CloudFlare IPs + Apache Logs Showing Criminal Hacking


#1

A server that I manage had been receiving malicious files from a fake “transfer.sh” website, which has been successfully blocked from being accepted. However, what is disturbing is that I find in the access logs three IP addresses that are attempting to exploit the server that caused the malicious files to be uploaded in the first place … and all three (now four) belong to CloudFlare and they continue to attack the server!
How do I report someone hiding behind a CloudFlare IP address, when I don’t know who the real culprit is behind your IP addresses, or whether your CloudFlare servers have been compromised?
108.162.246.222 - Seattle, Washington, USA
162.158.154.50 - London, England, UK
162.158.88.147 - Frankfurt am Main, Hesse, Germany
162.158.2.119 - Melbourne, Victoria, Australia


#2

Cloudflare does not provide IP addresses to the masses to use them for outbound connections.

You can report abuse at any time here:

https://www.cloudflare.com/abuse/


#3

Are you suggesting that CloudFlare is behind it then? It’s their IPs showing up in the access logs; if the IPs weren’t theirs, I’d be taking my concerns elsewhere.

Second, the abuse form doesn’t take into consideration that only an IP is known and that the problem is with CloudFlare IP addresses showing up and doing questionable actions. IP addresses are refused by the form as “URLs” and the field is requiring it be filled out.


#4

No.

You can also send an email to abuse[@]cloudflare.com with a detailed description and logfiles.

It’s also possible that the IPs are simply spoofed, but that needs to be checked by Cloudflare staff.

I assume that you’re not a Cloudflare user. Am I right?


#5

Not exactly. I have an account, but no services attached to it. It wasn’t until today that I “created” the community account since the abuse form wasn’t helpful in reporting suspicious activity from CloudFlare IPs. I was hoping they could figure out what’s going on and why their IP shows up in the access logs showing their addresses sending suspicious POST data to Apache that directly resulted in Apache running malicious code that ended with the server downloading a Trojan through wget, then curl when wget was no longer accessible to the code.


#6

That was my question. :slight_smile:

As mentioned in my last post, use the old-fashioned way: send an email to the abuse team.

They can. Send them your logs. If they can see any suspicious behavior originating from their network, they can take appropriate action.

Unfortunately abuse is something the community can’t really help with.
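Before sending logs to the abuse team (#5 and #6 above), it helps to pull out exactly the POST requests in question and confirm which source addresses really fall inside Cloudflare's published ranges. The following is an added example for that triage, not code from the thread or from Cloudflare; the range list is a snapshot of the IPv4 networks published at https://www.cloudflare.com/ips/ and should be refreshed from there, and the log lines are constructed samples in Apache common log format.

```python
import ipaddress
import re
from collections import defaultdict

# Snapshot of Cloudflare's published IPv4 ranges (assumption: refresh this
# list from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Apache common/combined log prefix: client, ident, user, [timestamp],
# "METHOD path protocol", status, size (referer/agent fields are optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_cloudflare(ip: str) -> bool:
    """True if the address is inside one of the Cloudflare ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostname in the log (HostnameLookups On)
        return False
    return any(addr in net for net in CLOUDFLARE_V4)

def triage(lines):
    """Group POST requests by client address and flag Cloudflare sources."""
    posts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        posts[m["ip"]].append((m["ts"], m["path"], int(m["status"])))
    return {ip: {"cloudflare": is_cloudflare(ip), "posts": hits}
            for ip, hits in posts.items()}

# Constructed sample lines (not the original poster's logs).
SAMPLE = [
    '108.162.246.222 - - [10/Apr/2023:12:00:01 +0000] "POST /upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2023:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '162.158.154.50 - - [10/Apr/2023:12:00:03 +0000] "POST /upload HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Apr/2023:12:00:04 +0000] "POST /contact HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        tag = "cloudflare" if info["cloudflare"] else "other"
        print(ip, tag, len(info["posts"]), "POST request(s)")
```

A hit inside a Cloudflare range does not by itself say who sent the request, which is why the raw lines, not just the addresses, belong in the abuse report.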