Our DNS A has been removed after a password change


#1

Early this morning our Cloudflare password was changed by one of us (admin), and about ten minutes later the website went down. After consulting with a friend, our DNS A has been removed.

Does anybody know how this could/would happen? Would it have to be done manually? Is there any way to find it, and add it back?

FTR I am simply one of the forum admins and was not there when it happened, and do not currently have access to things like server info, from people that do.

Thanks.


#2

Sorry, I should probably clarify that our Cloudflare password was the password that was changed.


#3

That would seem like someone got unauthorised access to your Cloudflare account and removed that record. Check your audit log for any access.


#4

From what I can see in the audit log, the only people to access are the other two admin. Admin 1 did everything up until changing the password, logging out and logging in. The only thing I can see apart from me logging in later, is a ‘txt add’ relating to a DNS record for bluelight.org. Here is the audit log, I’ve tried to make it clearer and removed the account name.

Admin 3/me:
Jan 16, 2019 | Login
Jan 16, 2019 | Logout | Our account login here | Account
Jan 16, 2019 | Login | Our account login here | Account

Jan 16, 2019 | Deployed | Cloudflare | bluelight.org
Jan 16, 2019 | Ordered | Cloudflare | bluelight.org

Admin 3? This has an IP but was done by domain “bluelight.org” rather than “account”. There is no record of the IP logging in:
Jan 16, 2019 | TXT add | Our account login here | bluelight.org

Jan 16, 2019 | Created | Cloudflare | bluelight.org
Jan 16, 2019 | Created | Cloudflare | bluelight.org
Jan 16, 2019 | Nameservers confirmed | Our account login here | bluelight.org
Jan 16, 2019 | Crypto change setting | Our account login here | bluelight.org

Admin 1:
Jan 16, 2019 | Login | Our account login here | Account
Jan 16, 2019 | Logout | Our account login here | Account
Jan 16, 2019 | Change lostpass | Our account login here | Account
Jan 16, 2019 | Logout | Our account login here | Account
Jan 16, 2019 | Zone reset check | Our account login here | Account


#5

Can you post a screenshot of that? Redact any confidential information (IPs, names, etc.)


#6

Here you go. Thanks for the help.


#7

From that log it doesn't seem as if an A record was deleted. You might want to open a support ticket for further clarification in this case.


#8

I’m one of the other admin for the site and was likely the one to cause this. The Cloudflare account our site is under is inaccessible to us, and the person who controls it has been unavailable. In an attempt to gain control, I set up our own Cloudflare account (with the audit logs shown by my peer) and changed the nameservers to point to our account. However, in doing so, I did NOT have the DNS A settings in place yet and this likely is the issue.

I’ve switched our nameservers back to the Cloudflare account of our unavailable friend so we should be operational again, and we’ll get the DNS A settings corrected in our own Cloudflare account before attempting to switch again.

I write this for the benefit of those wondering what caused the problem, and for any tips or pointers on NOT making changes prior to having everything in place to function properly.
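
A pre-switch check for the situation described in post #8, as an added example that is not part of the original thread: it compares the records the old nameservers still answer with against what the new zone serves, and reports anything missing before the nameservers are changed. It assumes both captures are answer-section text from `dig +noall +answer @<nameserver> <name> <type>`; every name and address in the sample data is constructed.

```python
# Added example: compare DNS answers captured from the old and new
# nameservers before changing the nameservers at the registrar.
# Assumption: each capture is answer-section text as printed by
#   dig +noall +answer @<nameserver> <name> <type>
# All names and addresses below are constructed sample data.

OLD_NS_ANSWERS = """\
example.org.      300 IN A     192.0.2.10
www.example.org.  300 IN CNAME example.org.
example.org.      300 IN MX    10 mail.example.org.
mail.example.org. 300 IN A     192.0.2.25
example.org.      300 IN TXT   "v=spf1 mx -all"
"""

NEW_NS_ANSWERS = """\
example.org.      300 IN TXT   "v=spf1 mx -all"
www.example.org.  300 IN CNAME example.org.
"""


def parse_answers(text):
    """Return a set of (name, type, rdata) tuples from dig answer lines."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        fields = line.split(None, 4)  # name, ttl, class, type, rdata
        if len(fields) < 5:
            continue  # not a complete resource record
        name, _ttl, _cls, rtype, rdata = fields
        # TTL is ignored: it does not decide whether the site resolves.
        records.add((name.lower().rstrip("."), rtype.upper(), rdata.strip()))
    return records


def missing_in_new(old_text, new_text):
    """Records served by the old nameservers that the new zone lacks."""
    return sorted(parse_answers(old_text) - parse_answers(new_text))


def safe_to_switch(old_text, new_text):
    """True only when every old record is also present in the new zone."""
    return not missing_in_new(old_text, new_text)


if __name__ == "__main__":
    for name, rtype, rdata in missing_in_new(OLD_NS_ANSWERS, NEW_NS_ANSWERS):
        print(f"MISSING in new zone: {name} {rtype} {rdata}")
    print("safe to switch:", safe_to_switch(OLD_NS_ANSWERS, NEW_NS_ANSWERS))
```

With the sample data the new zone has the TXT and CNAME records but no A record for the apex, which is the condition that took the site down in this thread.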

