URGENT: Suspicious URL redirection occurring, ONLY via Cloudflare DNS proxy

I’ve got a very odd issue occurring. I’ll do my best to spell it out. I’ve been an I.T. consultant for nearly 35 years, so I have a lot of network / DNS / Server / etc. troubleshooting experience.

This is occurring on the computers of my client, who are in Melbourne, Australia. I am in New Zealand. The sites are hosted in Australia. Same thing happens on both sites.

  1. When he views either site (let’s say one of his domains is mydomain.com.au, for example) the request is redirected to https://mydomain.com.au/paidjob.co. I can see in the server logs that there is no hit on the server with that URL. And, obviously, WordPress isn’t involved either. So it doesn’t appear to be a redirection coming from the site or server stack.

  2. It happens on both computers at his location.

  3. It doesn’t happen for me (located in NZ).

  4. His browser gives him the ERR_TOO_MANY_REDIRECTS error. The server does not appear to be involved in those redirects. No indication of it in NGINX logs, Apache logs, or PHP logs. This had me thinking it must be happening on his computer or within his browser (due to one or the other having malware).

  5. After going through all troubleshooting steps I could think of (including scanning his computer for viruses), the only remaining thing I could think of that was the same for both his computers (other than his router, and ISP’s DNS servers) is that the Cloudflare proxy stands between them and the site. And it’s likely a different proxy from the one I am running through, when browsing from NZ. I imagine my requests go through Cloudflare via either Sydney or Auckland. I would expect his requests are going through the Melbourne data centre.

  6. When I disable the CF DNS proxy on each domain, and run through a routine to ensure his browser is now resolving the domains directly to the server IP address, the issue goes away.

  7. When I turn DNS proxy on again, and confirm his browser is resolving the domains to Cloudflare IPs, the issue returns.

  8. We ran through that routine twice, each time when CF is out of the picture, no issue. When CF proxy is involved, the issue occurs.

  9. When trying to access the site https://paidjob.co it happens to also be proxied through Cloudflare. Cloudflare shows the site server is down.

So I went to the Internet Archive for that domain. It has records starting on Dec 17th 2022, and no earlier. I’ve tested numerous snapshots, and each snapshot has a redirect on the URL, and the redirect goes to a page that tries to trick the user into installing a browser update, which I imagine is a virus payload.

Here’s the snapshot from Dec 17th, for example.

Here’s one from January 4th …

Redirects to …

If it wasn’t for the fact it goes away when CF proxy is disabled, I would have been putting my bets on his local computers being infected with a virus. Although, as mentioned, an Avast virus scan came up negative.

But as I can in effect turn the issue on and off with the CF proxy it has me scratching my head.

Is there any way Cloudflare can be dishing up a bad redirect from its proxy? A redirect that, as far as I can tell, has never existed on the server (at least not within WordPress, and not at the level of the server stack (Nginx, Apache, PHP)).

The site owner has confirmed this morning that domain1 which I disabled Cloudflare DNS proxy on yesterday, continues to now work without the nefarious redirect.

His other site, which I left the Cloudflare DNS proxy activated on, continues to do the redirect.

What this means is we’ll need to keep CF DNS proxy service disabled going forward. Which essentially defeats the purpose of using CF.

I’m hoping someone from CF support will help walk us through how this could be occurring.

This is happening to me, and only happens when I activate the proxy. Is there a solution?

Please visit the Audit Log in your Cloudflare Dashboard, pick the relevant zone, and check for records of any redirects that you did not create.

If you do find one (or several), remove them. Then reset your Cloudflare password and enable 2-factor authentication. This in all likelihood is a case of your username/password being compromised, either by a breach in a third-party service (in case you reuse the same password), malware on your computer or browser, or something similar.

If you do in fact find that there’s been a redirect rule (or page rule, transform rule etc.) added by an unauthorized agent, please let us know, as there have been several recent such cases and knowing the details might help with the ongoing investigation.

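One way to do the audit-log review described above as a script rather than by eye: an added example, not code from Cloudflare or from anyone in this thread. It assumes audit-log entries shaped like the objects in the "result" array of Cloudflare's audit log API (field names taken from the public docs; the sample entries, the admin allow-list and the office network range are constructed), and flags any entry that creates or edits something capable of issuing a redirect when the actor is not a known admin or acted from an unexpected IP.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample entries, shaped like Cloudflare audit-log "result" objects
# (field names assumed from the public API docs; all values are invented here).
SAMPLE_AUDIT_LOG = json.dumps([
    {"when": "2022-12-20T10:05:00Z", "action": {"type": "change"},
     "actor": {"email": "owner@example.com", "ip": "203.0.113.10"},
     "resource": {"type": "zone_setting", "id": "ssl"}, "newValue": "full"},
    {"when": "2023-01-03T09:12:44Z", "action": {"type": "add"},
     "actor": {"email": "contractor@example.com", "ip": "198.51.100.7"},
     "resource": {"type": "pagerule", "id": "pr-1"},
     "newValue": "{\"actions\":[{\"id\":\"forwarding_url\"}],\"targets\":[\"mydomain.com.au/*\"]}"},
    {"when": "2023-01-03T09:14:02Z", "action": {"type": "add"},
     "actor": {"email": "contractor@example.com", "ip": "198.51.100.7"},
     "resource": {"type": "ruleset", "id": "rs-1"},
     "newValue": "{\"phase\":\"http_request_dynamic_redirect\"}"},
])

KNOWN_ADMINS = {"owner@example.com", "consultant@example.com"}  # constructed allow-list
EXPECTED_NETS = [ip_network("203.0.113.0/24")]                   # constructed office range
REDIRECT_MARKERS = ("redirect", "forwarding_url")                # page rules, redirect rules

def is_redirect_change(entry: dict) -> bool:
    """True when the entry adds or edits something that can issue an HTTP redirect."""
    if entry.get("action", {}).get("type", "") not in ("add", "change", "edit"):
        return False
    resource_type = entry.get("resource", {}).get("type", "")
    haystack = (resource_type + " " + str(entry.get("newValue", ""))).lower()
    return any(marker in haystack for marker in REDIRECT_MARKERS)

def triage(log_json: str, known_admins: set, expected_nets: list) -> list:
    """Return redirect-affecting entries, each tagged with why it looks suspicious."""
    findings = []
    for entry in json.loads(log_json):
        if not is_redirect_change(entry):
            continue
        actor = entry.get("actor", {})
        reasons = []
        if actor.get("email") not in known_admins:
            reasons.append("actor not in admin allow-list")
        try:
            if not any(ip_address(actor["ip"]) in net for net in expected_nets):
                reasons.append("source IP outside expected networks")
        except (KeyError, ValueError):
            reasons.append("actor IP missing or unparsable")
        findings.append({"when": entry.get("when"), "actor": actor.get("email"),
                         "resource": entry.get("resource", {}).get("id"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LOG, KNOWN_ADMINS, EXPECTED_NETS):
        print(finding)
```

Feed it the JSON you export from the dashboard or API; any finding with a non-empty reasons list is a rule to remove and an account to reset before the proxy goes back on.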

You are correct.

I can see there’s an unknown user in the Members list.

I am managing this account for my client. I already have a single-use, totally random password, and 2FA enabled. I suspect it’s my client’s CF account that was hacked.

I don’t see any record in the logs of this new Member being created though. But perhaps that’s because I only have Admin access, and not Super Admin. I’ll find out once I log in as my client. Waiting to hear back from him.

The hacker username is: kle**@*****work.co

UPDATE: It turns out the account that made the changes was that of a developer my client gave Admin access to. So it would seem that developer’s account was hacked.

A WAF rule was created for both domains.

Shown in the rule editor:

There are a lot of other changes made from my client’s account (he never uses the account, so it wasn’t him doing these changes). However, I have been unable to determine what they do and where they would be accessible.

For example:

Here’s a full list of the toggle_WAF_set changes that were logged:

Here is a list of all the IP addresses this hacker used:


I’ve checked a number of the IPs and all those I checked originated in France. E.g.

Please let me know if you have any further thoughts or suggestions.


I’ve since figured out the list of rules created by my client’s account is something that automatically occurred when my client upgraded one of his zones to a paid account (which then makes “Managed rules” available).

So it appears the hacker only added a redirect to each of the zones on the account.
