I have never seen such thing in my life, I’m livid right now but I have no idea where this is coming from. The company which I work for has recently purchased a new domain as “REDACTED” and I have told them to set the name servers of domain to name servers that cloudflare gave me. Everything went fine and I have checked the name servers so they were exactly correct! We left everything for about 2 weeks and now I was going to register the zone for this domain in my cloudflare panel and cloudflare gave me a pre-defined IP address which made me wondering where is this coming from because this domain was not being used any where else…I clicked on the domain and a web page with porn content came up! Yeah! Imagine my feelings. So can please someone help me get this that where the hell is this coming from? I checked the audit-log and there was no record from earlier of creating this zone.
Hi @kiavash.rst, ugh, sorry you’re having an issue with this. The solution is to create another Cloudflare account, get two new name servers, and then change the name servers with your registrar.
What you’ve described is the result of changing your name servers to point to Cloudflare before adding the zone to Cloudflare.
Here is a great summary of what happened, Security in place to prevent Domain Hijacking.
Hey @cloonan , Thanks in advance for your reply! Just to make sure I completely understood the situation…the problem came from someone else who made multiple accounts to gain lots of pairs of name servers and then finds domains with the same set of name servers and creates zone for the domain to bring up their own website?
They don’t need to gets lots of combinations and hope they match the combination of a zone, as mentioned in the article, Cloudflare replies to DNS queries corresponding to the first account which adds the domain or the current active account’s until the registrar’s nameservers change.
In your case, I show the zone as active in what appears to be your account. If you did not add that zone to your account, that is a good indication your cloudflare account has been compromised. If you did not change the name servers with your registrar to the current settings, that’s a good indication you registrar account has been compromised. Finally, I don’t show any activity in your account that corresponds to the “left everything for about 2 weeks” time frame you mentioned.
OK, now I know what happened. I may have not explained the situation very well…
Actually if you see domain whois, the created-on date is 2019-02-04 which is around 10 days and not 2 weeks. We set the name servers on the domain right at this date and did nothing else since then, neither on the registrar nor on the cloudflare so your right, there has not been any activity since that time. About half an hour ago I started creating the zone on cloudflare and faced the content on this website on my own domain which made me to come here and ask. Right now the reason of this issue is clear & I have to remember create the zone right after registering the domain.
Thanks again for your help!