No, it’s not from the server. I am very much sure about that.
If it was so, the same file would have downloaded after I pointed the domain to the nameserver of the host. The website started working properly after I pointed the domain to the host’s nameserver.
My host only identified the issue and advised me to point the domain to their nameserver. I found that the site started working after that.
I changed that temporarily as I want to continue using Cloudflare if someone can help identify the issue and fix it.
This is a very clever hack.
The problem is under “Rules” >> “Redirects”.
Delete the planted redirect and then secure your account.
The issue started with your Cloudflare password being compromised. So do the following:
Firstly, go to “My profile” and then, from the left menu, find “Sessions”.
Close all active sessions except your own.
Then, change your password and enforce 2FA on your Cloudflare account.
Lastly, I suggest going through the audit logs under “Manage account” to see if anything else was changed/added.
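An offline check for the redirect-rule step above, as an added example that is not part of the original thread: it scans an exported ruleset for redirect rules whose target leaves your own domain. The sample data is constructed, its field names are assumed to follow Cloudflare's Rulesets API response for the `http_request_dynamic_redirect` phase, and `suspicious_redirects` is a hypothetical helper.

```python
from urllib.parse import urlsplit

# Constructed sample. Field names are assumed to match the Cloudflare Rulesets
# API response for the http_request_dynamic_redirect phase; verify on your export.
SAMPLE_RULESET = {"result": {"phase": "http_request_dynamic_redirect", "rules": [
    {"id": "rule-1", "enabled": True, "action": "redirect",
     "expression": '(http.host eq "www.example.com")',
     "action_parameters": {"from_value": {"status_code": 301,
         "target_url": {"value": "https://example.com/"}}}},
    {"id": "rule-2", "enabled": True, "action": "redirect",
     "expression": "true",
     "action_parameters": {"from_value": {"status_code": 302,
         "target_url": {"value": "https://example.com.mirror.invalid/file.zip"}}}},
    {"id": "rule-3", "enabled": False, "action": "redirect",
     "expression": "true",
     "action_parameters": {"from_value": {"status_code": 302,
         "target_url": {"expression":
             'concat("https://mirror.invalid", http.request.uri.path)'}}}},
]}}


def suspicious_redirects(ruleset, zone):
    """Hypothetical helper: list redirect rules whose target leaves `zone`."""
    zone = zone.lower().rstrip(".")
    findings = []
    for rule in ruleset.get("result", {}).get("rules", []):
        if rule.get("action") != "redirect":
            continue
        params = rule.get("action_parameters", {}).get("from_value", {})
        target = params.get("target_url", {})
        if "expression" in target:
            # Computed at request time, so it cannot be judged offline.
            reason, shown = "dynamic target", target["expression"]
        else:
            shown = target.get("value", "")
            host = (urlsplit(shown).hostname or "").lower()
            if host == zone or host.endswith("." + zone):
                continue  # stays on the zone or one of its subdomains
            reason = "off-zone target"
        findings.append({"id": rule.get("id"), "reason": reason, "target": shown,
                         "enabled": rule.get("enabled", True),
                         "match": rule.get("expression", "")})
    return findings


if __name__ == "__main__":
    for finding in suspicious_redirects(SAMPLE_RULESET, "example.com"):
        print(finding)
```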
I closed all the sessions except my own. I noticed that in the last few days, my Cloudflare was accessed from Great Britain and France even though I am based in India.
I changed the password and enforced the 2-step verification.
I could not find the audit logs as I could not find Manage Account. Is it because I have not given access to anyone? I mean, I have no team members.
I checked the rules but could not make out what to do. Normalize incoming URLs is turned on. See the screenshot below and please advise.
Thanks for the reports all. For those seeing this, are you using a specific host? A Cloudflare partner? We’re trying to isolate how/when this started happening, and a potential cause.
I am facing the same problem. I did research and found your post.
My domain automatically redirects to a link and downloads this New Browser Zip file.
I extracted it and it shows (Tanks Game); it looks like spam.
I just removed my website from Cloudflare and everything is normal now.
I don’t know what the ■■■■ this is, but I am sure it happened because of Cloudflare.
It’s most likely a virus, from previous reports. Extracting it might have been very bad.
Running theory is a credential stuffing list which matched your (and others’) account credentials. Have you used partners or used this password in other services?