Why CF's IP connect my FTP?

pls check abuse report #4472965 , thanks

and the is scanning my other server now !
hacked ?

The Community does not have access to your abuse reports. Is your domain using Cloudflare?

yes , but this ip connect port is 21 , is FTP server port

and the 245.75 has no site on cloudflare

That’s certainly a mystery. There’s always the chance the IP address is being spoofed. You’re certainly welcome to open a ticket.

As for the 245.75 site, those are HTTPS connections, so it’s possible someone mistakenly put those IP addresses in their DNS here, or that’s a recycled IP address from someone else who used to use Cloudflare. Or maybe the two are related.

Login to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button.

What @sdayman said. Plus - close your FTP server off to the internet and only allow your intranet to access it. Also, use SFTP. Using FTP from the internet is essentially like using TELNET from the internet.

interesting the IP does show up in abuseipdb database | CloudFlare Inc. | AbuseIPDB but if that is netstat output then cloudflare is listed as foreign address remote outbound connection not inbound (means you server is connecting to remote cloudflare IP which would be normal if your server/site is behind Cloudflare proxy) https://www.quora.com/What-does-local-address-and-foreign-address-mean-in-the-netstat-command-result

right , cut the net or power of server , is BiiiG secure . :slight_smile:

if (245.74 OR 245.75) { MAYBE the fault is my server}
else { if (245.74 AND 245.75) { is NOT my server’s fault } };

the FTP is same as SFTP/FTP over SSL , and the HTTP is same as HTTPS .
the “S” can anti “mid man” and sniffer ONLY .
but I have dedicated vlan and subnet/gateway . so ftp=ftps of my server

Judging from the port numbers and the connection state this does appear like an inbound request.

Are you suggesting Argo?

One thing that does stand out is that all requests are in SYN_RECV, which should mean there is no active connection and the machine either never responded to it or the other party never acknowledged it.

Ignoring this issue for second, the second screenshot could be explained by someone having pointed a record to that IP address (as @sdayman mentioned). That wouldnt explain the first screenshot, with the FTP port, however (unless we are talking Spectrum).

The IP address in question does fall into the category of the proxy addresses listed at https://www.cloudflare.com/ips/ however right now my best guess would be it is also part of Cloudflare’s VPN service and someone is having fun over there.

@purse, you have a ticket already open anyhow. That will be the best course of action. Have they already responded?

1 Like

Indeed, @purse get Cloudflare support to also dig into Cloudflare logs as well

For instance I can see SYN_RECV on my server to Cloudflare and they seem to be just regular requests from my Cloudflare log inspection of the IP

netstat -tuna | grep SYN_RECV
tcp        0      0 xxx.xxx.xxx.xxx:443            SYN_RECV  

From Russian visitor with ASN = 15582 when I filter Cloudflare logs for CF EdgeServerIP =

find . -mmin +15 -exec pzcat {} \; | jq -r 'select(.ClientRequestHost == "domain.com" and .EdgeServerIP == "") | "\(.ClientCountry) \(.EdgeResponseStatus) \(.CacheResponseStatus) \(.ClientASN) \(.ClientRequestMethod) \(.ClientRequestPath) \(.EdgePathingOp)-\(.EdgePathingSrc)-\(.EdgePathingStatus)-\(.EdgeRateLimitAction) \(.FirewallMatchesActions)-\(.FirewallMatchesRuleIDs)-\(.FirewallMatchesSources) \(.WAFAction)-\(.WAFRuleID) \(.WorkerStatus) \(.WorkerSubrequest) \(.WorkerSubrequestCount) \(.ClientRequestUserAgent)"' | sort -n | uniq -c | sort -rn | head -n50

      1 ru 200 200 15582 GET /data/avatars/m/0/1.jpg wl-macro-nr- []-[]-[] unknown- unknown true 0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:75.0) Gecko/20100101 Firefox/75.0

no . the abuse ticket has no response .

thanks every friend . my question is why port 21 , not syn_recv .
I think the cdn connect port 80/443 only . so I think connect port 21 is wrong

You need to talk to support.

thanks . I blocked this ip

Probably if it’s to FTP port

1 Like

I am not really familiar with the VPN service, so I am not sure if they handle FTP too, but if they do and if that address is part of the VPN too, then that would be the most likely explanation.

If a user uses VPN to connect to FTP, then should show the VPN IP