Possible nefarious worker hack

Hello community,

I am seeing strange activity in the audit log.

  • creating my-name.worker.dev
  • changing ssl settings
  • zone changes
  • something relating to SSL handshakes but can't remember atm

These changes were made from a different IP address than mine. Only I have logged in, but I had a website with API access (I removed the API access for now). I have the logs saved in a few spots. They show my IP, which has been the same for the last few weeks, doing things I recognize. These entries come from 2 different IPs.

This is then combined with my personal machine having changed its DNS server to Cloudflare, and an exception made to not use HTTPS DNS requests for myname.worker.dev.

Can anyone imagine what this would be trying to do? Adding a worker and shifting my HTTPS DNS requests and adding an exception for the worker domain?


Free Assange <3

Screenshot of Firefox with the added exception:

AUDIT LOG CUT PASTE OF THE USER LEVEL CHANGES FROM NOT MY IP

172.18.78.134 2173b1781890bdc2311358768ca38144 zone e256fd8b298d37ab28c5f05f9ae2ec1a {actor_email:[email protected],name:browser_cache_exp,type:caching,value:0,zone_name:o-wiltshire.workers.dev}
172.18.203.174 2173b1781890bdc2311358768ca38144 zone e256fd8b298d37ab28c5f05f9ae2ec1a {actor_email:[email protected],name:always_online,type:caching,value:off,zone_name:o-wiltshire.workers.dev}
172.18.250.249 2173b1781890bdc2311358768ca38144 zone e256fd8b298d37ab28c5f05f9ae2ec1a {actor_email:[email protected],name:SSL,old_value:flexible,type:crypto,value:full_strict,zone_name:o-wiltshire.workers.dev}
172.18.250.249 2173b1781890bdc2311358768ca38144 zone e256fd8b298d37ab28c5f05f9ae2ec1a {actor_email:[email protected],zone_name:o-wiltshire.workers.dev}
2173b1781890bdc2311358768ca38144 zone e256fd8b298d37ab28c5f05f9ae2ec1a {actor_email:[email protected],name:SSL,type:crypto,value:flexible,zone_name:o-wiltshire.workers.dev}
172.18.250.249 2173b1781890bdc2311358768ca38144 zone e256fd8b298d37ab28c5f05f9ae2ec1a {actor_email:[email protected],name:IPv6,type:network,value:true,zone_name:o-wiltshire.workers.dev}
172.18.250.249 2173b1781890bdc2311358768ca38144 zone e256fd8b298d37ab28c5f05f9ae2ec1a {actor_email:[email protected],zone_name:o-wiltshire.workers.dev}
2173b1781890bdc2311358768ca38144 zone e256fd8b298d37ab28c5f05f9ae2ec1a {actor_email:[email protected],zone_name:o-wiltshire.workers.dev}

One of many system-level changes related to this that I don't understand and that seems suspicious when combined with the browser changes on my computer… What can be accomplished with this?

Action Details: Certificates ordered from the Certificate Authority
Resource: certificate_pack
Resource ID: 095ba-2d81-416b-84d6-05******89003
New Value:

{ "authority": "google", "brand_id": null, "bundle_method": "ubiquitous", "certificates": [ { "expires_on": "2024-05-13T09:42:02Z", "fingerprint_sha256": "e41be43003b7967f84f61d236396ff3a61*****20382aec7c311d46a8", "id": "171a6dfb-557e-4159-b777-6a47427e788c", "issued_on": "2024-02-13T09:42:03Z", "issuer": "GoogleTrustServicesLLC", "serial_number": "501151410014838692*********** "signature": "SHA256WithRSA" } ], "dedicated_ips": false, "hosts": [ "o-wiltshire.workers.dev", "*.o-wiltshire.workers.dev" ], "id": "05ec95ba-2d81-416b-84d6-0570cb889003", "modified_on": "2024-02-13T10:38:33.222389Z", "priority": 0, "qs_mode": 0, "qs_mode_changed_at": null, "qs_mode_desired": null, "sans": [ "o-wiltshire.workers.dev", "*.o-wiltshire.workers.dev" ], "status": "pending_deployment", "type": "universal", "validation_method": "txt", "validation_type": "dv", "validity_days": 90, "zone_id": "e256fd8b298d37ab******1a" }
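A practical way to triage an audit-log paste like the one above is to parse it, group the entries by source IP, and pull out the setting flips (here the SSL mode). The script below is an added example, not code from the original post or from Cloudflare: it assumes the line shape shown in the paste (optional source IP, actor id, resource type, resource id, then a `{k:v,k:v}` metadata blob) and notes that some entries carry no IP at all. The sample lines, IPs (RFC 5737 documentation addresses) and ids are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the audit-log paste above.
# IPs are documentation addresses and the ids are placeholders, not real values.
SAMPLE_LOG = """\
203.0.113.10 2173b178 zone e256fd8b {actor_email:me@example.com,name:browser_cache_exp,type:caching,value:0,zone_name:example.workers.dev}
198.51.100.7 2173b178 zone e256fd8b {actor_email:me@example.com,name:SSL,old_value:flexible,type:crypto,value:full_strict,zone_name:example.workers.dev}
198.51.100.7 2173b178 zone e256fd8b {actor_email:me@example.com,zone_name:example.workers.dev}
2173b178 zone e256fd8b {actor_email:me@example.com,name:SSL,type:crypto,value:flexible,zone_name:example.workers.dev}
203.0.113.10 2173b178 zone e256fd8b {actor_email:me@example.com,name:IPv6,type:network,value:true,zone_name:example.workers.dev}
"""

# Assumed line layout (taken from the paste, not a documented format):
#   [source_ip] actor_id resource_type resource_id {key:value,key:value,...}
LINE_RE = re.compile(
    r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+)?"  # source IP, absent on some entries
    r"(?P<actor>[0-9a-f]+)\s+"                   # actor / account id
    r"(?P<resource>[a-z_]+)\s+"                  # resource type, e.g. zone
    r"(?P<resource_id>[0-9a-f]+)\s+"             # resource id
    r"\{(?P<meta>[^}]*)\}$"                      # metadata blob
)


def parse_meta(meta):
    """Turn 'k:v,k:v' into a dict. Values in this format carry no commas,
    and only the first colon separates key from value."""
    out = {}
    for field in meta.split(","):
        key, _, value = field.partition(":")
        out[key.strip()] = value.strip()
    return out


def parse_line(line):
    """Return a dict for one audit-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {k: m.group(k) for k in ("ip", "actor", "resource", "resource_id")}
    entry["meta"] = parse_meta(m.group("meta"))
    return entry


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def by_source_ip(entries):
    """Count entries per source IP; entries without an IP land under None."""
    return Counter(e["ip"] for e in entries)


def flag_unexpected(entries, known_ips):
    """Entries from an IP you did not use, plus entries with no IP at all
    (those are the ones to ask the provider about, since no login produced them)."""
    return [e for e in entries if e["ip"] not in known_ips]


def setting_changes(entries, setting_type="crypto"):
    """(ip, setting, old_value, new_value) for each change of the given type.
    old_value is None when the log did not record it."""
    return [
        (e["ip"], e["meta"]["name"], e["meta"].get("old_value"), e["meta"].get("value"))
        for e in entries
        if e["meta"].get("type") == setting_type
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("entries per source IP:", dict(by_source_ip(entries)))
    # Replace with the IP(s) you actually logged in from.
    for e in flag_unexpected(entries, {"203.0.113.10"}):
        print("UNEXPECTED", e["ip"], e["meta"])
    for ip, name, old, new in setting_changes(entries):
        print(f"{name}: {old} -> {new} (from {ip})")
```

Run it against your own saved copy of the log with your real login IP in `known_ips`; the entries with no source IP and the SSL-mode transitions are the ones worth listing when you ask support to look at the account.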

Those entries are standard with the provisioning of a workers.dev zone. Just how it works on the backend.

Okay thanks for the reply on this.

Any thoughts about what a worker could do if a hacker created one, probably via API from a hacked website (oops), and also added the worker domain of my-name.worker.dev as an exception to HTTPS DNS requests in my browser?

It's the fact that I see related activity in both my browser and in the Cloudflare worker backend that makes me think it's nefarious. If any Cloudflare techs are around, they are more than welcome to look at the now-deleted workers and see what they might have done.

There is another post with the same issue, actually, somewhere on here from a few months ago. I'd say it's an attack of some sort.

Or a feature that I didn't understand would alter my Firefox settings without any notice or confirmation…

If any Cloudflare staff can identify the worker created and help report on it, it is very important. I am writing about the Julian Assange case, and I believe I have been targeted with an attempt to literally plant evidence on computers/servers in a really awful setup. Sincerely…

I wish I could see what code was running on that worker!! If you can help, it will make a difference.

If I go to the police, could they ask you to dig it up?

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.