Suspicious Certificate Activity during Brute Force Attack

What is the domain name?
cyberauto dot com

Have you searched for an answer?
Yes

Please share your search results url:
I would gladly do so, but this create-topic tool keeps telling me that I can’t post links (despite the fact that I’m following the instructions to do so with preformatted text).

When you tested your domain using the [Cloudflare Diagnostic Center], what were the results?
I’m sorry, I can’t find this at the moment. I am working on it and will post shortly, but wanted to get this topic out there.

Describe the issue you are having:
We are fighting off what appears to be a brute force attack on a couple of different levels. LFD is constantly rejecting failed logins (at several orders of magnitude higher than normal) and cPHulk is showing a barrage of failed logins from 127.0.0.1 / ZZ / mail / dovecot. That has been happening for 2-3 days. Today, I received three Certificate Transparency Notifications from Cloudflare that I don’t recall receiving before. I suppose that it is possible that something normal is happening that might initiate new certificates, but that seems to be too much of a coincidence. Cloudflare’s instructions are to report this if they are suspicious, and they are. Certificates are as follows:

Log date: 2023-05-06 17:05:58 UTC
Issuer: CN=E1,O=Let’s Encrypt,C=US
Validity: 2023-05-06 16:05:58 UTC - 2023-08-04 16:05:57 UTC
DNS Names: * dot cyberauto dot com, cyberauto dot com

Log date: 2023-05-06 06:04:55 UTC
Issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US
Validity: 2023-05-06 05:04:54 UTC - 2023-08-04 05:04:53 UTC
DNS Names: cyberauto dot com, * dot cyberauto dot com

Log date: 2023-05-06 06:03:25 UTC
Issuer: CN=Cloudflare Inc ECC CA-3,O=Cloudflare, Inc.,C=US
Validity: 2023-05-06 00:00:00 UTC - 2024-05-04 23:59:59 UTC
DNS Names: cyberauto dot com sni dot cloudflaressl dot com, * dot cyberauto dot com

What error message or number are you receiving?
None

What steps have you taken to resolve the issue?

  1. Early on (before these certificates) I involved our hosting company in this and they’ve double-checked our security and have run three different malware programs, not finding anything.
  2. I’m doubling back to the hosting company with this news about the certificates (next).

Was the site working with SSL prior to adding it to Cloudflare?
This is not a new addition. We’ve been on Cloudflare for many years.

What are the steps to reproduce the error:

  1. As indicated above.

Have you tried from another browser and/or incognito mode?
N/A

Please attach a screenshot of the error:
Again, failing in every effort to include anything that looks like a link…

Cloudflare does use Let’s Encrypt certificates, so it might be normal behaviour.

Images should work directly.


Here’s another effort to post a screenshot…

Only one allowed at a time for newbies. :slight_smile:

Unless you use Cloudflare Tunnel to reach your server, Cloudflare would never hit you from 127.0.0.1, except under weird setups… This, personally, looks like either a breach of the server itself or some normal website behaviour that looks weird due to the IPs for some configuration reason.

My suspicion is that it is a normal website behavior that has been circumvented for malicious purposes. But that, in conjunction with the barrage of TCP connections from apparently randomized IP addresses, plus the certificate issuances, suggests someone is trying all avenues very diligently.

Yeah, that to me means you have not really blocked non-Cloudflare IPs…

This means they control your DNS or server, but I’m pretty sure those are Cloudflare’s. GTS and LE are the two CAs Cloudflare uses. You should see them in your dashboard :slight_smile:
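The reply above names the three issuers (Let’s Encrypt, Google Trust Services and Cloudflare’s own CA) that Cloudflare provisions certificates from. As an added example, written for this page and not code from the thread or from Cloudflare, the Python script below parses notifications in the shape quoted in the original post and flags only what falls outside that expectation: an issuer other than those three, or a DNS name you never provisioned. The zone is replaced by the placeholder example.com, the fourth entry is constructed so the checks have something to flag, and the expected-issuer and expected-name sets are assumptions to adjust for your own zone.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Assumption: the organisations named in the thread are the only issuers you
# expect on certificates Cloudflare provisions for your zone.
KNOWN_EDGE_ISSUERS = {"let's encrypt", "google trust services llc", "cloudflare, inc."}
TS_FORMAT = "%Y-%m-%d %H:%M:%S UTC"  # timestamp layout used in the notifications

# Constructed sample in the shape of the quoted notifications, with the zone
# replaced by example.com and a fourth out-of-place entry added for the triage.
SAMPLE_NOTIFICATIONS = """\
Log date: 2023-05-06 17:05:58 UTC
Issuer: CN=E1,O=Let’s Encrypt,C=US
Validity: 2023-05-06 16:05:58 UTC - 2023-08-04 16:05:57 UTC
DNS Names: *.example.com, example.com

Log date: 2023-05-06 06:04:55 UTC
Issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US
Validity: 2023-05-06 05:04:54 UTC - 2023-08-04 05:04:53 UTC
DNS Names: example.com, *.example.com

Log date: 2023-05-06 06:03:25 UTC
Issuer: CN=Cloudflare Inc ECC CA-3,O=Cloudflare, Inc.,C=US
Validity: 2023-05-06 00:00:00 UTC - 2024-05-04 23:59:59 UTC
DNS Names: example.com, sni.cloudflaressl.com, *.example.com

Log date: 2023-05-07 03:12:00 UTC
Issuer: CN=Some Other CA,O=Unknown Issuer Ltd,C=XX
Validity: 2023-05-07 00:00:00 UTC - 2024-05-06 23:59:59 UTC
DNS Names: example.com, login.example.com
"""


@dataclass
class CtEntry:
    logged: datetime
    issuer: Dict[str, str]
    not_before: datetime
    not_after: datetime
    names: List[str]


@dataclass
class Finding:
    logged: datetime
    kind: str
    detail: str


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=..,O=..,C=..' into a dict. Only a comma that starts a new
    attribute separates fields, so 'O=Cloudflare, Inc.' keeps its comma."""
    result = {}
    for part in re.split(r",(?=[A-Za-z]+=)", dn):
        key, _, value = part.partition("=")
        result[key.strip().upper()] = value.strip()
    return result


def parse_notifications(text: str) -> List[CtEntry]:
    """Turn blank-line-separated notification blocks into CtEntry objects."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; times keep theirs
            fields[key.strip().lower()] = value.strip()
        start, _, end = fields["validity"].partition(" - ")
        entries.append(CtEntry(
            logged=datetime.strptime(fields["log date"], TS_FORMAT),
            issuer=parse_dn(fields["issuer"]),
            not_before=datetime.strptime(start, TS_FORMAT),
            not_after=datetime.strptime(end, TS_FORMAT),
            names=[n.strip() for n in fields["dns names"].split(",")],
        ))
    return entries


def triage(entries: List[CtEntry], expected_names: set) -> List[Finding]:
    """Report only what does not look like Cloudflare's own provisioning:
    an issuer outside the known set, or a SAN you never asked for."""
    findings = []
    for e in entries:
        org = e.issuer.get("O", "").replace("’", "'").lower()  # normalise apostrophes
        if org not in KNOWN_EDGE_ISSUERS:
            findings.append(Finding(e.logged, "unknown-issuer", e.issuer.get("O", "")))
        unexpected = [n for n in e.names if n not in expected_names]
        if unexpected:
            findings.append(Finding(e.logged, "unexpected-name", ", ".join(unexpected)))
    return findings


# Assumption: names you expect on Cloudflare-provisioned certs for this zone.
EXPECTED_NAMES = {"example.com", "*.example.com", "sni.cloudflaressl.com"}

if __name__ == "__main__":
    for f in triage(parse_notifications(SAMPLE_NOTIFICATIONS), EXPECTED_NAMES):
        print(f"{f.logged:%Y-%m-%d %H:%M} {f.kind}: {f.detail}")
```

Run against the sample, the three entries quoted in the thread produce no findings and only the constructed fourth one is reported, once for its issuer and once for the extra name. The point of the expected-name check is that a certificate from a trusted CA can still be worth a look if it covers a hostname you did not create.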

Could you point me to instructions on how to block non-Cloudflare IPs in WHM? And any other direction? Sorry, I’m adequate at the very most basic unix system administration that we normally perform, but I lack experience in this sort of thing.

Yeah, Cloudflare provides the list of IPs to allow, which is at IP Ranges.

Regarding instructions I believe they might exist online.

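To act on the IP Ranges pointer above, here is an added Python example, not code from the thread or from Cloudflare, that does the two things a WHM/csf administrator would want: classify firewall log lines by whether the source is a Cloudflare edge address (so direct-to-origin hits on the web ports stand out), and render csf.allow entries that restrict ports 80 and 443 to those ranges. The range list is a snapshot assumed from Cloudflare’s published IPv4 list and must be refreshed from the live IP Ranges page; the log lines are constructed; and the entry format `tcp|in|d=port|s=cidr` is csf’s advanced allow syntax, which you should check against the readme of your csf version.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Assumption: snapshot of Cloudflare's published IPv4 ranges. Refresh from the
# live IP Ranges page before using this for real; the list does change.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_IPV4]
WEB_PORTS = {80, 443}

# Constructed iptables/csf-style log lines: two from Cloudflare ranges, two from
# a TEST-NET address going straight to the web ports, one to an IMAPS port.
SAMPLE_LOG = [
    "May  6 06:03:25 host kernel: Firewall: IN=eth0 SRC=104.16.1.2 DST=203.0.113.10 PROTO=TCP DPT=443",
    "May  6 06:03:26 host kernel: Firewall: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443",
    "May  6 06:03:27 host kernel: Firewall: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=80",
    "May  6 06:03:28 host kernel: Firewall: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=993",
    "May  6 06:03:29 host kernel: Firewall: IN=eth0 SRC=172.70.1.1 DST=203.0.113.10 PROTO=TCP DPT=80",
]

LOG_RE = re.compile(r"SRC=(?P<src>[0-9a-fA-F.:]+).*?DPT=(?P<dpt>\d+)")


def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of the known Cloudflare edge ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_NETS)


def classify(lines: List[str]) -> Tuple[Counter, List[str]]:
    """Bucket log lines: 'edge' = Cloudflare to a web port, 'direct' =
    non-Cloudflare straight to a web port (what the replies above say should
    be blocked), 'other' = traffic to any non-web port. Also returns the
    distinct sources seen hitting the origin directly."""
    buckets: Counter = Counter()
    direct_sources = set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection line; skip rather than guess
        src, dpt = m.group("src"), int(m.group("dpt"))
        if dpt not in WEB_PORTS:
            buckets["other"] += 1
        elif is_cloudflare(src):
            buckets["edge"] += 1
        else:
            buckets["direct"] += 1
            direct_sources.add(src)
    return buckets, sorted(direct_sources)


def csf_allow_entries(ports: Tuple[int, ...] = (80, 443)) -> List[str]:
    """Render csf.allow lines (advanced syntax, assumed: tcp|in|d=PORT|s=CIDR)
    that permit the web ports only from Cloudflare ranges. The matching deny
    for everyone else on those ports is a separate csf.deny / firewall step."""
    return [f"tcp|in|d={port}|s={cidr}" for port in ports for cidr in CLOUDFLARE_IPV4]


if __name__ == "__main__":
    counts, direct = classify(SAMPLE_LOG)
    print(dict(counts))                 # {'edge': 2, 'direct': 2, 'other': 1}
    print("direct-to-origin sources:", direct)
    print("\n".join(csf_allow_entries()[:3]), "...")
```

Two caveats a practitioner would want here. First, the allowlist only covers the web ports: mail, SSH and the control panel stay reachable as before, so it does nothing for the dovecot failures logged from 127.0.0.1. Second, keep the IPv6 ranges in mind too if your origin has a public IPv6 address; the snapshot above is IPv4 only.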

Thanks so much for your insight, much appreciated!
