Site hacked; somewhat disappointing response from HG

[cmcl]

I'm a little disappointed in HG today. My site was hacked a couple of weeks ago, but I only just discovered it this morning (my sites are just personal little playgrounds for myself and I don't visit them that frequently). There was a graphic and a message "Hacked by GHoST61" with some text in Turkish replacing the homepage. I called HG and the phone support guy immediately put in a ticket for me and gave me the number (ticket EIK-13353810) and advised me to change my account and FTP passwords, since it looked like an FTP hack. So far, so good. I told the support guy, whose name I didn't catch, that all my addon domains were affected in addition to my primary domain.

Specific complaints:

• I did tell the guy on the phone that all my domains were affected, but in the ticket only my primary domain was mentioned.
• Even after I clarified this, only the hacked homepage page on my primary domain was removed, and the "you have been hacked" notice remains on all my other domains.
• When I asked if they could figure out who did it or where it was done from, I was told no, which shocked me. I asked if there were not FTP logs showing IP addresses (even I can see IP addresses using my own basic Web stats!), and the response was that they looked but didn't see anything, which is weird "but sometimes happens when the logs rotate."

I also did some checking using my own FTP client and found two suspicious files on one of my addon domains -- this was AFTER I had been told that all the malicious code had been removed "from the entire account," and some Googling showed that many similar sites have been similarly compromised with those files. I mentioned this, and they removed one of the files, but the other one was still left up and all the "you've been hacked" pages still remain. After some more pestering, they removed the other file and I was told I'd have to replace the homepages myself; they seem to consider the matter closed.

I guess in the end, just to be completely sure, I'm going to have to delete every file on all of my sites myself and start completely over. Probably reinstall the MySQL databases just in case.

Fortunately, I have local backups of my files (as everybody should). But I'm very concerned about this possibly happening again and/or happening to others; the fact that I was told all the bad code was removed even when it clearly wasn't (and that I had to find the additional suspect files myself); and the fact that I was told you couldn't tell who did it when there have GOT to be logs of the IP addresses, especially when it's pretty obvious when it happened (April 9, based on the date of the two suspicious files that I found and a VERY uncharacteristic traffic spike on that day). My sites get next to no traffic, even from me, so how hard could it really be to see where this stuff came from and block the offending IP address(es)? (For example, the "you've been hacked" message was in Turkish, and there's a clear Turkish IP address showing in the Awstats logs for that day...I pointed this out a couple of times in the ticket but it was never addressed.)

I've never been hacked before, so hopefully it's understandable that I'm really rattled by the whole thing. If you check my ticket, you'll see a lot of frantic updates from me with various pieces of information as I tried to figure out how this had happened. I'm just surprised at the seeming lack of much concern...All the staff responses to my ticket have been very polite, for which I'm grateful, but, I mean, if an amateur like me can see the IP address of the probable culprit?

[GatorJoshL]

cml,

Thank you for taking my call, I do appreciate your time to discuss this issue. It is very unfortunate that you were targeted on this attack and all your sites index pages were removed.

I apologize that information was not relayed to our security administrators from the phone technician initially and the content was not removed from all of your index pages.

As we discussed this ticket is being assigned to myself and if you need anything please respond to it, I will personally take care of it for you.

[cmcl]

Thank you very much for your personal attention, I appreciate it very much.