I'm a bit of an amateur so I'm sure I've missed something.
I'm running Divi on Wordpress. When i go to update a page, I get the "Your updates couldn't be saved" error. My Wordpress site, as well as it's CPanel, also are loading unusually slowly, which I think is related to the issue. After working on this for a bit, both my site and it's CPanel will fail to load, giving me a "can't establish a secure connection to the server" error. The third symptom, which I can't make heads nor tails of, when I click "update" in the page editor, my browser will often (but not always) launch another tab/pop-up either displaying a preview of the edits or the "pages" page on the WP admin side. All of these issues are new (although I've had similar loading speed issues in the past with this site).
Thinking it may be an overload on my server (which happened due to an attack a few months ago), I let it sit for a few days with no luck. Then, thinking it may be a caching issue on my end, I changed my DNS servers, cleared my browser cache, tried private browsing, used my phone, used different wifi and cellular networks. All to no avail. I briefly had slight luck using my phone as a hotspot, but it only temporarily improved the loading speeds.
I also tried disabling plugins. I made sure everything was up to date. No help.
I went into my wp-config.php file and increased the memory limit to 128M and the WP-max memory limit to 256M. This helped briefly–I could update and save one page but when I tried to change the next, I was back to base 1. I've also increased the memory limits in my .htaccess file. I don't have access to my PHP.init file (there are often delays reaching my host so I'm trying to avoid relying on them when possible).
My last guess (which I have yet to implement) is to update my PHP. That said, I'm running 7.3.6 and had no issue updating the site a few days ago so I'm not sure that's the problem, unless divi's newest update has compatibility issues with 7.3 versions of PHP...
Any further ideas would be greatly appreciated! I'm partway through a cosmetic update (which, I know should be done on a staging site but sometimes best practices are best learnt through mistakes like this) so my site looks somewhat half-finished. That is, I'm anxious to be able to edit it again.
Many thanks in advance
Whenever you try to save something, Divi will make a request through admin-ajax.php, it often happens that a security firewall detects that as a threat (which is obviously not), thus giving you the failed save message. Can you ask you host to check the rules that are triggered and whitelist that action? It can also come from plugins like Wordfence, make sure to whitelist it there too.
You can also attach that layout as JSON here, I can test it on my own server and if I can save changes, we should be on the right path.
I volunteer supporting a news website in Russia, which was hand-crafted in PHP back in 2002-2004. Needless to say, I was super excited when editors hired some folks to build a new version, based on WordPress.
The old site is running on mydomain.press. I put the new WordPress version, which is meant to replace the old one, on subdomain.mydomain.press.
And there's a mysterious problem with it.
When an editor is trying to access the site at subdomain.mydomain.press, her browser (Chrome in Russia) instantly reports err_connection_reset, in 9 cases out of 10. Not spinning trying to load the site - an instant error is reported.
On my machine (Canada) the same website opens no problem. Well, a little slow (hence I mentioned she's not even seeing the delay - the error is instant), but it opens in 10 out of 10 trials.
When her Chrome gets the content (in that 1/10 case), it also shows a slight delay. Only the error case is instantaneous. The old site at mydomain.press is opening 100% of the time.
Connecting remotely to her Windows machine (I'm using Mac OS X) via TeamViewer, I did observe the behaviour described when using Chrome. Interestingly enough, IE didn't show this problem - it loads consistently, except that once in ~10 reloads the page loads with a garbled styling. As if some css isn't loaded properly (but not in a way that would make it an invalid document, obviously).
I'm completely out of my depth. I tried disabling her Windows Defender to see if it's the culprit - nope. I've tried to reset her IP address (as suggested by the same page which offered the earlier way to try and fix the err_connection_reset) - no dice.
I'm not seeing either error from my own Chrome, nor the garbled css (though I didn't try with IExplorer from Canada).
I know they had some ISPs in Russia block them (silly political reason, AFAIK) in the past - but this doesn't look like blocking; she'd be 100% unable to view it otherwise. She's not under any firewall (nor is the website).
what else... nginx is the server used, the setup is "basic", I suppose (I'm not that proficient in configuring it to try anything fancy).
