
Your conclusion that Bluehost was hacked smells of confirmation bias.

Suppose I wrote a password-guessing bot to spread my malware on PHP-based websites. To increase the effectiveness of my bot, I want to target websites where I'm more likely to be able to guess passwords, and where I'll need only a few methods of inserting my code, optimally just one. If I can figure out the username generating scheme of a large host, that helps make my bot more effective. If that host hosts only or primarily PHP sites (and not asp.net or cf or whatever), then that makes my code insertion easier.

Your evidence so far, afaict:
1) you found a number of Bluehost sites newly affected
2) you did not find comparable numbers of sites on other hosts affected around the same time
3) the affected sites all had similar code inserted in a similar way
4) there was no single application being run on all the compromised sites

Your evidence supports the hypothesis that Bluehost was hacked reasonably well, but it supports my supposition just as well. What kind of tests would actually give you reasons for preferring the Bluehost-hacked hypothesis? Well, if we found that a large percentage of domains hosted on a single physical server were affected, or a large percentage of consecutive customer ids, then it would look a lot more like Bluehost data or systems having been compromised. But if there are no Bluehost boxes with a large percentage of hacked sites (we probably can't check on customer ids), then it looks more like Bluehost customers were targeted one by one by a password-guessing bot. I wouldn't call that Bluehost being hacked (if you do, I can see why Bluehost disagrees), and from what I see you don't have enough evidence to claim that Bluehost has been hacked.
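
As an added example (not part of the original thread, and not Sucuri's or Bluehost's code), here is how the test proposed above can be run over an inventory of hosted domains: group the compromised domains by the shared server they sit on, compare each box's infection rate to the overall rate, and check whether the infected customer ids form contiguous runs. The inventory, the server IPs, the customer-id scheme and the thresholds are all constructed assumptions for illustration; on a real investigation you would fill the inventory from DNS/reverse-IP data and whatever account identifiers you can see.

```python
from collections import defaultdict


def build_inventory(n_servers, sites_per_server, hits_by_server):
    """Construct a synthetic hosting inventory (not real Bluehost data).

    Returns a list of (domain, shared_server_ip, customer_id, compromised)
    tuples. Customer ids are handed out sequentially, server by server, so
    the ids on one box form a contiguous block, as a sequential sign-up
    scheme would produce. hits_by_server maps a server index to the set of
    site indices on that server that were found infected.
    """
    inventory = []
    customer_id = 1000
    for s in range(n_servers):
        ip = f"10.0.0.{s + 1}"          # hypothetical shared-server address
        for i in range(sites_per_server):
            customer_id += 1
            hit = i in hits_by_server.get(s, set())
            inventory.append((f"site{s}-{i}.example", ip, customer_id, hit))
    return inventory


# Scenario A: one box carries almost all infections, a couple of strays elsewhere.
HOST_SIDE = build_inventory(5, 10, {2: set(range(9)), 0: {3}, 4: {7}})
# Scenario B: same number of boxes, infections spread one per box.
PER_ACCOUNT = build_inventory(5, 10, {s: {2 * s} for s in range(5)})


def server_rates(inventory):
    """Map each server IP to (compromised_count, total_sites_on_server)."""
    counts = defaultdict(lambda: [0, 0])
    for _domain, ip, _cid, hit in inventory:
        counts[ip][1] += 1
        if hit:
            counts[ip][0] += 1
    return {ip: (hit, total) for ip, (hit, total) in counts.items()}


def suspicious_servers(inventory, min_rate=0.5, min_sites=5):
    """Servers where at least min_rate of a reasonably sized population is infected.

    The thresholds are assumptions chosen for this example; tune them to the
    base rate you actually observe across the host.
    """
    return sorted(
        ip for ip, (hit, total) in server_rates(inventory).items()
        if total >= min_sites and hit / total >= min_rate
    )


def longest_id_run(inventory):
    """Longest run of consecutive customer ids among the infected sites."""
    ids = sorted(cid for _d, _ip, cid, hit in inventory if hit)
    best = run = 0
    prev = None
    for cid in ids:
        run = run + 1 if prev is not None and cid == prev + 1 else 1
        best = max(best, run)
        prev = cid
    return best


def assess(inventory, min_run=5):
    """Return 'host-side' when infections cluster by box or by consecutive id,
    otherwise 'per-account' (consistent with a credential-guessing bot picking
    customers off one at a time)."""
    if suspicious_servers(inventory) or longest_id_run(inventory) >= min_run:
        return "host-side"
    return "per-account"


if __name__ == "__main__":
    for name, inv in (("host-side scenario", HOST_SIDE),
                      ("per-account scenario", PER_ACCOUNT)):
        hits = sum(1 for *_, h in inv if h)
        print(f"{name}: {hits}/{len(inv)} infected, "
              f"suspicious boxes={suspicious_servers(inv)}, "
              f"longest id run={longest_id_run(inv)}, verdict={assess(inv)}")
```

The point of keeping both signals is that they fail differently: a bot that walks a predictable username scheme can also produce runs of consecutive ids without ever touching the host's own systems, so a per-box concentration well above the overall base rate is the stronger of the two indicators, and neither one alone is proof.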



I admit this has been nagging me for a while (especially as they find, with some regularity, hosts whose sites have been widely hacked); I keep meaning to do some digging and find out one way or the other but never have the time.


Seriously? Anyone have a counter argument to go with those downvotes? I'll even take a "rtfa where they mentioned important evidence you ignored, jerk"


You're not wrong, but I would like to point out that I've had some communication with Sucuri in the past, back when a number of WordPress sites got eaten. (I should probably narrow that down a bit more!)

They seem quite capable. Bluehost provides reasonable access logs by default for their sites (I've had clients with sites hosted there), and if there was password guessing going on through a web interface, I would expect that Sucuri had noticed that.

It's possible that some sites were brute-forced via FTP or SFTP, but if Bluehost isn't already monitoring for that and preemptively dealing with it, I'd be very surprised.

So I think there's something else going on, and I'd really love to find out what it is. Unfortunately, none of the hosts seem to be 'fessing up to what compromised their sites. They keep pointing to WordPress, which is bullshit in at least one recent case. (I was involved in that one, and it was a fully-up-to-date-at-the-time 2.9.2 installation, and there was no evidence of a compromise in the access logs, which I spent hours examining very, very carefully.)



