Visiting my website downloads a suspicious rar file

I haven’t touched my website in months and just decided to look at it today and a file immediately started downloading. This happens every time you visit my website. A website online says it’s a trojan… My website won’t load on my browser, it just starts downloading “Updaters.rar”. What’s going on? How do I get my website or how do I archive it?


Welcome!

You probably have some sort of malware on your site, because as soon as I open dev tools the download does not start (Which is really weird). The .rar file contains a .exe file, which is definitely suspicious.

I would delete everything in your htdocs folder and restore your site from backup.


@TheSheehan

What are you doing? Did you delete everything from htdocs?

I just visited your website and was served this zip file.


Please do something, or we will have to!

I assume that your PC is infected, or some program you are using,
maybe some packer with which you create exe files etc.
I don’t know if you are dealing with Java dev and whether your files are in a zip or not.

Judging by the addresses it wants to contact.


@TheSheehan

Please check the audit logs on your Cloudflare for any suspicious activity going back.

Somehow I have the impression that there is some code or worker on your CF (injected)
which, depending on the UA (user agent), decides whether to serve the virus or not.

The infected file comes from cdn.discordapp.com.

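A defender-side check for the User-Agent-dependent behaviour described in the post above, added here as an example (not code from the thread or from the hosting provider): it requests the site with several User-Agent strings without following redirects, flags any variant that serves an archive download or redirects off-site (e.g. to cdn.discordapp.com), and reports when the responses differ by UA. The UA strings, the ARCHIVE_TYPES set and the example.com URL in the test are assumptions.

```python
# Added example, not from the forum thread. Detects UA-dependent (cloaked)
# responses and off-site archive downloads of the kind discussed above.
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed UA strings (assumption): a browser, a crawler, a CLI client.
USER_AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/112.0",
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1)",
    "curl": "curl/8.0.1",
}
ARCHIVE_TYPES = {"application/x-rar-compressed", "application/vnd.rar",
                 "application/zip", "application/octet-stream"}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # keep the 3xx so its Location header can be inspected

def fetch(url, ua):
    """One GET with the given User-Agent; returns (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx still carry headers
        return e.code, dict(e.headers.items()), e.read()

def analyse(site_url, results):
    """results: {label: (status, headers, body)} -> list of finding strings."""
    findings, fingerprints = [], {}
    site_host = urlparse(site_url).hostname
    for label, (status, headers, _body) in results.items():
        h = {k.lower(): v for k, v in headers.items()}
        ctype = h.get("content-type", "").split(";")[0].strip().lower()
        disp = h.get("content-disposition", "").lower()
        loc_host = urlparse(h.get("location", "")).hostname
        if ctype in ARCHIVE_TYPES or "attachment" in disp:
            findings.append(f"{label}: serves a file download ({ctype or disp})")
        if loc_host and loc_host != site_host:
            findings.append(f"{label}: redirects off-site to {loc_host}")
        fingerprints[label] = (status, ctype, loc_host)  # body may differ legitimately
    if len(set(fingerprints.values())) > 1:
        findings.append("response differs by User-Agent: " + str(fingerprints))
    return findings

def check_site(site_url):
    return analyse(site_url, {k: fetch(site_url, ua) for k, ua in USER_AGENTS.items()})
```

Run `check_site("https://your-site.example/")` against your own domain; an empty list means every UA got the same kind of answer and none of them was a download or an off-site redirect.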

Yeah, someone hacked my Cloudflare. I wouldn’t have thought of this. Thanks.


We got worried because you didn’t answer for 2 days.

The content you have here on the hosting was reviewed and we did not find any “malicious link”, because of that we suspected that the problem was somewhere further (like for example on CF).

We also noticed that you directed the domain to Google NS / A records (no more CF, but now the certificate for HTTPS is missing).
Does this mean you no longer control the CF account, or is it just a precaution on your part?
Right now we are no longer your hosting because of that!
Consider going back (because, as you can see, the hosting is not to blame for the hack).

Be sure to contact CF support if you do not have access to CF, and try to recover your CF account that way.
And of course, use 2FA wherever you can.


Thanks for your concern. I was changing some of the settings on my Google domain to try to fix the problem before realizing that it was coming from Cloudflare. I will work on reverting all of the changes made to my domain by me and, on Cloudflare, by the unsolicited user, to get my website back up and running.


Thanks for the feedback and good luck :+1:
