Urgent: Malicious Script Injection Only on HTTPS (Cloudflare Issue?)

Hey everyone, I'm facing a serious issue with my website, and I need help identifying the cause.
- My website is https://americadelsurtours.com and it's behind Cloudflare.
- When accessing the site over HTTPS, a malicious script is injected into the page.
- The script attempts to fetch data from data-seed-prebsc-1-s1.bnbchain.org and runs obfuscated JavaScript.
- However, when accessing http://americadelsurtours.com (without HTTPS), the script does not appear.
- I have checked my Nginx configuration, SSL certificates, and server files (/var/www/html/index.html), and the script is not present on my server.
- Running curl -s -k https://americadelsurtours.com | grep -i "data-seed-prebsc-1-s1.bnbchain.org" confirms that the script is being injected only when using Cloudflare HTTPS.
This makes me suspect that either Cloudflare is compromised, or there is an unknown misconfiguration. Has anyone encountered this issue before? Any ideas on how to fully debug and fix this?
87 Replies
Idle
Idle•2d ago
blockchain 🤔 ah, that makes more sense
Laudian
Laudian•2d ago
Start by checking if the malicious code is also injected if you visit your site directly, without Cloudflare.
Idle
Idle•2d ago
have you tried using a different browser / disabling browser plugins? I've visited your site and couldn't find any script that made requests to the bnb chain
andrew_nyr
andrew_nyr•2d ago
yeah, I would check your website files and whatever it's hosted on.
ian
ianOP•23h ago
UPDATE: I removed Cloudflare by setting my A and CNAME records to DNS Only and installing Certbot to continue using HTTPS. Once I did that, the malicious CAPTCHA disappeared, so the problem was Cloudflare. I don't know how the attacker did this. Check the update. How do I check that? Sorry, I'm not a pro at using Cloudflare. I just use it because, at least for me, it's easier to set up HTTPS using their DNS. Because now my other website that also uses Cloudflare, https://incremental.store, has the same malicious CAPTCHA.
Laudian
Laudian•23h ago
Run a trace and see if anything is active for a normal request to your domain: https://dash.cloudflare.com/?to=/:account/trace
ian
ianOP•23h ago
Which HTTP Method?
Laudian
Laudian•23h ago
both?
ian
ianOP•23h ago
No description
Laudian
Laudian•23h ago
oh, that. get
ian
ianOP•23h ago
Okay
ian
ianOP•23h ago
No description
Laudian
Laudian•23h ago
yup, a worker
ian
ianOP•23h ago
That's for the https://incremental.store website that has the captcha thing rn
Laudian
Laudian•23h ago
First, add 2FA, then change your password, then change your API key, then delete any API tokens
ian
ianOP•23h ago
No description
Laudian
Laudian•23h ago
and then delete the worker
ian
ianOP•23h ago
I already have 2FA, that's weird. Yesterday I had to change my password, but I already have 2FA enabled... I'll add a new 2FA then.
Laudian
Laudian•23h ago
check your computer for malware Do you use Wordpress with the Cloudflare addon?
ian
ianOP•23h ago
No, I don't use Wordpress. I've been checking my server logs; there are a bunch of bots trying to exploit Wordpress stuff.
Laudian
Laudian•23h ago
Also, check that you don't have any members in your account
ian
ianOP•23h ago
162.158.38.54 - - [13/Mar/2025:05:41:16 +0000] "GET /wp-includes/pomo/autoload_classmap.php HTTP/1.1" 301 178 "-" "-"
162.158.38.54 - - [13/Mar/2025:05:41:16 +0000] "GET /wp-includes/pomo/autoload_classmap.php HTTP/1.1" 301 178 "-" "-"
Okay, I will also run the Windows Security thing to check for malware.
Laudian
Laudian•23h ago
Did you maybe fall for the scam captcha that is now running on your website and paste the code into your cmd? That's how these things spread like 99% of the time
ian
ianOP•23h ago
I didn't touch the captcha. I changed the 2FA again, and the password I changed yesterday.
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
I also changed the API keys and deleted the API tokens
Laudian
Laudian•23h ago
Did you check for any Members in your account?
ian
ianOP•23h ago
How do I check that? Sorry, I don't know that much about Cloudflare, as I said...
Laudian
Laudian•23h ago
No description
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
Only me
Laudian
Laudian•23h ago
And below that, account api tokens?
ian
ianOP•23h ago
That's the workers
No description
Laudian
Laudian•23h ago
below members look on my screenshot
ian
ianOP•23h ago
No description
Laudian
Laudian•23h ago
I'd also check your computer with malwarebytes
ian
ianOP•23h ago
I'm installing it rn. Also, how do I delete the worker?
