staging server compromised

From: CHYRON (DSMITHHFX) 8 Feb 2017 18:06
To: ALL 1 of 6
While testing out some SEO stuffs on a seldom-used work staging server hosted by a cheap, popular and notoriously insecure Ginormous Hosting Beast of a Gazillion Shared Hosting Accounts, I noticed an odd url was flagged in Google search console. The html file "Caught-son-nfuck-dbvv.html" it pointed to does not exist (or no longer exists) on the site root. Anyway I checked out the htaccess file:
Code: 
RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ compromising-eyes.php?$1 [L]
Which was completely unfamiliar to me, the last I had any htaccess truck was to enable php in html files quite a few years ago. So I deleted it (now the site has no htaccess, and no php in html, which is ok because I haven't been doing it anyway).

Also, there's no "compromising-eyes.php" file currently on the site root

Then I had a look at the access logs and noticed a good deal of strange activity perhaps related to the hacked htaccess, here's an example entry:
---
157.55.39.237 - - [04/Feb/2017:00:22:59 -0700] "GET [workdomain].com/~[workdomain]/Porn-rubs-her-body-cock-dbvv.html HTTP/1.1" 404 2865 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 0 "redirect-handler" "/var/chroot/home/content/26/6769926/html/.errordocs/404.html" 31777 6769926
---
[domain name changed to protect the innocent].

One thing many (perhaps all) of these entries include is "-dbvv" appended to the filenames.

So it would appear the staging server was being used as a porn search redirect engine of some sort.
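The rule block quoted in the post above follows a recognisable pattern: RewriteCond lines that select search-engine user agents or referers, followed by a RewriteRule that hands the request to a script. The following is an added example, not part of the original post, of a scanner for that pattern; the function name and the list of engine names are assumptions, and the sample input is the rule set copied from the post.

```python
import re

# Engine names that cloaking rules key on. The list is an assumption,
# seeded from the rule quoted in the post.
ENGINES = re.compile(r"google|yahoo|msn|aol|bing|yandex|baidu", re.I)
COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
CLOAK_VARS = ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")

# Constructed sample: the .htaccess content quoted in the post.
SAMPLE = """\
RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ compromising-eyes.php?$1 [L]
"""


def find_cloaking_rules(htaccess_text):
    """Return (line_no, target, variables) for each RewriteRule whose preceding
    RewriteCond block selects search-engine user agents or referers."""
    findings, pending = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            pending.append((cond.group(1), cond.group(2)))
            continue
        rule = RULE.match(line)
        if not rule:
            continue  # blank lines, comments and other directives
        # Conditions apply only to the RewriteRule that directly follows them.
        hits = sorted({var.upper() for var, pattern in pending
                       if var.upper() in CLOAK_VARS and ENGINES.search(pattern)})
        target = rule.group(2)
        if hits and target != "-":  # "-" means no substitution (pass or block)
            findings.append((line_no, target, hits))
        pending = []
    return findings


if __name__ == "__main__":
    for line_no, target, variables in find_cloaking_rules(SAMPLE):
        print(f"line {line_no}: rewrites to {target} when {variables} match")
```

A hit is a prompt to inspect the rewrite target and the file's modification time, since legitimate sites occasionally serve crawlers differently too.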
From: william (WILLIAMA) 9 Feb 2017 10:16
To: CHYRON (DSMITHHFX) 2 of 6
I live in constant fear that they are going to take over my raspberry pi owncloud server :(

More seriously, will you be staying with Ginormous Hosting Beast of a Gazillion Shared Hosting Accounts? And are you able to give its real name? 

 
From: CHYRON (DSMITHHFX) 9 Feb 2017 11:36
To: william (WILLIAMA) 3 of 6
Godaddy

We're not using it much for anything except last resort transfer of really large files since we have a no cap plan. Also for a backup staging server in case our main server (our hardware, our premises) goes down. In this case I was just being lazy since I'd already pointed google analytics at it. Which I suppose is a good thing else I'd have never discovered the problem.
From: william (WILLIAMA) 9 Feb 2017 14:59
To: CHYRON (DSMITHHFX) 4 of 6
Still, doesn't fill one with confidence as a customer.

Back when I was gainfully employed, our public service customers all used exclusively in-house or third-party but un-shared servers in un-shared data centres. A good part of the job of the more IT literate management was to resist the incessant and increasing calls from politicians to 'stick everything' on Amazon or Godaddy or IaaS etc. Frightening really.
From: Peter (BOUGHTONP) 9 Feb 2017 23:45
To: ALL 5 of 6
Anyone wilfully using GoDaddy for any purpose deserves what they get.
From: CHYRON (DSMITHHFX) 10 Feb 2017 02:04
To: Peter (BOUGHTONP) 6 of 6
Yeah probably. Yo mama.