New on LowEndTalk? Please Register and read our Community Rules.
Comments
ROFLMAO
https://bitninja.io/wp-login.php?redirect_to=https://bitninja.io/wp-admin/&reauth=1
CAN SOMEONE GIVE THEM A ROUND OF APPLAUSE?
They probably sent pingdom an email too for making a speed test.
plz don't abdullkarem attack me
abulla pigi pogi karem. you're done
From our perspective as both a network operator and datacentre owner, we just delete everything coming from bitninja.io.
We receive dozens of 'complaints' from them about 'attacks', but each time I have seen one, I've pulled the netflow data for that IP to try to corroborate the complaint. Looking at the alleged time of attack, I see no outbound port 80 traffic directed anywhere. Even if I look at the full 24 hours before and after the alleged attack, there is still no port 80 traffic.
So if the attack was alleged to be against a webserver on port 80, then I absolutely should be able to see the same traffic on our netflow data.
Additionally, making someone click a link to go to their website to see the report is bad form; no one is going to click around and spend their time to get the data. Most of us automate complaint handling.
In my opinion Bitninja has zero credibility and should be disregarded until such time as it can be proven to provide reliable reports.
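The corroboration step described in the post above (pull the flow records for the reported source IP, look for traffic to the reported port in a window around the alleged time) as an added example; this is not code from the thread or from any of the companies mentioned. The flow records are constructed sample data whose column names (ts, sa, da, sp, dp, pr, ipkt, ibyt) loosely follow an nfdump CSV export; the addresses are RFC 5737 documentation ranges and the complaint details are assumed for the illustration.

```python
"""Check an abuse complaint against flow records (added example).

Given the complained-about source IP, the alleged attack time and the
alleged destination port, return the flows that would corroborate it.
An empty result is the basis for rejecting the report; a non-empty one
gives exact timestamps and volumes to forward to the customer.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. The (assumed) complaint alleges a port-80
# attack from 203.0.113.10 at 2015-10-28 09:15:00. The records show that
# host doing only DNS and SSH, while an unrelated host talks to port 80.
SAMPLE_FLOWS = """ts,sa,da,sp,dp,pr,ipkt,ibyt
2015-10-28 09:10:02,203.0.113.10,198.51.100.53,41233,53,UDP,1,72
2015-10-28 09:14:55,203.0.113.10,198.51.100.22,50112,22,TCP,40,5120
2015-10-28 09:15:01,203.0.113.77,198.51.100.80,51000,80,TCP,300,24000
2015-10-29 11:00:00,203.0.113.10,198.51.100.53,41300,53,UDP,1,70
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
COMPLAINT_IP = "203.0.113.10"                      # assumed complaint
ALLEGED_AT = datetime(2015, 10, 28, 9, 15, 0)      # assumed complaint


def parse_flows(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["ts"], TS_FORMAT),
            "sa": row["sa"],
            "da": row["da"],
            "sp": int(row["sp"]),
            "dp": int(row["dp"]),
            "pr": row["pr"],
            "ipkt": int(row["ipkt"]),
            "ibyt": int(row["ibyt"]),
        })
    return rows


def corroborate(flows, src_ip, alleged_at, dst_port=80,
                window=timedelta(hours=24)):
    """Flows from src_ip to dst_port within +/- window of alleged_at."""
    lo, hi = alleged_at - window, alleged_at + window
    return [
        f for f in flows
        if f["sa"] == src_ip and f["dp"] == dst_port and lo <= f["ts"] <= hi
    ]


def summarize(flows, src_ip, alleged_at, window=timedelta(hours=24)):
    """Packets per destination port sent by src_ip inside the window.

    Useful when the complaint is about one port: it shows what the host
    actually did, so a report about port 80 can be compared against, say,
    nothing but DNS and SSH.
    """
    lo, hi = alleged_at - window, alleged_at + window
    by_port = {}
    for f in flows:
        if f["sa"] == src_ip and lo <= f["ts"] <= hi:
            by_port[f["dp"]] = by_port.get(f["dp"], 0) + f["ipkt"]
    return by_port


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = corroborate(flows, COMPLAINT_IP, ALLEGED_AT)
    print(f"port-80 flows from {COMPLAINT_IP} around {ALLEGED_AT}: {len(hits)}")
    print("what that host actually sent, by destination port:",
          summarize(flows, COMPLAINT_IP, ALLEGED_AT))
```

The 24-hour window matches the post's check; widen it or change `dst_port` to match whatever the report actually alleges, and remember that a flow export only shows what passed the exporting router, so a host behind NAT or traffic that never crossed that device will not appear.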
I am afraid I will get an abuse notice if I click it
But, but they sell popcorn!
You don't like popcorn. We'll remember that.
I clicked it with no referrer. We might lose internet tomorrow!
Not if you pay for bitninja
That's exactly what we need.
Hi all,
I have returned, so I had time to analyze. So far I have only got 1 IP, from agoldenberg.
Thank you for the IP. He did not allow me to publish the IP or the report here, so I cannot share it, but here are the details I have found about that IP:
Originally the IP was greylisted because of these logs:
*******.hu ..214.10 - - [ +0100] "GET /wp-admin/network/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3924 "-" "-"
*******.hu ..214.10 - - [ +0100] "GET /wp-content/uploads/2015/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3931 "-" "-"
*******.hu ..214.10 - - [ +0100] "GET /wp-includes/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3923 "-" "-"
*******.hu ..214.10 - - [ +0100] "GET /wp-includes/images/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3931 "-" "-"
*******.hu ..214.10 - - [ +0100] "GET /wp-includes/simplepie/parse/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3923 "-" "-"
*******.hu ..214.10 - - [ +0100] "GET /wp-includes/images/smilies/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3924 "-" "-"
Then we received more than 350 malicious requests from 2015-10-27 11:24:11 to 2015-10-30 11:24:26 on 18 different servers belonging to different customers, in geographically totally different places like Canada, the USA, Greece, Hungary, the Netherlands, etc. It is impossible, and also makes no sense, to forge this traffic. Many of the incidents were collected from Apache logs on customers' servers, not by our honeypot system. We have sent 2 incident reports about this IP.
According to their website, agoldenberg provides WordPress hosting. I have found this post in their Twitter feed: 'We are aware of an ongoing attack against our servers. We are working to resolve it.' (Oct 2). I don't know if this has any relationship with the requests we captured, but one thing is sure: BitNinja-protected servers have no such problems, and the abdullkarem attack can cause traffic overload problems like this.
..214.10 - - [ -0400] "GET /wp-includes/simplepie/net/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 508 7287 "-" "-"
..214.10 - - [ -0700] "GET /wp-admin/network/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 20854 "-" "-"
..214.10 - - [ -0400] "GET /wp-content/uploads/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 403 - "-" "-"
****.com/wp-includes/simplepie/content/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1
*Url: [***.gr/wp-content/themes/yakimabait/download.php?file=./wp-config.php]
***.gr/wp-content/force-download.php?file=../wp-config.php
***.org/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
***.gr/wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php
***.gr/wp-content/themes/markant/download.php?file=../../wp-config.php
***.biz/wp-admin/
Do you guys really not see the value of this report? It helps a lot to trace down the infection and clean the infected WPs. We even plan to enhance the free version of BitNinja with a module to auto-trace such infections.
Your broken English is such a worry.
I don't understand why you can't understand this..
It is your responsibility to delete the reports we send you to forward to your clients.
Please send me one such IP, and let's find out why you cannot see the same traffic. Why would we send fake incidents? It just makes no sense! And of course there are cases when you cannot see the traffic with netflow, like in the case of HTTPS. In our incident reports we include many kinds of incidents. They are not only incidents about port 80, so be careful about that.
The incident report page is a live view of the incoming incidents. So if there are new requests captured, you can see them within 2 seconds. This helps one to trace the attacks.
We are also ready to integrate. Please contact me in private about the details.
I admit, this is an interesting situation, so I would like to find out what has happened. Please send me the IP anyway!
We provide server security for more than 500 servers, and there are about 3000 IPs. If you send us a mail, we can send you the uncovered reports, and the IPs too. But it makes no sense to publish our users' IPs..
If you have a report you believe is a false positive, send it to me, and I can help you find out what happened. Blaming us for false reports without sending an IP is useless I think.
Can you answer this please. @bitninja_george
Hi
The last request we received from that IP was this:
Url: [****.com/2014/10/101-recipes-leftover-turkey/]
Agent: [Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)]
It is interesting to receive such a request from a server.. The user agent says:
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1
I guess the IP has been reassigned, or you used a browser when you reinstalled your server, opened websites and one was actually on a server hosted by one of our clients. Do you run Windows on that server? When exactly did you get the server back online?
Come on man, my grandma could find your site. http://foodconstrued.com/2014/10/101-recipes-leftover-turkey/
Are you going to look at what crap that site's loading? http://tools.pingdom.com/fpt/#!/d7hQnx/http://foodconstrued.com/2014/10/101-recipes-leftover-turkey/
I guess pingdom got their emails now too.
Carry on.
When you say "you" are you referring to me or @agoldenburg
I only ask because what you said makes no sense if you're referring to me, once again proving my point that you don't read, don't understand simple questions and can't understand simple English..
Not sure if you're trolling or not, one would hope not for the sake of professionalism..
http://www.useragentstring.com/Internet Explorer9.0_id_16282.php
https://user-agents.me/browser/mozilla50-compatible-msie-90-windows-nt-61-wow64-trident50-visasoe
Something as simple as a user agent string should not confuse you..
Sorry, I mean agoldenburg..
You (ATHK) have not sent me an IP, so I cannot help answering your question.
It does not work like this. If an IP is on the global greylist, we capture requests from it for a while. In the case of pingdom, they are on a special system whitelist, so don't worry, they won't get an abuse report.
There you go.
I thought agoldenberg asked me this: 'I just got a report on one of my IPs this morning. The server that has the IP assigned has been offline for 2 days'...
Of course we do not trust user agent.
I see a lot of confusion about our reports, so I decided to create detailed documentation about it soon.
I am not native as you probably guessed. :-)
My team and I will spend 3 months in London, as we have been invited to the CylonLab accelerator program. (https://cylonlab.com/) I hope it will help improve my English too :-)
I've told you multiple times now, that I'm not having an issue with false reports from Bitninja.. Why do I have to repeat myself over and over.. Do you not understand this?
What is your primary tongue? I'll translate it for you..
@bitninja_george I don't run any Windows servers at all. Not a single one. You said the last incident you saw on that IP was in October, yet you sent me a report in December on the same IP? Still bullshit.
@bitninja_george the incident you are referencing from twitter was a DDoS attack against our main shared hosting server. Had nothing to do with infiltration of the server itself.
I mean, all they know in their little world is Apache and WordPress; what do you expect from such a company?
Then 90% of what they do with their application can be done with fail2ban and some rulesets.
Exactly...the "attack" logs he posted...I easily block those every day with a simple fail2ban filter.
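As an added example of the "simple fail2ban filter" idea in the last two comments, applied to the two kinds of request that appear in the incident report posted earlier in the thread (the system.php probes carrying abdullkarem=1, and the download.php?file=../wp-config.php disclosure attempts): this code is not BitNinja's, fail2ban's or any poster's. It parses Apache combined-format access-log lines, matches them against those two signatures and bans a source after maxretry hits within findtime seconds, the same sliding-window rule a fail2ban jail uses. The log lines are constructed to match the shape of the ones posted above, with RFC 5737 addresses; the vhost-less paths, thresholds and signature names are assumptions.

```python
"""Fail2ban-style detection of the WordPress probes seen in the thread (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
ACCESS_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

# Signature 1: the scanner's fingerprint is the query parameter, not the path,
# which changes with every request (/wp-admin/network/, /wp-includes/, ...).
ABDULLKAREM = re.compile(r'/system\.php\?\S*?[?&]abdullkarem=1(?:&|$)')
# Signature 2: "download" scripts fed a traversal that ends in wp-config.php
# (matches download.php, force-download.php and direct_download.php alike).
WPCONFIG_LFI = re.compile(
    r'download\.php\?file=(?:\.{1,2}/)*wp-config\.php', re.IGNORECASE)
SIGNATURES = {"abdullkarem": ABDULLKAREM, "wpconfig-download": WPCONFIG_LFI}
# Roughly the same thing as a fail2ban filter.d failregex would be:
#   failregex = ^<HOST> .*"GET \S*/system\.php\?\S*[?&]abdullkarem=1
#               ^<HOST> .*"GET \S*download\.php\?file=(?:\.{1,2}/)*wp-config\.php

# Constructed sample log (shape copied from the thread, addresses from RFC 5737).
Q = "450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1"
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [28/Oct/2015:11:24:11 +0100] "GET /wp-admin/network/system.php?{Q} HTTP/1.0" 404 3924 "-" "-"',
    f'203.0.113.10 - - [28/Oct/2015:11:24:12 +0100] "GET /wp-content/uploads/2015/system.php?{Q} HTTP/1.0" 404 3931 "-" "-"',
    f'203.0.113.10 - - [28/Oct/2015:11:24:13 +0100] "GET /wp-includes/system.php?{Q} HTTP/1.0" 404 3923 "-" "-"',
    '198.51.100.7 - - [28/Oct/2015:11:30:00 +0100] "GET /wp-content/force-download.php?file=../wp-config.php HTTP/1.1" 200 2815 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Oct/2015:13:30:00 +0100] "GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [28/Oct/2015:11:31:05 +0100] "GET /2014/10/101-recipes-leftover-turkey/ HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
    '192.0.2.44 - - [28/Oct/2015:11:31:06 +0100] "GET /wp-includes/system.php?foo=1 HTTP/1.1" 404 3923 "-" "Mozilla/5.0"',
])


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], APACHE_TIME)
    return rec


def classify(url):
    """Name of the first signature matching the request URL, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(url):
            return name
    return None


def scan(log_text, maxretry=3, findtime=600):
    """Return (banned, hits).

    hits   : {ip: [(time, signature), ...]} for every matching request.
    banned : {ip: [signatures]} for sources with maxretry matches inside any
             findtime-second window, which is fail2ban's ban condition.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sig = classify(rec["url"])
        if sig:
            hits[rec["host"]].append((rec["time"], sig))
    banned = {}
    for ip, events in hits.items():
        events.sort()
        for i in range(len(events) - maxretry + 1):
            span = (events[i + maxretry - 1][0] - events[i][0]).total_seconds()
            if span <= findtime:
                banned[ip] = sorted({s for _, s in events})
                break
    return banned, dict(hits)


if __name__ == "__main__":
    banned, hits = scan(SAMPLE_LOG)
    for ip, sigs in banned.items():
        print(f"ban {ip}: {', '.join(sigs)} ({len(hits[ip])} hits)")
```

Note what the two thresholds do with the sample: the three abdullkarem probes a second apart trip the default maxretry=3/findtime=600 immediately, while the two wp-config.php attempts two hours apart do not; a jail tuned for slow probing (maxretry=2, findtime=86400) catches the second host as well. The request for /wp-includes/system.php?foo=1 is not matched, because the signature keys on the parameter and not on the path.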