Website Forensics: A Compromised Website

A long-time friend and client contacted me to say he had received a notice from his web host that his website was exceeding the storage allowed on his hosting plan. According to the host, the site was far over its allotted limit.

He gave me access to his hosting account and web server. Once I got in and poked around a bit, I discovered that the web hosting server had been compromised: someone had uploaded a single PHP script and nearly 600,000 images to his web space. The script sat in one directory; the images were buried in a hidden directory deep inside his hosting account.

I obviously didn't look at all 600K images, but the ones I did look at were not adult-oriented. They were mostly clip art and pictures of famous celebrities.

Here is how it worked: the uploaded script used the 600,000 images to generate tens to hundreds of thousands of search engine spam pages in a separate directory of his website, without affecting the visible appearance of the site. It was part of a large-scale, cross-linked spamdexing effort.
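The two findings above (a stray PHP script and a hidden directory stuffed with files) are exactly what a quick audit of a web root should surface. The script below is an added example, not something from the original post or from the cleanup described in it. It assumes a standard WordPress layout (WordPress never places executable code under wp-content/uploads), and it builds a small constructed stand-in for the web root so it can be run offline; point it at a real document root by passing the path as its first argument.

```shell
#!/bin/sh
# Added example: two checks that would have surfaced the compromise
# described above. Not the original author's tooling.

# Build a constructed stand-in for a WordPress web root in a temp dir,
# with one planted script and one hidden directory full of images.
make_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2014/05" \
           "$root/wp-content/themes/twentyfourteen" \
           "$root/wp-includes"
  printf '<?php // legitimate\n' > "$root/index.php"
  printf '<?php // legitimate\n' > "$root/wp-content/themes/twentyfourteen/functions.php"
  # Attacker-style planting (constructed): a script where no code belongs,
  # and a dot-directory holding a pile of images.
  printf '<?php // unknown script\n' > "$root/wp-content/uploads/2014/05/gen.php"
  mkdir -p "$root/wp-content/uploads/.cache/img"
  i=0
  while [ "$i" -lt 60 ]; do
    printf 'x' > "$root/wp-content/uploads/.cache/img/$i.jpg"
    i=$((i + 1))
  done
  printf '%s\n' "$root"
}

# Check 1: every hidden directory (name starting with '.') under the root,
# ranked by the number of files beneath it. Output: "<count>\t<path>".
hidden_dirs_by_file_count() {
  root=$1
  find "$root" -type d -name '.*' 2>/dev/null | while IFS= read -r d; do
    n=$(find "$d" -type f | wc -l | tr -d ' ')
    printf '%s\t%s\n' "$n" "$d"
  done | sort -rn
}

# Check 2: PHP files under wp-content/uploads. WordPress stores only media
# there, so any .php file in that tree is suspect.
php_in_uploads() {
  root=$1
  find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# Run both checks against the given root, or against the constructed sample.
root=${1:-$(make_sample_webroot)}
echo "== hidden directories by file count =="
hidden_dirs_by_file_count "$root"
echo "== PHP files under wp-content/uploads =="
php_in_uploads "$root"
```

On a real server, the top entries of the first check and any line at all from the second are where to start looking; compare timestamps and ownership of what turns up against the rest of the install before deleting anything.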

His website was on a shared server, so I believe several websites on that server were compromised, not just his. In reality, I think the web host itself was the victim of a large-scale web spam operation, but that is not the kind of thing a web host tells its clients.

I got his website squared away: the images and the script were removed, and the control panel and FTP passwords were changed. I also switched his WordPress theme to a responsive one, tweaked it a bit, and made sure all his WP plugins were up to date.

Google was also flagging his website in the search results as compromised, so I walked him through getting the flag removed.

His website had not been defaced in any way, and this could have gone unnoticed if not for the exceeded-storage warning and the Google flag.

The bottom line here? Everything was back to normal and his site was mobile device friendly in under two hours.

Comments

  1. Hey Darren

    Thanks for cleaning up SurfSkiWeather.us

    You are a Rock Star Web Master!

    I appreciate how quickly you figured out and fixed the hackage.

    Best, Tim Kelley
    The Surf Ski Weather Man