LeaseWeb, one of the world's largest hosting providers, has been defaced by Palestinian hackers calling themselves the KDMS Team. LeaseWeb was previously the hosting provider for Megaupload, one of the biggest file-sharing websites. Megaupload founder Kim Dotcom later claimed that LeaseWeb had deleted all Megaupload user data from 690 servers without warning.
The hacker group replaced the website's homepage for just a few hours with an Anonymous Palestine homepage titled "You Got Pwned". The defacement message says:
Hello Lease
Web Who Are You ?
Who is but the form following the function of what
and what are you is a hosting company with no security
KDMS Team : Well ,, We Can See That :P
We noticed that the attacker has just changed the DNS server to point the domain to another server at 67.23.254.6, owned by the attacker. At the time of writing, the LeaseWeb team has resolved the issue and pointed the domain back to the original server.
But because the hack happened just a few hours ago, the Google DNS cache is still pointing the domain to the attacker's server. Change your DNS server to 8.8.8.8 and access the LeaseWeb site again, and you will be able to see the defaced page, as shown above.
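The state described above (delegation restored at the registrar while a public resolver still serves the attacker's address from cache) can be checked from the defender's side. The following is an added example, not part of the original article: it parses `dig +noall +answer`-style output and flags records that differ from a known-good baseline. The baseline name servers, the legitimate address and all TTLs are constructed placeholders; only leaseweb.com, 67.23.254.6 and 8.8.8.8 come from the article.

```python
# Added example. Baseline values and TTLs are constructed placeholders.
BASELINE = {
    "NS": {"ns1.expected.example.", "ns2.expected.example."},  # hypothetical
    "A": {"192.0.2.10"},  # hypothetical legitimate address (TEST-NET-1)
}

# Constructed `dig +noall +answer` output, keyed by where it was queried.
SAMPLE = {
    "registry-delegation": (
        "leaseweb.com.  172800 IN NS ns1.expected.example.\n"
        "leaseweb.com.  172800 IN NS ns2.expected.example.\n"
    ),
    "8.8.8.8": "leaseweb.com.  2710 IN A 67.23.254.6\n",
    "authoritative": "leaseweb.com.  300 IN A 192.0.2.10\n",
}

def parse_answer(text):
    """Parse 'name ttl class type rdata' lines into (type, ttl, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN" or not parts[1].isdigit():
            continue  # not a well-formed answer record
        records.append((parts[3].upper(), int(parts[1]), parts[4].lower()))
    return records

def audit(source, text, baseline=BASELINE):
    """Return one finding per record whose value is not in the baseline."""
    findings = []
    for rtype, ttl, rdata in parse_answer(text):
        expected = baseline.get(rtype)
        if expected is not None and rdata not in expected:
            # The TTL is how long this resolver may keep serving the answer.
            findings.append({"source": source, "type": rtype,
                             "value": rdata, "cached_for_s": ttl})
    return findings

def audit_all(samples):
    """Audit every source; a non-empty result means drift or a stale cache."""
    return [f for src, txt in samples.items() for f in audit(src, txt)]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```

Run against live `dig` output on a schedule, the same comparison catches an unauthorized delegation change at the registrar as well as resolvers that are still serving a hijacked answer after the fix.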
The hacker also posted on the homepage, "Do You Know What That Means ? We Owned All Of Your Hosted Sites Index On Your Site Is The Prove ;)".
It appears to be only a DNS hijacking, but the hackers told The Hacker News, "We owned Leaseweb Servers and kept some of their servers for us. But we only changed the DNS Server for now, because we faced some problems with the company website. Here, all what we need .. is to add our signature on their homepage to prove that there is not Completely Secure. If we can pwn them, we can hack other big providers too."
The hackers didn't claim that they got hold of customers' information or credit card numbers. Stay tuned for further updates on this story.
Update (9:35 PM Saturday, October 5, 2013 GMT): We contacted LeaseWeb and asked them to provide an official statement on the hack and the hackers' claims.
Update (5:51 AM Sunday, October 6, 2013 GMT): LeaseWeb confirmed the hack and tweeted, "Website should be back to normal in a few hours. No customer data compromised. We continue to investigate."
Update (2:17 PM Monday, October 7, 2013 GMT):
LeaseWeb replied to The Hacker News and posted updates on their blog, "This DNS hijack was quickly detected and rectified by LeaseWeb's security department."
"The unauthorized name server change for leaseweb.com took place at our registrar on Saturday 5 October, around 19:00 hours CET / 1 PM EST."
"Our security investigation so far shows that no domains other than leaseweb.com were accessed and changed. No internal systems were compromised."
"Details of how exactly the hijack could have happened are not yet 100% clear at the moment of writing."
LeaseWeb also explained to The Hacker News that they don't use the WHMCS software (which is currently vulnerable to a zero-day SQL injection flaw) and that they have their own in-house developed software for the client billing system.
"Right now, it appears that the hijackers obtained the domain administrator password and used that information to access the registrar."