Domain redirects to unknown torrent page

Your domain registrar is the company where you registered the domain name. That may or may not be the same as your hosting company.

This is the offending name server that needs to be removed - decentralbox.com

I don’t know if that will resolve the issue or not; you may have an incorrect IP address in the DNS tab of your Cloudflare dashboard. But decentralbox.com as a name server is incorrect and needs to be removed.

If I remove decentralbox.com, is my website no longer accessible?

I have no idea what my agency has done here. Is this a mistake by my agency or was I hacked?

Where can you see it?

Do you say this because of this screenshot: https://imgur.com/a/XmIv9hp

I have now set the domain nameserver to this: https://imgur.com/a/04yExSi

Is this correct now, and does it solve the problem?

@user382, it does not appear that you’ve successfully even added the zone to Cloudflare.

  • dezentralbox.org is pending and has completely incorrect name servers. You need to log in to your Cloudflare account for that .org domain, verify what name servers you should use, contact your registrar and have them update them to the ones you should use.
  • decentralbox.com is active, has the correct name servers and also has one incorrect one. You need to contact your registrar and have them remove the non-Cloudflare name server.

No, your site should not go down when you remove the name server, but it’s one less variable in troubleshooting the issue.

Regarding your other questions, if you think you’ve been hacked, change all your passwords (cf, host, registrar), (use a pw manager), rotate your API key, turn on 2FA, and scan all devices for malware.

First of all, thank you very much for your help!

1.) My agency set the nameserver to this: https://imgur.com/a/vbXgXXW
Is this incorrect?

2.) Can you mark for me what is not correct and causes the problem?

3.) What is the zone? Did my agency forget that? What happens when I don’t add it?

  1. This looks good:
     $ dig ns decentralbox.com +short
     dorthy.ns.Cloudflare.com.
     george.ns.Cloudflare.com.
  2. This domain has a non-cf name server (decentralbox.com) that should be removed. Seems if you remove the incorrect name server on dezentralbox.org and wherever else you have an extra one on any of your other domains, we’ll be at a point where we can figure out what issue we’re facing:
     $ dig ns dezentralbox.org +short
     decentralbox.com.
     george.ns.Cloudflare.com.
     dorthy.ns.Cloudflare.com.
  3. Finally, this domain (also called a zone) is not even on Cloudflare and that leaves it vulnerable to takeover as it has Cloudflare name servers (and a non-cf one). You need to add this zone to your account ASAP, verify the name server names, and give those two names to your registrar and have them update them.
     $ dig ns dezentralbox.com +short
     decentralbox.com.
     dorthy.ns.Cloudflare.com.
     george.ns.Cloudflare.com.

For background on why not to change your name servers before adding a site to Cloudflare, see item #4 on malicious hijacking in this #CommunityTip, Community Tip - Best Practices to Address DNS Hijacking.

Huh?

Non-authoritative answer:
dezentralbox.org    canonical name = decentralbox.com.
Name:    decentralbox.com
Address: 104.28.5.118
Name:    decentralbox.com
Address: 104.28.4.118
Name:    decentralbox.com
Address: 2606:4700:30::681c:576
Name:    decentralbox.com
Address: 2606:4700:30::681c:476

OK, thank you very much! I will forward this to my agency.

Many thanks for your help! Really, many thanks!

@user382, when you contact them, here is what I suspect happened:

  • I suspect you started to see issues about 20 days ago?
  • The name servers for dezentralbox.org were changed to Cloudflare george & dorthy 4 months ago, based on the security trails link below, but not added to a Cloudflare account. Does that timing make sense?
  • About 3 weeks ago, the name servers were changed, https://securitytrails.com/domain/dezentralbox.org/history/ns and that’s when the problems started?

@user382, I’d ask your agency to add dezentralbox.org to your Cloudflare account, verify the nameservers you’re assigned are george & dorthy, and then make sure those are the only two your registrar has for that domain.
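
The check discussed in this thread (the delegation should contain the two assigned Cloudflare name servers and nothing else), as an added example that is not part of the original posts. The function names `norm`, `audit_ns`, `sample_com` and `sample_org` are hypothetical, and the sample input is copied from the `dig` output quoted earlier in the thread so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. All function names here are hypothetical.
# Live use: dig ns dezentralbox.org +short | audit_ns <assigned-1> <assigned-2>

# Normalise a list of name servers (one per line): lower-case, no trailing dot.
norm() {
    tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//; s/\.$//; /^$/d' | sort -u
}

# audit_ns ASSIGNED1 ASSIGNED2   (stdin: output of `dig ns DOMAIN +short`)
# Prints "EXTRA <ns>" for a delegated server that is not assigned and
# "MISSING <ns>" for an assigned server that is not delegated.
# Returns 0 only when the delegation is exactly the assigned pair.
audit_ns() {
    want=$(printf '%s\n' "$1" "$2" | norm)
    have=$(norm)
    rc=0
    for ns in $have; do
        printf '%s\n' "$want" | grep -qxF "$ns" || { echo "EXTRA $ns"; rc=1; }
    done
    for ns in $want; do
        printf '%s\n' "$have" | grep -qxF "$ns" || { echo "MISSING $ns"; rc=1; }
    done
    return $rc
}

# Sample input: the dig answers quoted in the thread for the .com and .org zones.
sample_com() { cat <<'EOF'
dorthy.ns.Cloudflare.com.
george.ns.Cloudflare.com.
EOF
}
sample_org() { cat <<'EOF'
decentralbox.com.
george.ns.Cloudflare.com.
dorthy.ns.Cloudflare.com.
EOF
}

# Demo over both samples; the assigned pair is the one named in the thread.
for s in sample_com sample_org; do
    if findings=$($s | audit_ns dorthy.ns.cloudflare.com george.ns.cloudflare.com); then
        echo "$s: only the assigned pair is delegated"
    else
        echo "$s: fix at the registrar ->" $findings
    fi
done
```

`dig` answers through a resolver cache, so a change made at the registrar may not show up until the old NS records' TTL has expired.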

I really appreciate your help. You’ve helped me very much. You are a great person. Really thanks!

I don’t know since when my domain is linked to the torrent site. But I know that the name server was changed few times ago.

I think my agency didn’t register it on Cloudflare. I guess the domain was hijacked.

I found this description:
https://support.cloudflare.com/hc/en-us/articles/360000977291-My-domain-has-been-hijacked-how-did-this-happen-

That means that I probably wasn’t hacked, but the mistake is that the domain wasn’t registered on Cloudflare, right?

I can undo this by simply adding the domain to Cloudflare, right?

Yes and no. Due to the agency error, someone is pointing your domain elsewhere.

Yes. But also verify name servers with your registrar.

Please post back and let us know how it turns out. There were/are bad actors doing things with your domain due to not configuring it properly, but nothing that you cannot reverse.

Hello @cloonan

My agency has now taken care of the problem. All my domains are now forwarded correctly.

My agency also thinks that nothing is faulty anymore and that everything is configured correctly.

Could I ask you to check that? It is only about the main entry of “decentralbox.com”?

This is my main domain, where also my mail server is configured. I am afraid that my agency may have overlooked something. You talked about the “zone” at that time, is it now active? Do you see anything else, something dangerous?

I would be thankful for a last help, so that I can close this chapter.

Greetings from Vienna!

Hi, yes, will do. I am en route at the moment and once back at desktop will give it all a once-over. (And, I like Vienna, but fell in love with Salzburg!)

+1, all looks really good.

I went to the .com, .net, .org, .eu sites, www and non-www, http and https. Each time, I landed successfully on your page on https://decentralbox.com/ meaning the page rules and DNS settings are working as anticipated. Name servers are set and it looks like you’re good to go.

Thank you very much @cloonan
Now we are calmed down and can finally continue with other more important things.

You’ve been a great help to us. Want to thank you again from the heart.

Have a nice evening! :)))))

Hi @cloonan,

Can you maybe help me quickly? I get this email:

Then I looked at raidboxes to see if the nameservers were actually changed. And yes, they were probably set to the default values by raidboxes.

I then changed them back to:

  1. dorthy.ns.Cloudflare.com
  2. george.ns.Cloudflare.com

But now I see the entry “Moved” on Cloudflare.

How do I get rid of this? I don’t have a button for “Recheck Nameservers”.

Many thanks in advance!

If the domain is no longer listed in your account, you’ll want to re add it. I’ll dig in and see why they changed, typically due to domain expiry. If that is not the case, you’ll probably want to make sure your registrar account is secure and that no one can change them on your behalf.

So I guess my registrar set the DNS to default because there were problems with me, they just reacted late.

The domains don’t expire until October, until then I renew everything.

I just wonder why the entry “Moved” is in Cloudflare, although the DNS settings fit now?

Moved indicates the name servers were changed. 7 days after we detect the change, we check again and if still moved, we delete from your account.

And if the DNS entry fits again (like now), should it be “Active” again after 7 days?