Hello dear Community,
I have a problem with my domain. One of our domains seems to have been hacked.
The domain “dezentralbox.org” points to a torrent page. This is not our Site and we dont know why this happen.
Here is a screenshot of the site: Imgur: The magic of the Internet
We have 20+ domains. The Domains are located on on Raidboxes.de and are redirected with Claoudflare to our main side “decentralbox. com”.
I do not know unfortunately, how my old agency made that with the forwarding by Cloudflare. But they claim that they have NOTHING to do with it.
Also raidboxes says, that this is a problem on Cloudflare, because the domains point to the nameserver of Cloudflare.
But if I log in on Cloudflare, I do not see forwarding or an entry for the Domain “dezentralbox.org”
Here are some screenshots of Cloudflare:
1.) Imgur: The magic of the Internet
Only the domains that can be seen will redirect you to the main page.
One post is usually enough to start 
. Begin with removing the non-Cloudflare name server
$ dig ns dezentralbox.org +short
decentralbox.com.
dorthy.ns.Cloudflare.com.
george.ns.Cloudflare.com.
Hello, thanks for replying. So that I can explain the whole problem in detail, I wanted to insert more than 2 links. Unfortunately this was not possible.
That’s why I divided it up.
where should I remove it?
With your domain registrar. You should only have two Cloudflare nameservers, no others, no more.
At your registrar 
Hello dear Support,
I have a problem with my domain. One of our domains seems to have been hacked.
The domain “dezentralbox.org” points to a torrent page. This is not our Site and we dont know why this happen.
Here is a screenshot of the site: Imgur: The magic of the Internet
We have 20+ domains. The Domains are located on on Raidboxes.de and are redirected with Claoudflare to our main side “decentralbox.com”.
I do not know unfortunately, how my old agency made that with the forwarding by Cloudflare. But they claim that they have NOTHING to do with it.
Also raidboxes says, that this is a problem on Cloudflare, because the domains point to the nameserver of Cloudflare.
But if I log in on Cloudflare, I do not see forwarding or an entry for the Domain “dezentralbox.org”
Here are some screenshots of Cloudflare:
1.) Imgur: The magic of the Internet
Only the domains that can be seen will redirect you to the main page.
2.) Imgur: The magic of the Internet
When I search for the capped domain “dezentralbox.org” Cloudflare does not find an entry
3.) Imgur: The magic of the Internet
Also the audit log does not show up when I search for “dezentralbox.org”. The period is from 2018.
whoishostingthis.com spits out these details about the capped domain to me:
Imgur: The magic of the Internet
I have now set the name server on raidboxes to default for the capped domain, before it was this one:
These nameserver from Cloudflare are also active on other domains from me, but there was no such mess.
Question 1: What was hacked now? Account of Raidboxes or Cloudflare?
Question 2: Which passwords do I have to change? Email, Hoster, Raidboxes and Cloudflare, or just EVERYTHING?
Question 3: Can our website “decentralbox. com” also be hacked, only we don’t know it yet?
Thank you very much for your attention and help!
i changed the nameserver… set it to standart.
But I don’t understand it. other domains of mine also point to Cloudflare. only one domain redirects to this torrent page.
By registar you mean raidboxes or? there are my domains.
raidboxes says that the problem is with Cloudflare!
Just remove decentralbox.com.
Check the audit logs ob your dashboard if there were any changes to one of your domains.
Your domain registrar is the company where you registered the domain name. That may or may not be the same as your hosting company.
This is the offending name server that needs to be removed - decentralbox.com
I don’t know if that will resolve the issue or not, you may have an incorrect IP address in the DNS tab of your Cloudflare dashboard. But, decentralbox.com as a name server is incorrect and needs to be removed.
if I remove decentralbox.com, is my website no longer accessible?
I have no idea what my agency has done here. Is this a mistake by my agency or was I hacked?
where you can see it?
do you say this, because of this screenshot: Imgur: The magic of the Internet
i set the domain nameserver now on this: Imgur: The magic of the Internet
is this correct now and solve the problem?
@user382, it does not appear that you’ve successfully even added the zone to Cloudflare.
No, your site should not go down when you remove the name server, but it’s one less variable in troubleshooting the issue.
Regarding your other questions, if you think you’ve been hacked, change all your passwords (cf, host, registrar), (use a pw manager), rotate your api key, turn on 2fa, and scan all devices for malware.
first of all, Thank you very much for your help!
1.) My agency set the nameserver to this: Imgur: The magic of the Internet
is this incorrect?
2.) can you mark me, what is not correct and cause the problem?
3.) what is the zone? does my agency forgott that? what happen when i dont add it?
$ dig ns decentralbox.com +short
dorthy.ns.Cloudflare.com.
george.ns.Cloudflare.com.
decentralbox.com) that should be removed. Seems if you remove the incorrect name server on dezentralbox.org and where ever else you have an extra one on any of your other domains, we’ll be at a point where we can figure out what issue we’re facing:$ dig ns dezentralbox.org +short
decentralbox.com.
george.ns.Cloudflare.com.
dorthy.ns.Cloudflare.com.
$ dig ns dezentralbox.com +short
decentralbox.com.
dorthy.ns.Cloudflare.com.
george.ns.Cloudflare.com.
For background on why not to change your name servers before adding a site to Cloudflare, see item #4 on malicious hijacking in this #CommunityTip, Community Tip - Best Practices to Address DNS Hijacking.
Huh?
Non-authoritative answer:
dezentralbox.orgcanonical name = decentralbox.com.
Name:decentralbox.com
Address: 104.28.5.118
Name:decentralbox.com
Address: 104.28.4.118
Name:decentralbox.com
Address: 2606:4700:30::681c:576
Name:decentralbox.com
Address: 2606:4700:30::681c:476
ok thank you very much! i will forward this to my agency.
Many thanks for your help! really many thanks!
@user382, when you contact them, here is what I suspect happened:
@user382, I’d ask your agency to add dezentralbox.org to your Cloudflare account, verify the nameservers you’re assigned are george & dorthy, and then make sure those are the only two your registrar has for that domain.
I really appreciate your help. You’ve helped me very much. You are a great person. Really thanks!
i don’t know since when my domain is linked to the torrent site. But I know that the name server was changed few times ago.
I think my agency didn’t register it on Cloudflare. I guess the domain was hijacked.
I found this description:
https://support.cloudflare.com/hc/en-us/articles/360000977291-My-domain-has-been-hijacked-how-did-this-happen-
That means that I probably wasn’t hacked, but the mistake is that the domain wasn’t registered on Cloudflare, right?
I can undo this by simply adding the domain to Cloudflare, right?