Many Websites using CF DNS Getting Redirected to 3rd Party Website

Hi CF Community,

Recently we have been experiencing a weird error: multiple domains in our account using the Cloudflare proxy are getting redirected to this website: https://genesis-celestia.ltd/

IPs and everything else are unchanged and showing exactly as they should.

Turning off the proxy by greying out the Cloudflare cloud fixes the issue. Has anyone else experienced the same? Currently using the paul and ruth NS of Cloudflare.

CF Admins, kindly look into this matter ASAP.

Hi,

It sounds like your Cloudflare account has been compromised. Change your password and enable 2FA, and follow other steps in the following guide:

Then review your Audit Log to find any Page or Redirect Rules or other settings that may be causing this redirect, and delete/adjust them.

4 Likes

Thank you so much. It seems the account was compromised, as someone from another country logged in and set the following ruleset, which caused the redirect.

{
  "description": "",
  "id": "c1d565b1f7e94bd69f55910ab9ba66f4",
  "kind": "zone",
  "last_updated": "2023-09-28T08:40:54.6925Z",
  "name": "default",
  "phase": "http_request_dynamic_redirect",
  "rules": [
    {
      "action": "redirect",
      "action_parameters": {
        "from_value": {
          "preserve_query_string": false,
          "status_code": 301,
          "target_url": {
            "value": "https://genesis-celestia.ltd/"
          }
        }
      },
      "description": "vz",
      "enabled": true,
      "expression": "true",
      "id": "a5c10690f7d24c3ab6624fac9566f8b6",
      "last_updated": "2023-09-28T08:40:54.6925Z",
      "ref": "a5c10690f7d24c3ab6624fac9566f8b6",
      "version": "1"
    }
  ],
  "version": "1"
}

Now cleaning all those. Thanks again!

2 Likes
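The advice above (review the Audit Log and rulesets for redirect rules you did not create) can be done offline against a ruleset export. The following Python script is an added example, not code from this thread or from Cloudflare: it takes a ruleset JSON document of the shape posted above and flags redirect rules that match every request (`expression` is `true`) or send visitors to a host outside the zone. The first sample input is the ruleset posted in this thread; the second ruleset, the `example.com` zone name and the `constructed-benign-rule-id` value are constructed for the example.

```python
"""Triage helper: flag suspicious redirect rules in a Cloudflare ruleset export.

Added example for this thread (not Cloudflare's code). It works on the JSON
document only; fetching the ruleset from the API is left to the reader.
"""
import json
from urllib.parse import urlparse

# Ruleset JSON as posted in the thread, used here as sample input.
POSTED_RULESET = """{
  "description": "",
  "id": "c1d565b1f7e94bd69f55910ab9ba66f4",
  "kind": "zone",
  "last_updated": "2023-09-28T08:40:54.6925Z",
  "name": "default",
  "phase": "http_request_dynamic_redirect",
  "rules": [
    {
      "action": "redirect",
      "action_parameters": {
        "from_value": {
          "preserve_query_string": false,
          "status_code": 301,
          "target_url": {"value": "https://genesis-celestia.ltd/"}
        }
      },
      "description": "vz",
      "enabled": true,
      "expression": "true",
      "id": "a5c10690f7d24c3ab6624fac9566f8b6",
      "last_updated": "2023-09-28T08:40:54.6925Z",
      "ref": "a5c10690f7d24c3ab6624fac9566f8b6",
      "version": "1"
    }
  ],
  "version": "1"
}"""

# Constructed benign ruleset: a www-to-apex redirect scoped to one hostname.
BENIGN_RULESET = json.dumps({
    "phase": "http_request_dynamic_redirect",
    "rules": [{
        "action": "redirect",
        "action_parameters": {"from_value": {
            "status_code": 301,
            "preserve_query_string": True,
            "target_url": {"value": "https://example.com/"},
        }},
        "description": "www to apex (constructed)",
        "enabled": True,
        "expression": '(http.host eq "www.example.com")',
        "id": "constructed-benign-rule-id",
    }],
})


def redirect_target(rule):
    """Return the static target URL of a redirect rule, or None.

    Dynamic targets use an "expression" key instead of "value"; those
    return None and are flagged for manual review by the caller.
    """
    if rule.get("action") != "redirect":
        return None
    from_value = rule.get("action_parameters", {}).get("from_value", {})
    return from_value.get("target_url", {}).get("value")


def host_is_owned(host, owned_hosts):
    """True if host equals or is a subdomain of one of the zone's own hosts."""
    return any(host == h or host.endswith("." + h) for h in owned_hosts)


def suspicious_redirects(ruleset, owned_hosts):
    """Return findings for enabled redirect rules that are catch-all and/or
    point at a host the zone owner does not control."""
    findings = []
    for rule in ruleset.get("rules", []):
        if rule.get("action") != "redirect" or not rule.get("enabled", True):
            continue
        reasons = []
        if rule.get("expression", "").strip() == "true":
            reasons.append("matches every request (expression is 'true')")
        target = redirect_target(rule)
        if target is None:
            reasons.append("target is a dynamic expression, review manually")
        else:
            host = urlparse(target).hostname or ""
            if not host_is_owned(host, owned_hosts):
                reasons.append(f"redirects to external host {host}")
        if reasons:
            findings.append({
                "rule_id": rule.get("id"),
                "description": rule.get("description"),
                "last_updated": rule.get("last_updated"),
                "target": target,
                "reasons": reasons,
            })
    return findings


def scan(ruleset_json, owned_hosts):
    """Parse a ruleset JSON document and return the findings list."""
    return suspicious_redirects(json.loads(ruleset_json), owned_hosts)


if __name__ == "__main__":
    for name, doc in (("posted", POSTED_RULESET), ("benign", BENIGN_RULESET)):
        for f in scan(doc, ["example.com"]):
            print(name, f["rule_id"], f["last_updated"], f["target"], "; ".join(f["reasons"]))
```

The `last_updated` field in each finding is what you would cross-reference with the Audit Log login entries to see which session created the rule.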

I’m glad you quickly found the rule. Make sure to also review the security of the email account linked to your Cloudflare account, as often that is the origin of issues like this.

2 Likes

Sure, thanks a lot!

2 Likes

I have had 5 different clients, totaling something around 20 different websites, in the last 3 days that have also been affected with this exact same problem, with the same redirect to https://genesis-celestia.ltd/. It can’t be a coincidence that all their accounts have been ‘compromised’ at once.

All the audit logs were the same, logins from random countries creating the same redirect.

All were WordPress sites, all using some sort of caching plugin (W3 Total Cache, LiteSpeed and WP Rocket). Has something happened that has exposed Cloudflare API keys?

1 Like

There have been a few people with redirects recently, but probably not enough for a vulnerability in some of the most popular plugins.

Did these logins use an API key or account name + password to create the redirects?

Either way, I’d recommend activating 2FA for all accounts, checking your PC for malware and making sure that WordPress plugins and the webserver are kept updated.

2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.