DomainMonster Hacked: Hundreds of websites defaced

Hundreds of websites have been defaced by hackers who hijacked a web-hosting server run by UK domain registrar DomainMonster.

The index.php pages on the attacked sites were rapidly vandalized by miscreants late on Tuesday, with 612 domains and sub-domains overwritten within seconds of each other. The websites hit include DomainMonster’s own blog.

The hacked server is at 109.68.38.20; this IP address belongs to Mesh Digital, which is based in Woking, England, and provides various online services to companies and brands. DomainMonster is the trading name of Mesh Digital, and sells domains and web hosting.

A group called the National Hackers Agency claimed to be behind the mass defacements. You can find a mirror of the graffitied DomainMonster blog and all the other trashed sites here – visit at your own risk as it may have nasty JavaScript on the page. All the defaced pages appear to be the same.

The server or servers behind that IP address have been successfully attacked in the past, too, in 2016 and 2015. This week, it appears hacker gang BD Level 7 and NHA had a power struggle over who owns the machine, with the so-called agency winning. The first sites roughed up by the NHA appear to be porno related, and then it seems the attackers scribbled over the index pages for everything else hosted on the box – including sites belonging to small Brit businesses.

If you have anything sensitive stored on these servers, such as customer information, consider it compromised.