Web site with mysterious hack that redirects you to non-existent folder

Posted on 2011-05-02
Medium Priority
Last Modified: 2012-05-11
I don't know if all hosting providers are attacked, but mine sure has been.  This is the second major attack in 3 months.

I have at least 6 examples that are all the same.  I will focus on one.

Hosting provider:  Vexxhost.com
I am a reseller and this is a cpanel account I set up in the WHM.

Site:  http://mjmlaw.org is a non-existent site.  There are no files other than a cgi-bin folder and the usual .htaccess, 404.shtml and robots.txt.  There is an account set up, but this web address now redirects to http://mjmlaw.la.  So no files and only 1 folder.

Yet there is a phishing scam at


which I have been told to remove by the Google search quality team.  I got these Google emails before when other sites had been hacked a couple of months ago.  It was a different kind of attack.  That attack went after WordPress and I could actually find the offending files and remove them.

But these files and folders do not exist.

If you shorten the URL to http://www.mjmlaw.org/~alborz2/

You go to some kind of Arabic web site.

If you shorten it further, http://www.mjmlaw.org/~alborz

you get a similar but different Arabic web site.

I have looked for domain name redirects in the cPanel, checked for hidden files, checked the DNS zone and MX entry.  

The only thing truly weird is in the latest visitors section.

View attached image.

Column 1 is an IP address, the IP address of mjmlaw.org is
Column 2 is a file or folder or both.  When you click it it shows in the address bar:  


But those files/folders do not exist.  You click on it and it says it does not exist.  Yet if that column shows ~alborz2/fr/Processing.htm you go to the PayPal phishing site.

There are 200+ of these entries.  I clicked a bunch.  All but the ~alborz2 show the "the web page cannot be found" error.

Column 3 shows the date and time.  All the dates are today and except for the ones I clicked on, the time ranges from 7:02 to 7:08.  So it is like they were mass uploaded or created.


All I can figure out is there is some kind of URL shortening or redirecting, but I cannot find out how it might be done.

I looked for code embedded in a file or extra files and found none.

The web sites that were affected are your basic HTML sites (except for mjmlaw.org which has no pages).  They are on the same server.  

If you do a Google search for "~alborz2/fr/Processing.htm" the phishtank.com reports about a dozen sites with this phishing scam on it.  Only one reported was mine, the rest are others.  So more than just me is being attacked.

What am I looking for?  Help in understanding how this can be and what can I do to stop it or delete the files.

Thank you.


Question by:Jerry Thompson

Expert Comment

ID: 35509438
~alborz2/ and ~alborz/ are usually pointing in the filesystem to


It seems like someone just created a personal website which got hacked. Check those directories to see if they have any files.
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35509531
A recent similar problem ended up being an 'index.php' that was doing the redirecting.

The IP address of 'mjmlaw.org' is .  Where did you get
LVL 17

Expert Comment

ID: 35509558
Check the 404.shtml file to make sure it hasn't been tampered with. If they hijacked that one file alone they could put any invalid path and have the user dynamically redirected.

LVL 84

Expert Comment

by:Dave Baldwin
ID: 35509567 is a server at 'rr.com', is that where you are hosting?

Author Comment

by:Jerry Thompson
ID: 35509675
Thanks for the replies.

A1J:  That makes sense.  If that is the case, then it seems like vexxhost should be able to take care of it quickly.  Although there is still the question as to how they got into the server itself.

DaveBaldwin:  My bad, the IP address was not the server, but the "last logged in from" and that is my Time Warner IP.  The is the correct IP.

Orinetworks:  I had already checked the shtml file and rechecked after your comment.  It has not been altered.

Thanks again.

LVL 11

Accepted Solution

RedLondon earned 2000 total points
ID: 35510533
You're using cPanel hosting, and cPanel allows you to visit http://server/~username to see an account's website.  There's nothing to delete from your account.

Your server's IP address is so you can visit to see the website that is stored in the alborz2 hosting account, and you can visit to see the website that is stored in your mjmlaw hosting account.

It doesn't mean that the malicious files are stored in your mjmlaw account.

The webhost should disable the feature of cPanel which allows this.  If it is your server you can do it, otherwise only the server administrator can do it.  Whoever is to do it needs to log into WHM and click on "Apache mod_userdir Tweak" in the Security Centre at

As the page describes:
Apache's mod_userdir allows users to view their sites by entering a tilde(~) and their username as the uri on a specific host. For example http://test.cpanel.net/~fred/ will bring up the user fred's domain. The disadvantage of this feature is that any bandwidth usage used by this site will be put on the domain it is accessed under (in this case test.cpanel.net). mod_userdir protection prevents this from happening. You may however want to disable it on specific virtual hosts (generally shared ssl hosts.)

I'd suggest ticking "Enable mod_userdir Protection" which will immediately mean that no-one can visit http://www.mjmlaw.org/~alborz2 and see the alborz2 account.  If the server administrator wants people to be able to preview their sites before their domains point to the server they can "exclude" a nominated hostname from the mod_userdir protection... ie they can say that the ~username feature can work on one hostname, but keep it disabled for all the others.
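
The behaviour described in the answer above shows up in a virtual host's access log as requests for `/~name` where `name` is a different account on the same server. The following is an added example, not part of the original answer or of cPanel: it scans combined-format log lines for the mjmlaw.org vhost and lists which foreign accounts were requested and which paths were actually served. The log lines are constructed sample data and the function name `foreign_userdir_hits` is hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: Apache combined-format lines for the mjmlaw.org vhost.
# Client IPs are documentation addresses and the timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2011:07:02:11 -0400] "GET /~alborz2/fr/Processing.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2011:07:03:40 -0400] "GET /~alborz2/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2011:07:04:02 -0400] "GET /~alborz HTTP/1.1" 301 312 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2011:07:05:19 -0400] "GET /robots.txt HTTP/1.1" 200 24 "-" "Googlebot"
192.0.2.33 - - [02/May/2011:07:06:55 -0400] "GET /~mjmlaw/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.50 - - [02/May/2011:07:08:01 -0400] "GET /%7Ealborz2/fr/Processing.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client, identd, user, [time], "METHOD path PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
USERDIR_RE = re.compile(r"^/~([^/?#]+)")


def foreign_userdir_hits(log_text, own_account):
    """Group /~account requests that belong to some other hosting account."""
    report = defaultdict(lambda: {"hits": 0, "served": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        _client, raw_path, status = m.groups()
        # Decode first so that /%7Ename is treated the same as /~name.
        path = unquote(raw_path)
        u = USERDIR_RE.match(path)
        if not u or u.group(1) == own_account:
            continue
        entry = report[u.group(1)]
        entry["hits"] += 1
        if status.startswith("2"):
            entry["served"].add(path)  # content was delivered under this domain
    return {acct: {"hits": e["hits"], "served": sorted(e["served"])}
            for acct, e in report.items()}


if __name__ == "__main__":
    for acct, e in foreign_userdir_hits(SAMPLE_LOG, "mjmlaw").items():
        print(acct, e["hits"], e["served"])
```

A non-empty `served` list for an account other than your own means mod_userdir is exposing that account under your hostname; once "Enable mod_userdir Protection" is ticked, the same requests should stop returning 2xx.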

Author Comment

by:Jerry Thompson
ID: 35511658

Thanks for the comment and information.  That is exactly what is happening.

I am going to send your post to the hosting provider.  I'd think they'd know that, but you never know.

Generally speaking Vexxhost has been a good company to work with but they are not always real prompt getting back to you about your support tickets.



Author Closing Comment

by:Jerry Thompson
ID: 35711947
I want to thank you all for responding to my question.  RedLondon's response was dead on with what tech support finally replied with.  Thank you, RedLondon.
