Domain used for malware wrongly reported as not hosted on Cloudflare on Abuse Report page

When trying to report the domain wpsys.org on the “Submit an Abuse Report” page, I receive the error that this domain isn’t hosted on Cloudflare.

But it is. Doing a dig -t ns wpsys.org returns:

; <<>> DiG 9.16.1-Ubuntu <<>> -t ns wpsys.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64591
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wpsys.org.			IN	NS

;; ANSWER SECTION:
wpsys.org.		86400	IN	NS	dora.ns.cloudflare.com.
wpsys.org.		86400	IN	NS	max.ns.cloudflare.com.

;; Query time: 451 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: sab giu 25 19:55:01 CEST 2022
;; MSG SIZE  rcvd: 92


And dig wpsys.org returns:

; <<>> DiG 9.16.1-Ubuntu <<>> wpsys.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59841
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wpsys.org.			IN	A

;; ANSWER SECTION:
wpsys.org.		300	IN	A	198.37.113.30

;; Query time: 456 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: sab giu 25 20:28:41 CEST 2022
;; MSG SIZE  rcvd: 54

This domain is used to receive the hostname/domain of infected servers (victims) where vulnerable WordPress installations are exploited (customers of our hosting company included).

The source code of one of the malware files is here: Hastebin: Send and Save Text or Code Snippets for Free | Toptal®

Decoding line 4 (after many steps) we got:

define('RURL', 'http://wpsys.org/html/'.HTTP_HOST);

Thank you in advance

While it does use Cloudflare for DNS, if you dig for the A record to see where it is pointing you will see that it resolves directly to the hosting provider of the site and not Cloudflare’s IPs. This means any reports should go straight to the host.
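The distinction drawn in the reply, as an added example that is not code from this thread: a small Python check that separates "Cloudflare is authoritative for the zone" (NS records under ns.cloudflare.com) from "the A record resolves into Cloudflare's proxy ranges" (origin hidden behind the proxy). The IPv4 ranges below are a snapshot of Cloudflare's published list and are an assumption here; refresh them from https://www.cloudflare.com/ips-v4 before relying on the result. The two dig outputs embedded as input are the ones posted in the question.

```python
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 proxy ranges (assumption: copied from
# https://www.cloudflare.com/ips-v4 at an unspecified date; refresh before use).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# One resource record line as dig prints it: name  ttl  IN  type  data
ANSWER_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>\S+)$")


def parse_dig_answers(text):
    """Return (rrtype, rdata) tuples from the ANSWER SECTION of dig output."""
    records = []
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other ';;' header ends the answer section
            in_answer = False
            continue
        if in_answer and line:
            m = ANSWER_RE.match(line)
            if m:
                records.append((m.group("type"), m.group("data")))
    return records


def is_cloudflare_ip(ip):
    """True if the address falls inside one of Cloudflare's proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def classify(ns_records, a_records):
    """Classify how a zone relates to Cloudflare.

    'proxied'        all A records sit in Cloudflare ranges: origin hidden, report to Cloudflare
    'dns_only'       Cloudflare is authoritative but A records point elsewhere: report to the IP's host
    'not_cloudflare' neither condition holds
    """
    uses_cf_dns = any(ns.lower().endswith(".ns.cloudflare.com.") for ns in ns_records)
    if a_records and all(is_cloudflare_ip(ip) for ip in a_records):
        return "proxied"
    if uses_cf_dns:
        return "dns_only"
    return "not_cloudflare"


def report_target(ns_dig_output, a_dig_output):
    """Combine the two dig outputs into a verdict plus the IPs a report should name."""
    ns = [d for t, d in parse_dig_answers(ns_dig_output) if t == "NS"]
    a = [d for t, d in parse_dig_answers(a_dig_output) if t == "A"]
    return {"nameservers": ns, "addresses": a, "verdict": classify(ns, a)}


# Input taken from the question above (dig -t ns wpsys.org / dig wpsys.org), trimmed to the relevant sections.
NS_DIG = """;; QUESTION SECTION:
;wpsys.org.            IN  NS

;; ANSWER SECTION:
wpsys.org.      86400   IN  NS  dora.ns.cloudflare.com.
wpsys.org.      86400   IN  NS  max.ns.cloudflare.com.

;; Query time: 451 msec
"""

A_DIG = """;; QUESTION SECTION:
;wpsys.org.            IN  A

;; ANSWER SECTION:
wpsys.org.      300 IN  A   198.37.113.30

;; Query time: 456 msec
"""

if __name__ == "__main__":
    print(report_target(NS_DIG, A_DIG))
```

For the thread's case the verdict is `dns_only`: the nameservers are Cloudflare's, but 198.37.113.30 lies outside every Cloudflare range, so the abuse report belongs with whoever owns that address (a `whois` lookup on the IP gives the abuse contact). A `proxied` verdict would mean the origin is hidden and Cloudflare's abuse form is the right channel.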
