Phantom editing of WAF rules

I have 2 members registered with administrator access on my account (plus myself as super administrator). Unbeknownst to me, someone added 3 rules to my WAF. The critical one is a rule allowing any request with hostname containing mocha.auction to skip all rules and access my site. In the previous 24 hours there were 143,000 requests containing mocha.auction passed through to my site. 75% of them originated from Yemen.

None of my registered users are claiming responsibility for editing the rules. Is it possible that someone other than the 3 of us made this change? If so, is there a way to audit what happened and (more importantly) prevent it from recurring?

Audit log…
https://dash.cloudflare.com/?to=/:account/audit-log

From that, if it’s possible your account was compromised, follow the advice here…


Thanks so much for this information! After going into the audit log, one of my 2 delegate users had been dormant from Aug 11 2023 - Jan 9 2024, at which time there was a lot of activity on the account (not just rules updates… Actions also include: Initializing, Create, Created, caching change setting, Enable TLS13 0RTT, ordered, Zone enable quic, Speed change setting). Is there a simple way to revert the configuration to the way it was prior to Jan 9 when these phantom changes started happening?

Enterprise users have zone versioning, but otherwise you’ll just have to go through the list and undo the changes in turn.

Make sure to secure the compromised account - change password, add 2FA, cycle global API key (even if you’ve never used it), check for unexpected API tokens, etc, etc.
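
An added example (not part of the thread, and not Cloudflare code) of working through an exported audit log as described above: it flags any user whose activity resumes after a long quiet period and lists that user's later changes newest-first for manual undo. The records are constructed, the `when`/`actor`/`action`/`resource` field names assume the JSON shape of Cloudflare audit log entries, and the action and resource labels are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _entry(when, email, ip, action, resource):
    # Helper for building constructed sample records in the assumed shape.
    return {"when": when, "actor": {"email": email, "ip": ip},
            "action": {"type": action}, "resource": {"type": resource}}

# Constructed sample data: example.com addresses, documentation-range IPs.
SAMPLE_LOG = [
    _entry("2023-12-20T08:00:00Z", "owner@example.com", "192.0.2.10", "login", "account"),
    _entry("2024-01-05T08:30:00Z", "owner@example.com", "192.0.2.10", "change_setting", "zone"),
    _entry("2023-11-01T12:00:00Z", "delegate2@example.com", "192.0.2.20", "login", "account"),
    _entry("2023-12-15T12:00:00Z", "delegate2@example.com", "192.0.2.20", "login", "account"),
    _entry("2023-08-11T10:00:00Z", "delegate1@example.com", "198.51.100.7", "login", "account"),
    _entry("2024-01-09T02:10:00Z", "delegate1@example.com", "203.0.113.50", "login", "account"),
    _entry("2024-01-09T02:14:00Z", "delegate1@example.com", "203.0.113.50", "create", "firewall_rule"),
    _entry("2024-01-09T02:20:00Z", "delegate1@example.com", "203.0.113.50", "change_setting", "zone"),
]

def parse_when(entry):
    # Timestamps are assumed to be ISO 8601 with a trailing "Z" (UTC).
    return datetime.fromisoformat(entry["when"].replace("Z", "+00:00"))

def find_resumed_actors(entries, min_gap_days=90):
    """Map actor email -> (last event before the gap, first event after it)."""
    by_actor = defaultdict(list)
    for e in entries:
        by_actor[e["actor"]["email"]].append(parse_when(e))
    resumed = {}
    for actor, times in by_actor.items():
        times.sort()
        for prev, cur in zip(times, times[1:]):
            if cur - prev >= timedelta(days=min_gap_days):
                resumed[actor] = (prev, cur)  # keeps the most recent long gap
    return resumed

def undo_worklist(entries, actor, since):
    """Entries by `actor` at or after `since`, newest first, for undoing in turn."""
    hits = [e for e in entries
            if e["actor"]["email"] == actor and parse_when(e) >= since]
    return sorted(hits, key=parse_when, reverse=True)

if __name__ == "__main__":
    for actor, (last, first) in find_resumed_actors(SAMPLE_LOG).items():
        print(f"{actor}: quiet from {last:%Y-%m-%d} until {first:%Y-%m-%d}")
        for e in undo_worklist(SAMPLE_LOG, actor, first):
            print(f"  {e['when']}  {e['action']['type']:<15}"
                  f"{e['resource']['type']:<14} from {e['actor']['ip']}")
```
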
