DNS appears to be hacked/polluted

media.writingclasses.com is a CNAME record pointing to gothamwriters-media.s3-website-us-east-1.amazonaws.com.

Something is hijacking the traffic and it’s actually returning someone else’s web site. http://media.writingclasses.com/ is not our content.

Since this is a CNAME record, these two URLs should serve content from the same place:

http://gothamwriters-media.s3-website-us-east-1.amazonaws.com/GWC/2022/featured_author_edited.mp4

http://media.writingclasses.com/GWC/2022/featured_author_edited.mp4

But http://media.writingclasses.com/ seems to be serving content from an S3 bucket that we do not own.

We’ve checked for redirects and can’t find any. I’m hoping that the Cloudflare community will have some troubleshooting advice. Thanks in advance!

Afraid, this is not correct and that’s not how a CNAME entry works.

Your Amazon setup needs to know about the domain and it does not, which is why you are getting the error message.

On top of that, your Amazon server is not configured for SSL.

How to fix that

  1. Configure your Amazon server so that it responds to HTTPS with a valid certificate for your domain
  2. Configure your Amazon server to serve content for your domain

Afraid, this is not correct and that’s not how a CNAME entry works.

Doesn’t a CNAME record simply send traffic to the same IP as the A record it points to?

Configure your Amazon server to serve content for your domain

It is serving content from our domain. I’m confused.

Maybe I haven’t explained this correctly.

Something is hijacking traffic to our S3 bucket and sending it to a bucket maintained by someone else.

Traffic to media.writingclasses.com is not actually going to the A record the CNAME points to.

It does, but if the server does not recognise the domain you run into this exact issue.

Nobody will be hijacking anything, but your server is simply not correctly configured. Hence the two things I mentioned earlier.

As far as Cloudflare is concerned, it correctly resolves the hostname to the configured Amazon hostname. Everything else needs to be configured on Amazon’s side and Cloudflare is not involved.

As mentioned, make sure your server is properly configured for HTTPS and for the hostname and it will work.


OK - so once the traffic gets to S3 it’s not correctly resolving the domain? I think I understand now.

What’s confusing matters is that I got an alert from Google that someone has added themselves as an owner of that domain, and it’s not an email address I recognize.

On top of that, the domain is now serving anime content in an Indonesian language, so there is certainly a hacker involved. This may be on the S3 side of things, not Cloudflare. I’ll dig further.

That’s right, that configuration needs to be done on Amazon’s side. Just make sure it has a valid certificate and works for your domain.


OK, thanks for the help
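
Added example, not part of any post in this thread: a zone audit for the misconfiguration discussed above. It relies on AWS's documented rule that an S3 website endpoint reached through a CNAME selects the bucket from the HTTP Host header, so the bucket name must equal the hostname. The function names and all sample records except the first are constructed for illustration.

```python
import re

# S3 website endpoints come in two shapes: "-<region>" and ".<region>".
S3_WEBSITE = re.compile(
    r"^(?P<bucket>.+)\.s3-website[-.](?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)

def normalize(name):
    return name.strip().rstrip(".").lower()

def check_cname(hostname, target):
    """Classify one CNAME record as 'ok', 'mismatch' or 'not-s3-website'."""
    host, tgt = normalize(hostname), normalize(target)
    m = S3_WEBSITE.match(tgt)
    if m is None:
        return "not-s3-website", tgt
    bucket = m.group("bucket")
    if bucket == host:
        return "ok", bucket
    # The endpoint picks the bucket from the Host header, so this hostname
    # is answered by whoever owns a bucket named exactly like the hostname.
    return "mismatch", f"bucket '{bucket}' in target, but S3 will look for bucket '{host}'"

def audit_zone(zone_text):
    """Map each CNAME owner name in a zone-file snippet to its status."""
    results = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper:
            continue
        idx = upper.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed record, skip
        results[normalize(fields[0])] = check_cname(fields[0], fields[idx + 1])[0]
    return results

# Constructed zone snippet; only the first record is taken from the thread.
SAMPLE_ZONE = """
media.writingclasses.com. 300 IN CNAME gothamwriters-media.s3-website-us-east-1.amazonaws.com.
static.example.test.      300 IN CNAME static.example.test.s3-website.eu-west-1.amazonaws.com.
www.example.test.         300 IN CNAME example.test.   ; not an S3 website endpoint
"""

if __name__ == "__main__":
    for host, status in audit_zone(SAMPLE_ZONE).items():
        print(f"{host}: {status}")
```

A `mismatch` result means the hostname should either point at a bucket you own with exactly that name, or the CNAME should be removed.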
