Some users are redirected to malicious websites

What is the name of the domain?

example.com

What is the issue you’re encountering

Seems like DNS poisoning at some ISPs

What steps have you taken to resolve the issue?

I received some complaints from users coming from Portugal regarding a malicious redirection from a proxied domain I have with Cloudflare, free plan.
Domain is using kara and pete DNS redirection; when I turn off the proxy, users can see the domain with no issues. I already checked all SSL, HSTS, cache and of course my own server for any possible code injection, and nothing was found, so I’m 99% sure the issue is coming from Cloudflare. Right now, if I ping the domain I get 188.114.96.0, Cloudflare’s IP, but I think this IP changes from place to place, right? I can not see the redirection myself, have tried several VPNs and nothing, but users have sent me screenshots of fake Temu websites, fake virus-detection websites and even explicit website redirections. If the poisoning really occurred - and I’ve checked with some of them to clear cache and cookies, still didn’t help - what can I do on my side to revert this?

What feature, service or problem is this related to?

DNS records

What are the steps to reproduce the issue?

Can’t really tell, just some random ISPs redirecting the domain elsewhere.

Screenshot of the error

Just did a test, and created a new CNAME with a non-proxied redirection. All worked fine for those users. When I proxy it, all goes bad again. Checked firewall and page rules and nothing was there.

From time to time, it happens that (malicious) redirects are being created, when your Cloudflare account has been compromised.

I would therefore advise you to look through the following:

Log in to your Cloudflare account, change your password, and preferably also enable two-factor authentication (2FA).

Check the Audit Log page, to figure out who/what is making the changes:

https://dash.cloudflare.com/?to=/:account/audit-log

Check the “Members” page, to see if you’re letting others access your account:

https://dash.cloudflare.com/?to=/:account/members

Check the “API Tokens” page, to see if there are any tokens you don’t use or otherwise know about:

https://dash.cloudflare.com/?to=/profile/api-tokens

Check the “Redirect Rules” page, and delete the bad one(s) from there:

https://dash.cloudflare.com/?to=/:account/:zone/rules/redirect-rules

I also suggest going through the other kinds of Rules your zone may have, and checking for any potential malicious changes there as well.

There are more rule types available that can be used for such redirects.

When Cloudflare accounts have previously been compromised, there have sometimes been redirects that target very specific operating systems and/or browsers.

If you can collect such information from the users that are having issues, you can use that to run the problematic URL through the Cloudflare Trace utility, for more visibility about which exact Cloudflare Rules are being triggered.

https://dash.cloudflare.com/?to=/:account/:zone/rules/trace/search
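One way to do the “Redirect Rules” check above from a script rather than by clicking through the dashboard, as an added example that is not part of the thread and not Cloudflare’s own code: pull the zone’s redirect ruleset through the Rulesets API entrypoint for the `http_request_dynamic_redirect` phase and flag every enabled redirect whose target host you do not own, noting whether the rule keys on the User-Agent (the OS/browser-targeted pattern the reply describes). The sample payload, its rule ids and the `unknown-host.invalid` target are constructed for illustration; `fetch_redirect_ruleset` is a live call that needs a token permitted to read the zone’s rulesets, and the offline check uses the constructed sample instead.

```python
"""Audit a zone's redirect rules for destinations outside the hosts you own.

Added example, not from the thread and not Cloudflare's code. It assumes the
response shape of the Rulesets API entrypoint for the
http_request_dynamic_redirect phase; the sample payload, rule ids and the
target host in it are constructed for illustration.
"""
import json
import urllib.request
from urllib.parse import urlparse

API = "https://api.cloudflare.com/client/v4"


def fetch_redirect_ruleset(zone_id, api_token):
    """Download the zone's redirect-rules entrypoint ruleset (live call; the
    token must be allowed to read the zone's rulesets). Returns raw JSON text."""
    url = f"{API}/zones/{zone_id}/rulesets/phases/http_request_dynamic_redirect/entrypoint"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


# Constructed sample in the entrypoint-ruleset shape. The first rule is an
# ordinary owner-made redirect; the second is the kind seen after account
# takeovers: it fires only for one browser/OS combination and sends those
# visitors to a host the owner does not control.
SAMPLE_RULESET = json.dumps({"result": {
    "id": "ruleset-id-placeholder",
    "phase": "http_request_dynamic_redirect",
    "rules": [
        {"id": "rule-a-placeholder", "action": "redirect", "enabled": True,
         "expression": '(http.request.uri.path eq "/old-blog")',
         "action_parameters": {"from_value": {
             "status_code": 301, "preserve_query_string": False,
             "target_url": {"value": "https://example.com/blog"}}}},
        {"id": "rule-b-placeholder", "action": "redirect", "enabled": True,
         "expression": '(http.user_agent contains "Windows" and http.user_agent contains "Chrome")',
         "action_parameters": {"from_value": {
             "status_code": 302, "preserve_query_string": False,
             "target_url": {"value": "https://unknown-host.invalid/landing"}}}},
    ]}})


def host_is_owned(host, owned_hosts):
    """True if host is one of owned_hosts or a subdomain of one."""
    return host in owned_hosts or any(host.endswith("." + h) for h in owned_hosts)


def audit_redirect_rules(ruleset_json, owned_hosts):
    """Return one finding per enabled redirect rule that either points at a host
    outside owned_hosts or builds its target from an expression (which cannot be
    checked statically). Each finding also records whether the rule keys on the
    User-Agent, the OS/browser-targeted pattern described in the thread."""
    rules = json.loads(ruleset_json)["result"].get("rules", [])
    findings = []
    for rule in rules:
        if rule.get("action") != "redirect" or not rule.get("enabled", True):
            continue
        target = rule.get("action_parameters", {}).get("from_value", {}).get("target_url", {})
        expression = rule.get("expression", "")
        finding = {"id": rule.get("id"), "expression": expression,
                   "ua_targeted": "http.user_agent" in expression}
        if "value" not in target:
            finding["reason"] = "target built from an expression; review by hand"
            findings.append(finding)
            continue
        host = urlparse(target["value"]).hostname or ""
        if not host_is_owned(host, owned_hosts):
            finding.update(reason=f"redirects to unowned host {host}", target=target["value"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_redirect_ruleset(...) for a live zone.
    for f in audit_redirect_rules(SAMPLE_RULESET, {"example.com"}):
        print(f"{f['id']}: {f['reason']} (user-agent conditioned: {f['ua_targeted']})")
```

Anything this reports should be cross-checked against the Audit Log entry that created it, since the rule id and the actor who added it are what tell you whether the account itself was used. The other rule phases the reply mentions live under their own entrypoint paths and are not covered by this one call.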

Thanks for your time checking all this; like you, I did all those checks before posting the issue. Gave it another try and again, see nothing. I can also almost confirm that my account hasn’t been hacked, although I can’t see older login changes. I’ve created a demo CNAME for the domain without proxy and asked one of the affected users, and he said it was working fine.

So all I’m left with is the chance of my domain somehow being poisoned in Cloudflare’s resolver cache, if that’s even possible. I can’t get a hold of official support because I’m on a free plan :frowning:

The other strong possibility is that your origin has malware. If a different site is being shown (without the associated DNS lookup), the most likely answer is that the lookup was correct and there’s an issue in the HTTP stream.
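A way to test this reply’s hypothesis (redirect injected in the HTTP stream at the origin) against the earlier reply’s one (a browser/OS-targeted rule on the proxied path), as an added example that is not part of the thread and not Cloudflare’s code: request the same path without following redirects, once through the proxied hostname and once straight at the origin IP while still presenting the domain as SNI and Host, with a few User-Agents, and compare where the answers diverge. `ORIGIN_IP` is a placeholder you fill in, the User-Agent strings are abbreviated, and the probe results in `SAMPLE_PROBES` are constructed so the comparison logic can be exercised offline.

```python
"""Tell an origin-side injection apart from something added on the proxied path.

Added example, not code from the thread or from Cloudflare. It fetches the same
URL without following redirects, once through the proxied hostname and once
straight at the origin IP (ORIGIN_IP is a placeholder you fill in), with a few
User-Agents, and reports where the answers diverge. The probe results used in
the offline check at the bottom are constructed.
"""
import socket
import ssl
from collections import defaultdict
from urllib.parse import urlparse

DOMAIN = "example.com"
ORIGIN_IP = "192.0.2.10"  # placeholder: your origin's address (TEST-NET-1 here)

USER_AGENTS = {  # abbreviated strings; real ones are longer
    "windows-chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "android-chrome": "Mozilla/5.0 (Linux; Android 13) Chrome/120.0 Mobile",
    "curl": "curl/8.0",
}


def parse_response_head(raw):
    """Parse the status line and headers from the start of an HTTP/1.1 response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def raw_get(domain, path, user_agent, connect_ip=None, timeout=10):
    """One GET over TLS, no redirect following. connect_ip reaches the origin
    directly while still presenting the domain as SNI and Host header, so the
    origin serves the same virtual host it serves behind the proxy."""
    ctx = ssl.create_default_context()
    request = (f"GET {path} HTTP/1.1\r\nHost: {domain}\r\nUser-Agent: {user_agent}\r\n"
               "Accept: text/html\r\nConnection: close\r\n\r\n").encode()
    raw = b""
    with socket.create_connection((connect_ip or domain, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            tls.sendall(request)
            while b"\r\n\r\n" not in raw:  # read until the header block is complete
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return parse_response_head(raw)


def diff_probes(probes, domain):
    """probes: (route, ua_label, status, location_or_None). Returns the routes
    whose answer depends on the User-Agent, and every redirect that leaves the
    domain. A redirect seen on the 'origin' route is the origin's own doing;
    one seen only on the 'proxied' route was added somewhere on that path."""
    answers = defaultdict(set)
    offsite = []
    for route, ua_label, status, location in probes:
        answers[route].add((status, location))
        if location:
            host = urlparse(location).hostname or ""
            if host != domain and not host.endswith("." + domain):
                offsite.append((route, ua_label, location))
    divergent = sorted(route for route, seen in answers.items() if len(seen) > 1)
    return divergent, offsite


def run_probes(domain, origin_ip, path="/"):
    """Live probes: every User-Agent over both routes (network access required)."""
    probes = []
    for label, ua in USER_AGENTS.items():
        for route, ip in (("proxied", None), ("origin", origin_ip)):
            status, headers = raw_get(domain, path, ua, connect_ip=ip)
            probes.append((route, label, status, headers.get("location")))
    return probes


# Constructed results: the origin answers everyone the same way, while the
# proxied route sends one browser family off-site and curl to www (same site).
SAMPLE_PROBES = [
    ("origin", "windows-chrome", 200, None),
    ("origin", "android-chrome", 200, None),
    ("origin", "curl", 200, None),
    ("proxied", "windows-chrome", 302, "https://unknown-host.invalid/"),
    ("proxied", "android-chrome", 200, None),
    ("proxied", "curl", 301, "https://www.example.com/"),
]

if __name__ == "__main__":
    print(diff_probes(SAMPLE_PROBES, DOMAIN))  # offline check of the logic
    # print(diff_probes(run_probes(DOMAIN, ORIGIN_IP), DOMAIN))  # live run
```

Two caveats for a real run: the origin route only works if the origin accepts connections that do not come from the proxy (many setups block everything else), and since only visitors from Portugal reported the problem, a redirect conditioned on client geography or Accept-Language will look clean from another vantage point, so the headers and User-Agent from an affected user’s browser are worth reproducing exactly.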

Might also be that. It’s weird that a bunch of visitors had the same issue at the same time and every website works for them, but not mine.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.