Domain serving injected “/aes.js” + “__test” challenge (OpenResty) — Google flagged as deceptive sit

Hosting Support
1

Hello InfinityFree team,

My domain gestionmarchi.com has been flagged by Google as a deceptive site / social engineering, and I’m trying to remove the cause so I can request a successful review.

What is happening

When I request the homepage directly from the origin server (without Cloudflare proxy), the server returns an HTML/JS challenge that loads /aes.js, sets a cookie called __test, and redirects to /?i=1. The response header shows Server: openresty.

This content is NOT part of my website project (I searched my project files and there is no aes.js, slowAES, __test, toNumbers, etc.). It looks like an injection or server-level rule.
Evidence (curl output)

HTTP (port 80)

HTTP/1.1 200 OK

Server: openresty

Content-Type: text/html

HTTPS (port 443)

curl.exe -vk --http1.1 -A “Mozilla/5.0” “https://gestionmarchi.com/”

HTTP/1.1 200 OK
Server: openresty
Content-Type: text/html

Also, requesting /__test returns Cloudflare-style errors (520) when proxied, and origin responses are inconsistent, which made me suspect proxy/origin security behavior.

What I already tried

  1. I checked my website files and aes.js does not exist in my project.

  2. I downloaded the full account files as a ZIP and searched for:

    • aes.js, slowAES, __test, toNumbers, auto_prepend_file, etc. → no matches

  3. Cloudflare was previously Proxied and returned 520; I switched DNS records to DNS only (grey cloud) to troubleshoot origin directly.

Request / What I need help with

Could you please:

  1. Confirm if InfinityFree adds any OpenResty/Nginx security challenge that injects /aes.js + __test cookie, and if so, how can it be disabled for my domain?

  2. If this is NOT expected behavior, can you check whether my hosting account or domain is affected by:

    • server-level injected rules,

    • compromised account,

    • malware / hidden scripts outside htdocs,

    • PHP auto_prepend_file / .user.ini behavior,

    • or anything in OpenResty/WAF that could be forcing this response?

  3. Provide the exact steps I should follow to fully clean this so Google Safe Browsing review will pass.

I’m happy to provide any additional info you need (account username, hosting details, etc.).
Thank you for your help — this is urgent because the domain reputation is impacted.

Best regards,
Giomar Marchisio

4
41250×413 73.8 KB

2

This is part of the security system. This helps explain it further:

That said, this shouldn’t trigger the deceptive site warning from google safe search
The more likely reason this is showing is because your sites home page is a fairly generic login page, with no details as to what the site is or what you’re logging into.

I’d recommend adding a landing page with some details about your site, that then links to a login page. I know it seems excessive, but there’s a reason most sites you visit online don’t have their homepage as just a “log in” page

This article may help you too:

8 Likes
3

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.