Web site with mysterious hack that redirects you to non-existent folder

I don't know if all hosting providers are attacked, but mine sure has been.  This is the second major attack in 3 months.

I have at least 6 examples that are all the same.  I will focus on one.

Hosting provider:  Vexxhost.com
I am a reseller and this is a cpanel account I set up in the WHM.

Site:  http://mjmlaw.org is a non-existent site.  There are no files other than a cgi-bin folder and the usual .htaccess, 404.shtml and robots.txt.  There is an account set up, but this web address now redirects to http://mjmlaw.la.  So no files and only 1 folder.

Yet there is a phishing scam at

http://www.mjmlaw.org/~alborz2/fr/Processing.htm 

which I have been told to remove by the Google search quality team.  I got these Google emails before when other sites had been hacked a couple of months ago.  It was a different kind of attack.  That attack went after WordPress and I could actually find the offending files and remove them.

But these files and folders do not exist.

If you shorten the URL to http://www.mjmlaw.org/~alborz2/

You go to some kind of Arabic web site.

If you shorten it further, http://www.mjmlaw.org/~alborz

you get a similar but different Arabic web site.

I have looked for domain name redirects in the cPanel, checked for hidden files, checked the DNS zone and MX entry.  

The only thing truly weird is in the latest visitors section.

View attached image.

Column 1 is an IP address, the IP address of mjmlaw.org is 66.66.159.80
Column 2 is a file or folder or both.  When you click it, it shows in the address bar:

http://mjmlaw.org/troop8.php

But that file/folder does not exist.  You click on it and it says it does not exist.  Yet if that column shows ~alborz2/fr/Processing.htm you go to the PayPal phishing site.

There are 200+ of these entries.  I clicked a bunch.  All but the ~alborz2 show the "the web page cannot be found" error.

Column 3 shows the date and time.  All the dates are today and, except for the ones I clicked on, the time ranges from 7:02 to 7:08.  So it is like they were mass uploaded or created.

BUT THEY DON'T EXIST!

All I can figure out is there is some kind of URL shortening or redirecting, but I cannot find out how it might be done.

I looked for code embedded in a file or extra files and found none.

The web sites that were affected are your basic HTML sites (except for mjmlaw.org which has no pages).  They are on the same server.  

If you do a Google search for "~alborz2/fr/Processing.htm", phishtank.com reports about a dozen sites with this phishing scam on them.  Only one reported was mine, the rest are others.  So more than just me is being attacked.

What am I looking for?  Help in understanding how this can be and what can I do to stop it or delete the files.

Thank you.

Jerlo




Attachment: hackfolders.jpg
Asked by Jerry Thompson
RedLondon commented:
You're using cPanel hosting, and cPanel allows you to visit http://server/~username to see an account's website.  There's nothing to delete from your account.

Your server's IP address is 199.204.44.130 so you can visit http://199.204.44.130/~alborz2 to see the website that is stored in the alborz2 hosting account, and you can visit http://199.204.44.130/~mjmlaw/ to see the website that is stored in your mjmlaw hosting account.

It doesn't mean that the malicious files are stored in your mjmlaw account.

The webhost should disable the feature of cPanel which allows this.  If it is your server you can do it, otherwise only the server administrator can do it.  Whoever is to do it needs to log into WHM and click on "Apache mod_userdir Tweak" in the Security Centre at http://199.204.44.130/whm

As the page describes:
Apache's mod_userdir allows users to view their sites by entering a tilde (~) and their username as the URI on a specific host. For example http://test.cpanel.net/~fred/ will bring up the user fred's domain. The disadvantage of this feature is that any bandwidth usage used by this site will be put on the domain it is accessed under (in this case test.cpanel.net). mod_userdir protection prevents this from happening. You may however want to disable it on specific virtual hosts (generally shared SSL hosts).

I'd suggest ticking "Enable mod_userdir Protection", which will immediately mean that no-one can visit http://www.mjmlaw.org/~alborz2 and see the alborz2 account.  If the server administrator wants people to be able to preview their sites before their domains point to the server, they can "exclude" a nominated hostname from the mod_userdir protection, i.e. they can say that the ~username feature can work on one hostname, but keep it disabled for all the others.
0
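One way to spot this abuse in the account's own access log, as an added example that is not code from the thread, from cPanel or from the host: it parses constructed Apache log lines (vhost-prefixed combined format) and flags every request that reached the mjmlaw.org virtual host through another account's /~username/ path. The log lines, IPs, timestamps and the vhost-to-owner map are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Apache access-log lines (combined format with the
# virtual host prepended), modelled on the thread: requests hitting the
# mjmlaw.org vhost for paths under other cPanel accounts' ~username dirs.
SAMPLE_LOG = """\
mjmlaw.org 203.0.113.10 - - [12/Mar/2013:07:02:14 +0000] "GET /~alborz2/fr/Processing.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
mjmlaw.org 203.0.113.11 - - [12/Mar/2013:07:02:40 +0000] "GET /~alborz2/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
mjmlaw.org 203.0.113.12 - - [12/Mar/2013:07:03:05 +0000] "GET /troop8.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
mjmlaw.org 203.0.113.13 - - [12/Mar/2013:07:05:51 +0000] "GET /~alborz/ HTTP/1.1" 200 1900 "-" "Mozilla/5.0"
mjmlaw.org 203.0.113.14 - - [12/Mar/2013:07:08:02 +0000] "GET /~mjmlaw/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
USERDIR_RE = re.compile(r'^/~(?P<user>[A-Za-z0-9_.-]+)(?:/|$)')

def find_userdir_requests(log_text, owners):
    """Return requests that reached a vhost via /~user/ for a user who does
    not own that vhost.  `owners` maps vhost name -> cPanel account name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected format
        u = USERDIR_RE.match(m.group('path'))
        if not u:
            continue  # ordinary path, not a mod_userdir request
        user = u.group('user')
        if owners.get(m.group('vhost')) != user:
            hits.append({'vhost': m.group('vhost'), 'ip': m.group('ip'),
                         'user': user, 'path': m.group('path'),
                         'status': int(m.group('status'))})
    return hits

def summarize(hits):
    """Count cross-account hits that were actually served (status < 400)."""
    return Counter((h['vhost'], h['user']) for h in hits if h['status'] < 400)

if __name__ == '__main__':
    hits = find_userdir_requests(SAMPLE_LOG, {'mjmlaw.org': 'mjmlaw'})
    for (vhost, user), n in summarize(hits).items():
        print(f"{vhost} served {n} request(s) for account ~{user}")
```

Once mod_userdir protection is enabled on the server, the same requests should return 404 and drop out of `summarize()`, which makes this a quick before/after check.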
a1j commented:
~alborz2/ and ~alborz/ are usually pointing in the filesystem to

/home/alborz2/public_html/
and
/home/alborz/public_html/


It seems like someone just created a personal website which got hacked.  Check those directories to see if they have any files.
0
Dave Baldwin commented:
A recent similar problem ended up being an 'index.php' that was doing the redirecting.

The IP address of 'mjmlaw.org' is 199.204.44.130 .  Where did you get 66.66.159.80?
0
OriNetworks commented:
Check the 404.shtml file to make sure it hasn't been tampered with.  If they hijacked that one file alone, they could put in any invalid path and have the user dynamically redirected.
0
Dave Baldwin commented:
66.66.159.80 is a server at 'rr.com', is that where you are hosting?
0
Jerry Thompson (author) commented:
Thanks for the replies.

A1J:  That makes sense.  If that is the case, then it seems like Vexxhost should be able to take care of it quickly.  Although there is still the question as to how they got into the server itself.

DaveBaldwin:  My bad, the IP address was not the server, but the "last logged in from" and that is my Time Warner IP.  The 199.204.44.130 is the correct IP.

OriNetworks:  I had already checked the shtml file and rechecked after your comment.  It has not been altered.

Thanks again.

jerlo
0
Jerry Thompson (author) commented:
RedLondon:

Thanks for the comment and information.  That is exactly what is happening.

I am going to send your post to the hosting provider.  I'd think they'd know that, but you never know.

Generally speaking, Vexxhost has been a good company to work with, but they are not always real prompt getting back to you about your support tickets.

Thanks.

Jerlo
0
Jerry Thompson (author) commented:
I want to thank you all for responding to my question.  RedLondon's response was dead on with what tech support finally replied with.  Thank you RedLondon.
0