Hacking attempts from CloudFlare?

Good day,
what is this?

Trying anything on my site to:

How is this possible?

Next IP in my logs:


Good day,

Might I ask are you a customer of Cloudflare? You f so is this a site where you are utilizing Cloudflare services?

Yes, I am. All sites with Cloudflare and set in Wordfence and other else CF header get real IP. Like you see, no I have only problem with this.

Are you making the reports on abuseipdb? They are likely accidental reports from users who are not reading the proper heading when users visit their sites behind Cloudflare.

1 Like

Im not connected with AbuseIPdb, I not pay for it. Only check there IPs what attack me too. So I not understand why CF IP have in my logs, how is possible.

I’ve had multiple experiences where an entity sets up a malicious domain with Cloudflare and then points at the target origin IP address they want to do application-layer attacks on. With WAF disabled, they just hit their front end domain and let CF proxy the malicious requests to the target, since this typically gets around sites who use CF and only allow traffic from CF, but now no longer have the firewall protection. It of course requires the target website being default for the IP on the origin side, otherwise the host header would not match and the site would not be reachable.

So, I’d set the site to not be default for IP, if the above is what is occurring.

1 Like

Without knowing what this is in this instance, it appears whatever you’re looking at isn’t restoring the visitor IP address.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.