Hacked Cloudflare domains


#1

Hi,

Sorry for my bad English, I’m French. I explain my problem because I am worried.

I have domain names for which I put the Cloudflare DNS in my registrar but I did not add them to my Cloudflare account (error on my part).

I could see that these domain names were taken over by a hacker, who posted his pages (porn sites, illegal download, etc.). I guess it was enough to add my domains to his Cloudflare account to put the DNS of his own server.

So far I understand what could have happened, and it was my fault I had to do things in order.

But what worries me the most: it was enough for me to add these domains to my Cloudflare account to regain control. I added the domain, Cloudflare scanned the existing DNS, I deleted the IP address of the hacker’s server and the rest of its configuration, I put the IP address of my server instead and everything is income in order.

How could I add a domain to my Cloudflare account when it was already in the hacker’s Cloudflare account? That would mean that we can recover and then control any site under Cloudflare in this way?

I have an assumption: maybe the hacker’s Cloudflare account was identified as unlawful and closed, which allowed me to add my domains since they were no longer in his account. But in this case, why was the DNS pointing to his server kept?

I hope it’s understandable, thank you very much for your answers!


#2

To test, I added the domain under Cloudflare of a friend (which is therefore associated with his own Cloudflare account).

While the domain is already in his account, Cloudflare has added it to my account. And I could see the information of his DNS. He had activated the HTTP proxy but with this method I could see the real IP address of his server. I think it’s already a flaw, right?

I do not want to try to change its DNS because I do not want to crash his site even for a few seconds (it’s a site that generates a lot of business) but I intend to test it on a small site without impact. If this makes it possible to change the DNS of a third site and to take control of it, it would be surrealistic…


#3

Hi @deslee.webagency, thank you for the post. The domain of your friend will not activate in your account as it is active in your friends account, it will stay as pending. But, concerned if you’re seeing their origin IP. I will investigate and post back.


#4

Thank you for your quick reply. And concerning the domains that the hacker had associated with his account, how is it that I was able to regain control if they were already added on his account ?


#5

I’ll investigate but I assume they could not change the name servers so when you added it to your account it activated. My investigation will prove/invalidate that.


#6

If I could see the sites of the hacker is that the domain was active on his account, this is strange because I could change the DNS and have active status in my account for these same domains. Do you want me to send you the relevant domains privately to assist you in your investigation ?

In any case, I think it would be better if you close the Cloudflare account of this hacker, or ban the IP from its server. He takes advantage of a fault by appropriating domains that are not his own …

Thanks again.


#8

I tested, I was not able to validate another domain to my Cloudflare account because the names of the DNS that I have to fill in and those filled in for these domains (ben, brenda, seth…) are different. That means that the hacker had the same 2 DNS to fill in as me. If there is a vulnerability, it can only happen in this case (I think).


#9

Hi @deslee.webagency, can you login and contact support at https://dash.cloudflare.com/?account=support. I think there are 2 issues to describe to them:

  1. Open the ticket under the domain for which you put the Cloudflare DNS with your registrar. Let them know you think the domain was hijacked & why. (I don’t know what steps/actions they can take against the person, but support will know if and what they can do.). Edit - they’ll be able to see this, but let support know you’ve re-added the zone.

  2. Describe the test you performed adding your friends zone to your account and the visibility of IPs you observed.

In all of this, I think #2 is the bigger issue as I believe you’ve successfully taken control of your domain. but, if I am incorrect, please let us know. When you have a ticket number, please add it here as I’d like to keep track of it.


closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.