Laudian
Laudian•23h ago
Click on the worker, go to settings and then at the bottom
ian
ianOP•23h ago
Should I first run the Malwarebytes scan and the Windows Defender scan, or doesn't it matter?
ian
ianOP•23h ago
No description
Laudian
Laudian•23h ago
I don't think the order matters^^
ian
ianOP•23h ago
I deleted the worker and now the captcha is gone. Thank you so much, Laudian.
Laudian
Laudian•23h ago
Can you check in the audit log when and how it was created? https://dash.cloudflare.com/?to=/:account/audit-log
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
That is so weird. I've been sick, so I didn't even log in to Cloudflare yesterday, not even this week. The attacker did all that without even logging into my account.
ian
ianOP•23h ago
The only active sessions are mine
No description
Laudian
Laudian•23h ago
Can you check if any custom hostnames have been added to your account? Account home -> select domain -> ssl/tls -> custom hostnames
ian
ianOP•23h ago
I'm from Peru btw
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
I checked all my domains, no custom hostnames.
Laudian
Laudian•23h ago
I'm still looking through the logs btw. There's a lot about rulesets updates. Can you check in the Rules section if you see anything? Also Security --> WAF -> Custom Rules and Managed Rules
ian
ianOP•23h ago
No rules added
No description
ian
ianOP•23h ago
No custom rules added
No description
Laudian
Laudian•23h ago
And in the tools section of WAF?
ian
ianOP•23h ago
I have old IP bans from my old game back in 2019
No description
Laudian
Laudian•23h ago
anyone except you using the computer?
ian
ianOP•23h ago
Only me. That's why it's so weird, because I was using 2FA with the Google Authenticator app.
Laudian
Laudian•23h ago
phone is up to date?
ian
ianOP•23h ago
This guy did that
No description
ian
ianOP•23h ago
Yes, I'm using the iPhone 15 with iOS 18.3.2. Also, the app is up to date. I'm not even sure how this guy did that.
Laudian
Laudian•23h ago
I've seen quite a few sites with these fake captchas in the last few days. With 2FA enabled, I think the most likely cause is malware on your pc, however it may have gotten there.
ian
ianOP•23h ago
The scan finished. No malware on my pc.
ian
ianOP•23h ago
No description
ian
ianOP•23h ago
No description
ian
ianOP•22h ago
That is so weird... There's probably a Cloudflare security breach they didn't notice yet.
Laudian
Laudian•22h ago
Nothing found doesn't mean there is nothing 😉
ian
ianOP•22h ago
Should I run the Windows Defender Complete Scan then?
Laudian
Laudian•22h ago
That's very very unlikely. In that case, you'd have a lot more sites infected, and also very large sites.
ian
ianOP•22h ago
Well, that's true. But then how did he get access to my Cloudflare account, create the worker and do all that stuff?
Laudian
Laudian•22h ago
They probably had access to your computer at one point.
ian
ianOP•22h ago
That's impossible
Laudian
Laudian•22h ago
Not physically, via malware.
ian
ianOP•22h ago
But I've been sick, I didn't use the computer for like 3 days. They sent me this message yesterday. I didn't click any malicious link or something, that's why I don't understand how they did this. I'm still sick, I have a fever rn lol. I'm using the pc now because I had to fix this issue.
Laudian
Laudian•22h ago
The routes were created march 10th, so it started 3 days ago. Might have gotten the access sooner than that.
ian
ianOP•22h ago
My fever started Sunday. Sunday was the 9th, so yeah, 3-4 days without getting on the pc.
Laudian
Laudian•22h ago
They could've gotten access weeks ago, copied the API key and only acted now.
ian
ianOP•22h ago
I have weekly Windows Defender scans. I don't have malicious reports, though.
Laudian
Laudian•22h ago
As @Leo said, it's quite common that the malware deletes itself after doing what it's supposed to do to avoid detection.
ian
ianOP•22h ago
Any ideas, guys, how can I prevent this in the future? I think I should start using a VM lol
database
database•5h ago
Maybe it's physical access to your computer. Some random guy who knows your Discord sending you a first message with that kind of info is something sketchy. I noticed 1 server in common in your screenshot. It's possible you shared a screenshot of your API token or something to that server that might've been misused. You need to censor the sensitive info when sharing a screenshot and manually destroy those tokens as an extra security act. Just go completely paranoid when it comes to this.