CloudFlare IP in cPanel log for non-CF domains
Hello,
I have identified multiple CloudFlare IPs in the cPanel log (/usr/local/cpanel/logs/access_log) for Webmail use, but the respective domains don't have CloudFlare nameservers (they have our normal local nameservers) and they are not used over the webmail subdomain.
In the 3 cases I have found, the webmail is accessed:
- over the normal (unsecured) webmail port: http://www.domain.tld:2095 (so not on a subdomain)
- over the secured server hostname: https://servername:2096
Are these email accounts compromised, is it a cPanel logging failure (I know that some time ago the cPanel log contained various erroneous data for a long time, but I don't know whether it has been fixed or whether regressions have occurred), or is it something else entirely (how could normal users visit from CloudFlare IPs)?
Thanks!
-
Forgot to mention that we are using LiteSpeed as the web server, but I don't think this is relevant, as all the suspicious use cases involve normal cPanel ports (2095 and 2096). Also, these cases relate to domains hosted on 2 different cPanel servers.
-
I have found in the cPanel log a 4th email address that has, on the same day, webmail activity from CloudFlare and from the customer's normal IP. The CF access is on the secured webmail port, 2096 (so again not on a subdomain). This domain also has no relation to CloudFlare.
Generally speaking, we don't find so many email compromises in such a short time, so this seems like a cPanel log problem. Or maybe there's a 3rd explanation that I know nothing about.
-
Hey there! Just so I'm clear about what is happening here: you see IP addresses from Cloudflare accessing the Webmail ports on the server, but they aren't IPs you recognize, AND the domains they are connected to are not themselves behind Cloudflare? Does that all sound right?
-
I am seeing webmail use from CloudFlare IPs on domains that are not behind CloudFlare.
-
I'm really not sure - this sounds like it would be a good question for Cloudflare. They do have a VPN product:
https://www.cloudflare.com/products/zero-trust/vpn-replacement/
which would explain a user accessing something from a Cloudflare IP. Even if the domain itself were behind Cloudflare, I wouldn't expect traffic *to* webmail to show as that network.
-
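The check the original poster describes (Cloudflare source addresses on the Webmail ports for domains that are not behind Cloudflare) and the follow-up about a mailbox seen on the same day from a Cloudflare IP and from the customer's own IP can both be run mechanically over the access log. The script below is an added example, not code from this thread or from cPanel. It assumes the line layout of /usr/local/cpanel/logs/access_log shown in the comment (in particular that the trailing quoted fields carry the host and port), embeds a snapshot of Cloudflare's published IPv4 proxy ranges from https://www.cloudflare.com/ips-v4 that must be refreshed before use, and runs over constructed sample lines. It goes slightly beyond the posts by also listing accounts that mix Cloudflare and non-Cloudflare sources on one day, which is the fourth case described above.

```python
import ipaddress
import re
from collections import defaultdict

# Snapshot of Cloudflare's published IPv4 proxy ranges (https://www.cloudflare.com/ips-v4).
# Assumption: this list is current; refresh it from that URL before relying on a miss.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_V4]

# The two Webmail ports the thread is about: 2095 (plain HTTP) and 2096 (TLS).
WEBMAIL_PORTS = {"2095", "2096"}

# Assumed layout of an access_log line (the trailing host/port fields are the assumption):
# IP - user [timestamp] "request" status bytes "referer" "user-agent" "o" "-" "host" "port" "-"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<flag>[^"]*)" "(?P<unused>[^"]*)" "(?P<host>[^"]*)" "(?P<port>[^"]*)" "(?P<tail>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one access_log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_cloudflare(ip):
    """True when the address falls inside one of the embedded Cloudflare ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CF_NETS)


def domain_of(user):
    """Mail domain of a Webmail login such as alice@example.tld (None for system users)."""
    return user.split("@", 1)[1].lower() if "@" in user else None


def find_suspicious(lines, cf_domains):
    """Webmail hits from Cloudflare IPs whose mail domain is not known to be behind Cloudflare."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["port"] not in WEBMAIL_PORTS:
            continue
        if not is_cloudflare(rec["ip"]):
            continue
        if domain_of(rec["user"]) in cf_domains:
            continue
        hits.append((rec["user"], rec["ip"], rec["port"], rec["ts"]))
    return hits


def mixed_source_days(lines):
    """(user, day) pairs where one mailbox used Webmail from both a Cloudflare and a non-Cloudflare IP."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["port"] not in WEBMAIL_PORTS:
            continue
        day = rec["ts"].split(":", 1)[0]  # "12/Mar/2024" from "12/Mar/2024:08:15:02 +0000"
        seen[(rec["user"], day)].add(is_cloudflare(rec["ip"]))
    return sorted(key for key, kinds in seen.items() if kinds == {True, False})


# Constructed sample lines (not real traffic). 203.0.113.10 is a documentation address;
# 104.16.1.1 and 172.64.1.1 sit inside Cloudflare's published ranges.
SAMPLE_LOG = [
    '104.16.1.1 - alice@example.tld [12/Mar/2024:08:15:02 +0000] "GET /cpsess1/webmail/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "o" "-" "server.example.tld" "2096" "-"',
    '203.0.113.10 - alice@example.tld [12/Mar/2024:09:40:11 +0000] "GET /cpsess2/webmail/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "o" "-" "www.example.tld" "2095" "-"',
    '172.64.1.1 - bob@cdn-customer.tld [12/Mar/2024:10:02:45 +0000] "GET /cpsess3/webmail/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "o" "-" "server.example.tld" "2096" "-"',
    '104.16.1.1 - root [12/Mar/2024:10:05:00 +0000] "GET /cpsess4/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "o" "-" "server.example.tld" "2087" "-"',
]
CF_DOMAINS = {"cdn-customer.tld"}  # domains you know are proxied through Cloudflare

if __name__ == "__main__":
    for user, ip, port, ts in find_suspicious(SAMPLE_LOG, CF_DOMAINS):
        print(f"webmail from Cloudflare IP: {user} {ip} port {port} at {ts}")
    for user, day in mixed_source_days(SAMPLE_LOG):
        print(f"mixed sources on one day: {user} {day}")
```

On a real server, pass the open log file as `lines` and fill `CF_DOMAINS` from the zones whose nameservers or A records point at Cloudflare. A match only says the source address is in Cloudflare's published proxy space; it cannot tell a compromised mailbox apart from a legitimate user whose traffic egresses through a Cloudflare product such as the VPN mentioned in the reply above, so treat the output as a shortlist for checking the mailbox's own login history and resetting credentials, not as proof of compromise.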
What about something like this?