What is the name of the domain?
ankoraa.shop
What is the issue you’re encountering?
Suspicious script injection (j.src='/eryh/') only when Cloudflare proxy is enabled
What steps have you taken to resolve the issue?
I’m experiencing an issue where my website (ankoraa.shop) is serving suspicious JavaScript code that includes j.src='/eryh/' only when Cloudflare’s proxy (orange cloud) is enabled on my DNS records.
Details:
The suspicious code does not appear when accessing my origin server directly via IP or when DNS is set to DNS-only (gray cloud).
I have disabled all Cloudflare Apps, Workers, Rocket Loader, Auto Minify, Mirage, and cleared cache, but the code injection persists.
This behavior strongly suggests the injection happens inside Cloudflare’s proxy layer.
I have reviewed my Cloudflare account for unauthorized Workers and apps but see nothing unusual.
I am concerned this may be a rogue worker, app, or compromised edge cache.
Please assist in investigating and resolving this as it impacts the integrity of my website.
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full (strict)
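
The origin-versus-proxy comparison described in the post can be made repeatable by diffing the `<script>` elements of the two response bodies. The following is an added example, not part of the original post: the function names are hypothetical, and both HTML bodies are constructed samples in which only the `j.src='/eryh/'` fragment is taken from the post.

```python
from html.parser import HTMLParser
import hashlib


class ScriptCollector(HTMLParser):
    """Collect each <script> element as (src attribute, whitespace-normalised body)."""

    def __init__(self):
        super().__init__()
        self.scripts, self._open, self._src, self._buf = [], False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._open:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._open:
            self.scripts.append((self._src, " ".join("".join(self._buf).split())))
            self._open = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def scripts_added_in_transit(origin_html, proxied_html):
    """Scripts in the proxied body that the origin body does not contain."""
    origin = set(collect_scripts(origin_html))
    return [
        {"src": src, "sha256": hashlib.sha256(body.encode()).hexdigest(), "body": body}
        for src, body in collect_scripts(proxied_html)
        if (src, body) not in origin
    ]


# Constructed sample bodies; only the j.src='/eryh/' fragment comes from the post.
ORIGIN_HTML = '<html><head><script src="/static/app.js"></script></head><body><h1>Shop</h1></body></html>'
PROXIED_HTML = ORIGIN_HTML.replace(
    "</body>",
    "<script>var j=document.createElement('script');j.src='/eryh/';</script></body>",
)

if __name__ == "__main__":
    for hit in scripts_added_in_transit(ORIGIN_HTML, PROXIED_HTML):
        print(hit["src"], hit["sha256"][:16], hit["body"][:80])
```

In practice the two inputs would be the body fetched directly from the origin and the body fetched through the proxy for the same URL. The recorded hash and body give a stable reference to attach to a support ticket.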