The Internet Group has admitted the loss of 4500 sites from its homepages server was the result of a malicious attack. The company is soon to send an email to customers explaining that the attack was made via a security hole in a CGI script on one user's site.
There are many known attacks exploiting such scripts, and some ISPs either forbid their use or allow customers to use only supplied scripts. Others, like Ihug, vet all customer scripts before allowing them to be uploaded - but this one appears to have slipped through the net.
The company has apparently spent the last two days tracing exactly what the attacker did. According to the email from Ihug director Bart Kindt, the intruder attacked both the master boot drive and the main 17 Gigabyte RAID system, which contained all the Website files for Ihug's US-based homepage machine, crash.ihug.co.nz.
The server's pre-configured emergency boot drive was also badly damaged. Ihug has been criticised for not backing up the 12,000 customer Websites hosted free on the server, but Kindt says that "in a case like this, where a hacker gains access to the system, even a backup drive would not protect the data."
Ihug staff member Matthew Oram has been at the US site repairing the drives.
As a result of the calamity, the company has put an interim ban on all CGI scripts on the server and, says Kindt, "we have to decide if we will be accepting customers' CGI scripts on our server in future."
Kindt says the company is "looking at ways to protect all virtual hosted pages for our corporate customers" but emphasises that this is "a courtesy only" and that customers are responsible for backing up their own data.
"We will try to devise a structure so that in the unlikely case of a future security breach, the backup drive cannot be accessed at all."
Kindt says the company's network operations team is "constantly following the known 'hacks' which are posted worldwide on various Web sites, newsgroups and IRC servers. In some cases we have only minutes to fix security holes in the programs running on our Unix machines, before somebody exploits such a security hole.
"In the last 4 years we have been mostly successful in keeping our servers secure. Many overseas ISPs have not been so lucky."