Somehow Subdomain Website Redirected to Main Domain

Hello.

Just curious why my sub domain website suddenly redirected to the main domain with 301 settings, enable redirection active (ticked) suddenly?

Debian 12, Hestia 1.9.4

Maybe if you used any template, where you may have copied that over (apache/nginx), or even htaccess file.

I look into user log, and this is what happened, time around 05.55 up.

and this time 17.39 up is because my activity when setting back to disable redirection:

Seems you have been hacked. Unless you say those domains are yours?

See if any scripts have been loaded onto your server. Also, suspend the site initially to ensure the attack does not spread. Change the password etc.

Someone more expert should be able to give more idea, but definitely someone has access to your server.

Doesn’t seem so to me.

@pakdhetimin show the output of this command (replace YourUser with the actual user name):

v-list-web-domain YourUser sidj.gkjamb.org json

I was not sure, hence I stated that someone more expert will help here. :innocent:

yes, those are my domains.

{
  "sidj.gkjamb.org": {
    "IP": "74.50.67.52",
    "IP6": "",
    "DOCUMENT_ROOT": "/home/MyUser/web/sidj.gkjamb.org/public_html/",
    "U_DISK": "6",
    "U_BANDWIDTH": "17",
    "TPL": "default",
    "ALIAS": "",
    "STATS": "",
    "STATS_USER": "",
    "SSL": "yes",
    "SSL_FORCE": "yes",
    "SSL_HSTS": "yes",
    "SSL_HOME": "same",
    "LETSENCRYPT": "yes",
    "FTP_USER": "",
    "FTP_PATH": "",
    "AUTH_USER": "",
    "BACKEND": "default",
    "PROXY": "default",
    "PROXY_EXT": "css,htm,html,js,mjs,json,xml,apng,avif,bmp,cur,gif,ico,jfif,jpg,jpeg,pjp,pjpeg,png,svg,tif,tiff,webp,aac,caf,flac,m4a,midi,mp3,ogg,opus,wav,3gp,av1,avi,m4v,mkv,mov,mpg,mpeg,mp4,mp4v,webm,otf,ttf,woff,woff2,doc,docx,odf,odp,ods,odt,pdf,ppt,pptx,rtf,txt,xls,xlsx,7z,bz2,gz,rar,tar,tgz,zip,apk,appx,bin,dmg,exe,img,iso,jar,msi,webmanifest",
    "FASTCGI_CACHE": "no",
    "FASTCGI_DURATION": "0s",
    "REDIRECT": "",
    "REDIRECT_CODE": "",
    "CUSTOM_DOCROOT": "",
    "SUSPENDED": "no",
    "TIME": "19:58:08",
    "DATE": "2025-10-27"
  }
}

I looked into those logs and I think it happened after the SSL renewal process.

I just tried visiting this site:. The site is showing this error:

Warning: mysqli_connect(): (HY000/2002): Connection refused in /home/bamboo/web/sidj.gkjamb.org/public_html/config/koneksi.php on line 10
gagal koneksi ke database

Yes, it did. The certificate renewal process removes the redirects, and once the certificate is renewed, it adds the redirects again.

Looks like for some reason, REDIRECT variable had www.gkjamb.org so Hestia re-added it during certificate renewal process. Now all is ok.

You could check whether other web domains have similar redirects.

for u in $(v-list-users plain | cut -f1); do echo "Checking user $u";for d in $(v-list-web-domains $u plain | cut -f1); do echo "Checking web domain $d"; REDIRECT="$(v-list-web-domain $u $d json | jq -r '.[]|.REDIRECT')";echo "REDIRECT=\"$REDIRECT\"";done;echo;done

If it happens again, before modifying the redirect, take a look at the current conf:

v-list-web-domain YourUser AffectedDomain json
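An added example, not part of the thread or of Hestia itself: a triage helper that reads the JSON printed by `v-list-web-domain` and separates redirects pointing at the domain's own name (or an alias) from redirects pointing at a different host, which is the case reported here. Assumptions: `REDIRECT` holds a bare host name or a full URL, `ALIAS` is a comma-separated list, and the sample outputs are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed samples in the shape of `v-list-web-domain USER DOMAIN json`
# output shown in the thread (only the fields used here).
SAMPLES = [
    '{"sidj.gkjamb.org": {"ALIAS": "", "REDIRECT": "www.gkjamb.org", "REDIRECT_CODE": "301"}}',
    '{"sidj.gkjamb.org": {"ALIAS": "", "REDIRECT": "", "REDIRECT_CODE": ""}}',
    '{"example.test": {"ALIAS": "www.example.test", '
    '"REDIRECT": "https://www.example.test/", "REDIRECT_CODE": "301"}}',
]


def target_host(redirect):
    """Host part of a REDIRECT value (assumed: bare host name or full URL)."""
    value = redirect.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(value).hostname or "").lower()


def classify(raw_json):
    """Return (domain, target, code, verdict) for each domain in the output."""
    # Output pasted through a forum may carry typographic quotes; normalise.
    raw_json = raw_json.replace("\u201c", '"').replace("\u201d", '"')
    findings = []
    for domain, conf in json.loads(raw_json).items():
        redirect = conf.get("REDIRECT", "")
        if not redirect:
            findings.append((domain, "", "", "none"))
            continue
        # Names that count as "the same site": the domain, www.domain, aliases.
        own = {domain.lower(), "www." + domain.lower()}
        own.update(a.strip().lower() for a in conf.get("ALIAS", "").split(",") if a)
        verdict = "own-name" if target_host(redirect) in own else "other-host"
        findings.append((domain, redirect, conf.get("REDIRECT_CODE", ""), verdict))
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        for row in classify(sample):
            print(row)
```

An `other-host` verdict is not proof of tampering (here the target was the owner's own main domain), but it marks the entries worth comparing against the user log before the redirect is changed back.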

the site is fine now, maybe sometime it just lagged process (1 vcpu and 2gb ram server :slight_smile: )


yes, you are right. okay i will try it, thank u
