What’s up with the Cloudflare message on my AWS site?

Asked By CuriousCoder42 On

I've been using an AWS Linux machine for a couple of years now, and recently I ran into some issues accessing it—everything was just really slow. Then I received a message that looked like it was from Cloudflare, mentioning some unusual traffic from my IP. I've never even signed up for Cloudflare, since I'm using Route 53 for DNS. The message prompted me to enter a strange command into the terminal, which was piping some weird string into a base64 decoder and then into bash. A window popped up asking for my password to install a helper application—I definitely wasn't going to do that! After that, I rebooted my Mac to get rid of the popup. I also rebooted my Linux machine, and now everything seems fine. So what was going on?

5 Answers

Answered By PhishingPhantom On

This sounds like one of those fake captcha scams going around. If your server is serving that kind of traffic, there's a chance it could be compromised. Plus, if you ran that command, your local machine might not be safe either.

Answered By SecuritySavvy On

I've heard of scams where fake Cloudflare messages trick users into running commands to 'validate' their systems. The real Cloudflare doesn’t ask for anything like that. Your server might have been compromised, especially if you got that message while trying to access your own site.

Answered By CautiousCarl On

It seems like a phishing scam impersonating Cloudflare. Check your security logs and recent access records just in case your server's been compromised. Consider beefing up your security with a Web Application Firewall (WAF) and keep your system updated to fend off threats like this.

Answered By TechieTommy On

It sounds like something really sketchy is going on. If you haven't installed anything unusual, that message could be a sign that someone's trying to steal your credentials or hijack your services. I'd suggest you terminate that instance and start fresh for safety's sake.

CuriousCoder42 -

The only thing I updated was "sudo yum update". I found out that this removed the PHP module from Apache, but I reinstalled it and things seem okay now. Still, the whole Cloudflare message is concerning.

Answered By SkepticalSid On

This definitely feels like a malware attempt. If you're getting Cloudflare notifications without even using them, that's a huge red flag. Plus, asking you to enter terminal commands? You should always be suspicious in those situations!
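For the server-side check suggested in the answers above, here is an added example (not posted by anyone in this thread) that scans web-served files for the lure the question describes, a string piped through a base64 decoder into a shell, and decodes the string for review without running it. The function names, file suffixes and sample page are assumptions constructed for illustration.

```python
import base64
import re
import sys
from pathlib import Path

# A base64 decode step whose output is piped straight into a shell.
DECODE_TO_SHELL = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"
)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def find_lures(text):
    """Return (line_number, decoded_payload_or_None) for each matching line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DECODE_TO_SHELL.search(line)
        if not m:
            continue
        decoded = None
        # Decode (never execute) the first valid base64 token before the pipe.
        for tok in B64_TOKEN.findall(line[:m.start()]):
            try:
                raw = base64.b64decode(tok, validate=True)
                decoded = raw.decode("utf-8", "replace")
                break
            except ValueError:
                continue
        hits.append((n, decoded))
    return hits

def scan_tree(root, suffixes=(".html", ".htm", ".js", ".php")):
    """Scan files under a web root (path supplied by the caller)."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_lures(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample: a harmless payload wrapped the way the question describes.
SAMPLE_PAYLOAD = "echo constructed-sample"
ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_PAGE = "\n".join([
    "<h1>Verify you are human</h1>",
    "<p>Unusual traffic detected from your IP.</p>",
    f'<code>echo "{ENCODED}" | base64 -d | bash</code>',
])

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_lures(SAMPLE_PAGE))
```

This only catches the command when it appears in plain text in a served file; a lure assembled by obfuscated script will not match, so an empty result does not by itself show the server is clean.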
