Cloudflare Fails To Stop Hacking

After all my website get hacked. WTH is this.

I am in trouble.

 

Cloudflare can only do so much to stop common attacks. But if you don't update your site or patch the holes, there are nothing Cloudflare can do.
Contact your Web hosting to see if there is any old backup around, do a clean install of your site w/ the latest version of your scripts and import old DB data from there. G'luck.

 

Are you looking for some sort of advice to fix or secure it? or are you just making a general statement? If you are looking for advice you have to bring in some more details.

 

CloudFlare is not a security system, only a reverse proxy. You may want to install mod_rpaf with mod_security and a decent ruleset on the backend to help protect your site.

 

Do you use a script like WordPress for your site?

 

My webhost is saying , please do not install your website here. Go anywhere, host is securesignup.net. Even they are not uploading my old backup to check the website with sucuri.

There DDOS protection is just for fun or whatever.

No, it is not like wordpress.

 

@humtuma,

Poorly configured, yes. It is just for fun. CloudFlare would need to be configured properly in order to effectively protect your site. They can handle quite a bit of traffic though. What script does your website use?

 

No, i have select the High security. They can control traffic but hacking they failed. I have ask this to cloudflare and they told ask your webhost.

 

Have you any stats on the attacks? Protocols, pps, etc? With Layer7 attacks it's best to use a cloud service. My company has been with vistnet for over a year now and these guys seem to be able to deal with anything that gets thrown at them so far. True, more expensive, but then you don't really expect to get real protection for free, do you?

 

So does anyone know what kind of "hack" it was? was it an intrusion, did they gain root, SQL injection, or did they exploit a vulnerability in a script? You can have all the boundary protection in the world, but if you have code with holes in it then you are an easy target.

OP, explain the attack - i.e. how do you know it was an attack, if you are running windows/Linux, php, etc. and give your site so we can see if it has know vulnerable code.

 

Cloudflare can't prevent the hack itself. What it does is:
1. block potential hackers by identifying them before they reach your site.
2. showing a cached copy of your site when it is down.

Also, you have to have your own backups, since your hosting provider may not have them updated.

 

I do not know more about hacking. According to my webhost , my hosting account get hacked and emails are sending through my email. My website get blacklisted and come in spamhaus. Below is my cloudflare message (unable to quote)...............

Hello cloudflare.com Abuse Desk,
This is an automated message from the Spamhaus Block List (SBL) database to advise you that the IP below has been added to sbl.spamhaus.org: IP/cidr: 108.162.198.96 Problem: spam redirectors at yourwebsite.com SBL Ref: SBL174400 The reason for listing the IP address(es) is explained at the url: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL174400 If you have already taken care of this problem and the spammer is no longer operating any domains/sites/servers in 108.162.198.96 you can send a removal request for record SBL174400 by emailing: <mailto:sbl-removals@spamhaus.org?subject=SBL174400_108.162.198.96_SR08> Note that your email must tell us how the spam problem has been terminated (we need to know exactly how the issue has been dealt with and that this spam problem is fully terminated) Please always include "SBL174400 SR08" in the Subject of any emails to sbl-removals@spamhaus.org regarding this listing. SBL System Robot The Spamhaus Project http://www.spamhaus.org ------------------------------------------------------------------------ You can review all current SBL listings concerning your network here: http://www.spamhaus.org/sbl/listings.lasso?isp=cloudflare.com ------------------------------------------------------------------------ You are receiving this notification because you are the designated abuse contact for your network. If you do not want to be alerted whenever IPs on your network are listed in the SBL, please advise us by contacting <mailto:sbl-autonotify@spamhaus.org?subject=STOP_Notify_cloudflare.com> ------------------------------------------------------------------------ ISP Abuse Desk Resources.....: http://www.spamhaus.org/isp Spamhaus Block List (SBL)....: http://www.spamhaus.org/sbl Exploits Block List (XBL)....: http://www.spamhaus.org/xbl Register Of Known Spammers...: http://www.spamhaus.org/rokso ------------------------------------------------------------------------ Please address this issue with your customer. Regards, CloudFlare Abuse

Code (markup):

 

Okay, that may not technically be a "hack". Someone is just using your SMTP connection to forward mail. Best thing to do right now is to check if your server is an open relay. here are some sites you can use.

http://www.mailradar.com/openrelay/
http://www.antispam-ufrj.pads.ufrj.br/
http://www.checkor.com/

These tools should shed light on the issue... if not then it could be the script or service you are using. Do you have to have mail enabled? What email server are you using i.e. sendmail, phpmail, hmailserver, etc.?

 

As i check, port is aborted. Than how it is open connection. And your other websites are not working.

 

Since port 25 and the alternate 587 are closed, then it could be a script you are using on your site. I assume you have a PHP script - if so use phpinfo() (how to use it is here: http://php.net/manual/en/function.phpinfo.php) to see what type of mail software is installed. You will want to look for the sendmail function and disable_functions for more information.

Do you have access to webmin or similar?

You should be able to look into your logs and see what IP is connection and forwarding mail.

 

What you want to ask, please ellaborate.

After hack. My account get suspend.

How to see log, when i am not able to login at that time. I have already ask them for IP address but they didn't.

 

@humtuma with your account suspended it is impossible to resolve the issue. You will have to get your account re-enabled and access to logs before your site can be protected.

 

I'm having issues with CloudFlare as well due to a matter of my very own. I've emailed CloudFlare to ask that they give up the host provider of Encyclopedia Dramatica in order to file an abuse complaint their way, so they emailed me "srsvps.com" as their host name. While that may indeed be their current host, I know that is run by the same people who run ED and therefore I've asked CloudFlare to tell me who hosts srsvps.com, as they too are hiding behind CloudFlare. I've had to write to CloudFlare so many times now telling them the same things over and over again as if I were a parrot, because they keep giving me crap about how they need a reason to give me the host name of srsvps.com, when I've just flipping gave them one, two, maybe even several logical reasons why I require the host name. The quicker I can get the host name of ED, the sooner I can have the necessary complaints sent off.

They seem unwilling to help me on this matter. Maybe there will be nothing I nor anyone else with a quarrel can do. Plus, if ED really are in Romania after all, it will be harder to get the matter dealt with due to their barring of DMCA notifications and the like.

CloudFlare better watch out, for they too could be breaking the law.

 

CloudFlare will not protect you well from things like MySQL injections - it just blocks DDoS until a certain degree. I recommend to always keep your server and CMS updated and use mod_security with a current ASL (AtomiCorp) rulset.

 

Hi,
Cloudflare is to boost your DNS/CDN and has some security features, You can connect to your servers real IP via direct.yourdomain.com, direct-connect.yourdomain.com, and all your mail servers details are out their meaning more then likely your servers IP, if your interested I can help you secure your website, pm me for details. Or I would suggest you A get a email server or email service so you dont use your own server, and setup cloudflare correctly to mask your real server ip and examine logs and your code.