HOSTING FIRM Leaseweb has admitted that it was the recent victim of a DNS hijack, but said that no customer data was touched.
The firm has posted a message about an incident on its website. It said that it discovered something was up, checked it out and dealt with it. It suggested that there is nothing more to see there.
"Last weekend the leaseweb.com website was unfortunately a direct target of cybercriminals itself. For a short period of time some visitors of leaseweb.com were redirected to another, non-Leaseweb IP address, after the leaseweb.com DNS was changed at the registrar," it said in a post written over the weekend.
"This DNS hijack was quickly detected and rectified by Leaseweb's security department. Although it seems to have had only superficial effects, we seriously regret this event from happening."
The firm said that it has carried out some investigations already and found no evidence of any more domains being changed and said no internal systems look like they have been compromised.
"One of the security measures we have in place is to store customer data separately from any publicly accessible servers," it added. "We have no indication that customer data was compromised as a result of this DNS hijack."
In the attack the title of the spoofed Leaseweb website homepage was changed to "You got pwned". Text was added to the page and goaded the firm.
"Hello Leaseweb. Who Are You ? who is but the form following the function of what. and what are you is a hosting company with no security KDMS Team : Well, We Can See That :P," it said, according to the cached webpage. The KDMS Team is a Palestinian hacking group. It does not seem to have taken credit for the attack elsewhere.
The firm is already disputing some reports about what happened, and has poured cold water on speculation that a vulnerability in WHMCS software might have been to blame. It said that this "cannot be the case".
"LeaseWeb uses its own in-house developed software for its customer panel, which does not seem to have been part of the security issue," it added.
"Right now, it appears that the hijackers obtained the domain administrator password and used that information to access the registrar. We will continue to investigate this incident thoroughly and take decisive action accordingly." µ