One user opened a support ticket and has posted the very comprehensive debrief response as part of that thread. What basically happened is that someone gained privileged access to the servers (note that multiple instances were compromised) via the cPanel interface. The attacker then injected malicious HTML code into every .html and .php file they could find. This was then used as part of a large, sophisticated attack, as documented by the Symantec virus team here.
At the time of writing, no official explanation or apology has been forthcoming – I guess anyone who complains will get the same script as the user posted in the forums. One of the big plus points is that a script has been run by the hosting team over my website and removed all traces of the malicious HTML code, seemingly without damaging any of my data. This has all happened pretty quickly too. Plus points to Siteground for cleaning up so efficiently. Lose marks for not telling customers.
So can we learn anything from this experience? Not a great deal, I think. I had my apps patched to the latest versions, but that was irrelevant, as the compromise happened at a much lower level than the PHP apps. From the Siteground ticket response we see that the cPanel bug was previously undiscovered, and we can therefore infer that Siteground were running the latest version of their cPanel hosting tool.
After this I would still recommend Siteground as a hosting provider, firstly because it’s cheap (500GB storage / 5000GB/mo for just $5.95/mo), and secondly because the support (while silent in this case) does seem to have fixed the problem.
Googling around the subject showed that in 2006 another one of the big hosting sites suffered a mass attack using another cPanel exploit, which just proves it can happen to anyone. Always worth having a backup of your site, just in case…
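For anyone who wants to check their own files rather than wait for the host, the sweep below is an added example (my own code, not Siteground's cleanup script) of the two things this post touches on: finding and stripping an injected block from every .html and .php file under a site root, and keeping an untouched copy of each affected file before modifying it. The actual injected code from this incident is not reproduced here, so the `INJECTED_BLOCK` signature, the `example-inject-*` comment markers and the `public_html` layout in `demo()` are constructed placeholders; in a real cleanup you would take the pattern from the vendor write-up or from a diff against a known-good backup.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed signature for this example only. The real payload from the
# incident is not on the page; a working scanner takes its pattern from the
# vendor's write-up or from a diff against a clean backup.
INJECTED_BLOCK = re.compile(
    r"<!-- example-inject-start -->.*?<!-- example-inject-end -->\s*",
    re.DOTALL | re.IGNORECASE,
)

# File types the post says were hit: every .html and .php the attacker found.
SCAN_SUFFIXES = {".html", ".htm", ".php"}


def find_infected(root: Path) -> list[Path]:
    """Walk root and return every scanned file that contains the injected block."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if INJECTED_BLOCK.search(text):
            hits.append(path)
    return hits


def quarantine_and_clean(path: Path, root: Path, backup_root: Path) -> int:
    """Copy the untouched file under backup_root (same relative layout),
    then strip every injected block in place. Returns the number removed."""
    backup = backup_root / path.relative_to(root)
    backup.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(path, backup)  # preserve evidence before editing anything
    text = path.read_text(encoding="utf-8", errors="replace")
    cleaned, count = INJECTED_BLOCK.subn("", text)
    if count:
        path.write_text(cleaned, encoding="utf-8")
    return count


def sweep(root: Path, backup_root: Path) -> dict[str, int]:
    """Scan, quarantine and clean every infected file; report per-file counts."""
    return {
        p.relative_to(root).as_posix(): quarantine_and_clean(p, root, backup_root)
        for p in find_infected(root)
    }


def demo() -> dict:
    """Build a small constructed site tree, run the sweep and report the outcome."""
    base = Path(tempfile.mkdtemp(prefix="cpanel-sweep-demo-"))
    site, backups = base / "public_html", base / "quarantine"
    (site / "blog").mkdir(parents=True)
    # Constructed sample of an injected block appended to otherwise clean pages.
    injected = ('<!-- example-inject-start --><iframe src="http://example.invalid/">'
                "</iframe><!-- example-inject-end -->\n")
    (site / "index.html").write_text("<html><body>Home</body></html>\n" + injected)
    (site / "blog" / "post.php").write_text("<?php echo 'post'; ?>\n" + injected + injected)
    (site / "style.css").write_text("body { color: #000; }\n" + injected)  # not scanned
    (site / "about.html").write_text("<html><body>Clean page</body></html>\n")
    report = sweep(site, backups)
    return {
        "report": report,
        "index_clean": INJECTED_BLOCK.search((site / "index.html").read_text()) is None,
        "backup_kept": (backups / "index.html").read_text().count("example-inject-start"),
        "css_untouched": (site / "style.css").read_text().count("example-inject-start"),
        "about_in_report": "about.html" in report,
    }


if __name__ == "__main__":
    print(demo())
```

The quarantine copy matters as much as the cleaning: once files are rewritten, the original injection is the only record of what the attacker added, and it is what you would hand to the host or compare against the Symantec description. Note also that a regex sweep only removes what it was told to look for; if the host's access was at the cPanel level, rotate the account passwords and restore from a backup taken before the compromise wherever you have one.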