What is /~bitsofev/apple.de added url? Hacked, hacker hacking.
I wrote all the code for the site myself and I connect & interact with the database (MySQL) using PDO (PHP Data Objects).
I discovered a strange url (I didn’t create it) at the above referenced site less than a month ago. After the forward slash following my domain name (or the main index file) the following segments are found in the path: /~bitsofev/apple.de
I only discovered the url because I use a web analytics service called Clicky and saw that there was some traffic (not very much, maybe once or twice a day) arriving, directly, at this url.
At first I thought that one of the registered users at my site may have:
a. uploaded a malicious file to the database
b. or found an error in the code and subsequently exploited it
I even thought that I may have pinpointed a user whose registration date was perhaps suspiciously close (1.5 days) to the first recorded traffic (according to Clicky) to /~bitsofev/apple.de
I abandoned this theory regarding the referenced user after I learned the following:
a. I was using the free version of Clicky which provided history for only the last 30 days. I really and truly couldn’t know the first recorded date of traffic to the url
b. I hadn’t been checking my site’s (the site with the strange added url) admin inbox and when I finally did I discovered an email from Google, which was dated August 4, 2015, warning me that they too had discovered the url. The 30 day traffic history that I was viewing on Clicky didn’t go back that far (i.e., August 4, 2015) so I don’t know if the url was tracked in Clicky prior to that date.
c. The possibly suspicious user registration date occurred sometime after the date of Google’s email (i.e., August 4, 2015).
The following is a reproduction of Google’s email:
Dear site owner or webmaster of XXXXXXXXX.com,
We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google.
Below are one or more example URLs on your site which may be part of a phishing attack:
Here is a link to a sample warning page:
We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
If your site was compromised, it’s important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.
Once you’ve secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting
and reporting an “incorrect forgery alert.” We will review this request and take the appropriate actions.
Google Search Quality Team
The site that we’ve been discussing doesn’t yet have many registered users (less than 10), and while it may be possible that one of them is responsible for the url, I have no objective evidence of this.
Typically a phishing site is a forgery of the original site. A few questions that I have been asking myself, and searching for the answer to, regarding /~bitsofev/apple.de are as follows:
Scenario 1. If this url belongs to a forgery of my site then why does it show up in my real site’s web analytics?
Scenario 2. If this url is not part of a forgery site then how did someone add this url to my real site?
Scenario 3. If there is a link somewhere on a tracked page within my real site (which probably would show up in web analytics) which leads to a forgery site (if there is a forgery site) then how did this link become a part of my site?
Other observations that I have made regarding this url include the following:
a. Someone using the following IP 18.104.22.168 visits /~bitsofev/apple.de every single day.
b. The only visitor to the url who did not access the url directly was someone who got in through http://10.100.1.1:8085/redirect.php and the IP that was recorded was 22.214.171.124 (Melbourne, Australia).
c. The above b seems to indicate that someone got access using port 8085.
d. Most of the other traffic arriving at /~bitsofev/apple.de seems to come from Russia, the Netherlands and China (at least according to IP).
e. I cannot find any sort of reference to this url in any of the files and code that the site consists of.
f. I cannot find any sort of reference to this url in the MySQL database that the site connects and interacts with.
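The web server's own access log is not limited to a 30-day analytics window, so it can show when the url was first requested, which client IPs return daily, and which referrers appear. The following is an added example, not part of the original post: it assumes Apache "combined" log format, and the log lines are constructed (client IPs are documentation addresses; only the path and the referrer are taken from the post).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" log format (assumed; adjust to the server's LogFormat).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample lines; client IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Aug/2015:04:12:30 +0000] "GET /~bitsofev/apple.de HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Aug/2015:10:02:44 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Aug/2015:04:11:09 +0000] "GET /~bitsofev/apple.de HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [05/Aug/2015:19:40:01 +0000] "GET /~bitsofev/apple.de/ HTTP/1.1" 200 5120 "http://10.100.1.1:8085/redirect.php" "Mozilla/5.0"
not a log line
"""

def referer_is_private(referer):
    """True when the referrer host is a private or otherwise non-public IP."""
    try:
        return ipaddress.ip_address(urlsplit(referer).hostname or "").is_private
    except ValueError:  # hostname is a DNS name, or the URL has no host
        return False

def summarize(log_text, prefix="/~bitsofev/"):
    """First hit, distinct days per client IP, and referrers for `prefix`."""
    first_seen, days_by_ip, referers = None, defaultdict(set), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue  # unparseable line or unrelated request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        first_seen = ts if first_seen is None else min(first_seen, ts)
        days_by_ip[m["ip"]].add(ts.date())
        if m["referer"] not in ("", "-"):
            referers[m["referer"]] = referer_is_private(m["referer"])
    per_ip = {ip: len(days) for ip, days in days_by_ip.items()}
    return {"first_seen": first_seen, "days_by_ip": per_ip, "referers": referers}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

A referrer whose host is a private address such as 10.x.x.x names a machine on the visitor's own network, so the flag in `referers` separates those from referrers that are publicly reachable pages.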
The only advice that I can find at Stack Overflow is the following question (posted on August 27, 2015 by user somuch72) from an individual who is experiencing a similar problem:
If anyone reading has encountered similar problems regarding a url being added to your site, or anything at all regarding ~bitsofev/apple.de, please leave a comment here with your thoughts.
UPDATE: MUCH CLOSER TO BEING SOLVED – November 7, 2015 – Read the comments