And to make things even more mysterious - the website at mydomain.press (the old version, php-hand-crafted) is opening just fine, 100% of trials.
Opening using the IP-address doesn't change the picture, so doesn't look like a DNS issue.
Any ideas?
There is an ongoing battle of Roskomnadzor against Telegram messenger in Russia, which affects subnets, DNS and DPI hardware around the country. Try to connect via proxy or VPN server outside Russia and see if the problem goes away.
I'm not very technical so apologies up front! Unfortunately, I've been left to figure this out though as the company who deal with my dedicated server are being less than helpful.
Really hoping someone can shed some light on this. We host around 100 websites and currently, all sites on our server are up and down like yoyos. There doesn't seem to be a pattern - it's very sporadic and intermittent. Usually, you can just click around one of the sites, for example www.innivo.com for a few mins and you’ll see the site drop out, and then after a few refreshes, it will come back, then back down – you get the idea.
In Chrome, I get: No data received
Unable to load the web page because the server sent no data.
Error code: ERR_EMPTY_RESPONSE
In Firefox I get:
The connection was reset
The connection to the server was reset while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
The server doesn’t go down completely, it just doesn’t seem to serve the page. This also agrees with the firewall theory I mentioned on the call.
We have paid a lot of money to a security company who have removed a few bits of malware in the hope that it would fix the problem, but they now say that the server is completely clean and exploit free. My service provider is saying they won't help until I upgrade PHP on the server but although I'm going to do this, I'm pretty sure that this won't fix the sites dropping out all the time.
I found this post which describes EXACTLY what is happening, but he doesn’t really say how to fix it, or even if his ever got fixed but it’s the closest thing I’ve found!
http://progblog10.blogspot.co.uk/2013/09/modsecurity-causes-sporadic-no-data.html
I looked for this on the server but mod_security didn’t seem to exist otherwise I would have tried to disable it to see if it made a difference. I think though, that this firewall theory sounds plausible. I wonder if we have some other type of firewall which was maybe activated or updated when we updated CPanel last week.
I'm running WHM / CPanel / Apache
Any help would be massively appreciated. Hoping that this has happened to someone else!
My personal experience. I have xplornet. I was unable to access a local site with none of my browsers. I have my computer, my Hughes, my printer, my monitor all plugged into a power bar. I shut off the computer, Unplugged everything including the plug in on the back of the hughes. Left it for a few minutes then plugged everything back in into different outlets on the power bar. I was able to access the site after that. Why I have no idea but it worked.
ive been struggling with this error and i think i have found the solution . I ran my website on local host( MAMP ) . Its worked fine so i called my hosting provider and they said i needed an upgrade cos my existing account did not support simultaneous connections . So i upgraded and its perfectly working
I have a CI app that uses db sessions, and a few hundred users on at any one time.
Sessions work perfectly for everyone, except one guy, who keeps getting booted back to the auth/login controller after a few actions. It seems that clearing his cache works for a few days, but the problem then comes back.
As far as I am aware, he is the only user with this problem. Even his business partner sits next to him on a different pc and does not suffer the same problem.
Apparently he is using IE (8 or 9, cant remember which). I asked him to try chrome or FF, which he has said gives the same problem. I’m not sure if he actually has tried them or not…but I can’t exactly argue with the guy.
Needless to say, the guy is pretty pissed off and ready to throw his pc out the window…or perhaps at me.
Any ideas on what to do or suggest here?
In the end, it seems that this was caused by the user being on a USB mobile dongle. Same laptop on a wireless network worked fine. Go figure.
I own a website running on LAMP - Linux, Apache, mySQL and PHP. In the past 2-3 weeks the PHP and jQuery files on my website have become infected from malware from a site called gumblar.cn
I can't understand how does this malware get into my PHP files and how do I prevent it from happening again and again.
Any ideas?
UPDATE:
Looks like it is a cpanel exploit
Your site is cracked, so the crackers simply replace your files.
