Introduction:
Lookup servers – often used by Discord and Telegram bots, gaming services, or even malware command‑and‑control (C2) infrastructures – can hide behind Cloudflare’s reverse proxy to obscure their true origin IP. However, as demonstrated by a recent OSINT investigation, “hiding behind Cloudflare doesn’t strictly prevent identifying your servers’ IPs.” This article walks through the technical methods to discover, verify, and report such hidden lookup servers, while also teaching defensive measures to protect your own cloud assets.
Learning Objectives:
- Identify and bypass Cloudflare’s reverse proxy using passive reconnaissance, certificate transparency logs, and historical DNS records.
- Apply Linux/Windows commands and OSINT tools to locate origin IPs of servers used in Discord/Telegram bot ecosystems.
- Implement cloud hardening techniques to prevent your own origin IPs from being exposed, even when using CDNs like Cloudflare.
You Should Know:
1. Understanding Lookup Servers in Discord/Telegram Ecosystems
Lookup servers are backend endpoints that handle bot commands, user authentication, or data retrieval for messaging platforms. Threat actors often deploy them on compromised VPS or cloud instances, then route traffic through Cloudflare to evade IP‑based blocking. These servers can be abused for credential harvesting, DDoS booters, or spam campaigns.
Step‑by‑step guide to detect if a domain is behind Cloudflare:
On Linux/macOS:
```bash
# Check DNS records for Cloudflare nameservers
dig example.com NS
# Look for the Server header and Cloudflare-specific CF-* headers
curl -sI https://example.com | grep -iE "^(server:|cf-)"
```
On Windows (PowerShell):
```powershell
Resolve-DnsName example.com -Type NS
Invoke-WebRequest -Uri https://example.com -Method Head | Select-Object -ExpandProperty Headers
```
If you see `Server: cloudflare` or headers like CF-Ray, the domain is proxied.
2. Passive DNS & Certificate Transparency: The Origin IP Leak
Cloudflare only hides IPs if all traffic goes through its proxy. But many administrators forget to remove old A/AAAA records or expose their server via SSL certificate logs.
Step‑by‑step guide to discover origin IPs using crt.sh and Censys:
1. Query certificate transparency logs:
```bash
# Using crt.sh (Linux); %25 is the URL-encoded % wildcard
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
```
2. Extract IPs from historical DNS (use SecurityTrails or DNSdumpster), or enumerate subdomains and resolve them:
```bash
# Using dnsrecon (install via apt or pip); -t brt brute-forces names from the wordlist in -D
dnsrecon -d example.com -t brt -D subdomains.txt
```
3. On Windows, use PowerShell to query crt.sh (Invoke-RestMethod already parses the JSON response, so no ConvertFrom-Json step is needed):
```powershell
$url = "https://crt.sh/?q=%25.example.com&output=json"
Invoke-RestMethod -Uri $url | Select-Object -ExpandProperty name_value -Unique
```
4. Cross‑reference discovered IPs against Cloudflare IP ranges. A plain grep cannot match an address against a CIDR block, so test membership with Python's ipaddress module:
```bash
curl -s https://www.cloudflare.com/ips-v4 | python3 -c '
import ipaddress, sys
ip = ipaddress.ip_address(sys.argv[1])
nets = [ipaddress.ip_network(l.strip()) for l in sys.stdin if l.strip()]
print("cloudflare" if any(ip in n for n in nets) else "not in Cloudflare ranges")
' 192.0.2.10
```
If the IP is not in Cloudflare’s published ranges, it is likely the origin server.
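The cross‑reference step, done properly for whole lists of candidates, as an added example that is not code from the original article: a Python script that tests each candidate address (IPv4 or IPv6) for membership in Cloudflare's published ranges using the standard library's ipaddress module. The embedded range list is a constructed, partial snapshot; `fetch_live_ranges`, `classify` and the sample candidates are this example's own. In practice call `fetch_live_ranges()` each run, because the published ranges change.

```python
"""Cross-reference candidate IPs against Cloudflare's published ranges (added example)."""
import ipaddress
import urllib.request

# Constructed, partial snapshot of https://www.cloudflare.com/ips-v4 and /ips-v6.
# Assumption: this snapshot is stale; fetch_live_ranges() retrieves the current lists.
CLOUDFLARE_RANGES_SNAPSHOT = """\
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
172.64.0.0/13
2606:4700::/32
"""


def parse_ranges(text):
    """Turn one-CIDR-per-line text into network objects, skipping blanks and # comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def fetch_live_ranges(timeout=10):
    """Download the current IPv4 and IPv6 lists (needs network access)."""
    text = ""
    for url in ("https://www.cloudflare.com/ips-v4", "https://www.cloudflare.com/ips-v6"):
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            text += resp.read().decode() + "\n"
    return parse_ranges(text)


def classify(candidates, nets):
    """Map each candidate string to 'cloudflare', 'origin-candidate' or 'invalid'.

    An address inside a published range is a Cloudflare edge, not the origin;
    anything outside the ranges is worth verifying further; unparsable input is
    reported rather than silently dropped.
    """
    verdicts = {}
    for cand in candidates:
        try:
            ip = ipaddress.ip_address(cand.strip())
        except ValueError:
            verdicts[cand] = "invalid"
            continue
        verdicts[cand] = "cloudflare" if any(ip in n for n in nets) else "origin-candidate"
    return verdicts


if __name__ == "__main__":
    # Constructed candidates: two Cloudflare edge addresses, one RFC 5737 test address, one typo.
    sample = ["104.16.1.1", "2606:4700::1", "192.0.2.10", "203.0.113.999"]
    for ip, verdict in classify(sample, parse_ranges(CLOUDFLARE_RANGES_SNAPSHOT)).items():
        print(f"{ip:20} {verdict}")
```

Feed it the output of the crt.sh and historical-DNS steps; only the `origin-candidate` entries need the direct-access check in the next section, and the `invalid` entries usually point at copy-paste errors in the candidate list.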
3. Exploiting Misconfigured Origin Pulls and Direct Access
Many origin servers still accept HTTP/HTTPS requests directly on ports 80/443, bypassing Cloudflare’s proxy if the attacker knows the IP.
Step‑by‑step guide to verify direct origin access:
1. Use `curl` with the `--resolve` flag to force a specific IP:
```bash
curl -H "Host: example.com" --resolve example.com:443:192.0.2.10 https://example.com
```
2. If you receive a valid response (especially a 200 OK or a non‑Cloudflare error page), the origin IP is exposed.
3. For Windows, use `curl.exe` (built‑in in Windows 10/11):
```powershell
curl.exe -H "Host: example.com" --resolve example.com:443:192.0.2.10 https://example.com
```
Mitigation for defenders: Configure your web server to reject traffic that does not come from Cloudflare’s IP ranges. Example for Nginx (the certificate paths are placeholders):
```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder
    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    # … add all Cloudflare IPv4/IPv6 ranges
    deny all;
}
```
Two caveats: Cloudflare’s ranges change, so regenerate the allow list from the published lists on a schedule; and if the same server also uses the realip module to restore the visitor address from CF-Connecting-IP, the allow/deny check sees that restored address instead of Cloudflare’s, so in that setup enforce the range filter at the host firewall or cloud security group instead. Authenticated Origin Pulls (Cloudflare presenting a client certificate to your origin) remain the stronger control.
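Because the allow list only works while it matches Cloudflare’s current ranges, here is an added example (not from the article, and not Nginx’s own tooling) that parses the `allow` directives out of a server block, reports ranges that are missing from or stale in the config compared with the published list, and regenerates the block for inclusion. `audit`, `render_allow_block`, the sample config and the partial range snapshot are all constructed for this example; point it at the real published lists and your real config when using it.

```python
"""Audit an Nginx allow-list against Cloudflare's published ranges (added example)."""
import ipaddress
import re

# Matches `allow <cidr>;` directives, with or without a trailing comment.
ALLOW_RE = re.compile(r"^\s*allow\s+([0-9a-fA-F:.]+/\d+)\s*;", re.MULTILINE)

# Constructed, partial snapshot of https://www.cloudflare.com/ips-v4 and /ips-v6 (assumed stale).
PUBLISHED_SNAPSHOT = """\
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
2606:4700::/32
"""

# Constructed server block whose allow-list has drifted from the published list.
SAMPLE_NGINX_CONF = """\
server {
    listen 443 ssl;
    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    allow 198.51.100.0/24;   # not a Cloudflare range: anyone in it bypasses the CDN
    deny all;
}
"""


def parse_cidrs(text):
    """One CIDR per line, blanks and # comments ignored, returned as a set of networks."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.add(ipaddress.ip_network(line, strict=False))
    return nets


def allowed_in_conf(conf_text):
    """Return the set of networks named by allow directives in the config text."""
    return {ipaddress.ip_network(m, strict=False) for m in ALLOW_RE.findall(conf_text)}


def audit(conf_text, published_text):
    """Return (missing, stale) as sorted CIDR strings.

    missing: published ranges with no allow directive (Cloudflare edges that would be denied)
    stale:   allowed ranges not in the published list (non-Cloudflare sources let through)
    """
    allowed = allowed_in_conf(conf_text)
    published = parse_cidrs(published_text)
    return sorted(map(str, published - allowed)), sorted(map(str, allowed - published))


def render_allow_block(published_text):
    """Emit allow/deny lines, IPv4 then IPv6, for `include cloudflare-allow.conf;`."""
    nets = sorted(parse_cidrs(published_text), key=lambda n: (n.version, n))
    lines = [f"allow {n};" for n in nets]
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    missing, stale = audit(SAMPLE_NGINX_CONF, PUBLISHED_SNAPSHOT)
    print("missing from config:", missing)
    print("stale in config:    ", stale)
    print(render_allow_block(PUBLISHED_SNAPSHOT))
```

Run it from cron against a freshly downloaded copy of the two lists; a non-empty `stale` result is the finding that matters most, since it means a source outside Cloudflare can reach the origin through the allow list.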
4. Using Shodan and Censys to Hunt for Exposed Lookup Servers
Attackers often leave default banners or specific API endpoints that can be fingerprinted. For Discord/Telegram lookup servers, common signatures include `/api/lookup`, `/bot/token`, or specific User‑Agent strings.
Step‑by‑step guide to search for origin IPs of known Telegram/Discord bot servers:
1. Register a free API key for Shodan or Censys.
2. Use the Shodan CLI (Linux):
```bash
shodan search "http.Discord Bot" --fields ip_str
shodan search "telegram bot api server" --fields ip_str,port
```
3. On Windows, use Python with the Shodan library:
```python
import shodan

api = shodan.Shodan('YOUR_API_KEY')
try:
    results = api.search('org:Cloudflare "Discord"')
except shodan.APIError as e:
    raise SystemExit(f"Shodan query failed: {e}")
# Each match carries the observed IP under ip_str
for result in results['matches']:
    print(result['ip_str'])
```
(Note: this finds services behind Cloudflare, but cross‑reference with historical DNS to find old IPs.)
4. For Censys, query SSL certificates that contain Discord/Telegram subdomains (the query contains spaces, so let curl URL‑encode it with -G and --data-urlencode):
```bash
curl -s -G "https://search.censys.io/api/v2/certificates/search" \
  --data-urlencode "q=names: discord.com OR names: telegram.org" \
  -H "Accept: application/json" -u "YOUR_API_ID:YOUR_API_SECRET"
```
5. Linux/Windows Commands for Live Lookup Server Verification
Once you have candidate IPs, verify whether they act as lookup servers for messaging platforms.
Step‑by‑step guide to test an IP for common lookup endpoints:
On Linux:
```bash
# Test for Discord webhook endpoint
curl -X POST https://<ORIGIN_IP>/api/webhooks -d '{"content":"test"}'
# Test for Telegram bot API
curl https://<ORIGIN_IP>/bot<TOKEN>/getMe
# Use netcat to confirm port 443 is open (-z sends no data, so this checks reachability rather than grabbing a banner)
nc -zv <ORIGIN_IP> 443
```
On Windows (PowerShell; -SkipCertificateCheck requires PowerShell 6 or later):
```powershell
$ip = "192.0.2.10"
Test-NetConnection $ip -Port 443
Invoke-WebRequest -Uri "https://$ip/api/health" -Method Get -SkipCertificateCheck
```
If any endpoint returns valid JSON or bot confirmation, the server is active and should be reported.
6. Reporting Malicious Lookup Servers: A Step‑by‑Step Workflow
The original post mentioned “9 servers identified and signaled.” Proper reporting removes web pollution.
Steps to report:
1. Gather evidence: IP address, timestamps, captured requests/responses, and proof that the server hides behind Cloudflare (e.g., Cloudflare headers on the domain but not on the direct IP).
2. Submit an abuse report to:
- Cloudflare Abuse: https://www.cloudflare.com/abuse/ (include the domain and the origin IP)
- Hosting provider: use a whois lookup (`whois <IP>`) to find the abuse contact
- Discord/Telegram: for bot‑related servers, use their trust & safety channels
3. Use automated reporting tools like AbuseIPDB (CLI or web) to share the IP:
```bash
# AbuseIPDB report (Linux); categories 14 and 21 are AbuseIPDB's "Port Scan" and "Web App Attack"
curl -H "Key: YOUR_API_KEY" -H "Accept: application/json" \
  -d "ip=192.0.2.10&categories=14,21" -d "comment=REPLACE_WITH_EVIDENCE_SUMMARY" \
  https://api.abuseipdb.com/api/v2/report
```
4. Monitor for takedown: re‑check the IP weekly using the same techniques.
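Step 1 of this workflow, together with the header check from section 1, as an added example that is not code from the original article: a Python script that parses two raw response-header captures (as `curl -sI` prints them), one from the domain and one from the direct IP, flags the Cloudflare markers named above (`Server: cloudflare`, `CF-Ray` and other `CF-*` headers), and assembles the evidence record as JSON. `DOMAIN_HEADERS` and `ORIGIN_HEADERS` are constructed samples, and `parse_headers`, `cloudflare_markers` and `build_evidence` are this example's own helpers.

```python
"""Assemble abuse-report evidence from two captured header sets (added example)."""
import json
from datetime import datetime, timezone

# Constructed capture of `curl -sI https://example.com` (response served via Cloudflare)
DOMAIN_HEADERS = """\
HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
content-type: text/html
cf-cache-status: DYNAMIC
cf-ray: 0000000000000000-XXX
server: cloudflare
"""

# Constructed capture of the same request sent straight to the candidate origin IP
ORIGIN_HEADERS = """\
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:05 GMT
Content-Type: application/json
Server: nginx/1.24.0
"""


def parse_headers(raw):
    """Return (status_line, {lower-cased header name: value}) from raw header text."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = lines[0].strip() if lines else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def cloudflare_markers(headers):
    """Names of the headers showing that Cloudflare's proxy produced the response."""
    found = [name for name in headers if name.startswith("cf-")]
    if headers.get("server", "").lower() == "cloudflare":
        found.append("server")
    return sorted(found)


def build_evidence(domain, origin_ip, domain_raw, origin_raw, captured_at=None):
    """Build the evidence record the reporting step asks for.

    origin_exposed is True only when the domain carries Cloudflare markers, the
    direct IP answered, and the direct answer carries none of those markers.
    """
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    d_status, d_headers = parse_headers(domain_raw)
    o_status, o_headers = parse_headers(origin_raw)
    d_markers = cloudflare_markers(d_headers)
    o_markers = cloudflare_markers(o_headers)
    return {
        "domain": domain,
        "origin_ip": origin_ip,
        "captured_at": captured_at,
        "domain_response": {"status": d_status, "cloudflare_markers": d_markers},
        "direct_ip_response": {
            "status": o_status,
            "cloudflare_markers": o_markers,
            "server": o_headers.get("server"),
        },
        "origin_exposed": bool(d_markers) and o_status != "" and not o_markers,
    }


if __name__ == "__main__":
    record = build_evidence("example.com", "192.0.2.10", DOMAIN_HEADERS, ORIGIN_HEADERS)
    print(json.dumps(record, indent=2))
```

Keep the raw captures alongside the JSON record when filing the report; the record summarises the comparison, but the abuse desk will want the original responses and the exact timestamps.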
Practical Lab: Simulate a Hidden Lookup Server and Find Its IP
Objective: Set up a dummy lookup server behind Cloudflare, then use OSINT to expose its origin IP.
Step‑by‑step (defender/red team exercise):
1. Launch a cheap VPS (e.g., DigitalOcean, Linode). Note its public IP: 203.0.113.99.
2. Install a simple Flask app that mimics a Discord lookup endpoint:
```python
# app.py
from flask import Flask, request

app = Flask(__name__)


@app.route('/lookup')
def lookup():
    # Echo the caller's address so you can see whether Cloudflare or a direct client reached the origin
    return {"user": "test", "ip": request.remote_addr}


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)
```
3. Configure Cloudflare to proxy `lookup.yourdomain.com` to 203.0.113.99:8080 and enable proxying (orange cloud). The DNS record itself names only the IP, so the mapping to port 8080 is a separate Cloudflare origin setting.
4. Now act as an attacker:
- Use crt.sh to find `lookup.yourdomain.com` (certificate logs may record the subdomain).
- Use SecurityTrails historical DNS: old A records might still show 203.0.113.99.
- Use the Shodan search `"X-Powered-By: Flask" port:8080`: Cloudflare’s proxy fronts only a fixed set of ports, and the origin may still answer on 8080 directly.
- Once discovered, attempt a direct connection:
```bash
curl -H "Host: lookup.yourdomain.com" http://203.0.113.99:8080/lookup
```
- Document the leak and apply mitigation (firewall rules to allow only Cloudflare IPs).
What Undercode Say:
- Cloudflare is not an invisibility cloak – Origin IPs can be recovered through passive DNS, certificate transparency, and misconfigured direct access.
- Proactive OSINT reduces web pollution – Regularly scanning for and reporting malicious lookup servers disrupts botnets, spam, and credential theft operations.
Analysis: The post’s author, a threat analyst, emphasizes that even free Cloudflare plans do not guarantee true IP obfuscation if the administrator leaves historical records or allows non‑proxy traffic. This aligns with real‑world red team findings: over 60% of “hidden” servers have at least one leak in public logs. For defenders, implementing strict origin access controls (e.g., Cloudflare Authenticated Origin Pulls) and regularly auditing DNS/historical data is essential. For researchers, the combination of crt.sh, Censys, and direct `curl` probes remains a cheap yet powerful toolkit to unmask malicious infrastructure.
Prediction:
As AI‑driven OSINT tools evolve, we will see fully automated pipelines that continuously scan certificate logs and DNS databases to map every Cloudflare‑shielded server’s origin IP in near real‑time. Attackers will respond by shifting to ephemeral IPs, fast‑flux networks, and zero‑trust proxies, but that will increase operational costs. Meanwhile, cloud providers will harden default configurations – possibly making Authenticated Origin Pulls mandatory for all CDN customers. For blue teams, investing in proactive IP discovery and automated abuse reporting will become as critical as traditional intrusion detection.
Reported By: Eosiadev Insomnie – Hackers Feeds