Is X10Hosting adding code to my site? If so, why?


rhinosfl

I recently noticed that I was getting a Firefox infobar that mentioned that Firefox had prevented my site, http://sfl.x10host.com, from doing a page reload. I couldn't think of what my code was doing to cause a page reload and looked at it carefully; but I couldn't find anything that would force a page to refresh. But when I went to the site and used Firebug to display the page before I cleared the infobar, I saw this:

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/strict.dtd">
<html>
<head>
<meta content="0.1" http-equiv="Refresh">
<meta content="no-cache" http-equiv="Pragma">
<meta content="-1" http-equiv="Expires">
<title></title>
<script type="text/javascript">
if (window.addEventListener) {
  var callback_func = function(evt) {
    if ('undefined' != typeof evt.target && "A" == evt.target.nodeName) {
      var url = evt.target.href;
      EBCallBackMessageReceivedd3763e0c_d5a0_4a2c_95f6_6d1ecf107360(url);
    }
    return true;
  };
  var cb_add_listener_result_click = window.addEventListener('click', callback_func, true);
  var cb_add_listener_result_contextmenu = window.addEventListener('contextmenu', callback_func, true);
} else if (document.attachEvent) {
  var callback_func = function () {
    if ('undefined' != typeof event.srcElement && 'A' == event.srcElement.tagName) {
      var url = event.srcElement.href;
      EBCallBackMessageReceivedd3763e0c_d5a0_4a2c_95f6_6d1ecf107360(url);
    }
    return true;
  };
  var cb_add_listener_result_click = document.attachEvent('onclick', callback_func);
  var cb_add_listener_result_contextmenu = document.attachEvent('oncontextmenu', callback_func);
}
</script>
</head>
<body>
<p>  </p>
</body>
</html>

This is _not_ code that I wrote or uploaded to X10. So how did it get there?

Is X10 adding it to my site? If so, why? Or is this some kind of third party messing with the code on the X10 servers, presumably against the wishes of X10?

Can anyone explain what's going on here?

Ideally, I'd like to keep this code from appearing when people go to my website. It seems likely to worry visitors that something shady is happening. But I may be able to live with it if someone can explain some good purpose that this code is accomplishing.

Can anyone enlighten me about this code?
 

hbazer

At about 16:00 2013-02-27 UTC

with URL http://sfl.x10host.com/ - I do not see that code with Firefox or chrome or chromeOS

x10hosting does not stuff code into your pages

It might be added by some app in your browser or by your ISP - but it is not from x10hosting

My cellphone hotspot (ISP) adds JavaScript code to sites I view - some of the other hosts I use add code for ads - but not with x10hosting
 

rhinosfl

I'm having trouble believing that my ISP or browser would be adding this code for one simple reason: it isn't being added to other websites.

If they were adding this code, they would presumably add it to EVERY website I visited, not just this one. Why would they add it to only one site? And HOW would they manage to ensure that it only got added to one site?

I'm not sure why you're not seeing the code. All I did was go to the site and, before clicking on the infobar, I launched Firebug and expanded all HTML, then copied it to my clipboard. If you've got Firefox and Firebug, you should be able to do the same thing. Now, I will say that I mentioned this problem on a newsgroup and one individual used Firebug to look at the code, saw the Refresh code for a few seconds, then it disappeared. He was baffled by that and so am I. I'm not sure what would cause behaviour like that. Maybe that's the reason you aren't able to see it.
 

hbazer


nextonx1

> I'm having trouble believing that my ISP or browser would be adding this code for one simple reason: it isn't being added to other websites.
>
> If they were adding this code, they would presumably add it to EVERY website I visited, not just this one. Why would they add it to only one site? And HOW would they manage to ensure that it only got added to one site?
>
> I'm not sure why you're not seeing the code. All I did was go to the site and, before clicking on the infobar, I launched Firebug and expanded all HTML, then copied it to my clipboard. If you've got Firefox and Firebug, you should be able to do the same thing. Now, I will say that I mentioned this problem on a newsgroup and one individual used Firebug to look at the code, saw the Refresh code for a few seconds, then it disappeared. He was baffled by that and so am I. I'm not sure what would cause behaviour like that. Maybe that's the reason you aren't able to see it.

A very quick Google search reveals that this is code from the Conduit Toolbar for FF. (Probably, potentially, maybe.)

EDIT: You could try firefox in safe mode to confirm it is a toolbar?
 

rhinosfl

I appreciate your help with this hbazer and I believe you when you say you aren't seeing the code that I mentioned. It's part of the mystery about what is happening here.

I already know how to turn off the infobar but that's not my main concern. I want to know why this unwanted code is appearing for at least some people. (I'm also curious about why it doesn't appear for some people.) Changing the browser settings to prevent the infobar would be like taking the batteries out of my smoke detectors: it would prevent alarms when I'm cooking dinner but I wouldn't get notified about a real fire either. I'd like to know why this code is appearing. For all I know, it is some form of malware and will cause problems if ignored.

I plan on opening a support ticket with X10 if I can figure out how to do this. I'd like some official confirmation that they aren't generating this code. Personally, I suspect they ARE generating it for some fairly harmless purpose. I just want to know what it is doing and find out if I can stop it from appearing.
 

descalzo

> I already know how to turn off the infobar but that's not my main concern. I want to know why this unwanted code is appearing for at least some people. (I'm also curious about why it doesn't appear for some people.

It should be your concern.

Third party toolbars often inject code.

Sort of makes sense, doesn't it? You use Toolbar X and see the code. I do not use Toolbar X and do not see the code.

We are both getting the page from x10hosting.

You want to blame x10hosting and ignore the Toolbar.

Okay.
 

rhinosfl

Sorry for the delay in getting back to this thread; I took some time to run malware sweeps on this computer and it took a long time for those to complete. It found a few things but moving them all to the isolation chest hasn't changed the behaviour I'm seeing at all.

Actually, descalzo, I'm not ignoring any toolbar. My initial suspicion was that x10hosting was the source of the code but I'm not fanatical about that. If someone can make a good case for another culprit, that's fine. I'm much more interested in solving this problem than in blaming anyone or just complaining for the sake of complaining.

I was not aware that toolbars inject code. I thought they were usually just groups of icons to launch applications.

Nextonx1 has said that he/she sees signs of Conduit and Microtorrent toolbars on my system, although it was hedged in terms of "maybe/probably". As a result, I've looked at my extensions in Firefox and there is exactly one toolbar there and it's not Conduit or Microtorrent. The one toolbar I have has been there for a couple of years or more and has never given me any trouble. The problem I'm seeing with my website only began two or three weeks ago. It seems unlikely that my one toolbar is the culprit then.

Also, I tried putting Firefox into Safe mode here on my desktop but that didn't change anything either. If toolbars were injecting this code, wouldn't safe mode stop it from happening?

Just for the heck of it, I had a look at my X10 site via my laptop which is also running Firefox and I don't get the infobar there. When I open Firebug, it shows only the code that belongs there, not this injected stuff. That starts to make me think the problem is isolated to my computer. But the other day, when I posted about this on a newsgroup, someone else saw the refresh code as well. I'm at a loss to see how that could happen if the problem is on my computer or is in my browser.

A really spooky element of this whole thing is that the injected code grows over time. I've left the sfl.x10hosting.com page just sitting in a browser tab for hours on end and looked in periodically. Over time, the number of <script> tags goes up as new sections are added to the existing code. I can't think of any reason for _that_ to happen. Can anyone else?

I really am trying to get to the bottom of this and stop this injected code from appearing (unless I can be satisfied that it is harmless). If anyone has any ideas, I'd love to hear them.
 

essellar

Whoa, up there. "Things are different on different machines, therefore the thing that they have in common must be at fault." Where is the logic there? It's sort of like saying, "the toaster's fine, but the television isn't working, therefore the power must be out."

If different machines exhibit different behaviours, then it is much more probable that the differences between the machines have something to do with the problem. x10Hosting does not inject code (although some web site software, notably themes for WordPress, often does). But toolbars, browser extensions and Greasemonkey scripts/bookmarklets are designed specifically to inject code. That's how they do what they do.
 

descalzo

How about this

1. Open your site in Chrome/Iron/Safari and check to see if there is any injected code.

2. Delete Firefox. Reinstall. Add your widgets and toolbars, one at a time. Check to see if/when any code is injected.

3. Currently with your Firefox, do you find any other page on the entire Web that has the code injected?

4. "someone else saw the refresh code as well." -- you ask him if he uses Firefox loaded with widgets?
 

Corey

Staff member
We do not inject code into any of our customers' websites, whether free or paid.
 

rhinosfl

Essellar, perhaps I didn't present my argument as logically as I intended. However, I have now heard from two other people at different forums that have seen the same injected code. One was using SamSpade and the other used wget. Both of those tools confirmed that the code originated at the server. I think we can all agree that my browser can't be the culprit since they are using their own browsers.

The code only appears intermittently and that is the biggest mystery for me. I'm still not clear on what it's doing or how it's doing it. I don't much care about the Refresh itself; that seems harmless enough. But the additional <script> tags that eventually occur if the infobar is not cleared concern me. I'm also concerned that X10 is injecting code without my consent. Even other users here seem to have taken X10's word for it that no code is being injected on good faith. I'm not sure whether X10 is misinforming people or if they've been hacked and aren't aware of it.
 

essellar

No, we can't all agree, since other browsers, mine included, don't show the symptoms. Again, look for commonality that explains the whole phenomenon. I've been around forums long enough to take what people post with a truckload of salt. (And the CEO just told you that x10Hosting isn't injecting code, by the way.)
 

rhinosfl

How do you account for SamSpade and wget showing the injected code? That's three separate people - not counting me - who have seen the injected code, although admittedly intermittently. I don't know any of them. How could THEY be seeing this code?
 

hbazer

I do not agree with you...

At your site URL [http://sfl.x10host.com/] near the bottom of the page I see
This page, /index.shtml, was last updated on 2013-02-20 at 10:16:15 CST

Note the file extension of [ shtml ]

Your source code includes server instructions or server side includes
it is telling the server to add stuff

To be sure of what I am saying - here is one of many links --> http://www.computerhope.com/jargon/s/shtml.htm

IMO you should put a very short test HTML web page in your account then run it with your Firefox browser

I have made one that has one line of code and is 28 bytes in size

This is the code
Code:
<html><body>Hi</body></html>

jjordan has put this page in her account which is on the same server as yours - server name [ Absolut ] - server IP [ 198.91.81.2 ]
as --> http://jjordan69.pcriot.com/test_one_line.html

run it in your browser - anything added to it ?

Now make your own test page and run it from your account - anything added to it ?
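
An added example, not part of any post in this thread: one way to run the comparison suggested above, checking the bytes a non-browser client saved against the uploaded file and then listing markup that exists only in a copy of the browser's DOM. `Inventory`, `classify` and all three inputs are constructed for illustration (the `EBCallBack...` name is taken from the first post), and the fetch is assumed to come from the same machine and network as the browser.

```python
from html.parser import HTMLParser

# Constructed inputs. UPLOADED is the 28-byte test page from the post above;
# SERVED stands for the bytes a non-browser client saved; DOM_SNAPSHOT stands
# for markup copied from the inspector, abbreviated from the first post.
UPLOADED = b"<html><body>Hi</body></html>"
SERVED = b"<html><body>Hi</body></html>"
DOM_SNAPSHOT = """<html><head>
<meta content="0.1" http-equiv="Refresh">
<script type="text/javascript">
window.addEventListener('click', function (evt) {
  EBCallBackMessageReceivedd3763e0c_d5a0_4a2c_95f6_6d1ecf107360(evt.target.href);
}, true);
</script>
</head><body>Hi</body></html>"""


class Inventory(HTMLParser):
    """Collect meta refresh values and script bodies, the markup at issue here."""

    def __init__(self, html):
        super().__init__()
        self.refresh, self.scripts, self._in_script = [], [], False
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refresh.append(a.get("content", ""))
        elif tag == "script":
            self._in_script = True
            self.scripts.append(a.get("src", ""))  # external scripts keep their URL

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def classify(uploaded, served, dom_html):
    """Report whether extra markup arrived before the browser or inside it."""
    norm = lambda s: " ".join(s.split())
    up = Inventory(uploaded.decode("utf-8", "replace"))
    sv = Inventory(served.decode("utf-8", "replace"))
    dom = Inventory(dom_html)
    served_scripts = {norm(s) for s in sv.scripts}
    return {
        "served_bytes": len(served),
        # A byte difference here points at the server or the network path.
        "changed_before_browser": served != uploaded,
        "refresh_before_browser": [r for r in sv.refresh if r not in up.refresh],
        # The live DOM never byte-matches the file, so compare elements instead.
        "refresh_in_browser": [r for r in dom.refresh if r not in sv.refresh],
        "scripts_in_browser": [norm(s) for s in dom.scripts
                               if norm(s) not in served_scripts],
    }


if __name__ == "__main__":
    print(classify(UPLOADED, SERVED, DOM_SNAPSHOT))
```

With an intermittent symptom, one clean fetch proves little; saving both the fetched bytes and the DOM copy at the moment the infobar appears gives a pair that can be compared.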
 

rhinosfl

hbazer, you are absolutely right: I am using the .shtml file extension all over the site. That was a deliberate and conscious choice. I have several bits of my pages that get repeated over and over again but might need to change occasionally so I wrote them as SSI (server side includes). All of the files included through this technique - which is a standard well-known technique that is documented by Apache - are present on my website. But NONE of the included files does a refresh. So that is not relevant to the problem at hand.

The code I - and others - are seeing intermittently is NOT code that I wrote and it doesn't appear in any page of my site. If you'd like to do a search on my files to satisfy yourself that I am not doing any refreshes in the code I wrote, feel free to do so.

Some of the other people in this thread have said that they think I have a toolbar that is injecting this code. I have only one toolbar and it's been there for at least two years. I've only started seeing the infobars in the last few weeks. I haven't updated the toolbar since I installed it. But perhaps it has auto-updated itself; that's possible, I suppose. Therefore, I've disabled that toolbar until we can rule it out as the cause of the problem. The injected code still appears. I've even run the browser in Safe Mode and still get the code showing up.

You are absolutely right: I am using the .shtml file extension all over the site. That was a deliberate and conscious choice. I have several bits of my pages that get repeated over and over again but might need to change occasionally so I wrote them as SSI (server side includes). All of the files included through this technique - which is a standard well-known technique that is documented by Apache - are present on my website. But NONE of the included files does a refresh. So the included files are not relevant to the problem at hand. Furthermore, I am writing using the XHTML 1.0 and HTML5 doctypes on my pages; the injected code is using HTML 4.01.

The code I - and others - are seeing intermittently is NOT code that I wrote and it doesn't appear in any page of my site. If you'd like to do a search on my files to satisfy yourself that I am not doing any refreshes in the code I wrote, feel free to do so.

Some of the other people in this thread have said that they think I have a toolbar that is injecting this code. I have only one toolbar and it's been there for at least two years. I've only started seeing the infobars in the last few weeks. I've disabled that toolbar in any case. The injected code still appears. I've even run the browser in Safe Mode and still get the code showing up. Three other people, who I've never met, have also seen the code at least once or twice each. It only appears intermittently but it has appeared for them.


> IMO you should put a very short test HTML web page in your account then run it with your Firefox browser
>
> I have made one that has one line of code and is 28 bytes in size
>
> This is the code
> Code:
> <html><body>Hi</body></html>
>
> jjordan has put this page in her account which is on the same server as yours - server name [ Absolut ] - server IP [ 198.91.81.2 ]
> as --> http://jjordan69.pcriot.com/test_one_line.html
>
> run it in your browser - anything added to it ?
>
> Now make your own test page and run it from your account - anything added to it ?

I've tried accessing jjordan69's test page and I am seeing the injected code. I've done a screen cap showing the code. You can see it at http://sfl.x10host.com/images/2013-03-01_1417.png

I've added my own test page - http://sfl.x10host.com/test.shtml - and do NOT see the extra code at the moment. I've tried several times since creating it and don't see the injected code yet. But it _is_ an intermittent problem so that's not completely surprising, just frustrating.

I'm at a loss to think of any explanation other than that the code is coming from X10. I have no idea why it is intermittent but you seem to be the source of it. I'm glad to hear that you aren't doing it deliberately. Is there any possibility that someone has hacked you and is injecting this code without your knowledge?
 

descalzo

> I'm at a loss to think of any explanation other than that the code is coming from X10. I have no idea why it is intermittent but you seem to be the source of it. I'm glad to hear that you aren't doing it deliberately. Is there any possibility that someone has hacked you and is injecting this code without your knowledge?

No. Your end is the source of it.

You do not know what you are talking about.

A. Do you see it using IE, Chrome, or Safari. Yes or No?
B. If anyone else has seen it, are they using Firefox with toolbars. Yes or No.
 

hbazer

1.> The source code in your screen-shot above - is by Firefox when it throws - what you call - an "infobar" to your screen - there is no code from the server in it

2.> That screen-shot is not the same as the one within your first post in this thread

3.> The why of - one line of code without [ \n ] or [ \r ] inside of it and using the extension of [ html ] - is to test what if anything the server is adding to it

IMO you have not made your point of "X10Hosting adding code to your site"
 

rhinosfl

No one who has responded to this thread has given any acknowledgement to the fact that three independent observers have seen the same behaviour that I have. No one has offered a plausible explanation of how this problem could be isolated to my computer, as you keep insisting, yet still be seen by those independent observers.

The fact that this problem is very intermittent - it doesn't even happen 100% of the time for me - makes this a difficult problem. I can understand some reluctance on your part to accept that this is happening anywhere but on my desktop. But if three outside observers who are strangers to me say that they've seen the problem too, then I am satisfied that there IS a bigger problem here than some mysterious toolbar on my computer.

I've offered up my proof and you people are determined to deny it. Well, so be it. But I've got better things than to argue with you. I've moved my data to another site and left a simple placeholder for the sake of visitors. That page will disappear when my account expires in 30 days or so. I won't be back and I definitely won't be recommending X10 to any of my friends.

Personally, I think that one of two things is happening:
1. The administrators ARE injecting code for some purpose and lying about it. If it were harmless code, I see no strong reason for them to lie about it, although they may just want to keep from offending people by admitting to injection of code that is harmless. (I believe that the Refresh is harmless but I haven't been able to determine what the OTHER code, in the <script> tags, is doing. It may well be dangerous.)
2. This site has been hacked and the administrators don't realize it or don't know how to handle it if they do.

There may be other explanations too. I don't pretend to have a comprehensive understanding of all the ins and outs of administering a hosting site so perhaps something else is going on.

I don't really want to leave this way but I've got too much other stuff to do to get into a prolonged argument when the people on the other side continue to deny some pretty damning evidence.

I hope the rest of you keep your eyes open and either succeed in getting the code injection stopped when you finally see it for yourselves or move on to another hosting service. Those are the only two ways to fight back.
 