I don't know if all hosting providers are attacked, but mine sure has been. This is the second major attack in 3 months.
I have at least 6 examples that are all the same. I will focus on one.
Hosting provider: Vexxhost.com
I am a reseller and this is a cPanel account I set up in the WHM.
is a non-existent site. There are no files other than a cgi-bin folder and the usual .htaccess, 404.shtml and robots.txt. There is an account set up, but this web address now redirects to http://mjmlaw.la. So no files and only 1 folder.
Yet there is a phishing scam at
which I have been told to remove by the Google search quality team. I got these Google emails before when other sites had been hacked a couple of months ago. It was a different kind of attack. That attack went after WordPress and I could actually find the offending files and remove them.
But these files and folders do not exist.
If you shorten the URL to http://www.mjmlaw.org/~alborz2/
you go to some kind of Arabic web site.
If you shorten it further, http://www.mjmlaw.org/~alborz
you get a similar but different Arabic web site.
I have looked for domain name redirects in the cPanel, checked for hidden files, checked the DNS zone and MX entry.
The only thing truly weird is in the latest visitors section.
View attached image.
Column 1 is an IP address; the IP address of mjmlaw.org is 188.8.131.52
Column 2 is a file or folder or both. When you click it, it shows in the address bar:
But those files/folders do not exist. You click on it and it says it does not exist. Yet if that column shows ~alborz2/fr/Processing.htm
you go to the PayPal phishing site.
There are 200+ of these entries. I clicked a bunch. All but the ~alborz2 show the "the web page cannot be found" error.
Column 3 shows the date and time. All the dates are today and, except for the ones I clicked on, the time ranges from 7:02 to 7:08. So it is like they were mass uploaded or created.
BUT THEY DON'T EXIST!
All I can figure out is there is some kind of URL shortening or redirecting, but I cannot find out how it might be done.
I looked for code embedded in a file or extra files and found none.
The web sites that were affected are your basic HTML sites (except for mjmlaw.org which has no pages). They are on the same server.
If you do a Google search for "~alborz2/fr/Processing.htm", phishtank.com reports about a dozen sites with this phishing scam on it. Only one reported was mine, the rest are others. So more than just me is being attacked.
What am I looking for? Help in understanding how this can be and what can I do to stop it or delete the files.