I seem to have found loads of hacked websites on a shared hosting server, or at least something really strange must have happened. The server company refuses to admit there is anything wrong, so I would like someone's expert opinion about it.

My site is hosted on a shared hosting server (WebHostingUK). By pure chance I found in Google's results a page which seems to have been hosted on my site but which I had never uploaded to the server.

By searching Google for ianl_new, one of the keys, I discovered that several other websites (hosted on the same server 109.75.168.108) seem to have the same page ranked in Google.

Just google for ianl_new and you will see what I mean.

In all cases the content seems to have been deleted.

The hosting company is denying any involvement and giving evasive answers to my questions about who has uploaded the content, who has deleted it, etc. Also, they are not answering the question of whether they have been hacked. They are simply saying that the content does not exist (using the present tense).

So my question is: how can that content have been picked up by Google if it does not exist?

Update:

WebHostingUK came back to me with the following reply:

When there is no SSL certificate on the server hostname, and when it is not assigned as primary certificate on the server, any site which does not have SSL will show contents of other site which is kept as primary when accessed using https://

This is a default behaviour on a cPanel server. This is well documented on cPanel forums and discussions.

So, sounds like they are half admitting that there was an issue of their server not being configured correctly.

However, they still have not apologised for the issue. Should a hosting company not inform their clients of issues such as this one?

Martin
  • If Google has seen it, then it existed at some point in the past. The hosting does not lie if they use the present tense, but that is an indication that they got a problem in the past. If you are not one of their customers, they have no obligation to you, thus it's not a bad sign that they took some time to answer you. – yagmoth555 Jun 08 '16 at 02:28
  • My site is hosted on that same server, that's how I found out in the first place. So they do have an obligation to inform me? Is there anything I can do to get more insight (e.g. raise the matter to some other body or organization of Hosting providers) as they are not admitting their security breach? – Martin Jun 08 '16 at 02:31
  • You can break your contract to go somewhere else. Accusing them can be lost energy and can backfire. – yagmoth555 Jun 08 '16 at 02:45
  • Updated the question; seems like it was cPanel not being set up properly. I still don't understand why they are not informing us customers – Martin Jun 08 '16 at 05:51

1 Answer

I will agree that the situation is not ideal, but there is no threat here to your account, and informing you wouldn't be the best option.

cPanel uses Apache's VirtualHost sections to determine which content is served for which request. In most cases, the IP address, port, and hostname should all match a single VirtualHost entry. However, if there is no entry that matches all three, then Apache will look for one which matches the IP and port, and will serve content from that VirtualHost, which includes the SSL (if there is one), and the document root. Since you do not have an SSL, there is no entry for your domain on the IP with port 443. Therefore, it looks for some entry with that port and IP combination, and serves that content. So, if somebody happens to go to your site with HTTPS://, they will see that content, as well as get a warning that the SSL is not for that site.

Ideally, on a shared environment, the host should account for this behaviour in some way, such as requiring a dedicated IP address for the SSL, or adding in an entry for a default page. However, they may not view this as necessary, or somebody may have slipped up. I wouldn't think that a host would be required to notify you. There's no danger to your actual account, and there is no harm to any content that anybody should be visiting. They may not have even known about the issue. Once they were, sending out a ton of emails to the large number of customers on that server would really only make them think there was an actual threat when there was none, which wouldn't change the situation, but would only result in you not being able to contact them for a day or so while they tried to calm everybody down and assure them that their account isn't compromised. It would be much easier to handle the situation by making the change to the configuration.

If you don't have an SSL, nobody should be going to your site with https://. When they get there, they should probably listen to the SSL warning, and realise they should try without SSL or go away. However, that's in the ideal world. In reality, there are many plugins which redirect everything to https:// as the first attempt, and if somebody types in the wrong address, you probably don't want them to think the page is your fault. If the host won't do anything about adjusting the VirtualHost entry somehow, then another option for you would be to request a dedicated IP address yourself. If you do this, there would be no entry with your IP and port 443, so it would just give an error, and wouldn't have another page to go to. But once again, remember that this in no way means that you have somebody else's content in your actual account on the server, and there is no reason to believe your own account is compromised.

DKing
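
The VirtualHost fallback described in the answer above can be checked against a configuration file. The following is an added example, not part of the original answer and not cPanel's or Apache's own code: it models the selection in simplified form (exact IP:port entries, then `*:port`, name match, otherwise the first entry) and lists which HTTP-only hostnames would be answered by another site's document root over https://. The domains, IP address and paths are constructed.

```python
import re
from fnmatch import fnmatch
# Constructed httpd.conf fragment: alice.example has a 443 entry, bob.example is HTTP-only.
SHARED_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName alice.example
    DocumentRoot /home/alice/public_html
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName bob.example
    ServerAlias www.bob.example
    DocumentRoot /home/bob/public_html
</VirtualHost>
"""
# Mitigation from the answer: a default entry listed first for the IP:443 pair.
DEFAULT_443 = ("<VirtualHost 192.0.2.10:443>\n  ServerName default.invalid\n"
               "  DocumentRoot /var/www/default\n</VirtualHost>\n")

def parse_vhosts(conf):
    """Return vhosts in file order as (addr, names, docroot) tuples."""
    out = []
    for addr, body in re.findall(r"<VirtualHost\s+(\S+)>(.*?)</VirtualHost>", conf, re.S):
        lines = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M)
        names = [n.lower() for line in lines for n in line.split()]
        docroot = re.search(r"^\s*DocumentRoot\s+(\S+)", body, re.M).group(1)
        out.append((addr, names, docroot))
    return out

def select_vhost(vhosts, ip, port, host):
    """Simplified selection: exact IP:port set, then *:port; name match, else first entry."""
    for addr in (f"{ip}:{port}", f"*:{port}"):
        cands = [v for v in vhosts if v[0] == addr]
        for v in cands:
            if any(fnmatch(host.lower(), n) for n in v[1]):
                return v, True
        if cands:
            return cands[0], False  # no name matched: first vhost for the address wins
    return None, False

def https_fallthrough(conf, ip):
    """Map each port-80 hostname to the docroot that answers https:// for it by default."""
    vhosts, leaks = parse_vhosts(conf), {}
    for addr, names, _ in vhosts:
        if addr.endswith(":80"):
            for name in names:
                hit, by_name = select_vhost(vhosts, ip, 443, name)
                if hit and not by_name:
                    leaks[name] = hit[2]
    return leaks
```

With the default entry prepended, the same hostnames resolve to the placeholder document root instead of another customer's site.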