It's called parasite hosting - and it's not just spam, it's criminal behavior in my view, and it has become an epidemic.

These criminals (Danny sullivan called them "crap hats") will exploit any security hole that they can in order to get into a server. That can mean any application that is not up to date with the latest patches. It might be cpanel or vdeck, it might be database or scripting software, there are loads of possibilities for "how" and there's a network of these shady folks that spreads the latest discoveries.

What the the web host needs to do is stay up-to-date on patches and upgrades to any app they are running. The more commonly used an application is that runs on the server, the more it is a target for parasite hosting.

[edited by: tedster at 7:42 am (utc) on Mar. 3, 2009]

I recently had a #1 ranking site for all it's major keywords get cracked along with 2 others I manage on the same server. It was done thru the ftp. That is what my host claimed anyway. They claimed I introduced it but this site had done so well I hadn't touched it in 6 months.
In my case, they did a little trick in my .htaccess file but it seems some hosts have some ftp problems..so make sure you change that password not just your cpanel.
BTW..Google has evidently creamed my #1 site now. So I decided to take this oppurtunity to revamp the site. Make lemonade from the lemons.
It's interesting google gave a heads up on his. Big G obviously thought it wasn't an intentional by the webmaster and must have recognized the pattern. Very interesting.

Same thing happened to me and the host found out it happened through cpanel. The crap hat also got my hosting account credit card info and charged up some serious cash.
So it has to be an inside job but the host has not admitted
this yet but I'm having this investigated.
Hacking or I should say cracking seems to be on the rise big time and I think it is from such a bad economy going on everywhere.

You may like to refer to these 2 articles

[googlewebmastercentral.blogspot.com...]

and

[googlewebmastercentral.blogspot.com...]

Thanks for the replies guys, well, I helped him setup a webmaster tools account yesterday and within an hour there was a warning in there, the email did say to check your webmaster account if you have one, to verify the email. We got his password changed and uploaded the original pages then submitted the reinclusion request which stated it may take several weeks, I have just asked him how it was going and he says the warning has gone? does this mean the 'pending' removal has been reversed because he acted quickly?

It's interesting google gave a heads up

The email states (in different words) it looks like a 3rd party has modified your pages, so they seem to know it's not the site owner to blame, further down it also says google would like to keep his site in the index.

He has spoken to his host and of course they say they had no issues and their systems are up to date.

The email states (in different words) it looks like a 3rd party has modified your pages, so they seem to know it's not the site owner to blame, further down it also says google would like to keep his site in the index.

Last week when we were at Google, Adam spoke about this in detail. He explained how applications like wordpress get hacked now and then. They see this more often that we think. May be this frequent hacks have forced them to believe (and program) that it is a 3rd party.

Maybe it's the CMS?

It's not a CMS driven site, flat html pages only.

He just popped in and says he out of the index, so I guess he's out for the 30 days they stated, he did submit a reinclusion request yesterday should he just wait now?

Isn't parasite hosting where you use a user editable page on someones else sites to rank in the serps off the back of their trust. Like a forum page or a squidoo page. This is link injection.

If it's a flat html site it is probably from a Hosting issue/Shared server compromise or a weak ftp username and password or I suppose he might have been phished out of the ftp info. You or the host will pretty much need to search the log files to find out what actually happened, the host should have the knowledge to do it fairly quickly if they care to find out. If they don't care or if it happens again I would definitely switch hosts.

Just got an email from him, he says some pages are already showing the crap again when viewing source so he checked his ftp client to see when they were last accessed, yesterday it said, so it started straight after he replaced the files!

He has emailed his customer support desk, he also said he forgot to mention he has one mysql database, he doesn't edit it through the browser though, he works in phpmyadmin so he's only pulling data to display not pushing it, he has checked the structure and says all looks normal, is there any way it can't be the host?

For Apache: How can I block blind SQL injection attack? [webmasterworld.com]

More: WebmasterWorld site search [google.com]

Jim

So you think it's an sql injection Jim?

So adding

RewriteCond %{QUERY_STRING} [^a-z](declare¦char¦set¦cast¦convert¦delete¦drop¦exec¦insert¦meta¦script¦select¦truncate¦update)[^a-z] [NC]
RewriteRule (.*) - [F]

to his htaccess file (using proper pipes) will prevent it?

If that's the problem, it might help.

You fix what you *can* fix, then pound on the host to fix the rest... :)

If the site has been subject to SQL injection, you will find requests with some or all of those keywords in the query strings of requested URLs in the raw server access log file. Since you state that you know the time that the files were cracked/modified, it should be relatively easy to find these particular requests (if they exist).

However, note that blocking these queryies unconditionally may 'break' the CMS/database functions. Again, look at the raw log files to see if legitimate requests can be discerned from illegitimate ones... by REMOTE_ADDRess, by HTTP_USER_AGENT, etc. If so, add RewriteConds to the rule so that only legitimate requests are allowed. (Note that I didn't say, "so that illegitimate requests are blocked... It's a mind-set thing, and an important one, to approach security from the standpoint of what you want to allow, not what you want to block; The ramifications are quite different for errors of omission in these two approaches.)

Jim

One of my servers was infiltrated a couple of years ago. No site damage but a handful of backdoors dumped on the server.

I never did find exactly how it happened: I know it wasn't SQLI, there was no cpanel and it's not commercial CMS. Infection did recur a couple of times until I did some serious server-cleaning - taking off a lot of very dodgy stuff that LOOKED like genuine DLLs (MS/IIS server) plus a few that were probably genuine.

I THINK the original backdoor was uploaded by FTP - there was an exploit in the server I used at that time that may have let someone in without a password (all accounts were login, not anonymous).

I changed FTP server and now force almost all my clients to use SSL access, giving them 12+ character passwords. Whether FTP is an exploit vector or not I strongly recommend this if possible.