Domain redirects to unknown torrent page

Hello dear Community,

I have a problem with my domain. One of our domains seems to have been hacked.
The domain “dezentralbox.org” points to a torrent page. This is not our site and we don't know why this happens.
Here is a screenshot of the site: https://imgur.com/a/ntAG5s7

We have 20+ domains. The domains are located on Raidboxes.de and are redirected with Cloudflare to our main site “decentralbox.com”.

Unfortunately I do not know how my old agency did that with the forwarding by Cloudflare. But they claim that they have NOTHING to do with it.

Raidboxes also says that this is a problem on Cloudflare, because the domains point to the nameservers of Cloudflare.

But if I log in on Cloudflare, I do not see forwarding or an entry for the domain “dezentralbox.org”.

Here are some screenshots of Cloudflare:
1.) https://imgur.com/a/3q7wDoo
Only the domains that can be seen will redirect you to the main page.

One post is usually enough to start :wink:. Begin with removing the non-Cloudflare name server:

$ dig ns dezentralbox.org +short
decentralbox.com.
dorthy.ns.Cloudflare.com.
george.ns.Cloudflare.com.

Hello, thanks for replying. So that I can explain the whole problem in detail, I wanted to insert more than 2 links. Unfortunately this was not possible.

That’s why I divided it up.

Where should I remove it?

With your domain registrar. You should only have two Cloudflare nameservers, no others, no more.

At your registrar :slight_smile:


Hello dear Support,

I have a problem with my domain. One of our domains seems to have been hacked.
The domain “dezentralbox.org” points to a torrent page. This is not our site and we don't know why this happens.
Here is a screenshot of the site: https://imgur.com/a/ntAG5s7

We have 20+ domains. The domains are located on Raidboxes.de and are redirected with Cloudflare to our main site “decentralbox.com”.

Unfortunately I do not know how my old agency did that with the forwarding by Cloudflare. But they claim that they have NOTHING to do with it.

Raidboxes also says that this is a problem on Cloudflare, because the domains point to the nameservers of Cloudflare.

But if I log in on Cloudflare, I do not see forwarding or an entry for the domain “dezentralbox.org”.

Here are some screenshots of Cloudflare:
1.) https://imgur.com/a/3q7wDoo
Only the domains that can be seen will redirect you to the main page.
2.) https://imgur.com/a/t3hryLc
When I search for the capped domain “dezentralbox.org”, Cloudflare does not find an entry.
3.) https://imgur.com/a/3AVdIos
Also, the audit log shows nothing when I search for “dezentralbox.org”. The period is from 2018.

whoishostingthis.com spits out these details about the capped domain to me:
https://imgur.com/a/481pK7d

I have now set the name servers on Raidboxes to default for the capped domain; before, they were these:

  1. dorthy.ns.Cloudflare.com
  2. george.ns.Cloudflare.com

These nameservers from Cloudflare are also active on other domains of mine, but there was no such mess.

Question 1: What was hacked now? Account of Raidboxes or Cloudflare?
Question 2: Which passwords do I have to change? Email, Hoster, Raidboxes and Cloudflare, or just EVERYTHING?
Question 3: Can our website “decentralbox.com” also be hacked, only we don’t know it yet?

Thank you very much for your attention and help!

I changed the nameserver… set it to standard.

But I don’t understand it. Other domains of mine also point to Cloudflare. Only one domain redirects to this torrent page.

By registrar you mean Raidboxes, or? That is where my domains are.

Raidboxes says that the problem is with Cloudflare!

Just remove decentralbox.com.

Check the audit logs of your dashboard to see if there were any changes to one of your domains.

Your domain registrar is the company where you registered the domain name. That may or may not be the same as your hosting company.

This is the offending name server that needs to be removed - decentralbox.com

I don’t know if that will resolve the issue or not, you may have an incorrect IP address in the DNS tab of your Cloudflare dashboard. But, decentralbox.com as a name server is incorrect and needs to be removed.

If I remove decentralbox.com, is my website no longer accessible?

I have no idea what my agency has done here. Is this a mistake by my agency or was I hacked?

Where can you see it?

Do you say this because of this screenshot: https://imgur.com/a/XmIv9hp

I set the domain nameservers now to this: https://imgur.com/a/04yExSi

Is this correct now, and does it solve the problem?

@user382, it does not appear that you’ve successfully even added the zone to Cloudflare.

  • dezentralbox.org is pending and has completely incorrect name servers. You need to log in to your Cloudflare account for that .org domain, verify what name servers you should use, contact your registrar and have them update them to the ones you should use.
  • decentralbox.com is active, has the correct name servers and also has one incorrect one. You need to contact your registrar and have them remove the non-Cloudflare name server.

No, your site should not go down when you remove the name server, but it’s one less variable in troubleshooting the issue.

Regarding your other questions, if you think you’ve been hacked, change all your passwords (cf, host, registrar), (use a pw manager), rotate your api key, turn on 2fa, and scan all devices for malware.

First of all, thank you very much for your help!

1.) My agency set the nameservers to this: https://imgur.com/a/vbXgXXW
Is this incorrect?

2.) Can you mark for me what is not correct and causes the problem?

3.) What is the zone? Did my agency forget that? What happens when I don't add it?

  1. This looks good:
$ dig ns decentralbox.com +short
dorthy.ns.Cloudflare.com.
george.ns.Cloudflare.com.
  2. This domain has a non-cf name server (decentralbox.com) that should be removed. Seems if you remove the incorrect name server on dezentralbox.org and wherever else you have an extra one on any of your other domains, we’ll be at a point where we can figure out what issue we’re facing:
$ dig ns dezentralbox.org +short
decentralbox.com.
george.ns.Cloudflare.com.
dorthy.ns.Cloudflare.com.
  3. Finally, this domain (also called a zone) is not even on Cloudflare and that leaves it vulnerable to takeover as it has Cloudflare name servers (and a non-cf one). You need to add this zone to your account ASAP, verify the name server names, and give those two names to your registrar and have them update them.
$ dig ns dezentralbox.com +short
decentralbox.com.
dorthy.ns.Cloudflare.com.
george.ns.Cloudflare.com.

For background on why not to change your name servers before adding a site to Cloudflare, see item #4 on malicious hijacking in this #CommunityTip, https://community.Cloudflare.com/t/community-tip-best-practices-to-address-dns-hijacking/58584.
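As an added example (not code from the thread or from Cloudflare), a small Python audit that takes the `dig ns +short` answers quoted above and flags the two conditions the reply describes: a non-Cloudflare name server mixed into the delegation, and a zone delegated to Cloudflare without being in the account. The assigned name-server pair and the list of zones present in the account are assumptions taken from the thread.

```python
# Constructed input: the `dig ns <domain> +short` answers quoted in the thread
# (the forum's capitalisation of "Cloudflare" is kept as printed).
DIG_NS_SHORT = {
    "decentralbox.com": ["dorthy.ns.Cloudflare.com.", "george.ns.Cloudflare.com."],
    "dezentralbox.org": ["decentralbox.com.", "george.ns.Cloudflare.com.",
                         "dorthy.ns.Cloudflare.com."],
    "dezentralbox.com": ["decentralbox.com.", "dorthy.ns.Cloudflare.com.",
                         "george.ns.Cloudflare.com."],
}

# Assumption: the pair of name servers Cloudflare assigned to this account.
ASSIGNED_NS = {"dorthy.ns.cloudflare.com", "george.ns.cloudflare.com"}
# Assumption: zones present in the dashboard (active or pending). In the thread
# decentralbox.com is active, dezentralbox.org pending, dezentralbox.com absent.
ZONES_IN_ACCOUNT = {"decentralbox.com", "dezentralbox.org"}

CF_SUFFIX = ".ns.cloudflare.com"


def normalize(name: str) -> str:
    """DNS names are case-insensitive; also drop the trailing dot dig prints."""
    return name.strip().rstrip(".").lower()


def audit_domain(domain, ns_records, assigned=ASSIGNED_NS, zones=ZONES_IN_ACCOUNT):
    """Return (code, detail) findings; an empty list means the delegation holds
    exactly the assigned pair and the zone exists in the account."""
    ns = {normalize(n) for n in ns_records}
    findings = []
    for n in sorted(ns):
        if not n.endswith(CF_SUFFIX):
            findings.append(("FOREIGN_NS", f"{n}: not a Cloudflare name server, remove at registrar"))
        elif n not in assigned:
            findings.append(("UNEXPECTED_CF_NS", f"{n}: Cloudflare name server not assigned to this account"))
    for n in sorted(assigned - ns):
        findings.append(("MISSING_NS", f"{n}: assigned name server missing from delegation"))
    # Delegated to Cloudflare but no zone in the account: the takeover-prone state.
    if any(n.endswith(CF_SUFFIX) for n in ns) and normalize(domain) not in zones:
        findings.append(("DANGLING_ZONE", f"{domain}: on Cloudflare name servers but not a zone in the account; add it"))
    return findings


def audit_all(dig_answers=DIG_NS_SHORT):
    """Map each domain that has findings to its findings."""
    return {d: f for d, ns in dig_answers.items() if (f := audit_domain(d, ns))}


if __name__ == "__main__":
    for domain, findings in audit_all().items():
        for code, detail in findings:
            print(f"{domain:18} {code:16} {detail}")
```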

Huh?

Non-authoritative answer:
dezentralbox.org canonical name = decentralbox.com.
Name: decentralbox.com
Address: 104.28.5.118
Name: decentralbox.com
Address: 104.28.4.118
Name: decentralbox.com
Address: 2606:4700:30::681c:576
Name: decentralbox.com
Address: 2606:4700:30::681c:476

OK, thank you very much! I will forward this to my agency.

Many thanks for your help! really many thanks!

@user382, when you contact them, here is what I suspect happened:

  • I suspect you started to see issues about 20 days ago?
  • The name servers for dezentralbox.org were changed to Cloudflare george & dorthy 4 months ago, based on the security trails link below, but not added to a Cloudflare account. Does that timing make sense?
  • About 3 weeks ago, the name servers were changed, https://securitytrails.com/domain/dezentralbox.org/history/ns and that’s when the problems started?

@user382, I’d ask your agency to add dezentralbox.org to your Cloudflare account, verify the nameservers you’re assigned are george & dorthy, and then make sure those are the only two your registrar has for that domain.

I really appreciate your help. You’ve helped me very much. You are a great person. Really thanks!

I don’t know since when my domain has been linked to the torrent site. But I know that the name server was changed a few times.

I think my agency didn’t register it on Cloudflare. I guess the domain was hijacked.

I found this description:
https://support.cloudflare.com/hc/en-us/articles/360000977291-My-domain-has-been-hijacked-how-did-this-happen-

That means that I probably wasn’t hacked, but the mistake is that the domain wasn’t registered on Cloudflare, right?

I can undo this by simply adding the domain to Cloudflare, right?