You should always upgrade your Linux OS, Apache, MySQL, PHP, and the web PHP programs whenever a security alert is announced.
Linux servers running open services without upgrading them regularly are the most vulnerable boxes on internet.
No one here can provide a conclusive solution based on the information you provided, so all we can suggest is that you follow good security practices and standards and correct any weak points immediately.
Make sure your software is up-to-date. It's very possible to gain access to local files through exploits in PHP programs, so keep any third-party applications you're running on their latest versions (especially very widespread programs like Wordpress and phpBB), and do whatever you can to ensure that your server is running the correct versions of its services (PHP, Apache, etc.).
Use strong passwords. A strong password is a long, random list of characters. It should have nothing to do with your life, it should have no readily available acronyms or mnemonics, it should not resemble a dictionary word, and it should contain a healthy interspersing of different characters; numbers, letters of different cases, and symbols. It should also be reasonably long, ideally more than 26 characters. This should help keep people from bruteforcing your credentials for enough time for competent sysadmins to take action against the attackers.
Work with the administrators at your hosting provider to understand what happened in this particular case and do things to correct it. They may not have noticed anything unusual; for instance, if you have an easy password, or if this attack was perpetrated by a trusted individual, or if you have an unpatched exploit in a custom PHP application, there would be nothing to indicate an improper use.
Shared hosts also have many people with access to the same local machine, so things like file permissions and patching of locally-accessible exploits both within your application and generally is very important. Make sure your host has good policies on this and make sure that none of your software unequivocally trusts local connections or users.
The nature of the attack (an import of malware from a site that appears to do this kind of thing en masse) suggests that you were running an exploitable application or that your username/password combination was not sufficiently strong, but the administrators at your provider are really the only ones able to supply accurate details on how this happened. Good luck. :)
Chances are, there is an application on your server with a known vulnerability that has been attacked, and something has modified files on your web site or installed a new file.
When searching for information on gumblar.cn, it looks like they use a trojan called JS-Redirector-H. Not sure if this is what is involved here.
Fixing this may involve restoring your web site from backup, if you have no way of knowing what has been modified. If you have source control or a recent version, you may be able to do a whole-site diff. But you will also need to fix the security vulnerability that allowed this to happen in the first place.
Chances are it's some insecure app, or an app you installed some time ago but have not updated recently. A few people who have complained about this mentioned that they use Gallery (ie PHP Gallery). Though I'm not sure if that's connected.
If you are not the server administrator, talk to the server admin. They may be able to help, and it would be wise to let them know about this.
Google Advisory:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://gumblar.cn (linking doesn't work)
First, contact your hosting company and report this. If this is server-wide, they need to know about it.
The most common cause of infections like this is vulnerable popular PHP software (such as PHPBB, Mamboserver and other popular systems). If you're running any 3rd party PHP code, make sure you have the latest version.
If you've determined that this only affects your site, restore from a backup. If you don't have any backups, try re-installing everything (you can probably migrate the database) you have (to the latest version) and go through your own PHP code (if any).
PHP Programs are actually simple text files that run on the server by the PHP interpreter. if your application is infected, then I think there are tow posiibilities:
1.they have used some security hole in YOUR application to inject some code into your server, so now they have changed some of your PHP files, or some of your database information.
if this is the case, you better double check every single place where you are fetching information from the user (text inputs, file uploads, cookie values, ...), make sure everything is well filtered. this is very common security practice to filter anything that comes from the user. you also better make sure that the data that is currently saved in your database (or file system) is clean. I suggest using Zend_Filter component of the Zend Framework to filter user input. there are many full featured filter libraries out there.
2.they could have run some program on your server, that is affecting your PHP source files. so somehow they have accomplished running some program/script your server, that is changing your application.
if this is the case, I suggest your check all your server processes and make sure you know every process that is running. although I think this is less possible.
Ok, this is NOT a programming question and SO is not the place for this because if we would tolerate such questions here we would soon be a first aid / support site for ppl with bad shared hosting accounts.
I only didn't vote for closing because I feel bad turning a few ppl down who are probably feeling really bad about a problem they don't have the knowledge to fix.
