Search on Information Security… Log in Sign up

Home Website randomly downloading html files to visitors [closed] Ask Question

Questions Asked 2 years ago Modified 2 years ago Viewed 1k times

Unanswered

Tags Closed. This question needs details or clarity. It is not currently accepting answers. The Overflow Blog
“The power of the humble embedding”
1 Want to improve this question? Add details and clarify the problem by editing this post.
Users “Are AI agents ready for the enterprise?”
Closed 2 years ago.

Featured on Meta
Companies
Improve this question
Community Asks Sprint Announcement -
March 2025
TEAMS
Experimenting with a new experiment
Another behaviour I found on a website with malware issues. opt-out option

It keeps downloading random files like one named s2bbGoEJ.html to users computers. It actually
Ask questions, find answers
and collaborate at work with tried to automatically download one such file on my own computer. This looks like a 0 byte file. Related
Stack Overflow for Teams.

How do I go about finding this malware and removing it. This has brought our business to knees 12 What are the dangers of storing webserver
Try Teams for free temp files in the /tmp/ folder?
and we need desperate help.
Explore Teams
4 Nginx - SSL Website shows up on desktop
Edit: I have tried every Linux scanner I could find (ClamAV, rkhunter and couple more) with no luck but not mobile

whatsoever. I'm moving my website to a new server,

4
what implications does this have for my SSL
Drupal 7.91, Centos 8, PHP 7.2 certificate?

4 Is storing files under a web server root

nginx unsafe if it is handled by PHP and blocked
by the web server site configuration file?
By clicking “Accept all cookies”, you agree Stack Exchange Prevent download of an angular website by
1
can store cookies on your device and disclose information in unauthenticated users
Share Improve this question Follow edited Mar 14, 2023 at 22:02 asked Mar 14, 2023 at 21:53
accordance with our Cookie Policy.
JM John
11 3 Hot Network Questions
Accept all cookies Necessary cookies only
Hidden blades: what's the point?
Customize settings PCB Opinion and issues with NRF14L01
Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's
currently written, it's hard to tell exactly what you're asking. – Community Bot Mar 14, 2023 at 21:55 Why has Paramount not released Star Trek:
Starfleet Academy?
Web servers do not download a file, unless the web browser requests the file. This is the nature of HTTP(S)
protocol. The first step to diagnosing this is to figure out what is causing the user's web browser to request Is the story Evidence intended to end with an
these random files. – mti2935 Mar 14, 2023 at 22:02 unambiguous ending?

Is Daniel Dennett's argument against qualia valid?

Thanks - is it possible that my browser or personal computer is compromised too. I can confirm that my
browser requested (as you say) a file while just browsing pages and my server provided it as a download Lilypond chordmode superscript flat and sharp
instead of opening it despite being an HTML file. – JM John Mar 14, 2023 at 22:07 symbol

Is asking for a feedback on a paper from a

As mentioned on your previous questions, there is no indication, yet, that your server is compromised. If this professor grounds for co-authorship?
is affecting your business, then random strangers on this site are going to be of little help. You need
someone to actually look at the situation. – schroeder ♦ Mar 14, 2023 at 22:17 more hot questions

1 @JMJohn, then the most likely explanation is that a page on your site that you surf to first (such as your
home page) is infected, with references to these random pages. Try to identify the first page, then look at the
source of this page to see if anything looks malicious. – mti2935 Mar 15, 2023 at 10:14

Show 5 more comments

1 Answer Sorted by: Highest score (default)

It turned out a hacked Memcached installation. They took control of memcached server and
changed the file permissions/security settings on files folder and executed scripts from there.
0
Share Improve this answer Follow answered Mar 16, 2023 at 2:48
JM John
11 3

Add a comment

Start asking to get answers Explore related questions

Find the answer to your question by asking.
nginx

Ask question
See similar questions with these tags.

INFORMATION SECURITY COMPANY STACK EXCHANGE NETWORK

Tour Stack Overflow Technology

Help Teams Culture & recreation
Chat Advertising Life & arts
Contact Talent Science
Feedback About Professional
Press Business
Legal
API
Privacy Policy
Data
Terms of Service
Cookie Settings
Cookie Policy

Blog Facebook Twitter LinkedIn Instagram

Site design / logo © 2025 Stack Exchange Inc; user contributions licensed under CC BY-SA . rev 2025.3.27.24496