Cloudflare hacked? Audit log shows malicious actions on my account from a local network IP, and error code 1098


#1

Hello!

When looking in the audit log there are 3 actions that I did NOT do, all with the User IP Address of 127.0.0.1. These three actions are ‘delete’, ‘delete’ and ‘purge’. Please see the attached image!

Has Cloudflare been hacked, since all of these requests come from 127.0.0.1? Please can you explain how this happened? The login on Jul 23, 2018 was me and has my IP address, however I confirm I certainly did not delete any zones, and there was no way I was still logged in over a month later.

When I try to add the deleted domain back I get the error “This zone is temporarily banned and cannot be added to Cloudflare at this time, please contact Cloudflare Support. (Code: 1098)”.

I contacted support, and they suggested that I wait for a few hours before trying to add the domain again, but after waiting a few days it still doesn’t work. The ticket number is 1567972, and it’s been open without reply for 7 days.

This is quite worrying and I would like to get to the bottom of it, as the Cloudflare account I use at my job has several domains on the Pro plan and one on the Business plan, and it would cost them a lot of money if these were removed without explanation as has happened here! I don’t want to get in trouble if that one has problems :frowning_face:

Thank you


#2

As far as I know local IPs are used to perform purges for domains which have not had Cloudflare’s assigned nameservers for a specific amount of time. I don’t know exactly if it is only on the Free plan or also on the paid ones.

Maybe @ryan can help you with the ticket. It seems strange, 7 days without a reply. Maybe something happened there. Try writing again in the same ticket; creating a new one usually won’t solve it.

Probably the ban is due to some issues with some rate-limit or something… Really don’t know that, you would need to wait for a reply.


#3

Thank you for your help, I will reply to the ticket although I don’t want to come across as rude!

The domain was pointing to Cloudflare nameservers, and a record for @ pointed to an IP showing a blank page with proxying turned off. I’ll see if support can help, but if anyone else knows why, let me know.


#4

That seems strange; check with your registrar. I would maybe suggest trying to change DNS provider for a couple of days and then retrying.


#5

I had the same issue on the exact same dates (delete on Aug 5 and purge on Aug 25). In fact, my domain had expired for a while, which removed its NS entries to CF.

I understand if this is the normal behavior, but I think it should be improved in some ways:

  • This kind of action needs to be notified by default. A lot. Like, 3 days earlier, then 1 day earlier, then at 0 days. We need to be informed about this.
  • The audit log should be clear. Instead of saying “User IP address: 127.0.0.1” it should say something like “automatic/internal/etc”.
  • There should be a way to download and restore the purged settings. I understand you not wanting to keep old data forever, but considering this is something that, when it happens by accident, we only notice after the damage is done, keeping an easy way to revert it for something like 30 days would be nice.

#6

This domain has been listed as “suspended” for over 3 years, but everything has continued working perfectly fine and I’ve added new domains since, I never got an email about it and support said that the domain wasn’t actually suspended (ticket 473384) so I assumed it was just listed wrong :pensive:

Some strange back end bug? Could my domain have been half suspended, but still working fine?


#7

It could be that they do it periodically so the dates could match this way.

As far as the e-mail notification goes, I would agree with you; it was already discussed somewhere I believe, but I don’t recall exactly the reply (I think it was a confirmation that they need to do that).

The User IP = 127.0.0.1 is basically saying that. I would assume they can’t add text to the database since it assumes IPs; maybe something on the UI side.

They should notify you of the pending deletion, that is the only thing missing here.


#8

That I am not qualified to reply to; maybe the team can.