Web site with mysterious hack that redirects you to non-existent folder

Posted on 2011-05-02
Last Modified: 2012-05-11
I don't know if all hosting providers are attacked, but mine sure has been.  This is the second major attack in 3 months.

I have at least 6 examples that are all the same.  I will focus on one.

Hosting provider:
I am a reseller and this is a cpanel account I set up in the WHM.

Site: is a non-existent site.  There are no files other than a cgi-bin folder and the usual .htaccess, 404.shtml and robots.txt.  There is an account set up, but this web address now redirects to  So no files and only 1 folder.

Yet there is a phishing scam at

which I have been told to remove by the Google search quality team.  I got these Google emails before when other sites had been hacked a couple of months ago.  It was a different kind of attack.  That attack went after WordPress and I could actually find the offending files and remove them.

But these files and folders do not exist.

If you shorten the URL to

You go to some kind of Arabic web site.

If you shorten it further,

you get a similar but different Arabic web site.

I have looked for domain name redirects in the cPanel, checked for hidden files, checked the DNS zone and MX entry.  

The only thing truly weird is in the latest visitors section.

View attached image.

Column 1 is an IP address, the IP address of is
Column 2 is a file or folder or both.  When you click it it shows in the address bar:

But those files/folders do not exist.  You click on one and it says it does not exist.  Yet if that column shows ~alborz2/fr/Processing.htm you go to the PayPal phishing site.

There are 200+ of these entries.  I clicked a bunch.  All but the ~alborz2 ones show the "the web page cannot be found" error.

Column 3 shows the date and time.  All the dates are today and, except for the ones I clicked on, the time ranges from 7:02 to 7:08.  So it is like they were mass uploaded or created.


All I can figure out is there is some kind of URL shortening or redirecting, but I cannot find out how it might be done.

I looked for code embedded in a file or extra files and found none.

The web sites that were affected are your basic HTML sites (except for which has no pages).  They are on the same server.  

If you do a Google search for "~alborz2/fr/Processing.htm", Google reports about a dozen sites with this phishing scam on them.  Only one reported was mine, the rest are others.  So more than just me is being attacked.

What am I looking for?  Help in understanding how this can be and what can I do to stop it or delete the files.

Thank you.


Question by:Jerry Thompson
    LVL 4

    Expert Comment

    ~alborz2/ and ~alborz/ are usually pointing in the filesystem to


    It seems like someone just created a personal website which got hacked. Check those directories to see if they have any files.
    LVL 82

    Expert Comment

    by:Dave Baldwin
    A recent similar problem ended up being an 'index.php' that was doing the redirecting.

    The IP address of '' is .  Where did you get
    LVL 17

    Expert Comment

    Check the 404.shtml file to make sure it hasn't been tampered with. If they hijacked that one file alone they could put any invalid path and have the user dynamically redirected.
    LVL 82

    Expert Comment

    by:Dave Baldwin
    is a server at '', is that where you are hosting?

    Author Comment

    by:Jerry Thompson
    Thanks for the replies.

    A1J:  That makes sense.  If that is the case, then it seems like Vexxhost should be able to take care of it quickly.  Although there is still the question as to how they got into the server itself.

    DaveBaldwin:  My bad, the IP address was not the server, but the "last logged in from" and that is my Time Warner IP.  The is the correct IP.

    Orinetworks:  I had already checked the shtml file and rechecked after your comment.  It has not been altered.

    Thanks again.

    LVL 11

    Accepted Solution

    You're using cPanel hosting, and cPanel allows you to visit http://server/~username to see an account's website.  There's nothing to delete from your account.

    Your server's IP address is so you can visit to see the website that is stored in the alborz2 hosting account, and you can visit to see the website that is stored in your mjmlaw hosting account.

    It doesn't mean that the malicious files are stored in your mjmlaw account.

    The webhost should disable the feature of cPanel which allows this.  If it is your server you can do it, otherwise only the server administrator can do it.  Whoever is to do it needs to log into WHM and click on "Apache mod_userdir Tweak" in the Security Centre at

    As the page describes:
    Apache's mod_userdir allows users to view their sites by entering a tilde(~) and their username as the uri on a specific host. For example will bring up the user fred's domain. The disadvantage of this feature is that any bandwidth usage used by this site will be put on the domain it is accessed under (in this case mod_userdir protection prevents this from happening. You may however want to disable it on specific virtual hosts (generally shared ssl hosts.)

    I'd suggest ticking "Enable mod_userdir Protection", which will immediately mean that no-one can visit and see the alborz2 account.  If the server administrator wants people to be able to preview their sites before their domains point to the server they can "exclude" a nominated hostname from the mod_userdir protection... i.e. they can say that the ~username feature can work on one hostname, but keep it disabled for all the others.

    Author Comment

    by:Jerry Thompson

    Thanks for the comment and information.  That is exactly what is happening.

    I am going to send your post to the hosting provider.  I'd think they'd know that, but you never know.

    Generally speaking Vexxhost has been a good company to work with but they are not always real prompt getting back to you about your support tickets.



    Author Closing Comment

    by:Jerry Thompson
    I want to thank you all for responding to my question.  Redlondon's response was dead on with what tech support finally replied with.  Thank you redlondon.
