althttpd and Cloudflare source IPs
(1) By sodface on 2020-08-30 13:42:01 [source]
I use althttpd and had my public site configured to serve content from the default.website directory. I noticed on a google search that my content was showing up in search results under a different domain name that I do not own. Browsing that domain was exactly like browsing my real domain. Updates I made to my site were instantly visible in the imposter domain.
I changed from default.website to the specific domain format and now browsing to the imposter domain results in a 404 being returned, as expected. So that was a quick mitigation.
In reviewing the server logs I determined that all the source IPs belonged to Cloudflare. Also, looking at the html source from the returned 404 page, there's a script tag in the head that references "CloudflareApps".
If I'm interpreting it correctly, it seems whoever owns the imposter domain has it configured to resolve to a Cloudflare proxy and is then somehow returning my domain content. It's not just a redirect so far as I can tell by looking at the developer's tools in Firefox.
Beyond changing from default.website, do you have any suggestions on additional action? Seems like I could drop all Cloudflare IP ranges at my firewall without blocking legitimate traffic?
(2) By sodface on 2020-08-30 14:58:21 in reply to 1 [link] [source]
I'm now thinking that maybe the imposter domain used the same hosting provider I do, was using cloudflare as a reverse proxy and then abandoned the domain / stopped paying the provider and I've received their old IP address. If they never updated their cloudflare account then I guess they could still be pointing at the server ip now assigned to me. I've submitted a ticket with cloudflare.