Is bad hosting to blame here? Website is hacked and defaced.

We would not expect this for a nation which has such brilliant security experts :o
See: http://killmalware.com/topoftheweb.com/#
See: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Ftopoftheweb.com&ref_sel=GSP2&ua_sel=ff&fs=1
And particularly here: https://asafaweb.com/Scan?Url=topoftheweb.com
Fail: Overview
Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.

Result
It looks like custom errors are not correctly configured as the requested URL contains the heading “Server Error in”.

Custom errors are easy to enable, just configure the web.config to ensure the mode is either “On” or “RemoteOnly” and ensure there is a valid “defaultRedirect” defined for a custom error page as follows:

Warning: Overview
By default, excessive information about the server and frameworks used by an ASP.NET application is returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.

Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

Overview
Cookies not flagged as “HttpOnly” may be read by client side script and are at risk of being interpreted by a cross site scripting (XSS) attack. Whilst there are times where a cookie set by the server may be legitimately read by client script, most times the “HttpOnly” flag is missing it is due to oversight rather than by design.

Result
It looks like a cookie is being set without the “HttpOnly” flag being set (name : value):

ASPSESSIONIDQABQBTBQ : EGDFJGODMOHFIHEEBLAHNLEE
Unless the cookie legitimately needs to be read by JavaScript on the client, the “HttpOnly” flag should always be set to ensure it cannot be read by the client and used in an XSS attack.

Warning: Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An “X-Frame-Options” header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from trusted URIs.

Result
It doesn’t look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

Look here: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Ftopoftheweb.com%2F

And DROWN vulnerable: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Ftopoftheweb.com%2F
Re: http://www.dnsinspect.com/topoftheweb.com/1469568700

Certificate for

Certificate is not installed correctly
comodo.co.il

Please contact the Certificate Authority for further verification.
You have 2 errors
Wrong certificate installed.
The domain name does not match the certificate common name or SAN.
The certificate has expired.
The certificate has expired. This server is not secure.
Warnings
RC4
Your server’s encryption settings are vulnerable. This server uses the RC4 cipher algorithm which is not secure.
SSLv2
Your server’s encryption settings are vulnerable. This server uses the SSLv2 protocol, which is not secure.
SSLv3
Your server’s encryption settings are vulnerable. This server uses the SSLv3 protocol, which is not secure.
TLS1.2
This server is vulnerable to a TLS renegotiation attack.
This server is vulnerable to:
DROWN
This server is vulnerable to a DROWN attack.
FREAK and Logjam
This server is vulnerable to FREAK and Logjam attacks.
Poodle (TLS)
This server is vulnerable to a Poodle (TLS) attack.
Secure Renegotiation: Not Enabled
Downgrade attack prevention: Unknown
Next Protocol Negotiation: Not Enabled
Session resumption (caching): Enabled
Session resumption (tickets): Not Enabled
Strict Transport Security (HSTS): Not Enabled
SSL/TLS compression: Not Enabled
Heartbeat (extension): Not Enabled
RC4: Enabled
OCSP stapling: Not Enabled

On the hacker and defacer: https://www.zone-h.org/archive/notifier=anazon

polonus (volunteer website security analyst and website error-hunter)
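
For site owners who want to re-check the header and error-page findings quoted above after changing their configuration, here is an added example that is not part of the original post and is not code from any of the scanners linked in it. The names `audit`, `SAMPLE` and `HARDENED` are hypothetical, and both responses are constructed: `SAMPLE` reuses the header values quoted in the scan output, `HARDENED` shows a response that passes the same checks.

```python
DISCLOSURE = ("server", "x-powered-by", "x-aspnet-version")
FRAMING_OK = ("DENY", "SAMEORIGIN", "ALLOW-FROM")

# Constructed response built from the header values quoted in the scan output.
SAMPLE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Set-Cookie: ASPSESSIONIDQABQBTBQ=EGDFJGODMOHFIHEEBLAHNLEE; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><title>Server Error in '/' Application.</title></html>"
)
# Constructed response with the reported findings corrected.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: ASPSESSIONIDQABQBTBQ=EGDFJGODMOHFIHEEBLAHNLEE; path=/; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    "ok"
)

def audit(raw, https=True):
    """Return (check, detail) findings for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    findings = []
    for name, value in headers:
        if name in DISCLOSURE:                   # platform/version disclosure
            findings.append(("disclosure", f"{name}: {value}"))
        if name == "set-cookie":                 # cookie readable by script
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "httponly" not in attrs:
                findings.append(("cookie-no-httponly", value.split("=", 1)[0]))
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    if not any(v.startswith(FRAMING_OK) for v in xfo):
        findings.append(("clickjacking", "no usable X-Frame-Options header"))
    if https and not any(n == "strict-transport-security" for n, _ in headers):
        findings.append(("hsts", "Strict-Transport-Security missing"))
    if "Server Error in" in body:                # default ASP.NET error page
        findings.append(("custom-errors", "default error page returned"))
    return findings

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check}: {detail}")
```

The HSTS check only makes sense for a response served over HTTPS, so pass `https=False` when auditing a plain HTTP response.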