Is This Response from DigitalOcean Abuse Sane?
raindog308
Administrator, Veteran
in General
I have a server which saw a bunch of scans...I'm sure you see them the same in your web logs.
I looked up the IP and saw it was DigitalOcean, so I raised an abuse report.
They replied:
Thank you for your report. We've determined that this activity is originating from a customer that provides Internet scanning or cybersecurity reporting services. No further action has been taken from our side and this ticket will be closed.
I x'd out the originating IPs but they're DO.
x.x.x.x - - [25/Feb/2026:21:15:53 -0800] "\x16\x03\x01\x05\xE0\x01\x00\x05\xDC\x03\x03\xF6\xD2\xA6\xF3+\xB7O3\xD9\xD9}\xB9\xBC\xA6\x04g\xD2*xd\x04\xEA\xCB\xF2\xF4H" 400 150 "-" "-"
x.x.x.x - - [25/Feb/2026:21:15:53 -0800] "LEAKIX" 400 150 "-" "-"
x.x.x.x - - [25/Feb/2026:21:15:53 -0800] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:15:54 -0800] "GET /server HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:15:55 -0800] "GET /server-status HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:15:57 -0800] "GET /about HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:15:58 -0800] "GET /login.action HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:15:59 -0800] "GET /v2/_catalog HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:00 -0800] "GET /.DS_Store HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:01 -0800] "GET /.env HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:03 -0800] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:05 -0800] "GET /.git/config HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:06 -0800] "POST /graphql HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:06 -0800] "POST /api HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:07 -0800] "POST /api/graphql HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:07 -0800] "POST /graphql/api HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:08 -0800] "POST /api/gql HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:08 -0800] "GET /s/4353e28363e28373e253/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:09 -0800] "GET /config.json HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:11 -0800] "GET /telescope/requests HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:11 -0800] "GET /info.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:12 -0800] "GET /.well-known/security.txt HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:13 -0800] "GET /actuator/env HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:15 -0800] "GET /swagger-ui.html HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:16 -0800] "GET /swagger/index.html HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:17 -0800] "GET /swagger/swagger-ui.html HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:18 -0800] "GET /webjars/swagger-ui/index.html HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:19 -0800] "GET /swagger.json HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:20 -0800] "GET /swagger/v1/swagger.json HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:21 -0800] "GET /v2/api-docs HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:22 -0800] "GET /v3/api-docs HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:23 -0800] "GET /api-docs/swagger.json HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:24 -0800] "GET /api/swagger.json HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:25 -0800] "GET /@vite/env HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:26 -0800] "GET /.vscode/sftp.json HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:27 -0800] "OPTIONS / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:28 -0800] "GET /?rest_route=/wp/v2/users/ HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
x.x.x.x - - [25/Feb/2026:21:16:29 -0800] "GET /debug/default/view?panel=config HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"

Comments
Money speaks
I also did a similar abuse report when the react exploit happened and they replied within 3 days after the complaint:
"Thank you for submitting your abuse complaint. We have reviewed the details and actioned the associated account. The issue has been resolved to the best of our knowledge. We appreciate your efforts in helping to clean up the internet! Please continue to report any abuse you come across so that we can create a better and safer online space together."
I reported the IP as malware btw
Well, this is the customer: https://leakix.net/
I don't find the DO response unreasonable, they host lots of crap but this is not that bad.
I reported them even to Hetzner, as I can see they are still up and running.
Can be considered annoying but at least it isn't scanning with "malicious" intentions in mind, shodan, censys also do the same thing.
@Netralex probing networks is still illegal by law, and in case you didn't check that website, you may try now by adding /reports on that URL.
Depends on the jurisdiction. Also don't see anything wrong with the /reports page, all outdated fixed issues.
/reports/1fe0780b-bb88-4c23-96a1-b40733126942
Yes, outdated. Then why did they try to exploit German banks?
Blacklist needed.
It would be unreasonable for DigitalOcean to actually do something about it. They're #1 scanning/bruteforcing traffic. They don't give a shit so long as the customer pays.
Check https://knock-knock.net/ 😉
Did you explain to them you were raindog308 of LET/LEB fame? