CloudFlare IP in cPanel log for non-CF domains

Comments

6 comments

  • AndyB

    Forgot to mention we are using LiteSpeed as a web server but I don't think this is relevant as all the suspicious use cases involve normal cPanel ports (2095 and 2096). Also these cases relate to domains hosted on 2 different cPanel servers.

    0
  • AndyB

    I have found in the cPanel log a 4th email address that has in the same day webmail activity from CloudFlare and from the customer normal IP. The CF access is on the secured webmail port, 2096 (so again not on subdomain). And this domain also has no relation to CloudFlare.

    Generally speaking we don't find so many email compromises in such a short time so this seems like a cPanel log problem. Or maybe there's a 3rd explanation that I know nothing about.

    0
  • cPRex Jurassic Moderator

    Hey there!  Just so I'm clear about what is happening here, you see IP addresses from Cloudflare accessing the Webmail ports on the server, but they aren't any IPs you recognize AND the domains they are connected to are not themselves behind Cloudflare?  Does that all sound right?

    0
  • AndyB

    I am seeing webmail use from CloudFlare IPs on domains that are not behind CloudFlare.

    0
  • cPRex Jurassic Moderator

    I'm really not sure - this sounds like it would be a good question for Cloudflare.  They do have a VPN product:

    https://www.cloudflare.com/products/zero-trust/vpn-replacement/

    which would explain a user accessing something from a Cloudflare IP.  Even if the domain itself was behind Cloudflare, I wouldn't expect traffic *to* webmail to show as that network.

    0
  • cPRex Jurassic Moderator

    What about something like this?

    https://cybersecuritynews.com/cloudflare-warp-hijack/

    0
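The check AndyB describes (webmail activity on ports 2095/2096 from Cloudflare IPs against domains that are not behind Cloudflare, and the same mailbox seen from both a Cloudflare IP and the customer's normal IP on one day) can be scripted so it runs over exported log lines instead of being spotted by eye. The following Python is an added example and is not code from the thread or from cPanel; it assumes a constructed log line format (`ip user [timestamp] "request" status host:port`), a constructed allow-list of domains known to be behind Cloudflare, and a short sample of Cloudflare CIDRs that in practice should be refreshed from Cloudflare's published lists rather than hard-coded.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of Cloudflare CIDRs. In production, load the current lists
# that Cloudflare publishes (ips-v4 / ips-v6) instead of hard-coding them.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32")
]

# Domains on this server that are legitimately proxied through Cloudflare (constructed).
DOMAINS_BEHIND_CF = {"cfsite.example"}

# cPanel webmail ports mentioned in the thread (2095 plain, 2096 TLS).
WEBMAIL_PORTS = {2095, 2096}

# Constructed log format: ip user [timestamp] "request" status host:port
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<host>[^:\s]+):(?P<port>\d+)$'
)


@dataclass
class Finding:
    user: str
    ip: str
    host: str
    port: int
    day: str
    reason: str


def is_cloudflare_ip(ip: str) -> bool:
    """True if ip falls in one of the configured Cloudflare ranges (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_RANGES)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["day"] = rec["ts"][:11]  # e.g. "12/Mar/2024"
    return rec


def scan(lines, cf_domains=DOMAINS_BEHIND_CF):
    """Flag webmail logins from Cloudflare IPs on domains that are not behind Cloudflare."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] not in WEBMAIL_PORTS:
            continue
        if not is_cloudflare_ip(rec["ip"]):
            continue
        if rec["host"] in cf_domains:
            continue  # proxied domain: outside this check, review separately
        findings.append(Finding(rec["user"], rec["ip"], rec["host"], rec["port"], rec["day"],
                                "webmail login from Cloudflare IP on non-Cloudflare domain"))
    return findings


def users_with_mixed_sources(lines):
    """Users seen on the same day from both a Cloudflare IP and a non-Cloudflare IP."""
    seen = defaultdict(set)  # (user, day) -> set of {True, False} Cloudflare-origin flags
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] not in WEBMAIL_PORTS:
            continue
        seen[(rec["user"], rec["day"])].add(is_cloudflare_ip(rec["ip"]))
    return {user for (user, _day), origins in seen.items() if origins == {True, False}}


# Constructed sample log: one customer IP login, one Cloudflare-IP login on a
# non-proxied domain, one on a proxied domain, one non-webmail port, one IPv6 case.
SAMPLE_LOG = """\
203.0.113.10 alice@shop.example [12/Mar/2024:10:15:01 +0000] "POST /login/ HTTP/1.1" 200 shop.example:2096
104.16.5.7 alice@shop.example [12/Mar/2024:14:02:33 +0000] "GET /webmail/ HTTP/1.1" 200 shop.example:2096
172.64.1.9 bob@cfsite.example [12/Mar/2024:15:40:12 +0000] "GET /webmail/ HTTP/1.1" 200 cfsite.example:2095
198.51.100.4 carol@other.example [12/Mar/2024:16:01:45 +0000] "GET / HTTP/1.1" 200 other.example:2083
2606:4700::1234 dave@mail.example [12/Mar/2024:18:22:09 +0000] "POST /login/ HTTP/1.1" 200 mail.example:2095
this line is not in the expected format
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.day} {f.user} from {f.ip} on {f.host}:{f.port}: {f.reason}")
    print("mixed-source users:", users_with_mixed_sources(SAMPLE_LOG.splitlines()))
```

A Cloudflare source address on its own is not proof of compromise, since, as the moderator notes, a user on Cloudflare's WARP/VPN product will also egress from Cloudflare space; the mixed-source list is the more useful signal, because it isolates mailboxes whose owner should be asked whether they were using such a client that day.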