Somebody is using Cloudflare to point to my website

Hello,

I am not a Cloudflare user, but it looks like somebody with the domain name faidragtajut.tk is using Cloudflare to point to my website [edited], probably using a CNAME record.

Seeing the SSL certificate and DNS records lookup, that person is using Cloudflare.

https://viewdns.info/dnsrecord/?domain=faidragtajut.tk

Is there any way I can stop them? I already asked Cloudflare but still no answer at this time.

Is their traffic hitting your server? This is usually due to a server misconfiguration. Your web server should not serve your content if the request does not match your hostname.

Check with your host to make sure this is not the case.

Please start here: https://www.cloudflare.com/abuse/

Also: you can prevent that if you set the right security header. And you could also prevent that (if hosted on a server) by not mapping that other domain to your webspace, but maybe you just map with “wildcard”, which could make any domain pointing to your server “duplicate” your website.

So in fact the best way to prevent this is: make sure your server rejects all requests for unknown vhosts.

But as @sdayman just mentioned it also could be the fact that they hacked and cloned your website.

Already did.

Nope, this is really my website. I just posted the last article and it was immediately visible on the other domain.

How/where is your site hosted?

This is only possible because your environment does not deny it.
Please restrict access to your website to your domain.

Another possibility is: they mirror/proxy your domain. Why I think so: they have a different PHP header than you do. That could indicate that they (on every request to their domain) just call your domain and forward the response. And this way they are always up to date with the content.
If this is the case it would just help to tell Cloudflare to take them off (or at least expose their IP so you can take any further action on legal ways).

To really “fight” them you could include something like this:

window.onload = function(){
   try
   {
       if (window.parent && window.parent.location.hostname !== "www.voxcatch.fr"){
          throw new Error();
       }
   }
   catch (e){
      alert("Please visit www.voxcatch.fr for the real website!!! This is a dumped & insecure domain.");
      //You could do whatever you want here
   }
}

If they even replace strings in JS you can compare the hashes (like an md5 hash); if they don't match, redirect to your domain (which you paste in base64-encoded, and before you use it you decode it). This way they cannot replace this by string replacements.

3 Likes
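The base64 idea from the post above, written out as an added example (not code from the thread): the expected hostname is stored only in encoded form, so a mirror that rewrites the literal domain string in served JavaScript leaves the comparison value intact. The function names are hypothetical; the encoded constant is the thread's own hostname.

```javascript
// Base64 of the real hostname used in the thread. Only the encoded form
// appears in the script, so a plain search-and-replace of the domain
// performed by a mirroring proxy does not alter it.
const CANONICAL_HOST_B64 = "d3d3LnZveGNhdGNoLmZy";

// Decode at run time, immediately before use.
function canonicalHost() {
  return atob(CANONICAL_HOST_B64);
}

// Returns null when the page is served from the real host, otherwise the
// URL on the real host that corresponds to the page being viewed.
function redirectTarget(loc) {
  const expected = canonicalHost();
  if (loc.hostname.toLowerCase() === expected) {
    return null;
  }
  // Keep path, query and fragment so the visitor lands on the same article.
  return "https://" + expected + loc.pathname + loc.search + loc.hash;
}

// Sends the visitor to the real site when the hostname does not match.
// replace() keeps the mirror's URL out of the back-button history.
function enforceCanonicalHost(win) {
  const target = redirectTarget(win.location);
  if (target !== null) {
    win.location.replace(target);
  }
  return target;
}

// Run only in a browser; nothing happens when loaded outside one.
if (typeof window !== "undefined") {
  enforceCanonicalHost(window);
}
```

A mirror that strips or rewrites script tags entirely still defeats this, so it complements server-side blocking rather than replacing it.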

Another option is to call THEIR domain 1000 times and check the log for the IP calling this. This will be their server, then block it. As I think they call your site with a PHP script and deliver it (after strings/domains have been replaced) with their domain.

Also a JS script that immediately redirects if the domain does not match yours would be very effective as they could not debug this very well.

There are a bunch of options.

Even better would be if you would set this domain (you compare against) dynamically to your WP_SITEURL.

Another option (yes again) is: they cloned your system and your DB is publicly accessible. So they just have to set up the WordPress installation again and it connects to your DB (and therefore to your new content also), but I think that's not the case. You could test this if you just create a new .txt in the root folder and call it from their domain. If it works they are proxying. If not, they have cloned your website.

1 Like
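The two log-based checks suggested above (request something through the other domain, then look for the fetching IP in your own access log) combine into one step if the test file has a unique name. An added example, not code from the thread: it assumes Apache combined log format, and the canary file name, the IP addresses and the log lines are constructed.

```javascript
// Combined log format: ip ident user [time] "METHOD path proto" status bytes ...
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) /;

// Returns [{ ip, count }] for every client that fetched canaryPath,
// most frequent first, ignoring addresses you know are your own.
function findCanaryFetchers(logText, canaryPath, knownIps = []) {
  const hits = new Map();
  for (const line of logText.split("\n")) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue;                       // skip blank or malformed lines
    const ip = m[1];
    const path = m[2].split("?")[0];        // ignore any query string
    if (path !== canaryPath) continue;      // only the uniquely named file
    if (knownIps.includes(ip)) continue;    // your own direct test request
    hits.set(ip, (hits.get(ip) || 0) + 1);
  }
  return [...hits.entries()]
    .map(([ip, count]) => ({ ip, count }))
    .sort((a, b) => b.count - a.count);
}

// Constructed sample: the canary was fetched once directly from the
// owner's address and twice through the mirror's domain.
const SAMPLE_LOG = `
198.51.100.7 - - [21/Apr/2020:05:31:02 +0000] "GET /canary-7f3a91.txt HTTP/1.1" 200 12 "-" "curl/7.68.0"
192.0.2.10 - - [21/Apr/2020:05:31:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [21/Apr/2020:05:31:09 +0000] "GET /canary-7f3a91.txt HTTP/1.1" 200 12 "-" "Go-http-client/1.1"
203.0.113.50 - - [21/Apr/2020:05:31:14 +0000] "GET /canary-7f3a91.txt?x=1 HTTP/1.1" 200 12 "-" "Go-http-client/1.1"
`;

// The address left after excluding your own is the mirror's back end.
const SAMPLE_RESULT = findCanaryFetchers(SAMPLE_LOG, "/canary-7f3a91.txt", ["198.51.100.7"]);
```

Because nobody else knows the file name, any address that requests it other than your own is the server relaying the mirror's traffic, which is the one to block.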

Thanks for all your answers.

My website is hosted on a linux container and I use ISPConfig (easier for me as I have other websites on this container).

So I just tried this:

And it worked.

Then they are proxying your domain to their domain and replacing all the stuff.

Please try the JavaScript prevention. But include it like this:

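window.onload = function(){
   try {
       if (window.parent && window.parent.location.hostname !== "www.voxcatch.fr"){
          window.location = "https://www.voxcatch.fr";
       }
   }
   catch (e) {
       // Reading a cross-origin parent's location throws: treat it as a mismatch
       window.location = "https://www.voxcatch.fr";
   }
}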

Hope that helps, as all visitors of your page (on other domains than yours) are getting instantly redirected to your domain. Just include that JavaScript somewhere as custom JS and load it at the very beginning (but not inline in the DOM/HTML).

2 Likes

As they proxy they will also proxy dynamic content, so you could just redirect all traffic not coming from your domain with a clientside 301 to your domain like this:
(add this on top of your .htaccess)

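<IfModule mod_rewrite.c>
  RewriteEngine On
  # Redirect any request whose Host header is not exactly the real hostname (optional port allowed)
  RewriteCond %{HTTP_HOST} !^www\.voxcatch\.fr(:[0-9]+)?$ [NC]
  # In .htaccess the matched path has no leading slash, so add it back
  RewriteRule ^(.*)$ https://www.voxcatch.fr/$1 [R=301,L]
</IfModule>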

This could redirect all traffic to your page before they load the other page with a cacheable 301 redirect. This I think will work as they will also proxy your 301 redirect without checking it.

If you do both they will be redirected to your original domain as soon as possible, whether on request with a redirect or on JavaScript execution.

1 Like

Hello

Same problem here (Cloudflare Business).

I reported the problem ( On 21 Apr 05:31, [[email protected]]), but CF did not answer… I cannot recommend CF support at all…

The attacker used a reverse proxy. They get additional stealth with CloudFlare. Instructions: https://codeburst.io/go-phishing-making-the-proxy-sneakier-3814fd085fb3

and https://codeburst.io/phishing-with-a-reverse-proxy-23dd99557b5b

What CF should have done:

  1. CF should block them. They use CF for several domains. And it is not a coincidence that they use CF.
  2. It's not OK that CF is easily used to attack other sites. (https://codeburst.io/go-phishing-making-the-proxy-sneakier-3814fd085fb3)

What I did:

  1. I saw the referrer in Google Search Console.
  2. I looked for requesting IP in the access logs.
  3. I blocked the IP via .htaccess

These days, ~1 month later, the provider from the origin server or the webmaster deleted the domain. The domain was https://hywavetrou.tk/ and their IP was 5.61.57.17

kind regards
Dan

By referrer you mean “Links” under GSC. Am I right?
Will it work if I block that IP at CF?

Lots of free domains (.tk, .gq, .ga, .ml) exist on this IP.
https://networksdb.io/domains-on-ip/5.61.57.17
None of them works.
At first they will use the Cloudflare nameserver; later the domain will not resolve or will give a timeout error, then they change it to the Freenom nameserver.

But if you check the Google cached version of the .tk domain, it will show the fresh content of the real site’s homepage.
This reduced my visibility in SERP and caused a loss of organic traffic.
