Unusual Activity

Describe the issue you are having:
We have unusual activity in our account. Someone added domains to our site thru API.
Upon checking they added the domain thru API and using digitalocean IP.
Only a few people have access to this account and have confirmed that these domains were not added by them.
Another thing is that we don’t have any API created.

Please attach a screenshot of the error:*

Audit Log of one of the domain.

IP: 104.248.116.87

Please rotate your Global API Key immediately and delete/rotate any API Tokens you’ve created. Once you’ve done that, come back and we can help investigate how/why this happened.

1 Like

Yes, we already changed the password and Global API Key

Good. Could you please send API requests to the following endpoints? This will return information about any “View API Key” or “API Token creation” actions in the last 18 months. You should check whether any of these actions were made by an unknown IP address.

https://api.cloudflare.com/client/v4/accounts/<account_tag>/audit_logs?action.type=API_key_view&export=true
https://api.cloudflare.com/client/v4/accounts/<account_tag>/audit_logs?action.type=token_create&export=true

1 Like

How to do it?

Are you familiar with the command line and using cURL to send HTTP requests?

Yes I’m familiar with it.
How can I do it via command line and where I can get the <account_tag> ?

You can copy the account tag from a zone overview page.

Then reveal your Global API Key and send the requests using the following command:

curl -H 'X-Auth-Email: YOUR ACCOUNT EMAIL' -H 'X-Auth-Key: YOUR GLOBAL API KEY' \
    'https://api.cloudflare.com/client/v4/accounts/<account_tag>/audit_logs?action.type=API_key_view&export=true' \
    'https://api.cloudflare.com/client/v4/accounts/<account_tag>/audit_logs?action.type=token_create&export=true'

I found no unusual IP addresses in the logs.

How about the actions, are u able to spot the weird ones?

None… It’s only view
Logs

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.