Shelley277

Unable to locate phishing URL in CPanel file manager

@Shelley277

Posted in: #Cpanel #Hostgator #Phishing #Security #SharedHosting

I received an email from Google that there may be phishing pages on my website. Below are example URLs on my site which may be part of a phishing attack:

www.uooart.com/~impots/file/cdc61d45beba0a37b108040b9b35d257/redirection.php
www.uooart.com/~impots/file/cdc61d45beba0a37b108040b9b35d257/redirection.php?g4d3bdOsiuarHDdBl0bEP6dBVy_wP1WJ6XZDh7nemRp9bv2mHJ0HYZaZV6xWExsS

When opened using Chrome, these pages show a phishing alert, and when it is skipped they get redirected to uooart.com/cgi-sys/suspendedpage.cgi, which further has links on this site fwdssp.com

Now I want to solve this problem but I can't delete those files because I can't find any "~impots" (www.uooart.com/~impots/) directory in my Cpanel File Manager. The directory uooart.com/cgi-sys does exist but it doesn't have the "suspendedpage.cgi" file.

I even tried a wildcard redirect of uooart.com/~impots to uooart.com but it doesn't work.




1 Comments


@Alves908

These files were never on your account, they were hosted on another account on the same (shared) server with username "impots".

On many shared Apache servers you can access your account's files by a URL of the form <server-IP>/~username (a feature known as "per-user web directories" handled by mod_userdir). This allows you to access your website before your domain resolves (although there are much better methods to do this). Unfortunately this also seems to allow you to access accounts from any domain on the shared server (the domain resolves to the server's IP address) - which is what's happening here. Whether this is an outright configuration error on the server I'm not sure, as I have experienced the same "setup" on several shared hosts. It is certainly a potential vulnerability; as you have found! However, the host certainly has it in their power to disable this feature on your account:

UserDir disabled <your-username>



Now I want to solve this problem but I can't delete those files...


The files have already been removed by the host. As you have found, when you bypass the warning in Chrome you get the account-suspension page.


When opened using Chrome these page show phishing alert...


This is a problem as it's Chrome's own "malicious site" protection that is displaying this alert. No external request to your server is even made, so there is no request that can be blocked or redirected.

Unfortunately I think only "time" will heal this error, as your site (or specifically, these URLs) are recrawled. Can you "mark as fixed" these errors in Google Search Console?

To prevent such URLs being crawled (and hopefully indexed) by the search bots, you could add a Disallow: /~ rule to your robots.txt file. However, this obviously won't prevent the content from being served.

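The following is an added example, not part of the answer above and not tooling from the host or cPanel: it scans an Apache access log for `/~username` requests that reached other accounts through your domain, which is the mod_userdir behaviour the answer describes. The combined log format, the sample lines, the placeholder account name `me` and the function names are assumptions.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
# mod_userdir paths: /~username/... ; the tilde may arrive percent-encoded as %7E
USERDIR_RE = re.compile(r'^/(?:~|%7[Ee])([^/?#]+)')

def userdir_hits(log_lines, own_username=None):
    """Count requests per (username, status) whose path is a /~username URL.

    own_username (assumed to be your own account name) is skipped, so the
    result lists only other accounts reached through your domain.
    """
    hits = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the expected format
        u = USERDIR_RE.match(m.group(1))
        if u and u.group(1) != own_username:
            hits[(u.group(1), int(m.group(2)))] += 1
    return hits

def served(hits):
    """Usernames that got a 2xx/3xx answer, i.e. the server responded for that path."""
    return sorted({user for (user, status) in hits if 200 <= status < 400})

# Constructed sample lines; addresses, dates, usernames and paths are made up.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2017:10:00:01 +0000] "GET /~otheruser/file/page.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2017:10:00:05 +0000] "GET /~otheruser/file/page.php?x=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Mar/2017:10:00:09 +0000] "GET /%7Eotheruser/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2017:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2017:10:01:02 +0000] "GET /~ghost/ HTTP/1.1" 404 196 "-" "curl/7.50"',
    '198.51.100.9 - - [10/Mar/2017:10:01:04 +0000] "GET /~me/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = userdir_hits(SAMPLE, own_username="me")
    for (user, status), n in sorted(found.items()):
        print(f"/~{user}  status={status}  requests={n}")
    print("answered by the server:", served(found))
```

A 404 for a `/~username` path does not show that UserDir is disabled; it may only mean the file is gone, so the setting itself still has to be confirmed with the host.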

