What is the /~bitsofev/apple.de added URL? Hacked, hacker, hacking.

I’ve been developing another of my sites for several months now.

I wrote all the code for the site myself, and I connect to and interact with the database (MySQL) using PDO (PHP Data Objects).

I discovered a strange URL (I didn’t create it) at the above referenced site less than a month ago. After the forward slash following my domain name (or the main index file), the following segments are found in the path: /~bitsofev/apple.de

I only discovered the URL because I use a web analytics service called Clicky and saw that there was some traffic (not very much, maybe once or twice a day) arriving directly at this URL.

At first I thought that one of the registered users at my site may have:

a.  uploaded a malicious file to the database

b.  or found an error in the code and subsequently exploited it

I even thought that I may have pinpointed a user whose registration date was perhaps suspiciously close (1.5 days) to the first recorded traffic (according to Clicky) to /~bitsofev/apple.de

I abandoned this theory regarding the referenced user after I learned the following:

a.  I was using the free version of Clicky, which provided history for only the last 30 days. I really and truly couldn’t know the first recorded date of traffic to the URL.

b.  I hadn’t been checking my site’s (the site with the strange added URL) admin inbox, and when I finally did I discovered an email from Google, dated August 4, 2015, warning me that they too had discovered the URL. The 30-day traffic history that I was viewing on Clicky didn’t go back that far (i.e., to August 4, 2015), so I don’t know if the URL was tracked in Clicky prior to that date.

c.  The possibly suspicious user registration date occurred sometime after the date of Google’s email (i.e., August 4, 2015).

The following is a reproduction of Google’s email:

Dear site owner or webmaster of XXXXXXXXX.com,

We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google.

Below are one or more example URLs on your site which may be part of a phishing attack:

http://www.XXXXXXXXX.com/~bitsofev/apple.de/

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.XXXXXXXXX.com/~bitsofev/apple.de/

We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content

If your site was compromised, it’s important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.

Once you’ve secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting
http://www.google.com/safebrowsing/report_error/?tpl=emailer
and reporting an “incorrect forgery alert.” We will review this request and take the appropriate actions.

Sincerely,
Google Search Quality Team

The site that we’ve been discussing doesn’t yet have many registered users (fewer than 10), and while it may be possible that one of them is responsible for the URL, I have no objective evidence of this.

Typically a phishing site is a forgery of the original site. A few questions that I have been asking myself, and searching for answers to, regarding /~bitsofev/apple.de are as follows:

Scenario 1.  If this URL belongs to a forgery of my site, then why does it show up in my real site’s web analytics?

Scenario 2.  If this URL is not part of a forgery site, then how did someone add this URL to my real site?

Scenario 3.  If there is a link somewhere on a tracked page within my real site (which probably would show up in web analytics) that leads to a forgery site (if there is a forgery site), then how did this link become a part of my site?

Other observations that I have made regarding this URL include the following:

a.  Someone using the IP 208.184.112.75 visits /~bitsofev/apple.de every single day.

b.  The only visitor to the URL who did not access it directly was someone who got in through http://10.100.1.1:8085/redirect.php, and the IP that was recorded was 168.1.75.27 (Melbourne, Australia).

c.  The above (b) seems to indicate that someone got access using port 8085.

d.  Most of the other traffic arriving at /~bitsofev/apple.de seems to come from Russia, the Netherlands and China (at least according to IP).

e.  I cannot find any sort of reference to this URL in any of the files and code that the site consists of.

f.  I cannot find any sort of reference to this URL in the MySQL database that the site connects to and interacts with.

The only advice that I can find at Stack Overflow is the following question (posted on August 27, 2015 by user somuch72) from an individual who is experiencing a similar problem:

my site hijacked, added url on my site and can’t be redirected

If anyone reading has encountered similar problems regarding a URL being added to your site, or anything at all regarding ~bitsofev/apple.de, please leave a comment here with your thoughts.

UPDATE: MUCH CLOSER TO BEING SOLVED – November 7, 2015 – Read the comments

9 comments

  • A few minutes ago I ran a report on [my_website]/~bitsofev/apple.de at http://urlquery.net/

    These are the results that I was provided with:

    Overview
    URL [my_website].com/~bitsofev/apple.de
    IP 108.167.182.40
    ASN AS20013 CyrusOne LLC
    Location [United States] United States
    Report completed 2015-09-21 03:29:16 CET
    Status Report complete.
    urlQuery Alerts No alerts detected

    Settings
    UserAgent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
    Referer
    Pool
    Access Level public

    Intrusion Detection Systems
    Snort /w Sourcefire VRT No alerts detected
    Suricata /w Emerging Threats Pro No alerts detected

    Blacklists
    Fortinet’s Web Filter / fortiguard.com No alerts detected
    MDL / malwaredomainlist.com No alerts detected
    DNS-BH / malwaredomains.com No alerts detected
    OpenPhish / openphish.com No alerts detected
    PhishTank / phishtank.com No alerts detected
    Spamhaus DBL / spamhaus.org No alerts detected

    Files Captured

    Recent reports on same IP/ASN/Domain
    Last 6 reports on IP: 108.167.182.40
    Date UQ / IDS / BL URL IP
    2015-09-20 22:47:59 0 – 0 – 1 http://www.screenwatchr.com/~bitsofev/apple.de [United States] 108.167.182.40
    2015-09-20 22:41:02 0 – 0 – 2 http://www.wageslavenomore.info/~bitsofev/apple.de [United States] 108.167.182.40
    2015-09-20 22:15:32 0 – 0 – 1 http://www.dlcracked.com/~bitsofev/apple.de [United States] 108.167.182.40
    2015-09-20 22:08:01 0 – 0 – 1 http://www.premierpartnersinsurance.com/~bitsofev/apple.de [United States] 108.167.182.40
    2015-09-20 22:02:42 0 – 0 – 1 http://www.nexusshopping.info/~bitsofev/apple.de [United States] 108.167.182.40
    2015-09-20 19:45:11 0 – 0 – 1 http://www.tesoclothing.com/~bitsofev/apple.de [United States] 108.167.182.40

    Last 6 reports on ASN: AS20013 CyrusOne LLC
    Date UQ / IDS / BL URL IP
    2015-09-21 03:25:26 0 – 0 – 1 hope.org.ec/index.php/galeria/image?view=image [United States] 192.185.190.128
    2015-09-21 03:23:27 0 – 0 – 1 http://www.bharatdarshans.com/blog/free-online-dating-in-india-16.html [United States] 192.185.106.161
    2015-09-21 03:21:40 0 – 1 – 0 http://www.birdiesoftware.com/pro/birdie-emlx-to-eml.exe [United States] 192.185.52.186
    2015-09-21 03:16:38 0 – 0 – 1 deonfourie.co.za/ [United States] 192.185.119.142
    2015-09-21 03:12:46 0 – 0 – 1 http://www.bharatdarshans.com/blog/free-online-brazilian-dating-12.html [United States] 192.185.106.161
    2015-09-21 03:09:22 0 – 3 – 0 any-file-backup.com/anyfilebackuppro_setup.exe [United States] 192.185.16.247

    JavaScript
    Executed Scripts (3)
    Executed Evals (0)
    Executed Writes (0)

    HTTP Transactions (8)

    Request / Response

    GET /js HTTP/1.1
    Host: static.getclicky.com

    [United States AS13335 CloudFlare, Inc.] 190.93.245.10
    HTTP/1.0 200 OK
    Content-Type: application/x-javascript

    GET /in.php?[my_website & tracking code by clicky] HTTP/1.1
    Host: in.getclicky.com

    [United States AS2044 Infinity Internet, Inc.] 198.145.13.8
    HTTP/1.0 200 OK
    Content-Type: text/javascript

    GET /favicon.ico HTTP/1.1
    Host: [my_website].com

    [United States AS20013 CyrusOne LLC] 108.167.182.40
    HTTP/1.0 200 OK
    Content-Type: image/x-icon

    GET /~bitsofev/[my_website].css HTTP/1.1
    Host: [my_website].com

    [United States AS20013 CyrusOne LLC] 108.167.182.40
    HTTP/1.0 200 OK
    Content-Type: text/html

    GET /~bitsofev/[my_website].css HTTP/1.1
    Host: [my_website].com

    [United States AS20013 CyrusOne LLC] 108.167.182.40
    HTTP/1.0 200 OK
    Content-Type: text/html

    GET /~bitsofev/[my_website].png HTTP/1.1
    Host: [my_website].com

    [United States AS20013 CyrusOne LLC] 108.167.182.40
    HTTP/1.0 200 OK
    Content-Type: text/html

    GET /~bitsofev/[my_website].png HTTP/1.1
    Host: [my_website].com

    [United States AS20013 CyrusOne LLC] 108.167.182.40
    HTTP/1.0 200 OK
    Content-Type: text/html

    GET /~bitsofev/[my_website].jpg HTTP/1.1
    Host: [my_website].com

    [United States AS20013 CyrusOne LLC] 108.167.182.40
    HTTP/1.0 200 OK
    Content-Type: text/html

  • New traffic early this morning (Sept. 21, 2015) at URL /~bitsofev/apple.de.

    IP: 12.167.151.81 (Baltimore, Maryland)

    They did not arrive directly at the URL.

    They arrived from http://serw.clicksor.com/redir.php

  • Last night (after 9:00 PM, September 28, 2015) I renamed the main index.php at the other site (the unnamed site featured in the report) to index.html.

    Immediately after making the change I checked the /~bitsofev/apple.de URL and found that it was no longer functional; I received an ERROR 404 – PAGE NOT FOUND.

    It appears that someone was able to hack (or exploit some segment of the code in) the index.php file.

    For the time being I am going to use the index.html file rather than index.php.

    After I learn more about the problem that I was creating (my error alone) in PHP I plan to again use index.php.

  • Today I used this link (because I’ve secured my other site and removed the content involved in the suspected phishing attack):

    https://www.google.com/safebrowsing/report_error/?tpl=emailer

    to request that the phishing warning (which visitors are apparently seeing upon arrival at my other site) be removed.

  • I’m now using index.php again (for the referenced site) because I’ve ascertained that the following code (which I wrote into the referenced site’s .htaccess file) blocks the ~bitsofev/apple.de URL:

    # mod_rewrite must be switched on once in the .htaccess file for the rules below to take effect
    RewriteEngine On
    # Match the raw request line (e.g. "GET /~bitsofev/apple.de HTTP/1.1"), case-insensitively,
    # where the path is followed by end of line, a space, or a query string
    RewriteCond %{THE_REQUEST} ~bitsofev/apple.de($|\ |\?) [NC]
    # Refuse the matching request with 403 Forbidden
    RewriteRule .* - [F]

    This code will block (403 error) the file and URL from being accessed. However, it won’t specifically correct the problem.

  • Here’s what I’ve learned recently:

    Recently (Nov. 5, 2015) some visitors attempting to view the referenced site received the following warnings from Norton Internet Security:

    This is a known dangerous website. It is recommended that you do NOT visit this site. The detailed report explains the security risks on this site.

    For your protection, this web page has been blocked. Visit Symantec to learn more about phishing and internet security.

    The ‘detailed report’ is provided below:

    Norton Safe Web has analyzed XXXXXXXXX.com for safety and security problems. Below is a sample of the threats that were found.
    Summary

    Computer Threats: 0
    Identity Threats: 0
    Annoyance factors: 1
    Total threats on this site: 1
    The Norton rating is a result of Symantec’s automated analysis system. Learn more.
    The opinions of our users are reflected separately in the community rating on the right.

    Community Reviews (0)

    Here is a complete list: (for more information about a specific threat, click on the Threat Name below)

    Threat Name: SWBPL
    Location: http://XXXXXXXXX.com/~bitsofev

    I don’t use Norton myself, but I started receiving similar warnings (starting on Nov. 4, 2015) in my browser when accessing the referenced site.

    As we can see, the URL differs only in that it no longer includes the /apple.de (i.e., /~bitsofev/apple.de).

    I thought that I remembered checking just this segment of the URL, a couple of months ago when the problems first began, and receiving a 404 error. However, I don’t specifically remember.

    When I check the XXXXXXXXX.com/~bitsofev URL now (without the /apple.de) I’m taken to this website:

    http://bitsofeverything.net/

    I checked who.is to learn more about the site and ascertained the following:

    ns8413.hostgator.com IP 108.167.182.250

    ns8414.hostgator.com IP 108.167.182.251

    My site (the referenced site) also uses the same shared hosting servers at Hostgator, the exact same IPs.

    Here’s what appears (at this point) to be happening:

    bitsofev is a Hostgator user name. This bitsofev user is the owner/administrator of the bitsofeverything.net site, which is hosted on Hostgator shared hosting.

    Hostgator uses Apache software (the world’s most used web server software), and the tilde “~” symbol represents the home directory on the server. Using the ~ (tilde symbol; on a US keyboard it’s the key to the left of 1) before a Hostgator user name (e.g., ~username) will direct you to that user’s home directory on the server (and probably their main index.php file).

    This is called mod_userdir.

    This allows user-specific directories to be accessed using the [whateverwebsite]/~user/ syntax.

    It appears that, whatever the reasons my referenced site and the bitsofeverything.net site are being combined by Google, Norton and some visitors (I still don’t know why this is), mod_userdir needs to be disabled.

    I searched the Hostgator website to see what, if anything, they had to say about mod_userdir. It appears that they are somewhat aware of these sorts of problems (sort of):

    mod_userdir

    The mod_userdir Apache module allows visitors to access websites on your server by entering a hostname or domain, followed by a tilde (~) and the website owner’s username as the directory path part of the URL.

    Examples:

    http://host.yoursitesdomain.com/~username
    http://yoursitesdomain.net/~username
    mod_userdir is most commonly used as a temporary URL system, allowing users to view their websites even when the DNS has not yet been configured or is not pointing to the server.

    and

    Shared

    Because of this module, cPanel clients often think that they have been hacked, when in fact this is not true.

    Apache mod_userdir allows any person to display their own web content on another person’s domain name by placing “~username” at the end.

    The actual content in these cases is hosted from the trailing user name and not the domain name, which so far has not been compromised.

    EXAMPLE
    So if my domain name is “bigjerk.com” and my user name is “big”, I can list any other domain name that shares a server with me (e.g. “notavictim.com”) and place my user name at the end like so…

    http://notavictim.com/~big/

    This will display the “bigjerk.com” website, but looks like the content belongs to “notavictim.com”.

    Hostgator also states that they will disable the mod_userdir for shared hosting accounts if a user creates a ticket and requests a disable.
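The mod_userdir behaviour described in the comment above, and the analytics observations earlier in the post (daily hits on /~bitsofev/apple.de, a visitor whose referrer was http://10.100.1.1:8085/redirect.php), suggest a check that does not depend on a third-party analytics dashboard: read the web server's own access log and flag every request whose path starts with /~<account>/ for an account that is not yours. The following is an added example written for this page, not code from the original post or from Hostgator. It assumes Apache's "combined" log format, a hypothetical cPanel account name OWN_ACCOUNT, and a handful of constructed log lines (documentation IP ranges; only the /~bitsofev/apple.de path and the two referrers are taken from the post). It also checks whether a referrer host is a private (RFC 1918) address, since such a referrer identifies a device on the visitor's own network rather than anything listening on the web server.

```python
"""Flag mod_userdir (/~account/) traffic in an Apache combined access log.

Added example for this page; not the blog author's code. The log lines in
SAMPLE_LOG are constructed for the demonstration.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format:
# client ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A path served through mod_userdir looks like /~<account>/<rest>
USERDIR_RE = re.compile(r'^/~(?P<account>[A-Za-z0-9._-]+)(?P<rest>/.*)?$')

# Hypothetical cPanel account name of the site owner (assumption for this demo).
OWN_ACCOUNT = "mysite"

# Constructed sample log (RFC 5737 documentation addresses for the clients).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2015:22:47:59 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Sep/2015:22:48:10 +0000] "GET /~bitsofev/apple.de/ HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Sep/2015:03:12:01 +0000] "GET /~bitsofev/apple.de/index.php?x=1 HTTP/1.1" 200 8890 "http://10.100.1.1:8085/redirect.php" "Mozilla/5.0"
198.51.100.44 - - [21/Sep/2015:04:01:44 +0000] "GET /~bitsofev/style.css HTTP/1.1" 200 2048 "http://serw.clicksor.com/redir.php" "Mozilla/5.0"
192.0.2.9 - - [21/Sep/2015:05:00:00 +0000] "GET /~mysite/ HTTP/1.1" 200 5123 "-" "curl/7.43"
192.0.2.10 - - [21/Sep/2015:05:00:05 +0000] "GET /login.php HTTP/1.1" 200 1200 "http://www.example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def userdir_account(target):
    """Return the account name in a /~account/... request target, else None."""
    path = urlsplit(target).path          # drop any ?query before matching
    m = USERDIR_RE.match(path)
    return m.group("account") if m else None


def referer_is_private(referer):
    """True if the referrer's host is an IP literal in a private/loopback/link-local range.

    Such a referrer is the visitor's own LAN device; it says nothing about
    ports open on the web server that logged the request.
    """
    if not referer or referer == "-":
        return False
    host = urlsplit(referer).hostname
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False                      # a hostname, not an IP literal


def find_foreign_userdir_hits(log_text, own_account=OWN_ACCOUNT):
    """Collect requests that reached this vhost via another account's ~directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        account = userdir_account(rec["target"])
        if account is None or account == own_account:
            continue
        hits.append({
            "client": rec["client"],
            "account": account,
            "target": rec["target"],
            "referer": rec["referer"],
            "private_referer": referer_is_private(rec["referer"]),
        })
    return hits


def summarize(hits):
    """Aggregate the hits by foreign account, client IP and referrer."""
    return {
        "accounts": Counter(h["account"] for h in hits),
        "clients": Counter(h["client"] for h in hits),
        "referers": Counter(h["referer"] for h in hits if h["referer"] != "-"),
        "private_referers": sum(1 for h in hits if h["private_referer"]),
    }


if __name__ == "__main__":
    found = find_foreign_userdir_hits(SAMPLE_LOG)
    for h in found:
        tag = " (referrer is a private LAN address)" if h["private_referer"] else ""
        print(f'{h["client"]} -> /~{h["account"]} {h["target"]} ref={h["referer"]}{tag}')
    print(summarize(found))
```

Run against the real access log (on cPanel hosts the raw log is usually available for download from the control panel) with OWN_ACCOUNT set to the real account name; any account other than your own in the output is content another tenant is serving under your hostname. The .htaccess rule posted earlier in this thread blocks one path only, and the `UserDir` directive that turns the feature off (`UserDir disabled`) is a server/virtual-host directive, not something .htaccess can set, which is why the durable fix on shared hosting is the host disabling mod_userdir, as Hostgator says it will on request.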

  • I still have important questions:

    (a) Why did Google suspect (and penalize) my referenced site (my other site, not Justinbailey.info) as being part of a possible phishing attack when the apple.de was clearly a part of bitsofev’s site?

    (b) Why would Google combine my site with bitsofev’s? For example, on our shared server (which might contain 5,000 domains?) why specifically would my other site and files on bitsofev’s site be picked up together?

    (c) Why did Norton Internet Security also do (b)?

    (d) I can’t find a file (or folder) named apple.de on bitsofev’s site. Yet why can I still find it on my referenced site if I unblock the URL in .htaccess and use the tilde ~ symbol and the bitsofev user name?

    (e) I still need to learn more about apple.de.

    Anyone reading here who has more information, please, please help.

  • @ Worthingham:

    a & b question
    Because the owner of bitsofev put a backlink linking your address together with bitsofev, so Google is picking them up together.

    c question
    Norton works when someone goes to that address, and the Norton browser add-on starts picking it up.

  • Thank you so much for this. I have just had this very problem with all my sites hosted with Hostgator; I have now asked for mod_userdir to be turned off on my hosting account.
