Customers of a UK-based web host called Daily Internet Services had their websites defaced by hackers, who replaced their index pages with an image featuring Tux, the Linux penguin mascot. The company has restored the affected pages from back-ups and is currently investigating the attack.
Daily Internet Services issued a warning regarding this incident, which was marked with "high severity," Thursday at 09:52 am. "We have received reports this morning of a small number of customer websites having their index or start page replaced with an image and in some cases text as well," the company announced.
Subsequent investigations revealed that this was a mass-defacement attack, in which all pages with "index" in their name, such as index.html, index.htm or index.php, were replaced. A restoration process from back-ups was initiated at 10:45 am and completed by 09:00 pm on Thursday evening.
A website defacement involves replacing the original content with text or images produced by the attacker in order to make a statement, send a message, or take credit for the hack. In this case, the affected pages were replaced with an image depicting Tux in three different positions, with his hands over his eyes, ears and mouth respectively.
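For administrators of shared hosting, the pattern described above (the same replacement content appearing in the index files of many unrelated customers) can be checked for directly. The following Python sketch is an added example, not code from Daily Internet Services or from the original report; the one-directory-per-site layout, the file contents and the allow-list of known benign shared files are constructed assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_files(site_root):
    # The report says every file with "index" in its name was replaced.
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            if "index" in name.lower():
                yield os.path.join(dirpath, name)

def find_mass_defacement(hosting_root, min_sites=3, known_good=frozenset()):
    """Map digest -> sorted site names for index content shared by >= min_sites sites."""
    sites_by_digest = defaultdict(set)
    for site in sorted(os.listdir(hosting_root)):
        root = os.path.join(hosting_root, site)
        if os.path.isdir(root):
            for path in index_files(root):
                sites_by_digest[sha256_file(path)].add(site)
    return {d: sorted(s) for d, s in sites_by_digest.items()
            if len(s) >= min_sites and d not in known_good}

STUB = b"<?php // placeholder\n"        # constructed: benign file many sites share
DEFACED = b"<img src='defaced.png'>"    # constructed stand-in for the replaced page

def build_sample(root):
    """Constructed sample: four customer docroots, three with replaced index pages."""
    pages = {
        "site-a": {"index.html": DEFACED, "inc/index.php": STUB},
        "site-b": {"index.php": DEFACED, "shop/index.htm": DEFACED, "inc/index.php": STUB},
        "site-c": {"index.htm": DEFACED, "inc/index.php": STUB},
        "site-d": {"index.html": b"<h1>Site D</h1>", "inc/index.php": STUB},
    }
    for site, files in pages.items():
        for rel, body in files.items():
            path = os.path.join(root, site, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        allow = {hashlib.sha256(STUB).hexdigest()}
        for digest, sites in find_mass_defacement(tmp, known_good=allow).items():
            print(digest[:12], sites)
```

Without the allow-list, files that legitimately ship identically with many sites would be reported alongside the defaced pages, so the list needs to be built from a known-clean state such as the back-ups.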
The image is inspired by the famous "three wise monkeys" pictogram, which signifies "see no evil, hear no evil and speak no evil." It was also accompanied by a message attributing the attack to Heart_Hunter of the TH3_H4TTAB hacking crew. According to the Zone-H archive, TH3_H4TTAB has a long track record of mass defacements.
The hosting company is still investigating how the hack was performed, but in the meantime it has strengthened the security policies on its servers. "We are confident there will be no repeat events as all servers are locked down," it notes.
There is also reason to believe that the PHP distribution played some role, as it has since been upgraded to a newer version. As a result, some features or modules might not be working as expected, the company advises. Additionally, database-driven websites could experience slowdowns, because some of the servers have been removed from the cluster for further investigations.