7/19/17 - 7/21/17 - "Hacked By S4H4Ni" Message - RESOLVED


7/24/17 9:00AM Our teams have met and reviewed the issues from last week's security breach.  We have audited all sites and code and have found no other vulnerabilities.  We are finishing up a review of our processes and will be implementing multiple changes not only to code review, but also in our communication and support procedures.  While this event was disruptive, we are doing our best to make sure we learn everything we can to mitigate future issues.

Our entire team, including our management, support and engineering teams, extends our sincere apologies for any inconvenience this has caused your company.  We certainly understand the importance of your web presence on your business, and please know that our team worked around the clock from the minute we learned about the breach on Wednesday until it was resolved on Friday.

In looking back on the incident, we realize that we could have done a better job communicating with our clients during this event. We specifically did not take calls because all of our technical and support team members were 100% focused on resolving the issues.  In the event of any future emergency, we are putting a new communication plan into place that will help us to communicate updates more effectively.


7/21/17 3:00PM The security hole has been found and repaired.  We are continuing to audit our systems to ensure there are no other security holes that can be exploited in the same manner. Work also continues in auditing all WordPress sites and other code for any additional places where we may have related or unrelated vulnerabilities. 


7/21/17 We have contacted the FBI, Rackspace, and several cyber security consultants for assistance. Since this seems to be a persistent attack, we felt we needed outside help in finding the vulnerabilities in our systems. Additional information will be provided as we know more.


7/21/17 4:30AM We have become aware of a third wave of attacks against our servers. All files have been restored. Unrelated server restart required at this time causing a short outage.


7/20/17 9:40PM We have become aware of another wave of attacks against our servers. All files have been restored and logs have been pulled to gain additional knowledge of potential access points.


7/20/17 2:00PM We have verified that the intrusion was limited to the web file server, meaning that there has not been, and cannot be, any access to database, backups, application code, etc. We continue to audit all systems for vulnerabilities.  Additionally, we are auditing all WordPress sites to ensure that they are running the most current version of WordPress and all plug-ins.


7/20/17 10:00AM If your Job Board, HaleyMail site, or Talent Showcase still happens to display with the hack message, the remote branding template just needs to be reloaded.  To reload the template, please add ?reload=1 to the end of the URL (e.g., http://jobs.yourdomainhere.com/?reload=1). If you need help with this, please open a ticket and we will take care of it for you.


7/20/17 8:00AM All sites are now displaying as expected.  Our team continues to research the problem to determine its cause so that we can mitigate further issues.  More details will be provided in this post as they become available. Thank you for your patience.


7/20/17 6:30AM We have become aware of a second wave of attacks against our servers. Our first priority is to restore those sites that were affected. Concurrently, our team is scanning our servers for any other issues and will continue to work to mitigate further issues. We will update this post as we have more information.

Please understand that our entire team is actively working on this issue and cannot be available for phone calls at this time. The best way to get information is to follow this post. Again, thank you for your patience.


7/19/17 8:00PM All servers have been extensively reviewed for known vulnerabilities. The one PHP5 server that had been on the network has been removed, impacting several clients running older technology.  While this did cause those sites to stop functioning, our team determined this was necessary to improve security. We also identified an issue in several older sites still running Flash and we have mitigated that issue as well.

We do sincerely appreciate your patience as we work through this issue, and your understanding in our policy changes regarding serving older technology which we are forced to put in place for the security of our servers and our clients.


7/19/17 1:30PM All flat HTML sites are now displaying as expected. Thank you for your patience with us as we worked through this problem.


7/19/17 11:00AM All WordPress sites are displaying as expected. Many of the non-WordPress sites have been updated as well.  We continue to restore these files manually and appreciate your patience. 


7/19/17 As of 10:00AM, we have confirmed that all WordPress sites are now displaying as expected.  Older flat HTML sites will need to have the root index file restored from backup.  Unfortunately, due to the age of these sites, this is a manual procedure and will take additional time to update. Thank you for your patience.


7/19/17 9:15AM Our engineering team has begun implementing updates that are removing the message from each site.  While most of these are being made programmatically, please be patient while we manually test each site to ensure the update was successful. We will be making updates our priority, so we apologize for any delayed communication while our entire team focusses on this issue.


7/19/17 At approximately 8:00AM EDT, we became aware that several of the sites hosted by Haley Marketing Group are displaying a message "Hacked By S4H4Ni".  Our engineering team is aware of the situation and is working to resolve the issue. 


We are very sorry for this inconvenience and we will update this article as we know more. 
