I’ve just had Google Webmaster tools report phishing attacks on all my sites hosted by HostGator. Initially, I thought my sites had been compromised; but since I always use strong passwords and pay attention to site security, I couldn’t work out how. So I contacted HostGator technical support and learned that the phishing page came from another site hosted on the same shared host, and was accessible via a URL like:

https://www.buildyourblog.net/~baduser/zaz/home/

In fact, it turns out that the website of any other user on the same shared host is reachable through my site’s domain simply by appending /~username/ to the address. Ouch! And incredibly, HostGator enables this behavior by default.

If your website is hosted on a shared host that uses cPanel, contact your hosting company’s technical support and ask them to disable mod_userdir.
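Until the host turns the feature off, you can at least see whether your domain is being used this way by looking at your own access log, because a request for `https://yourdomain/~someuser/...` is logged under your virtual host even though the content belongs to another account. The script below is an added example, not code from the original post: it scans Apache combined-format log lines, flags every request whose path starts with `/~user/` (or the percent-encoded `/%7Euser/`), and reports which usernames were probed and which were actually served (2xx/3xx). The log lines are constructed for the example; the log format assumed is Apache’s standard combined format, which is what cPanel’s domlogs use.

```python
import re
from collections import Counter

# Constructed sample Apache combined-log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Mar/2015:10:59:01 +0000] "GET /~baduser/zaz/home/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Mar/2015:11:00:12 +0000] "GET /blog/post-1/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Mar/2015:11:01:30 +0000] "POST /~baduser/zaz/home/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Mar/2015:11:02:44 +0000] "GET /~otheruser/ HTTP/1.1" 404 320 "-" "curl/7.35.0"
192.0.2.9 - - [17/Mar/2015:11:03:01 +0000] "GET /%7Ebaduser/zaz/ HTTP/1.1" 200 5120 "-" "curl/7.35.0"
"""

# Client IP, ident, user, timestamp, request line (method + path), status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# mod_userdir paths: "/~name/..." or the percent-encoded tilde "/%7Ename/...".
USERDIR_RE = re.compile(r'^/(?:~|%7[Ee])(?P<user>[A-Za-z0-9_.-]+)(?:/|$)')


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_userdir_requests(log_text):
    """Return the parsed records whose request path addresses another account via ~user."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        um = USERDIR_RE.match(rec["path"])
        if um:
            rec["user"] = um.group("user").lower()
            hits.append(rec)
    return hits


def summarize(hits):
    """Count ~user requests per username: all probes, and those the server actually served."""
    probed = Counter(h["user"] for h in hits)
    served = Counter(h["user"] for h in hits if 200 <= h["status"] < 400)
    return {"probed": dict(probed), "served": dict(served)}


if __name__ == "__main__":
    hits = find_userdir_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} (account: {h["user"]})')
    print(summarize(hits))
```

A username that shows up under "served" means content from that account is being delivered under your domain, which is exactly the situation Google flagged above; that is the evidence to attach when you raise the ticket. The fix itself is a one-line Apache setting (`UserDir disabled` in the server configuration) that only the host can apply on shared hosting, which is why the request has to go through their support.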


Graham

I'm the creator of BuildYourBlog.net.

1 Comment

Valerie · March 17, 2015 at 11:07 am

Amazing that they’d allow that. But then, maybe not. Seems like they don’t care lately.

I’ve reported to them code injection attempts coming from their servers into an instance of WHMCS I’m running. Never heard back.

Need to cut and run and find a new host.

Thanks for sharing this!