First of all: google for gumblar.cn, there is a growing number of potentialy helpful posts accumulating as we speak.
If you're a real beginner and you feel you don't get any of the things in the answers here then just do the following:
Get a new host
Google for information about all your software until you know, if the software is safe. If it's not, don't use it, until the developers have fixed the problem. An example of a not secure software is 'Galery'.
Install all your software (the secure ones only) FRESH INSTALL!!
Copy over static files (like images) to the new server. Do NOT copy over any dynamic files, like php scripts, as they could be infected.
Don't upload any of your own PHP scripts until you've checked them for security vulnerabilities. If you don't know how to do this, don't upload anything before you've learned about these things.
I have been affected by this virus/malware and currently cleaning up. I hope this will be helpful:
1) You most likely have a TROJAN on your PC. To verify this simply run (Start > Run... or Windows key + R) and type "cmd" or "regedit". If either of those doesnt open its window as expected, you have the Js:Redirector trojan. You can also verify that the anti virus programs aVast and Malware Bytes can not connect to updates for some reason (sneaky trojan that is). Plus, you'll notice that the Security program of the Control Panel was disabled, you wouldn't have seen a notification in the tray icons to tell you that the virus protection was disabled.
2) This is a very recent exploit, apparently of vulnerabilities inflash or pdf plugins, thus you are not safe even if you didn't use Internet Explorer!
As for me, I believe because I hate programs slowing down my PC, I have my Windows Updates on "manual", and I didn't have resident protection (scanning of all web connections, etc), and I was probably infected by visiting another hacked site which was not blacklisted yet. Also I was over confident in non-IE browsers! I sometimes ignore the blacklist warning as I am curious about what the scripts do etc, and forgot once again just how BAD Windows really is. Conclusion: leave Windows Updates on automatic, have minimal resident protection (aVast Web Shield + Network Shield).
3) Because this is a trojan that sends back your FTP password, it doesn't matter how good your password was!
4) Try to lceanup your PC with Malware or aVast, it will find a file ending with ".ctv"
You MUST have a virus database dated 14 May or more recent. If you can't update (as explained above), then follow these instructions (you'll need to extrapolate but basically you have a file, the name may vary, which is pointed in the registry, and use HiJackThis to remove it, once you rebout without this file excuted, all is fine)
5) Of course update your passwords, BUT make sure the trojan is removed first!
6) For an exact list of all pages modified try to get a FTP log and you'll find the IP of the script/hacker and all touched files.
7) If you have a complete local copy of the "production" environment, then the safest is to delete ALL the site on the server, and re-upload all files.
8) During the clean up process DONT visit your infected site, or you will re-install the trojan! If you have the latest aVast Home Edition and the "Web Shield" protection it will give you a warning and block the page from being executed by your browser.
like Francis mentioned, try to get your hosting company to make sure their software is up to date.
On your side, change your ftp password to something completely obscure as soon as possible. I've seen this happen to people before. What these 'hackers' do is a brute force on your ftp account, download a couple of files, modify them slightly, and then re-upload the infected copies. If you have access to the ftp log files you'll probably see a connection to your account from an IP other than yours. You may be able to submit this to your hosting company and ask them to black-list that IP from accessing their servers.
That website (gumblar.cn that you mentioned) is being tested for malware. You can monitor results here: http://www.siteadvisor.com/sites/gumblar.cn/postid?p=1659540
I had something like this happen to me at an old hosting provider. Somehow, someone, was able to infect Apache in some way so that a special header was injected into all my PHP files which caused the browser to try to download and run in the browser. While they got it fixed, the quick solution was to take down all my PHP files, and change my index file a plain HTML file. Whether or not this stops the problem for you depends on how the server is infected. The best thing and probably most responsible thing you can do is to protect your visitors by taking down site, and if possible (if text files aren't infected), display a message stating that if they visited recently they may have been infected.
Needless to say, I switched hosting providers quick soon after my site was infected. My hosting provider was pretty bad in a lot of other ways, but this was pretty much the final straw.