Malicious redirect all of a sudden on all my websites
Author: John H.
I have noticed that all of a sudden, every website I have uploaded with X5Pro (2023.1.5), starts a malicious redirect.
This happens when the site is first displayed in a browser (does this on all browsers) there is no link (hand button) just the arrow. When clicking on a link the site gets redirected somewhere else.
After this has happened the hand button link is back and all works fine. This happens on all four websites that have been created with X5Pro. This has only started to happen a short while ago, maybe a week or so.
I have also been able to duplicate this error on someone else's computer. It also happens on mobile browsers.
I have run a full Norton scan on my system but nothing bad comes up.
Any help would be much appreciated.
1) Contact your hosting technical support service. They may be able to provide additional information. For example, a virus scan report.
2) Do you only host sites that are made in WebSite X5?
My tests, see
hendoswebdesign.com.au/index.html - ok
garfield.org.au/index.html - ok
garfield.au/index - ok, but index.html is shortened to index
garfieldweather.com.au/index - problem with redirect and index.html is shortened to index
Were entries made in the .htaccess file on the web space and if so, which ones?
The experts could examine the code in the .htaccess file. I'm not an expert on this.
Hi Aleksej, I will contact Crazy Domains hosting people and see if they can do a virus check. Yes, I only host sites that are created with Website X5Pro - Thanks for your input.
Hi Daniel, The .html extension was set not to show in my web.config file so I could shorten the links. My .htaccess file has never been touched by myself and I don't even know what should be in there. Thanks for your input.
John, please report back here so we know the outcome. I see the same problem (malicious link to Telstra phone scam in my case).
Just heard back from my lovely hosting people and they confirm it is a scripting issue in the index.html files and that I should contact my website developer. (That is me - LOL)
I just fill in the blanks on Website X5 and upload to the server. I do not have any virus on my computer, so how did the scripting issue get there in the first place and how do I get rid of it. Also, some of my websites that I haven't changed in quite a while seem to now, all of a sudden be affected. All up, all of my 11 websites are affected. To me it looks like someone went into all of them and changed some scripting in the index.html files. Why ?? Who ??
The only solution Crazy Domains gave me was to delete my websites and start over with a fresh website and upload that. This is really not a solution as it affects all of my websites. Months of work involved.
Maybe I should try and set up a dummy website and upload that to the server and see what that does. If the scripting error occurs with that as well, then it is not worth redoing all my sites.
I have no idea what to do next and I am starting to panic that my visitors are going to stop using my websites.
Does anyone have any idea as to what to do next.
Thanks in advance.
Cheers - John
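An added example, not part of the thread and not WebSite X5 code: one way to see what was actually changed on the host is to download the site folder and compare it, file by file, with a fresh local export of the same project. The folder names, sample files and the injected.example URL below are constructed for the demonstration.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def index_tree(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_dir, server_dir):
    """Compare a clean local export with a copy downloaded from the host."""
    clean, server = index_tree(clean_dir), index_tree(server_dir)
    return {
        "modified": sorted(k for k in clean.keys() & server.keys()
                           if clean[k] != server[k]),
        "server_only": sorted(server.keys() - clean.keys()),
        "missing_on_server": sorted(clean.keys() - server.keys()),
    }


def added_lines(clean_file, server_file):
    """Return the lines that exist only in the server copy of a text file."""
    old = Path(clean_file).read_text(errors="replace").splitlines()
    new = Path(server_file).read_text(errors="replace").splitlines()
    return [line[2:] for line in difflib.ndiff(old, new) if line.startswith("+ ")]


def build_demo(base):
    """Constructed sample trees: one altered page, one file the export never had."""
    clean, server = Path(base, "clean"), Path(base, "server")
    for root in (clean, server):
        (root / "res").mkdir(parents=True)
        (root / "index.html").write_text("<html>\n<body>Home</body>\n</html>\n")
        (root / "res" / "jquery.js").write_text("/* library */\n")
    (server / "index.html").write_text(
        "<html>\n<script src=\"https://injected.example/x.js\"></script>\n"
        "<body>Home</body>\n</html>\n")
    (server / "res" / "extra.php").write_text("<?php /* not in export */ ?>\n")
    return clean, server


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean, server = build_demo(tmp)
        print(compare_trees(clean, server))
        print(added_lines(clean / "index.html", server / "index.html"))
```

Files that the site legitimately writes on the server will also show up under server_only, so each entry needs a look before anything is deleted.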
After redirecting the website, my Firefox browser shows a warning message that this is a dangerous website.
There may be a virus on the PC or in WebSite X5, which now affects all websites and installs a redirection script.
There will probably be no choice but to clean the PC and/or the web space from the virus.
Maybe the antivirus experts can help.
John, what are you using to check your PC for virus/malware??
When in doubt I run both malwarebytes and superantispyware (both can be run for free). If you haven't already done so, please create an iwzip (step 5, export project) for every project to protect yourself and your projects in case of catastrophe. Keep a copy of your iwzip files external to your PC.
I am local to you, you can find my phone number at https://esahc.com in case you wish to discuss alternatives.
Thanks Daniel, I have checked my computer for viruses and nothing came up. I don't know how to check the webspace for viruses or how to check if Website X5 has a virus.
Strange thing is I just uploaded a completely new website, which I am currently working on, and that one so far does not seem to have any issues that I can see.
I'm not a virus expert.
In the case of webspace, you would probably have to delete all files and directories.
If a database is used, that would probably need to be cleaned as well, but the database experts would need to help with that as I haven't cleaned a database of viruses yet.
After the PC has been cleaned of viruses, you can download a clean version of WebSite X5 from here in the community using the user name in the upper right corner and clicking on "My Profile" via "Download".
Perhaps the longstanding moderators have experience in removing viruses and other malware from web space, databases and PCs.
Thanks Daniel, I think I will start by downloading a fresh version of Website X5Pro. I will also start by looking at another malware checker instead of Norton, they say I have no viruses on any of my systems.
I will then have to delete all space I have on the server at Crazy Domains, which I think I should let them do. They can hopefully give me a complete clean directory. Then upload all the files of all my websites back in again using a clean version of Website X5Pro.
I was going away this weekend but I think that is going to be out of the question.
Again, thanks for your help. Will keep you posted with the outcome.
By the way, I have tried to replicate the issue with the fresh website I uploaded this morning and so far still no redirects on that one?? Weird hey?
Cheers - John
Thanks Esahc for also helping out.
Latest update. I found a malware issue on my system with Malwarebytes called RiskWare.Dumper file and they have quarantined the file .htaccess which was located in my \appdata\local\temp folder. My Norton 360 did not find anything.
I thought I would update my website https://garfield.org.au and see what happens. Now I get the following error message when uploading. I had this message with another website I uploaded recently and I renamed the folder on the server and reloaded all files with Website X5 into a clean folder.
The jquery.js file is locked on the server and cannot be deleted, renamed or anything else.
Don't know if this is going to help. I checked on companies deleting virus/malware from servers and most charge around the 250 US per site. That is a joke seeing as I have so many infected websites.
Yes, Esahc, I am prioritising a full backup of all my websites through Website X5 as you suggested. Plus a complete file/system backup off site.
It just doesn't get any better.
John, in the past I have had much success with Filezilla when deleting (and moving/copying) files on the host, but if you are hosted with crazydomains I am sure they will come to the party and delete your existing sites without charge, then it is just a matter of uploading them again.
I have lost faith in Norton unfortunately, if using Win 10 or Win 11 I only use and recommend Windows Security as supplied by Microsoft for day to day protection.
The iwzip file (ignore backups and previews and append date when creating) is a complete backup, it will import as a complete project with all source files available (every time a new version of WX5 is released I import my latest iwzip, I never upgrade an existing project).
Dear John - I had the same problem with ipower.com - they got hacked more than once. I gave up trying to convince them it was their fault - it really was. Suddenly a partner site in the "stable of Endurance Intl which had given its responsibilities to another company" called Web.com (lots more hosting entities) took over ipower.com to "fix" the problem. So I decided to abandon all of those Endurance companies for an independent company & took down my ecommerce site & transferred everything over to them. And I can use it for my clients plus it was actually cheaper. My advice: do a Google search on your host & see if there are complaints. Hosts never want to admit they aren't as secure as they want you to believe. A word to the wise :)
Blessings & hope you solve your problem.
Thanks for your comments, Dianne and Esahc. Much appreciated.
Dianne, I wish I could transfer all my hosting to another site; however, I am paid up with Crazy Domains until 2026 and they are usually pretty good to deal with.
Esahc, I have done what you suggested with the iwzip files yesterday but added the Preview and Backup so will do this again this morning omitting these. I will give Crazy Domains a call and have them delete all my files/folders.
I will need to uninstall and reinstall a fresh copy of WX5. Then import all my projects and upload each of them to the server... and hope for the best. I hope I am not just reloading the problem again.
I use WX5 to upload my files and Cute FTP Pro 9 for other things.
Any idea why the jquery.js file is not allowed to be overwritten or deleted? Never ever had this problem. It is doing this on every update I do. The only thing that has changed over the last few days has been my upgrading to the latest version of WX5 and purchasing a template from WX5 called Mike Bailey Architect which was written for Evo but usable in latest version according to WX5.
Ohh well looks like my weekend is going to be tied up. LOL
John, I am surprised cuteFTP can't delete jquery.js, have you tried?
If malwarebytes has knocked out the malware I would be surprised if a reload of WX5 is required.
I am sure CrazyDomains will help, I have used them in the past.
I have tried to delete jquery.js through CuteFTP yesterday but it didn't work. I had to rename the folder to xxx .old and reloaded the full website. Still with the redirect happening after that.
I will call CD and get them to delete all my folders so I can reload them. I did do a folder delete myself through Plesk and uploaded site again. Still has the redirect issue even after removing malware.
Think I may have to have everything deleted at CD's end. Hope that helps. Will have to remember to copy all the Norton Safeweb files and reload for each website. If this doesn't work I may retire and give it all away. LOL
It's just so strange that the redirect only works for that split second when loading the website, if it sits for a few minutes it doesn't happen. Once the redirect has happened it won't redirect again and all is well. Also you don't need to click on a link, just click anywhere on the page as soon as it loads and you get the redirect. I am tearing my hair out here, not that I have much left at age 73.
Cheers mate, I will keep you posted.
Just a quick update on the situation. This morning I spoke to a lovely lady at Crazy Domains, who actually took a few minutes to listen to the problem. She scanned my files on the server and could not find any malware or virus.
I am probably only a handful of their customers left on their Windows Server and they usually don't pay much attention to our part as most business comes from Linux.
Well to my surprise she admitted that it looks like the problem could be on their Server end and they have escalated the case. So, there is not much more we can do.
I must admit I feel a bit more relieved now. I was that stressed out I haven't slept the last two nights.
I will let you know what the outcome is.
OK, we're back to Website X5 - PHP seems to be the problem according to the gurus at Crazy Domains.
Received this email from Crazy Domains just now:
Good day to you and hope you are doing well. We have already received an update from our Windows Tier 3 Administrators with regard to the case that we have escalated to them.
Looking at this - on initial load for a new browser - it loads a normal page. But any click on that website will open up a dodgy website. It looks like the HTML files are fine, after a reload, the website is all fine.
It seems to be that the X5 website PHP plugin that appears to handle a webstore (but there's no visible webstore) and also we think that this component handles the Analytics which is most likely what is doing with the initial intercept and fraudulent redirection.
As much as we would like to get this resolved for you, we are not familiar with X5 website - but our suggestion would be since the website is 99% plain HTML, just try to disable PHP and remove all PHP functionality and see if this resolves the issue. It would really be best if you will refer this back to the web developers who have helped you with this website creation and development.
So, we're back to stage one. ? ? ?
Should I open a new post for the .jquery.js issue that popped up after using latest update ?
Again guys, just a very big thank you for any one that can throw some light on this...
John, your thread has already been marked for Incomedia's attention so hopefully they will assist soon. Just a question, why are you using Windows hosting? Crazydomains offers Linux hosting and it is half the price I believe.
I upgraded the Windows hosting for a year a while back and they gave me hosting up to 2026, after which I will definitely move over to Linux. I have so much work on at the moment and now the other hassle that I don't know if I'm coming or going.
I did some more analysing myself this morning and found the PHP error logs on Crazy Domains - It looks like the issue may be with the "WX5 RSS Feed object" not being compatible with the latest version of WX5. I deleted the feed from all the affected websites. The redirects only seem to have started after I upgraded to the latest version of WX5 (2023.1.5)
I have attached the PHP Error log for the garfield.au website so Incomedia can have a look as well. I don't know if the redirect is still happening as sometimes it only does it once and then all is OK again.
Pulling those last few strands out.... LOL
Judging by the log you posted, I actually see that the issue seems to be this.
The Feed object is attempting to generate a file on your hosting space to store data here:
However, this folder doesn't have Writing Permissions, so the operation fails and the RSS Feed is unable to generate the files it needs to.
This is expressed clearly by the line which repeats multiple times:
mkdir(): Permission denied in W:\vhosts\hendosweb.com\garfield.au\pluginAppObj\pluginAppObj_740\src\Feed.php on line 186
"mkdir" stands for Make directory, which means the website attempts to create the folder and fails to do so due to lack of permissions.
However, I don't see this linked to any malicious link in any way. I would advise investigating the website further since WebSite X5 generates no malicious link on its own. Those can only appear due to custom code inserted into the project or due to security issues on server-side
I remain available here
Thanks for your help with this Stefano. I knew Website X5 would not introduce any malicious code itself. I am not a coder myself so I don't know how to insert code into the HTML files, hence I use your software.
Trying to get this message across to the "gurus" at Crazy Domains is a whole different story. I have sent your comments through to them and hope to hear back soon.
Yes, I was also having issues with the .jquery.js file not being able to be overwritten when uploading a new version of my site. This only happened in the last week or so and is intermittent. Also having issues all of a sudden when uploading to the Server with X5 stating the folder I am writing to does not have write permissions set. I press "ignore" to bypass this, but this is also intermittent and the next upload could be fine again.
Seems like someone on the server end keeps changing things on my folders... I don't know what to do anymore.
Will keep you posted with the next instalment from the wonderful server people.
Thanks again and kind regards,
Have you tried changing your password for the FTP and also changing the password for the control-panel to your webspace?
Hey John, thanks for your advice. I changed both passwords and made sure no email accounts have access to the Server and checked there were no other PLESK users or FTP users set up.
Will do another reset of everything in the morning, just to be sure.
Thanks & Cheers
I have entered the 4 links that you provide and none of them redirects me to another page... I hope you have already solved it.
If not... the problem may be that you did have a virus that "perhaps" was already removed from the host. But, it may have left addresses in your browsers as pages to be redirected to. This happens when we install browser extensions that drop malware onto our system...
How to remove virus that redirects me to another page?
(in the upper right corner of Google Chrome and similar in other browsers), select "Settings". In the "On startup" section, look for the browser hijacker's URL under the "Open a specific page or set of pages" option. If present, click on the three vertical dots icon and select "Delete".
Check that in your browsers. I use two to enter your sites: Chrome and Edge and I don't see anything malicious.
Thanks for your help Miguel. I have checked your suggestion and I only have google.com listed as my startup page. So it all looks fine on that end.
I have been in touch with the hosting people and they may be working on the issue. Unfortunately the issue I have is intermittent and not permanent.
Thanks again for your time.