Is This a New Hack Method?

Angonasec

12:13 pm on Dec 12, 2021 (gmt 0)



Christmas Greetings log watchers!

Scanning my raw access logs I came across a contabo.de IP 66.94.126.xx probing bot that created a very weird url ... that works!

Have you seen anything like this before?

Forgive the long explanation, but it is required.

The site is static html, virtually hosted with two other domains (same name different tlds), on the same cPanel account, and has the normal Apache rewrites, and SSL, http to https redirects etc. we use to protect them, plus a well known bad-bot firewall.

It has worked fine for over a year.

To describe what I'm seeing, let's say the site homepage is here:

https://www.example.com

The raw access logs show the contabo bot fishing for exploits without using the www, and by looking first for non-existent directories such as: /blog/ /wp/ /wordpress/


I see this in the access log:
http://www.example.com/blog/


When I check such urls in my browser view I am nicely redirected to https and www, and see the homepage. Meaning my redirects are working as expected.

Next the bot looks for this url:

http://www.examplecom.myotherdomain.org/blog/


Where myotherdomain.org is my wordpress site on the same cPanel account, but it does not have the directory /blog/ either, and never has.

Notice the dot missing before the first tld

Amazingly that weird url displays the example.com homepage in my browser (and with https).

How can this happen?

There are a few normal links from the org site to the com site, otherwise they are not connected.

I'm flummoxed.

Could it be an exploit of cPanel domain mapping?

I know how to block the offending bot using "deny from" rules in htaccess, but what bothers me is the weird url configuration actually displays the site!

Perhaps it will help if I ask this way:

"If you wanted to access a target site using such a url configuration how would you create the url?"

Ta!

not2easy

3:46 pm on Dec 12, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



How can this happen?
You don't happen to have nested folders below the root public_html directory that contain the other domains do you? That is what the setup sounds like and in that case you might have separate .htaccess files under the main rewrites. If that is the case you may only need to add the 301 rules to those subsequent .htaccess files because Mod_Rewrite rules are not inherited when folders have additional .htaccess files.

Note that this is not an always-in-every-environment answer - some differences matter on your other settings and on the version of Apache of your hosting. It is a starting point to look for the cause. Additional information can help with resolving it but it sounds like a case of subdomains and non-inheritance.

Not sharing the relevant rules leaves it all to guesswork, so the 'answer' here may not be at all what you need.

This is an older discussion (2015) roughly involving Mod_Rewrite inheritance that might help: [webmasterworld.com...]

Angonasec

12:31 am on Dec 13, 2021 (gmt 0)



Wow, thank you for your diligence, and I suspect you have put me on the right trail, which is all I was requesting.

Yes, the flat file site has several nested folders, and it functions well, so I will check carefully before fiddling.

I'm relieved it's (probably) not a domain mapping problem, because I know nothing about that, and don't want to bother my hosting techs about it. (In case they use hasty fat fingers.)

I'll read the thread you pointed me to, tread carefully myself, and then report back here in due course.

Thanks again for the nudge in the right direction. :)

Angonasec

10:51 pm on Dec 13, 2021 (gmt 0)



Update:

1) The target site has several sub-folders, but no htaccess files in them, so just the one htaccess file in the domain root.

2) I now see where the strange url arises; cPanel automatically "chose" that form of the .com domain when it was added to the account, thus:

examplecom.myotherdomain.org Document root: /example.com

Redirection: http://examplecom.myotherdomain.org/(?i)([a-z0-9]{2000,})


It did this because all three domains on the account are the same domain name, just different tlds.
(myotherdomain.org being the "parent/primary" domain on the account.)

So that cpanel redirection is responsible for the redirecting, and my root htaccess rules subsequently function properly to convert it to https and www as desired.

3) So not a new hack method after all.

4) I'm still eager to stop the weird url from showing in the browser url address bar, AND to force a 403 for calls to non-existent directories. Could anybody suggest code to do that (either at the cpanel level, or perhaps safer, via the .com root htaccess file) ...pretty-please?

Here's the relevant rules currently in the root htaccess file:
(I'll spare you the other firewall code.)

RewriteEngine On
RewriteCond %{HTTP_HOST} !=""
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


# Redirecting all root 404 traffic to the root folder
Options +SymLinksIfOwnerMatch
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . / [R,L]


# 7G:[CORE]
ServerSignature Off
RewriteEngine On
RewriteBase /


I'll also add:

# Contabo scan bot
deny from 66.94.96.0/19
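An illustrative .htaccess for the example.com document root that does the two things asked for in point 4 (keep the alias host out of the address bar, and answer probes for non-existent directories with a 403). This is an added example, not code from the thread or from cPanel; it assumes the canonical host is www.example.com, that a /404.html page exists, and it replaces the quoted "redirect all 404 traffic to the root" rules rather than sitting beside them.

```apache
# Illustrative .htaccess for the example.com document root (not from the thread)
RewriteEngine On

# 1) Probes for directories that do not exist on disk get a 403 straight away.
#    Any trailing-slash request whose path is not a real directory is refused,
#    which covers /blog/, /wp/ and /wordpress/ seen in the access log.
#    Placed first so a probe is refused before any redirect is issued.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.+/$ - [F,L]

# 2) Collapse every other host/scheme variant (bare example.com, plain http,
#    and the cPanel-generated examplecom.myotherdomain.org alias) into one
#    permanent redirect, so only https://www.example.com/... reaches the
#    address bar. A literal hostname is used instead of %{HTTP_HOST} so the
#    alias host is never echoed back into the Location header.
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC,OR]
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# 3) Files that do not exist answer with a normal 404 page rather than a
#    redirect to the homepage (assumes /404.html exists in the document root).
ErrorDocument 404 /404.html
```

Check the result from the command line with `curl -sI http://examplecom.myotherdomain.org/wp/` (expect 403) and `curl -sI http://example.com/` (expect 301 with Location: https://www.example.com/), and clear browser caches between tests because 301 responses are cached.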

Angonasec

12:01 am on Dec 14, 2021 (gmt 0)



Apache Version 2.4.51
cPanel Version 100.0 (build 5)

not2easy

3:33 am on Dec 14, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I would take a look at your access logs because CPanel defaults to a 302 and not a 301 for rewrites. I have not seen rewrite rules such as you have listed and won't try to second guess what they are doing. But that does not mean they are wrong so long as they were provided by your host and they do what you want them to do.

Why are 404 pages sent to the root directory instead of using a 404 error page? That gives users a rude experience with no idea of what happened or why their request went awry. You should be returning a 404 error for non-existing URLs and save the 403 response for unwanted traffic but I might have misunderstood the 403 traffic.

WP can be in any directory and use the root .htaccess file because it will write its own .htaccess snippet as long as the Admin > Settings > General are set up with the correct WP URL and Site URL and you have an index.php file in the root directory. Again, if it is not broke, don't fix it.

Angonasec

7:54 am on Dec 14, 2021 (gmt 0)



Thank you for your helpful comments.

1)
I would take a look at your access logs because CPanel defaults to a 302 and not a 301 for rewrites.


The access log of example.com confirms my root htaccess 301 defaults to a 302 :)

66.94.126.xx - - [07/Dec/2021:xxxxx] "GET /wp/ HTTP/1.1" 301 707 "-" "Mozilla/5.0 (Linux; Android 5.1.1; SM-J111F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"
66.94.126.xx - - [07/Dec/2021:xxxxx] "GET /wp/ HTTP/1.1" 302 683 "http://examplecom.myotherdomain.org/wp/" "Mozilla/5.0 (Linux; Android 5.1.1; SM-J111F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"


2)
Why are 404 pages sent to the root directory instead of using a 404 error page?

That was me, not my host :) To be frank, I can't recall precisely why I chose to do that, but it would be something to do with Asiatic languages and fonts. I recall I had trouble getting the text to display as intended, so I contacted host Techs about that aspect. I wanted to assist visitors unfamiliar with keyboards and western fonts to be able to reach the homepage, from where they could see their native language and font.

But I agree, it is an odd choice by me, so I'll have to test and wrack my brain again. I may do as you suggest.

3)
WP can be in any directory and use the root .htaccess file because it will write its own .htaccess snippet as long as the Admin > Settings > General are set up with the correct WP URL and Site URL and you have an index.php file in the root directory. Again, if it is not broke, don't fix it.


Ahh... I've confused you by mentioning wordpress. Apologies :)

The example.com site is flat-file, static html with no wordpress at all.

Hence my request for help to stop the weird url from showing in the browser url address bar, AND to force a 403 for calls to non-existent directories. (Because that would be an obvious malicious scan/probe.)

I'm very grateful for your input :)

not2easy

2:25 pm on Dec 14, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



In your first post of this thread, you said that "myotherdomain.org" is your wordpress site on the same cPanel account. That is why it was included, because your statement about having only one .htaccess file would be a little confusing for 3 domains otherwise.

There is an even older discussion about setting up add-on domains that could help you see how to separate the paths of the domains - see [webmasterworld.com...] There are settings to use in CPanel, but a.) I am not familiar with those settings and b.) I do not use or trust CPanel to manage settings. Their defaults can be surprising.

I am not sure why a 302 (temporary location) would please anyone for long term server responses but I can't guess the reasons, so it might be right for your purpose.

Angonasec

11:07 pm on Dec 14, 2021 (gmt 0)



I'm sure I can fix the problem using the example.com's own htaccess file, and avoid disturbing the cPanel's settings.

I'll keep after it.

Thanks for your help :)

Angonasec

7:37 am on Dec 15, 2021 (gmt 0)



Actually success arrived by using cPanel>Domains>Redirects

In the section labelled; https?://(www.)? that dropdown menu displays all my public domains, and amongst them is the "weird" url.

By selecting that one, and typing in where I want it to redirect to (also selecting the wildcard option) cPanel makes the redirect, and blow me it functions just as I'd expect it to!

It must be Christmas!

tangor

12:07 am on Dec 16, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Heh!

I love Happy Endings!

blend27

2:33 pm on Dec 19, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Tangor, comments like above would not be understood unless one reads the whole thread..., to the T, on a big monitor.... :}`