According to my CloudFlare firewall logs, somebody went through each of my subdomains. My website is not advertised, it doesn't even show on Google unless typing the exact domain name into it. I think I know where they found it listed, though.
Fortunately, the connections were refused by CloudFlare due to the client using Tor, I had already blocked it. It would appear that they gave up at this point as no further log entries appeared. They were apparently using Curl, according to the user agent supplied in the logs.
The person went through each of my valid subdomains, starting with the database. Excluding cPanel, Webmail and my FTP; I assume the reason for this is because they knew full well that the login for those services would be secure. So they were looking for an insecure vector.
I have since taken measures to stealth the restricted services, including the default ones provided by the web host.
Can somebody please explain to me how exactly this unscrupulous fella found my CNAMES? And does it thus qualify that he also knows the A Records?
Thanks!