[domain.tld...]
I checked several sites and all had the same script running...
Anyone seen it in action?
Rather than people seeing the actual home page, they are presented with a generic page of affiliate links related to the content of the site.
The strange thing was, the file was not on the webserver (at least not in the "web directory" for the domain).
Is it possible that someone compromised the server (or the HostSave network) and redirected all traffic using PHP?
HostSave does not seem to want to discuss this. They knew it happened, fixed it, but now deny it ever happened. Seems like "ostrich style" security.
My question: Can PHP be tied to APACHE via HTTPD.CONF or other file and do something like this to all sites on the server (in effect overriding my .htaccess attempts to disable PHP)?
HostSave can't assure me an .HTACCESS solution will prevent this from happening again. Anyone familiar with the "dark side" know how to prevent this?
I believe this is a good reason to specifically configure PHP to not be processed UNLESS you specifically want it on your site (this is the second "PHP attack" I've seen, the first time through a "file upload" that didn't check the file type --- instead of uploading text, the hacker uploaded a PHP script and when the server displayed it, it parsed it and gave the hacker access to deface the site).
So, I found a domain in a state I considered "hijacked"... then tried a few others at same host and figured entire webservers had been hijacked --- well they were... in a sense... thanks to what I now find is internal redirect from HostSave (technically a marketing foul up expedited by IT).
We can keep it on topic -- as this may be an Apache server topic; "How to use PHP and Apache server configuration to try to sell off dormant parked domain name accounts", but most definitely subtitled; "But be careful, you don't want to send paid hosting customers' traffic to the newfangled sales tool".
When I called to report it as a "hijacking", and sent a few emails, then a screen capture, you'd think they'd have told me what happened, something along the lines of "sorry, we messed up"...