Hundreds of odd redirects in new account ?

[nyjimbo]

We just setup a clients new account on our cPanel 11.25.0-C43473 - WHM 11.25.0 - X 3.9 CENTOS 5.2 box and he added a subdomain and did some other work.

Later on he claims he found almost 200 redirects for all the files he uploaded. I cant tell if he did it somehow or if the system just went nuts and did it but it basically shows that its set for ALL domains under the clients account then a file like:

/gallery/new_hampshire/01-BirchFoliage.html

redirects to

http://www.xxx.com/gallery/new-hampshire/

Type permanent
Match (blank)
WWW (blank)
Wildcard (blank)

of course each redirect is unique and seems to be for all files and folders.

when you click remove it asks you if you:

"Are you sure you wish to permanently remove the redirect /gallery/new_hampshire/01-BirchFoliage.html on ** All Public Domains **"

if you answer yes it acts like it did it but the redirect remains.

Has anyone else seen this before ?. I would like to just delete the account and let the client start over but I am worried the delete of the account might clobber the whole httpd.conf file or something else.

Is there a location for all the redirects outside of the httpd.conf or any other file that could affect other customers if this account is deleted ?

Thanks.

[nyjimbo]

I also noticed a weird redirect:

domain: ALL
directory: /gmail
redirect url: https://www.google.com/a/xxx.com
type: permanent

however no file or folder matches anything with the name google or google.com

(note, the xxx.com is just my edit to remove the real domain)

[mohit]

is it all under one account or its on multiple cpanel users on server ?

check .htaccess in public_html fodler mostly redirects should be mentioned there.

Also check if the user is exploited due to outdated gallery version or weak cpanel password.

however running a full system scan would be recomended if its more than one cpanel user.

[nyjimbo]

is it all under one account or its on multiple cpanel users on server ?

check .htaccess in public_html fodler mostly redirects should be mentioned there.

Also check if the user is exploited due to outdated gallery version or weak cpanel password.

however running a full system scan would be recomended if its more than one cpanel user.

Its one account. I think it is the .htaccess file, it appears it was moved from another server and the redirects might have been entered manually but now cpanel is picking them up but it wont delete them so I have to figure that out. The file permissions on the .htaccess seem the same as any other .htaccess file on any other account so its something else.

[Spiral]

You can look in all ".htaccess" and "httpd.ini" files in the account and also at the VirtualHost section in the httpd.conf file (/usr/local/apache/conf) and outside of that, redirects can also be setup within the PHP scripts themselves so might want to take a peek in those and in particular their main index page and maybe grep for "header", "Location", or "url" and see what that turns up as well.

If you are running DSO based PHP, I would strongly consider changing but also on that note, if this client has any files or permissions set to '777',
I would open those files and take a deeper look into those as well.

Code:

find /home/(username)/public_html -perm 777
find /home/(username)/public_html -type f -name '.htaccess'