While remediating the websites of an appliance distributor (who shall remain nameless) from the SoakSoak exploit, the site owner complained about malware "coming back" after being cleaned over and over by the former service provider. I logged into their InMotion Hosting control panel, where I was greeted with a warning that there was a potential man-in-the-middle attack due to an expired certificate! Then I got another warning that their version of MySQL was obsolete and needed to be upgraded. Digging deeper, I found a variety of user accounts in both the application and the database that had the signature of a hacker - not totally random, but cryptic and/or occasionally named to sound official, like "system account" and such. I'm not sure how InMotion Hosting's certificates were invalid, but once I saw warnings about the host themselves and the backdoor, system-wide user accounts, I figured it was time to get the hell out of there.