My website is getting redirected to another website and downloading virus

My website thelawbrigade[dot]com started redirecting to another website suddenly, and every time someone visits the website, it is sent to the malware website and downloads virus files such as update.exe, google.scr etc.

I hired a security expert and he informed me that this is a Cloudflare Issue and many people are facing it. He simply changed the nameservers and got the domain to point to the original server (not to Cloudflare). After the nameserver update the website started working.

Today, I again tried to update the nameserver to point to Cloudflare. As soon as the nameserver got updated, the same issue started happening. I found no article/forum discussions etc.

Then I explored the Cloudflare settings and found that a single redirect rule had been added. I am attaching a screenshot of the same.

Now my question is, how did this happen? Can someone from Cloudflare tell me how someone got into my Cloudflare account and added this redirect?

Also, is there a way I can check all the activities/changes made to my Cloudflare account?

Now the website is working but I cannot use Cloudflare anymore.

The current running theory is someone got access to a list of user/password combinations. It has been escalated.

You can find audit logs here. Would you mind sharing some details on the log entry when you find it?

https://dash.cloudflare.com/?to=/:account/audit-log


Hi @matteo

Thank you for helping me find the audit log.

I am attaching the screenshot of the relevant entry. The issue cropped up on 19th January in the evening (Indian Time). I checked the log and saw that there was a rule created.

In addition, I’m attaching the entire log CSV for a 1-month period.

https://drive.google.com/file/d/1IrGSMkdCAWNNp0CnZmav_Hd12eK6RO2_/view?usp=sharing

One question: how can I find in the audit log whether someone other than me logged in, and when?

It tells you the IP of the user; if it doesn't match yours, then it's not you.

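The check described in the reply above (compare the actor IP on each audit-log entry with your own) is easy to do by hand for a handful of entries, but the thread also mentions exporting a month of logs as CSV. The following is an added example, not code from the thread or from Cloudflare: it parses a small, constructed audit-log export and flags every entry whose actor IP falls outside the networks you trust, separating the first unknown login from the rule changes that followed it. The column names in the sample and the trusted network 203.0.113.0/24 are assumptions for the example; match them to the headers of your own export before using it.

```python
import csv
import io
import ipaddress

# Constructed sample of an audit-log CSV export. The column names, timestamps
# and rows are assumptions made for this example, not a real export; check
# them against the headers of your own CSV.
SAMPLE_CSV = """when,actor_email,actor_ip,action,resource_type,resource_id
2023-01-18T09:12:44Z,owner@example.com,203.0.113.7,login,account,acct-1
2023-01-19T14:02:10Z,owner@example.com,198.51.100.23,login,account,acct-1
2023-01-19T14:03:31Z,owner@example.com,198.51.100.23,add,rulesets.rule,rule-7
2023-01-19T14:04:02Z,owner@example.com,198.51.100.23,edit,rulesets.rule,rule-7
2023-01-20T08:55:01Z,owner@example.com,203.0.113.7,login,account,acct-1
"""

# Actions that change account state; a login on its own is informational.
CHANGE_ACTIONS = {"add", "edit", "delete"}


def parse_audit_csv(text):
    """Parse an audit-log CSV export into a list of row dicts, oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: r["when"])  # ISO-8601 timestamps sort lexically
    return rows


def is_trusted(ip, trusted_networks):
    """True if the IP lies inside any of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_networks)


def review(rows, trusted_cidrs):
    """Flag every row whose actor IP is outside the trusted networks.

    Returns a list of (reason, row) tuples in chronological order. A change
    action from an unknown IP is the strongest signal; a login from an unknown
    IP is the entry that tells you when someone else first used the account.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for row in rows:
        if is_trusted(row["actor_ip"], nets):
            continue
        if row["action"] in CHANGE_ACTIONS:
            reason = "change from untrusted IP"
        elif row["action"] == "login":
            reason = "login from untrusted IP"
        else:
            reason = "activity from untrusted IP"
        findings.append((reason, row))
    return findings


def untrusted_ips(findings):
    """Distinct untrusted actor IPs, in order of first appearance."""
    seen = []
    for _, row in findings:
        if row["actor_ip"] not in seen:
            seen.append(row["actor_ip"])
    return seen


if __name__ == "__main__":
    rows = parse_audit_csv(SAMPLE_CSV)
    # 203.0.113.0/24 stands in for the account owner's own network (assumed).
    findings = review(rows, ["203.0.113.0/24"])
    for reason, row in findings:
        print(row["when"], row["actor_ip"], row["action"],
              row["resource_type"], row["resource_id"], "->", reason)
    print("untrusted IPs:", untrusted_ips(findings))
```

Run it against your real export by replacing SAMPLE_CSV with the file contents and the CIDR list with the addresses you actually log in from (home, office, VPN egress). The distinct untrusted IPs it reports are what to quote when you escalate, together with the timestamp of the first flagged login, which bounds when the credentials were first used by someone else.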

Exact same issue for me. Not solved yet.

You need to remove the unauthorized modifications after you first secure your account.

You should have also received an e-mail to the account e-mail address prompting you to check and secure your account.
