This has been two times within three months that I have had to manually update all my DNS again. What is happening with Cloudflare? They are claiming to protect our website, but they are not able to protect their own server??
If someone has gained access to your Cloudflare account, I recommend that you follow these steps:
Can you share the name of the site in question and the URL to which your site is being redirected?
At the moment, all your DNS records are bypassing Cloudflare, so I suspect the redirect is on the origin server, but let’s start with the name of the domain?
How can this happen to my two different accounts, with two different emails and two different passwords? Actually, I am using two Cloudflare accounts, one for my business and one for my personal site, and both of them are having the same issue. Another one is /redacted/
And with 2FA enabled?
Can you share the name of a site in the other account that is being redirected?
The websites with the odd CNAME records are not proxied; whatever redirect is happening is not happening in Cloudflare.
Change your password, rotate your API tokens, and follow the suggestions in the links shared to Secure compromised account · Cloudflare Fundamentals docs.
And, +1 to the 2FA input from @sdayman!
I don’t remember the website name, but through the DNS records the websites were being redirected to 80.66.81.104. Somehow, two DNS A records were created, redirecting the website URL and www value to 80.66.81.104. I haven’t enabled 2FA. So are you sure this is the issue because my password had been compromised? What is it from Cloudflare? I have manually removed those DNS records. My client from the site Mystic Ink Nepal pointed out this issue.
I am unable to send you the website URLs, so I have posted this image. Please find the website URLs from this image.
No, I hadn’t enabled that.
You should secure the account and prevent further issues with record changes on your dash.
We have seen instances of page rules being added to compromised accounts. That does not seem to be the case here. In any event, the sites you shared all return an NXDOMAIN error and your DNS records are not proxied.
If records were added, you should remove those. If records were edited, you should edit them back to the previous values and proxy the records. At the moment, Cloudflare is not involved as the records are not proxied.
Because I have manually disabled the proxy and changed the DNS records to their original values.
If the values are back to the original values, what happens if you proxy those records? If the redirect happens when you proxy, you should look for redirects at the origin.
From the audit report, it says:
Date: 2024-03-18T20:32:56+05:45
User IP Address: 194.61.9.234
Resource: dns.record
Resource ID: c5d1566d2f92fb021040f91f32f05562
New Value: { "content": "80.66.81.104", "data": {}, "id": "c5d1566d2f92fb021040f91f32f05562", "name": "mysticinknepal.com", "proxied": true, "ttl": 1, "type": "A", "zone_id": "bf74add489d7103a27682e7bcac71fc8", "zone_name": "mysticinknepal.com" }
Interface: UI
Audit Record: b63611ea-e124-435a-9c51-f24aeb51fcc4
Metadata: { "zone_name": "mysticinknepal.com" }
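An added example, not part of the thread and not Cloudflare tooling: a Python check that reads an audit entry in the label/value layout quoted in the post above and flags DNS record changes made from an unrecognised IP, or that point an A/AAAA record at an address outside the zone's expected origins. The trusted networks, the expected-origin map and the sample entry are constructed assumptions.

```python
import ipaddress
import json

LABELS = ("Date", "User IP Address", "Resource ID", "Resource",
          "New Value", "Interface", "Audit Record", "Metadata")

def parse_entry(text):
    """Parse one entry in the label/value layout quoted in the thread."""
    entry, pending = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        label = next((k for k in LABELS if line.startswith(k + ":")), None)
        if pending:                       # value line after a bare "Label:"
            entry[pending], pending = line, None
        elif label:
            value = line[len(label) + 1:].strip()
            if value:                     # "Label: value" on one line
                entry[label] = value
            else:
                pending = label
    for key in ("New Value", "Metadata"):
        if key in entry:
            entry[key] = json.loads(entry[key])
    return entry

def review(entry, trusted_nets, expected_targets):
    """Return reasons this dns.record change needs investigating."""
    if entry.get("Resource") != "dns.record":
        return []
    reasons = []
    actor = ipaddress.ip_address(entry["User IP Address"])
    if not any(actor in ipaddress.ip_network(n) for n in trusted_nets):
        reasons.append(f"actor IP {actor} is not a known admin network")
    new = entry.get("New Value", {})
    allowed = expected_targets.get(new.get("zone_name"), set())
    if new.get("type") in ("A", "AAAA") and new.get("content") not in allowed:
        reasons.append(f"{new.get('name')} now resolves to {new.get('content')}")
    return reasons

# Constructed sample entry (documentation-range IPs), not data from the thread.
SAMPLE = """User IP Address:
203.0.113.50
Resource:
dns.record
New Value:
{ "content": "198.51.100.7", "name": "example.com", "type": "A", "zone_name": "example.com" }
"""

if __name__ == "__main__":
    print(review(parse_entry(SAMPLE), ["192.0.2.0/24"], {"example.com": {"192.0.2.10"}}))
```
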