Checking #Lastpass saved sites for #Cloudflare with #Powershell. #Cloudbleed #Infosec

So as everyone already knows there was a huge leak of data for months for websites who use Cloudflare services. To make my changing of passwords a bit easier, and more focused / targeted I put together a little setup to check all of my Lastpass saved sites for Cloudflare name servers.

First I exported my Lastpass information to a .txt format from their website export feature.

Then I used a quick and dirty parsing -replace feature of powershell to clean it up:

$newdata = (gc last_pass_sites.txt) -replace '^.*?https?://(.*?)/.*', '$1'
$newdata >> new_sites.txt

This wasn't perfect and i had to manually clean up about 4 or 5 sites that did not contain the trailing "/" on their website. But wasn't enough to make me want to tweak the code above. This is a quick method to check all these sites so I just manually fixed about 5 entries.

Next I performed a Whois against each of the sites, and spit out which sites that matched the word "CLOUDFLARE" in the whois data. Here is the code below:

function check-cloudflare{
$web = New-WebServiceProxy ‘http://www.webservicex.net/whois.asmx?WSDL’
$sites = get-content C:\users\forgo\Desktop\newsites.txt
foreach ($site in $sites){
	$sitewhois = $web.GetWhoIs("$($site)")
	if ($sitewhois -match "CLOUDFLARE"){
		write-host "!!!!!! $($site) Uses Cloudflare !!!!!!"
	}
}
}

The output looks like:

PS C:\users\forgo\Desktop> check-cloudflare
!!!!!! wallhaven.cc Uses Cloudflare !!!!!!
!!!!!! leenk.me Uses Cloudflare !!!!!!
!!!!!! nostarch.com Uses Cloudflare !!!!!!
!!!!!! experts-exchange.com Uses Cloudflare !!!!!!
!!!!!! pocketnow.com Uses Cloudflare !!!!!!

This allowed me to focus on websites that I know for a fact I have used, and have a saved password for in Lastpass. Obviously this is not a fix all solution but definitely helped me get these site passwords changed FIRST.

Cheers!