DNS records changed by themselves

In the last week, changes were made to the domain’s DNS records twice without intervention from either of the two registered accounts.
After the first change, passwords were changed and 2FA enabled on both accounts. However, there was another change and the IP used was 80.66.81.104 in a type A record pointing to the root domain.

After enabling the security measures on the accounts, what are the next troubleshooting steps I could take?

Are you using Ezoic or any other service that you allowed to make changes to your Cloudflare account, or run anything that uses the API to update your settings?

You can check what/who made changes in your audit log here…
https://dash.cloudflare.com/?to=/:account/audit-log

Make sure you roll your API key and any API tokens, and check for any new API tokens created.

2 Likes
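
One way to triage an exported audit log for the check suggested above, as an added example that is not part of the original thread or Cloudflare's own code. The sample entries are constructed, and the field layout and the `rec_add`/`rec_set`/`rec_del` action types are assumptions to adjust to what your log actually shows.

```python
import json

# Constructed sample entries; the field layout (action.type, actor.email,
# actor.ip, interface, when) is assumed to match the exported audit-log JSON.
SAMPLE_LOG = json.loads("""[
 {"when":"2024-01-08T09:12:00Z","interface":"UI","action":{"type":"login"},
  "actor":{"email":"owner@example.com","ip":"203.0.113.10"}},
 {"when":"2024-01-09T02:41:00Z","interface":"API","action":{"type":"rec_set"},
  "actor":{"email":"colleague@example.com","ip":"198.51.100.23"}},
 {"when":"2024-01-09T10:05:00Z","interface":"UI","action":{"type":"rec_set"},
  "actor":{"email":"owner@example.com","ip":"203.0.113.10"}},
 {"when":"2024-01-12T03:17:00Z","interface":"API","action":{"type":"rec_add"},
  "actor":{"email":"colleague@example.com","ip":"198.51.100.23"}}
]""")

# Assumed action.type values for DNS record edits; adjust to what your log shows.
DNS_ACTIONS = {"rec_add", "rec_set", "rec_del"}

def dns_changes(entries):
    """Return only the DNS record changes, oldest first."""
    hits = [e for e in entries if e.get("action", {}).get("type") in DNS_ACTIONS]
    return sorted(hits, key=lambda e: e["when"])

def suspicious(entries, known_ips):
    """Flag DNS changes made through the API or from an unrecognised IP."""
    flagged = []
    for e in dns_changes(entries):
        actor = e.get("actor", {})
        reasons = []
        # API calls authenticate with a key or token, so 2FA never applies.
        if e.get("interface", "").upper() == "API":
            reasons.append("made via API")
        if actor.get("ip") not in known_ips:
            reasons.append("unrecognised source IP")
        if reasons:
            flagged.append((e["when"], actor.get("email"), actor.get("ip"), reasons))
    return flagged

if __name__ == "__main__":
    # known_ips holds the addresses the account holders normally work from.
    for when, email, ip, reasons in suspicious(SAMPLE_LOG, {"203.0.113.10"}):
        print(when, email, ip, "; ".join(reasons))
```

Any account that shows up in the flagged rows is the one whose API key and tokens should be rolled first.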

There are no services connected to this account.
We don’t use the API for anything.

Since we don’t use the API, should I remove the API tokens and then change the Global API Key and Origin CA Key?

Could changing the Global API Key and Origin CA Key cause downtime on my website?

PS: This account just has a WordPress website running. It uses only caching and DNS.

Did you find anything in the audit log?

You should still roll the Global API key (add, and check for any tokens) in case your account was compromised, since the API only needs that key and your email to make changes, and won’t use any 2FA.

1 Like

Yeah, I saw that the changes to the DNS records were made by the other user’s account (not mine)…
I’ll talk to him about rolling his Global API key (I already did on mine).

If you think his account was compromised, then ensure he has 2FA enabled as well.

General guide here…

2 Likes
