Support Hell Stories


thecoalman

6:43 pm on Jan 27, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I posted this on a different site many years ago so I have a pretty good reference; I wish my memory was this good. This was a major host.

This story starts with me offering my services for free to update a local non-profit's website. How long could it take? LOL. No good deed goes unpunished! Firstly they were using a proprietary CMS from the web host with no direct FTP access to the full-sized uploaded images, which of course the client had no copies of. So instead of a couple of clicks in FTP I spent an eternity opening each one in a browser to save the original file using some goofy backend file management system that required each file be opened in a different page; there wasn't even a list you could right-click and save as. If only this was the end of my problems. <sigh>

This is where it gets interesting. I built the site locally using Drupal and have no more need for anything on the server. I go to delete the contents of public_html and find a bunch of folders/files owned by root which of course I cannot delete. Red flags are going up at this point. I contact their support over the phone and support tells me I should be able to delete them even if they are owned by root, huh? The tech was very unconcerned about this but finds out they can't delete them either. What a surprise! They need to escalate the ticket. I FTP in the next day, the files and folders are still there but now they are owned by the user account and I delete them. I don't recall what they were but they didn't belong there. Not happy about this but what am I supposed to do?

I upload my newly minted Drupal website and populate the database. Everything seems fine. At the time you didn't have all these great developer tools to test different browsers/devices, so I try using Browsershots, which should produce a bunch of screenshots in different browsers/devices. I get an error "The server did not send a content type header". What the hell is this now?

Over to web-sniffer and I get this:

Status: HTTP/1.0 200 OK
Expires: Sat, 6 May 1995 12:00:00 GMT
P3P: CP=NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 144
Connection: Close
Content (0.14 KiB)

<html><body><script>document.cookie='yyyyyyy=c2dc5 27cyyyyyyy_c2dc527c; path=/';window.location.href=window.location.href;</script></body></html>


It was sporadic with browsers but was very consistent on third-party sites. I delete everything in public_html and have just one file, test.html, that only contains 4 characters: "test". Same result with web-sniffer for test.html. Now the red flags are up and the alarm bells are going off. So it's off to support again and I try the email version. I explain the issue with test.html in as great detail as I can and get this response:


I am sorry if there is some confusion regarding hosting and how websites
work. HTML is client-side code that may render differently in different
web browsers, or differently in a web browser than a WYSIWYG editing
program. HTML is always sent to web browsers by a web host in the same
fashion, so there is nothing server-side that could cause rendering
issues.


Temperature rising but my head hasn't exploded yet. They suggest in the email I use the chat to get support for this; we're moving into the big leagues now. Ladies and Gentlemen, let me introduce you to the "specialist" and self-proclaimed level 2 tech named Korey. Names and credentials have been removed to protect the not so innocent. Note some very not nice words from me have been removed from the end of the chat; WebmasterWorld is a family friendly website. :)

Chat Information: Please wait for a specialist.

You are '1' in queue with an average wait of '0' minutes and '30' seconds.

Chat Information: You are now chatting with 'Korey N' in Florida.
Korey N: Thank you for contacting Mega Host service chat. Just a minute while I review your service request so that I can answer your questions.
Richard: This is still unresolved, see also ticket 1-XXXXXX2
Korey N: Ok how can I help?
Richard: Korey go to web-sniffer.net and type in the domain.
Richard: The content is
Richard: <html><body><script>document.cookie='yyyyyyy=eed9e2beyyyyyyy_eed9e2be; path=/';window.location.href=window.location.href;</script></body></html>
Richard: That is being injected from somewhere.
Korey N: Is this a custom coded site?
Richard: Korey, any page on the domain returns that string.
Korey N: Im not understanding your issue. Can you please provide more details on the issues you are having?
Richard: Korey view this page:
Richard: example.com/test.html
Korey N: Can you please explain your issue so that I can assist
Richard: Korey go that url, it says:
Richard: test
Richard: correct?
Korey N: Yes I see that
Richard: It's just a text document
Richard: Now try it in web-sniffer.net
Richard: See the content output at the bottom?
Richard: <html><body><script>document.cookie='yyyyyyy=eed9e2beyyyyyyy_eed9e2be; path=/';window.location.href=window.location.href;</script></body></html>
Richard: That's being injected somewhere.
Korey N: I apologize however this is not a Mega Host website. I am not able to replicate this issue
Richard: Korey, give me higher level tech since you obviously don't understand what is going on here.
Korey N: If you feel as though your site has been compromised please review all of your content for any malicious files or scripts and update all your applications and credentials
Korey N: I am sorry however we cannot troubleshoot results from a third party site
Richard: Give me higher level tech please.
Korey N: I am level 2 support. We do not support troubleshooting custom code under our standard scope of support. And at this time I am not seeing this injected text in the raw text document. If there is a file injecting code as you said you will need to have your developer remove it or upload a clean copy and do as I said above to ensure security.
Richard: Korey, that code is being injected somewhere.
Korey N: At this time I am not seeing this injected text in the raw text document. If there is a file injecting code as you said you will need to have your developer remove it or upload a clean copy and do as I said above to ensure security.
Korey N: At this time there are no indications that the server itself is causing this issue. Again please have your developer research further to ensure there are no malicious scripts
Richard: You have to go to third party site like web-sniffer.net to see it.
Korey N: I
Korey N: I'm sorry however other than the third party site I am unable to replicate the issue
Richard: You can replicate this on numerous third party sites
Richard: browsershots.org
Korey N: I apologize however I am unable to replicate this issue. Please have your developer review the site to ensure there are no malicious contents and update all applications and passwords to ensure security. Did you have any other questions for me today?
Richard: See ticket 1-XXXXXX2
Richard: Give me a higher level tech Korey.
Korey N: This ticket was resolved. Are you still having an issue with an htdocs file above /htdocs?
Richard: Give me a higher level tech
Korey N: Was there anything else that I can assist you with?
Richard: Yes, give me a higher level tech
Korey N: If there is nothing more that I can assist you with I will go ahead and end this chat.
Richard: Korey I want a higher level tech.
Korey N: Thank you for contacting Network Solutions. Take care!
Chat Information: Chat session has been terminated by the site operator.


I do a little more investigating and pull up some unrelated websites in web-sniffer on the same IP. Same result. At this point I give up. I upload the site to my own server and change the nameservers. The "client" had a significant amount of time left on their plan from Mega Host, and after all this hassle why not some free web hosting from me too!

Now for the cherry on top of this fiasco, you always need a cherry on top. A few days after moving the site to my own server I get an email from Korey informing me the injection issue has been fixed and he's closing the ticket. No chit it's been fixed Sherlock.

15 years later:

Korey went into a promising career in politics after honing his skills at blaming someone else for his own inadequacies.
Mega Host is still hiring incompetent boobs who are given one canned message: contact your developer.
thecoalman under no circumstances has ever offered free services since and insists any new client moves hosting service to his preferred host.
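For anyone who wants to check a host for the symptom described in this post without relying on a third-party sniffer, here is an added example (my own code, not anything from the post or from the host): it parses a captured raw HTTP response and flags the tell-tale signs quoted above, namely a missing Content-Type header and a body that sets a cookie and immediately reloads the page. The two responses inside are constructed from the values quoted in the thread; the function and cookie names are my own.

```python
"""Flag the "set a cookie, then reload" interstitial described in the post.

The sample responses below are constructed to mirror what web-sniffer
showed for /test.html (interstitial) and what the server should have
returned (the 4-character file). Nothing is fetched from the network.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: the response the sniffer saw (cookie value copied from the thread).
INTERSTITIAL_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Expires: Sat, 6 May 1995 12:00:00 GMT\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n"
    "Pragma: no-cache\r\n"
    "Content-Length: 144\r\n"
    "Connection: Close\r\n"
    "\r\n"
    "<html><body><script>document.cookie='yyyyyyy=eed9e2beyyyyyyy_eed9e2be; path=/';"
    "window.location.href=window.location.href;</script></body></html>"
)

# Constructed: what test.html should look like coming off the server.
EXPECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "test"
)

# document.cookie='NAME=VALUE; ...'  -> captures NAME and VALUE
COOKIE_SET_RE = re.compile(
    r"document\.cookie\s*=\s*['\"]([^=;'\"]+)=([^;'\"]*)", re.IGNORECASE)
# window.location.href=window.location.href  -> self-reload
SELF_RELOAD_RE = re.compile(
    r"window\.location\.href\s*=\s*window\.location\.href", re.IGNORECASE)


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into status line, headers (names lower-cased) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def gate_cookie(raw: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) of a cookie the body sets right before reloading, else None."""
    _, _, body = parse_response(raw)
    m = COOKIE_SET_RE.search(body)
    if m and SELF_RELOAD_RE.search(body):
        return m.group(1), m.group(2)
    return None


def analyze_response(raw: str, expected_body: Optional[str] = None) -> List[str]:
    """Return human-readable indicators; an empty list means nothing looked off.

    expected_body is what you uploaded (here the literal "test"), so a
    mismatch means something between the file and the client rewrote it.
    """
    _, headers, body = parse_response(raw)
    findings: List[str] = []
    if "content-type" not in headers:
        findings.append("missing Content-Type header")
    cookie = gate_cookie(raw)
    if cookie:
        findings.append(f"cookie gate: sets '{cookie[0]}' then reloads the page")
        if "no-store" in headers.get("cache-control", ""):
            findings.append("interstitial marked uncacheable (served fresh per request)")
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        findings.append("Content-Length does not match body length")
    if expected_body is not None and body.strip() != expected_body.strip():
        findings.append("body differs from the file uploaded to the server")
    return findings


if __name__ == "__main__":
    for label, raw in (("sniffer", INTERSTITIAL_RESPONSE), ("expected", EXPECTED_RESPONSE)):
        print(label, analyze_response(raw, expected_body="test") or ["clean"])
```

The useful part is the comparison against a known file: as the post shows, a four-byte test.html that comes back as 144 bytes of script is unambiguous regardless of what support says, and the cookie-then-reload pattern is why ordinary browsers (which accept the cookie and follow the reload) rarely showed it while cookie-less fetchers saw it every time.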

Jonesy

11:03 pm on Jan 29, 2025 (gmt 0)




Several times I have brushed up against situations that contained one or more of the elements in your story. Luckily I was able to avoid all those tar babies.
I certainly can sense your pain.

lucy24

12:34 am on Jan 30, 2025 (gmt 0)




Avoid all those whats?

? ? ?

(Sorry. I wasn’t born in the US, so may be missing a regional usage.)

not2easy

11:46 am on Jan 30, 2025 (gmt 0)




See https://en.wikipedia.org/wiki/Tar-Baby - a children's story by Joel Chandler Harris
The Tar-Baby is the second of the Uncle Remus stories published in 1881; it is about a doll made of tar and turpentine used by the villainous Br'er Fox to entrap Br'er Rabbit. The more that Br'er Rabbit fights the Tar-Baby, the more entangled he becomes.

The phrase "tar baby" has acquired idiomatic meanings over the years.

lucy24

5:32 pm on Jan 30, 2025 (gmt 0)




Dang. Looking it up I find it's the same story that gave us “Don’t throw me in the brier patch”, so you’d think if I remember one I’d remember the other.

ronin

8:26 pm on Feb 14, 2025 (gmt 0)




Now the red flags are up and the alarm bells are going off.


I feel very ignorant asking this, but... what exactly is happening here?

I get that the server is compromised and is injecting a third-party script into every HTML file, but... then what?

What information is the cookie storing?

What is the nature of the exploit?

thecoalman

9:23 pm on Feb 14, 2025 (gmt 0)




I don't know, Ronin; what I know is it didn't belong there. Other than the output there wasn't anything nefarious going on that I was able to determine. You would have to clear the cache to get it again. As I said, I only discovered it because of Browsershots. One thing that comes to mind is it was executing something on the backend and they were using the cookie to limit it. This affected all the domains on the same IP that I checked.

I mentioned this in another topic. Unrelated to this, but I had my own Drupal site compromised. It was a remote file upload exploit; I didn't even have a chance to read the alert email from Drupal and it was already compromised. What they did was pretty clever: they uploaded some bitcoin mining scripts and a Google site verification .html file. Then in the Search Console they added a sitemap. Google is banging away on these links like a cron job. Perhaps the purpose on the client's site was something along those lines.