A NewBrowser.rar file downloaded when web address is put on browser

When I am putting the website on the browser, a RAR file called NewBrowser.rar is getting downloaded. The site is not showing up.

My website host told me that the problem is from Cloudflare. After I pointed the domain to the nameserver of the host, the site is working.

I still kept one of my sites on Cloudflare so someone can check and help me fix it.

belantti.in

Cloudflare does not serve any file on your behalf. It's your server which serves the files. Check your server for possible loopholes.

No, it’s not from the server. I am very much sure about that.

If it was so, the same file would have downloaded after I pointed the domain to the nameserver of the host. The website started working properly after I pointed the domain to the host’s nameserver.

My host only identified the issue and advised me to point the domain to their nameserver. I found that site started working after that.

I changed that temporarily as I want to continue using Cloudflare if someone can help identify the issue and fix it.

We are also seeing this on a client's account.

Downloads newbrowser.rar file, when we disable Cloudflare proxy mode the issue goes away!!

It’s not the first case I have seen. Can you please check if there are Page Rules, Workers, etc. acting somewhere?

Check audit logs for when and who did this. I am 99.9% sure someone got your credentials and accessed your account. Change your passwords, now.

2 Likes

This is a very clever hack.
The problem is under “Rules” >> “Redirects”
Delete the planted redirect and then secure your account.

The issue started with your Cloudflare password being compromised. So do the following:
Firstly, go to “My profile” and then from the left menu find “Sessions”.
Close all active sessions except your own.
Then, change your password and enforce 2FA on your Cloudflare account.
Lastly, I suggest going through the audit logs under “Manage account” to see if anything else was changed/added.

3 Likes
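As an added example (not part of the thread and not Cloudflare's code), here is a Python check for the review the post above recommends: it walks a zone's Single Redirect rules and flags those that point off-domain, point at a file download, or changed after a given date. The JSON shape is assumed to match what the Rulesets API returns for the `http_request_dynamic_redirect` phase; the sample ruleset, rule ids, hosts and dates are constructed.

```python
from datetime import datetime
from urllib.parse import urlsplit

DOWNLOAD_EXTS = (".rar", ".zip", ".7z", ".exe", ".msi", ".iso")

# Constructed sample shaped like a zone's Single Redirects ruleset
# (assumed API shape); all ids, hosts and dates are made up.
SAMPLE_RULESET = {
    "phase": "http_request_dynamic_redirect",
    "rules": [
        {"id": "rule-a", "action": "redirect", "enabled": True,
         "expression": '(http.host eq "example.com")',
         "last_updated": "2020-03-02T10:00:00Z",
         "action_parameters": {"from_value": {"status_code": 301,
             "target_url": {"value": "https://www.example.com/"}}}},
        {"id": "rule-b", "action": "redirect", "enabled": True, "expression": "true",
         "last_updated": "2020-06-21T03:14:00Z",
         "action_parameters": {"from_value": {"status_code": 302,
             "target_url": {"value": "https://files.invalid/dl/NewBrowser.rar"}}}},
    ],
}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def flag_redirect_rules(ruleset, own_domains, changed_since=None):
    """Return {rule_id: [reasons]} for redirect rules that need review."""
    findings = {}
    for rule in ruleset.get("rules", []):
        if rule.get("action") != "redirect":
            continue
        params = rule.get("action_parameters", {}).get("from_value", {})
        target = params.get("target_url", {})
        reasons = []
        if "value" not in target:
            # Targets built from an expression cannot be checked statically.
            reasons.append("dynamic target, review by hand")
        else:
            url = urlsplit(target["value"])
            host = (url.hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in own_domains):
                reasons.append("off-domain target: " + host)
            if url.path.lower().endswith(DOWNLOAD_EXTS):
                reasons.append("target is a file download")
        updated = rule.get("last_updated")
        if changed_since and updated and _ts(updated) >= _ts(changed_since):
            reasons.append("changed since " + changed_since)
        if reasons:
            findings[rule["id"]] = reasons
    return findings
```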

Have you figured out if it’s API or Dashboard?

Did you ever share the password anywhere? I know there are some services which ask for Cloudflare credentials.

I closed all the sessions except my own. I noticed that in the last few days, my Cloudflare was accessed from Great Britain and France even though I am based in India.

I changed the password and enforced the 2-step verification.

I could not find the audit logs as I could not find Manage Account. Is it because I have not given access to anyone? I mean, I have no team members.

I checked the rules but could not make out what to do. Normalize incoming URLs is turned on. See the screenshot below and please advise.

Under Rules… go to “Redirect Rules”. There should be a planted redirect in there. Delete it.

The audit log is on the left menu while on the main page (not in a website profile) - see screenshot

1 Like

Thanks for the reports all. For those seeing this, are you using a specific host? A Cloudflare partner? We’re trying to isolate how/when this started happening, and a potential cause.

3 Likes

They are in the account menu, not the site menu. This shortcut will take you to your audit logs.

https://dash.cloudflare.com/?to=/:account/audit-log

1 Like

I found the audit log and could see that some Rulesets Update happened on 21st Jan. 7 times it happened. Here is the screenshot -

The following is what I could see on the Single Redirect section. Do you mean those Redirects have been created and I should delete those?

@shahil.shaikh1407 have you used any Cloudflare partner in the past? Like Ezoic, SiteGround, Shopify etc.?

If I go to edit, I could see the link where it is redirecting.

I put that link on the browser, it is downloading the same file. Now it’s clear what they have done. I need to remove those links.

I am facing the same problem. I did research and found your post.
My domain automatically redirects to a link and downloads this New Browser Zip file.
I extracted it and it shows (Tanks Game), which looks like spam.

I just removed my website from Cloudflare and everything is normal now.
I don’t know what the ■■■■ this is, but I am sure it's happened because of Cloudflare.

I just removed the redirect links they planted. I will direct the domain to Cloudflare again now and see if it works correctly now.

I will update here.

1 Like

Thanks, brother.

I just removed the redirect links and now the websites are live and working fine.

Thanks once again.

1 Like

Can someone please reply to @albert’s question?

It’s most likely a virus, from previous reports. Extracting it might have been very bad.

Running theory is a credential stuffing list which matched your (and others') account credentials. Have you used partners or used this password in other services?

1 Like