301 to discordapp when proxied by Cloudflare? Hijacked DNS?

Answer these questions to help the Community help you with Security questions.

What is the domain name?
Irrelevant for now as the proxy is disabled. Will discuss in private if required.

Have you searched for an answer?
Yes

Please share your search results url:
Nothing helpful.

When you tested your domain, what were the results?
Regarding the root A record:
when the Cloudflare proxy is enabled → 301 redirect to a malicious file
when the Cloudflare proxy is disabled (DNS only) → the website loads and works well.

Describe the issue you are having:
When the Cloudflare proxy is enabled, the site is 301-redirected to a malicious file (ChromerUpdater.rar) stored on Discord’s CDN.

What error message or number are you receiving?
301 redirect

What steps have you taken to resolve the issue?

  1. Clearing the cache - multiple times, over a span of more than a day - didn’t work.
  2. Pausing Cloudflare completely - it worked, but I’d like to enable it.
  3. Using the hosting company’s DNS records without Cloudflare - it worked, but I’d like to use Cloudflare.

Was the site working with SSL prior to adding it to Cloudflare?
It is working with SSL now, but when the proxy is enabled it automatically redirects to the malicious file.

What are the steps to reproduce the error:

  1. Enable the proxy
  2. Wait - less than a minute
  3. Open the root A record

Have you tried from another browser and/or incognito mode?
Yes, both Chrome & Firefox gave the same result.

Please attach a screenshot of the error:
Will share privately if required.

Extra info

  1. When tested with redirect-checker[.]org/ I noticed something odd:
    if I used a ToolBot User-Agent, I got a valid result,
    but if I used a Chrome/Firefox User-Agent, I got the 301 redirection to the malicious file.
  2. If I ping the root A record, I get 172.67.153.65, which is in the Cloudflare range (172.64.0.0 - 172.71.255.255),
    but it is NOT one of my two Cloudflare NS:

lisa.ns.cloudflare.com 172.64.32.131
elliot.ns.cloudflare.com 172.64.33.162

So I’m pretty sure this is a Cloudflare issue, or an elaborate hack.

  3. Redirection example:

301 Moved Permanently

Status: 301 Moved Permanently
Code: 301
Date: Thu, 12 Oct 2023 21:01:30 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Thu, 12 Oct 2023 22:01:30 GMT
Location: hxxps://cdn[.]discordapp[.]com/attachments//ChromerUpdater.rar?ex=&is=&hm=&
Report-To: {"endpoints":[{"url":"hxxps://a[.]nel[.]cloudflare[.]com/report/v3?s="}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8152474af9dd37d4-FRA

If anyone has any suggestions, I’m all ears :slight_smile:
Thank you in advance.
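The User-Agent-dependent behaviour the poster saw with the redirect checker (a bot UA gets the real site, a browser UA gets the 301) can be tested mechanically. Below is an added example, not code from the post or from any redirect-checker tool: it requests the zone root twice with redirects disabled, once with a crawler-style User-Agent and once with a browser one, and flags the result when the first hop differs between the two, leaves the zone, or points at an archive or installer. The probe User-Agent strings, the placeholder zone name `example.com` and the two sample responses are constructed for the example; the sample browser response reuses the status and Location header quoted in the post.

```python
"""Differential redirect probe: does the first hop depend on the User-Agent?

Added example (not from the thread). Probe User-Agents, the placeholder zone
and the sample responses are constructed; the hostile sample reuses the
Location header quoted in the forum post.
"""
from urllib.parse import urlparse
import urllib.error
import urllib.request

# Constructed probe User-Agents: one crawler-like, one browser-like.
BOT_UA = "Mozilla/5.0 (compatible; redirect-probe/1.0; +https://example.invalid/bot)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36")

# A site root that redirects to one of these file types is a red flag.
PAYLOAD_EXTENSIONS = (".rar", ".zip", ".7z", ".iso", ".exe", ".msi", ".scr", ".js")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_raw_response(raw: str):
    """Parse a status line followed by header lines into (status, {name: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def same_zone(host: str, zone: str) -> bool:
    """True when host is the zone apex or one of its subdomains."""
    host, zone = host.lower(), zone.lower()
    return host == zone or host.endswith("." + zone)


def classify(zone: str, status: int, headers: dict) -> dict:
    """Describe one response: is it a redirect, to where, and does the target look hostile?"""
    result = {"redirect": False, "location": None, "off_zone": False, "payload_target": False}
    if status not in REDIRECT_CODES:
        return result
    location = headers.get("location")
    result.update(redirect=True, location=location)
    if not location:
        return result
    target = urlparse(location)
    host = target.hostname or ""          # empty for relative Location values
    result["off_zone"] = bool(host) and not same_zone(host, zone)
    result["payload_target"] = target.path.lower().endswith(PAYLOAD_EXTENSIONS)
    return result


def differential_check(zone: str, fetch) -> dict:
    """fetch(url, user_agent) -> (status, headers). Probe with both UAs and compare."""
    url = f"https://{zone}/"
    bot = classify(zone, *fetch(url, BOT_UA))
    browser = classify(zone, *fetch(url, BROWSER_UA))
    cloaked = bot["location"] != browser["location"]
    hostile = browser["payload_target"] or (browser["redirect"] and browser["off_zone"])
    return {"bot": bot, "browser": browser, "ua_cloaked": cloaked, "suspicious": cloaked or hostile}


def http_fetch(url: str, user_agent: str):
    """Live fetcher: a single request, 3xx returned as data instead of being followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then raises HTTPError for the 3xx, which we catch below
    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(request, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


# --- Constructed sample modelled on the headers quoted in the thread ----------
SAMPLE_ZONE = "example.com"  # placeholder; the poster did not name the domain
SAMPLE_BROWSER_RESPONSE = """HTTP/1.1 301 Moved Permanently
Cache-Control: max-age=3600
Location: https://cdn.discordapp.com/attachments//ChromerUpdater.rar?ex=&is=&hm=&
Server: cloudflare
"""
SAMPLE_BOT_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: cloudflare
"""


def sample_fetch(url: str, user_agent: str):
    """Offline stand-in for http_fetch reproducing the UA-dependent behaviour."""
    raw = SAMPLE_BOT_RESPONSE if user_agent == BOT_UA else SAMPLE_BROWSER_RESPONSE
    return parse_raw_response(raw)


if __name__ == "__main__":
    import json, sys
    live = len(sys.argv) > 1
    print(json.dumps(differential_check(sys.argv[1] if live else SAMPLE_ZONE,
                                        http_fetch if live else sample_fetch), indent=2))
```

Run with no arguments it evaluates the constructed sample; with a hostname it probes the live site. Disabling redirect following matters: a checker that follows redirects would report the final 200 from the CDN and hide the 301 that is the actual finding.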

It sounds like your account was compromised. You can follow the following guide to secure your account:

2 Likes

Agreed, it does seem like a compromised account, for two reasons:

  1. I had ~20 extra random A records (xenical, wellbutrin, venlor…), which I already removed.
  2. The fact that the main A record leads to a malicious file.

But I still fail to find the malicious setting. Where does it come from?
I don’t see it in the Rules, nor in the DNS records.

I’ve just changed the password, rotated my API keys, and it’s still the same :frowning:

Furthermore, I see nothing in the Audit log (except the things I did just now).

Thank you.

I just did all of the suggestions, but the behavior is still the same.

  • changed password.
  • rotated the keys.
  • searched for anything suspicious in the Audit logs - found nothing.

Unfortunately, the behavior is still the same:
Once I enable the proxy, the user is redirected to the malicious file.

Once again, thank you very much.

I’d check for redirects; they should be in the audit log somewhere.

2 Likes
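The suggestion above points at the zone configuration rather than DNS: a Cloudflare redirect is executed at the edge, so it only fires while the record is proxied and is invisible in the DNS tab. The following is an added example, not the poster's or Cloudflare's code, that audits the two places a zone can define redirects, the Single Redirects entrypoint ruleset (phase `http_request_dynamic_redirect`) and legacy Page Rules with a `forwarding_url` action, and flags any rule whose destination is off-zone or is a runtime expression that cannot be resolved statically. The audit logic is a pure function over already-fetched JSON so it can run offline against the constructed sample; the fetcher uses the v4 API with a Bearer token. The sample rule IDs, match expressions and the zone name are invented; the planted rule's User-Agent expression is modelled on the behaviour the poster observed, not on a rule shown in the thread.

```python
"""Audit a Cloudflare zone for redirect rules that send visitors off-zone.

Added example (not from the thread). Sample rule IDs, expressions and the zone
name are invented. Requires a token able to read the zone's rulesets and page
rules when run live; offline it inspects the constructed sample.
"""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse

API_BASE = "https://api.cloudflare.com/client/v4"


def cf_get(path: str, token: str):
    """GET an API path with a Bearer token and return the 'result' payload."""
    req = urllib.request.Request(API_BASE + path, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)["result"]


def fetch_redirect_config(zone_id: str, token: str):
    """Single Redirects entrypoint ruleset (404 when the zone has none) plus Page Rules."""
    try:
        rulesets = [cf_get(f"/zones/{zone_id}/rulesets/phases/http_request_dynamic_redirect/entrypoint", token)]
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
        rulesets = []
    return rulesets, cf_get(f"/zones/{zone_id}/pagerules", token)


def off_zone(target_url: str, zone_name: str) -> bool:
    """True when the target host is neither the zone apex nor one of its subdomains."""
    host = (urlparse(target_url).hostname or "").lower()
    zone_name = zone_name.lower()
    return bool(host) and host != zone_name and not host.endswith("." + zone_name)


def audit_redirects(zone_name: str, rulesets: list, pagerules: list) -> list:
    """Return every redirect whose destination is off-zone or only known at runtime."""
    findings = []
    for ruleset in rulesets:
        for rule in ruleset.get("rules", []):
            if rule.get("action") != "redirect":
                continue
            target = rule.get("action_parameters", {}).get("from_value", {}).get("target_url", {})
            if "expression" in target:            # dynamic target: host unknown until runtime
                reason, dest = "dynamic target expression", target["expression"]
            elif off_zone(target.get("value", ""), zone_name):
                reason, dest = "redirects off-zone", target["value"]
            else:
                continue                          # static, in-zone: leave it alone
            findings.append({"source": "single_redirect", "id": rule.get("id"), "match": rule.get("expression"),
                             "target": dest, "enabled": rule.get("enabled", True), "reason": reason})
    for pagerule in pagerules:
        for action in pagerule.get("actions", []):
            dest = action.get("value", {}).get("url", "")
            if action.get("id") == "forwarding_url" and off_zone(dest, zone_name):
                match = "; ".join(t.get("constraint", {}).get("value", "") for t in pagerule.get("targets", []))
                findings.append({"source": "page_rule", "id": pagerule.get("id"), "match": match, "target": dest,
                                 "enabled": pagerule.get("status") == "active", "reason": "redirects off-zone"})
    return findings


# --- Constructed sample: one planted rule beside two legitimate ones -----------
SAMPLE_ZONE = "example.com"
SAMPLE_RULESETS = [{"phase": "http_request_dynamic_redirect", "rules": [
    {"id": "rule-legit", "action": "redirect", "enabled": True,
     "expression": '(http.request.uri.path eq "/old")',
     "action_parameters": {"from_value": {"status_code": 301,
                                          "target_url": {"value": "https://www.example.com/new"}}}},
    {"id": "rule-planted", "action": "redirect", "enabled": True,   # invented, modelled on the thread
     "expression": '(http.user_agent contains "Chrome") or (http.user_agent contains "Firefox")',
     "action_parameters": {"from_value": {"status_code": 301,
                                          "target_url": {"value": "https://cdn.discordapp.com/attachments//ChromerUpdater.rar"}}}},
]}]
SAMPLE_PAGERULES = [{"id": "pr-1", "status": "active",
                     "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "example.com/blog/*"}}],
                     "actions": [{"id": "forwarding_url", "value": {"url": "https://blog.example.com/$1", "status_code": 301}}]}]


if __name__ == "__main__":
    token, zone_id = os.environ.get("CF_API_TOKEN"), os.environ.get("CF_ZONE_ID")
    zone = os.environ.get("CF_ZONE_NAME", SAMPLE_ZONE)
    rulesets, pagerules = fetch_redirect_config(zone_id, token) if token and zone_id else (SAMPLE_RULESETS, SAMPLE_PAGERULES)
    for finding in audit_redirects(zone, rulesets, pagerules):
        print(json.dumps(finding))
```

Set `CF_API_TOKEN`, `CF_ZONE_ID` and `CF_ZONE_NAME` to run it against a real zone; without them it prints the one planted rule from the sample. Pair the output with the account audit log (`GET /accounts/{account_id}/audit_logs`), which records who created each rule and from where, since rotating the password and API keys stops new changes but does not undo rules already planted.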

It was the redirect rules!
You are amazing.
Thank you so so much! :slight_smile:

2 Likes


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.