Windows User-Agent requests for domain names are hijacked to other websites

Answer these questions to help the Community help you with Security questions.

What is the domain name?
lxns,org

Have you searched for an answer?
Yes

Please share your search results url:
No result

Describe the issue you are having:
At first I found that my domain was hijacked (visits were redirected to phishing sites), so I checked whether the server had been attacked, but there was no trace of any attack. Next, I suspected that Cloudflare's access to the source server was being hijacked, but that was not the reason. After I turned on Under Attack Mode and set the firewall rules (all blocked), requests carrying a Windows User-Agent are still automatically 301-redirected to the phishing site, while requests not carrying one return the results normally.
Then I set up a firewall and blocked all requests, but the problem still persists, and it didn’t log any requests that contain a Windows User-Agent.

What error message or number are you receiving?
When I turned on firewall in Cloudflare:

  1. UA didn’t contain Windows: 1020 error
  2. UA contains Windows (no log in firewall): 301 redirect to harmful URL

What steps have you taken to resolve the issue?

  1. At first I thought that Cloudflare was being hijacked when requesting the source server, so I changed the SSL/TLS encryption mode to Full (strict), but the issue still exists

  2. Then I turned on Under Attack Mode, and requests without a Windows User-Agent displayed authentication normally

  3. Then I set my Cloudflare firewall rules to deny all requests, but the issue still exists

Was the site working with SSL prior to adding it to Cloudflare?
Yes, used cert by Let’s Encrypt.

What are the steps to reproduce the error:

  1. Check my vultr server stats (is it being attacked? No)
  2. Set SSL/TLS encryption mode to Full (strict)
  3. Set Cloudflare Firewall: Deny ALL
  4. Go to Liberate the Hostname
    The issue still exists.

Have you tried from another browser and/or incognito mode?
Yes, I tried with curl and Chrome on my macOS computer and Windows Server.

Please attach a screenshot of the error:

Can you post screenshots from

And https://dash.cloudflare.com/?to=/:account/:zone/workers

All right, should not be Workers. You said you tried

already, right? Did you run this also on the naked domain?

yes, but still not working

Can you also post screenshots of

Can you edit the 404 entry and post a screenshot?

Oh, it should be the cause of this, thank you!

Absolutely, you can go through https://dash.cloudflare.com/?to=/:account/audit-log to verify when that was set up and by whom.

Maybe reset the password and access credentials.
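
The check the original poster ran by hand (same URL, different User-Agent, compare the answers) can be scripted as below. This is an added example, not code from anyone in the thread; `site.example` and `phish.example` are placeholder hosts, and the User-Agent strings and sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

# Constructed User-Agent strings; one Windows, two non-Windows.
USER_AGENTS = {
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "macos": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
    "curl": "curl/8.4.0",
}

def probe(url, user_agent, timeout=10):
    """Send one GET without following redirects; return status and Location."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        return {"status": resp.status, "location": resp.getheader("Location")}
    finally:
        conn.close()

def find_ua_dependent_redirects(url, results):
    """Return {label: Location} for User-Agents redirected to another host."""
    own_host = urlsplit(url).hostname
    off_host = {}
    for label, r in results.items():
        if r["status"] in (301, 302, 303, 307, 308) and r["location"]:
            target = urlsplit(r["location"]).hostname  # None for relative URLs
            if target and target != own_host:
                off_host[label] = r["location"]
    # Every User-Agent sent to the same place is an ordinary site-wide redirect.
    if len(off_host) == len(results) and len(set(off_host.values())) == 1:
        return {}
    return off_host

# Constructed responses mirroring the thread: the 1020 block page is served
# with HTTP 403, while the Windows User-Agent gets a 301 to another host.
SAMPLE = {
    "windows": {"status": 301, "location": "https://phish.example/landing"},
    "macos": {"status": 403, "location": None},
    "curl": {"status": 403, "location": None},
}

if __name__ == "__main__":
    # Live use: results = {k: probe(url, ua) for k, ua in USER_AGENTS.items()}
    print(find_ua_dependent_redirects("https://site.example/", SAMPLE))
```

Run against your own zone on a schedule, a non-empty result is a signal to review redirect-type rules and the audit log mentioned above.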
