My domain is pointing to another domain - what's going on?

strange… when I open my website https://sitelift.co/

its’ redirected to this URL

https://stickmapworldpossible.live/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main9

The IP of my server is 178.62.90.241

But DNS Checker is telling me the A record is pointing to a different IP address… but the IP address of the A record in Cloudflare is the correct IP of my server. I don’t recognise the URL that my site is pointing to at all.

Why is this? Maybe my site got hacked?

This is getting done by the service which responds. Probably your origin server.
The URL itself returns a HTTP Status Code 200 and works fine.

Have a look at:
view-source:https://sitelift.co/
(copy this into chrome and call the whole link)

Then you will see the respons source like this:

<html> 
  <head>
    <META http-equiv="refresh" content="1;URL=https://stickmapworldpossible.live/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main9">
   <script>
   window.location = "https://stickmapworldpossible.live/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main9";
   </script>
  </head> 
  <body>
  To the new location please <a href="https://stickmapworldpossible.live/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main9"><b>click here.</b></a>
  </body> 
</html>

So the respons itself initiates the Browser to redirect to https://stickmapworldpossible.live/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main9

Without knowing anything more about your setup I can not help further. But the way this is implemented and judging based on what it does and what I have lately seen this probably was a hack of your Application, or even the server. (the whole server is unlikely)

Please never post your IP publicly. That’s not good, but actually it anyway is not getting proxied (:orange:) but you use Cloudflare as DNS Only (:grey:). So all the free features Cloudflare offers you are not profiting from. Not even the one for security, you actually have turned everything on Cloudflare off and just use the DNS

Thats not true for me.
https://dnschecker.org/#A/sitelift.co
It exactly provides the very same IP adress as you stated:

But once you will turn on proxy :orange: it ofc again shows CloudFlares IP adresses as it gets proxied.

It is not pointing to something wrong. It responds with a valid 200 code and an JS based redirect, redirects to this “not wished” URL.

I would say yes.
May I assume you have used Wordpress??

1 Like

I can confirm that the certificate provided by the server is actually your domain, so I agree with @M4rt1n’s theory that your site has been hacked.

1 Like