My website is getting redirected to another website and downloading virus

My website thelawbrigade[dot]com started redirecting to another website suddenly and everytime someone visit’s the website, it sends to the malware website and downloads virus files such as update.exe, google.scr etc.

I hired a security expert and he informed me that this is a Cloudflare Issue and many people are facing it. He simply changed the nameservers and got the domain to point to the original server (not to Cloudflare). After the nameserver update the website started working.

Today, I again tried to update the nameserver to point to Cloudflare. As soon as the nameserver got updated, the same issue started happening. I found no article/forum discussions etc.

Then I explored Couldfare settings and found that there was a single redirect rule that was added. I am attaching the screenshot of the same.

Now my question is, how did this happen? Can someone from Cloudflare tell me how someone got into my Cloudflare account and added this redirect?

Also, is there a way I can check all the activities/changes made to my Cloudflare account?

Now the website is working but I cannot use Cloudflare anymore.

The current running theory is someone got access to a list of user/password combinations. It has been escalated.

You can find audit logs here. Would you mind sharing some details on the log entry when you find it?

https://dash.cloudflare.com/?to=/:account/audit-log

2 Likes

Hi @matteo

Thank you for helping me find the audit log.

I am attaching the screenshot of the relevant entry. The issue cropped up on 19th January in the evening (Indian Time). I checked the log and saw that there was a rule created.

In addition, I’m attaching the entire log CSV for a 1-month period.

https://drive.google.com/file/d/1IrGSMkdCAWNNp0CnZmav_Hd12eK6RO2_/view?usp=sharing

One question, how can I find in the audit log if someone other than me logged in and when?

It tells you the IP of the user, if it doesn’t match yours then it’s not you.

1 Like

Exact same issue for me. not solved yet