index.php defacement, please contact us immediately and we will do
an additional scan on your server.
Though it does not appear gaining passwords was an intent of this
attack, it is recommended that you update all of your passwords related
to your server.
Please note, our billing, domain management, and customer tracking
system (AMP) was not targeted, nor was available to the Cpanel
management server. It is on a separate network and firewall.
Please accept our apologies as we go through this process. We are very
aware of our failure in this situation and we will provide more details
when we have completed the work of recovery.
Again, please review your server and sites if you have not done so
already. Reach out to us immediately if you suspect a more in-depth
attack on your server.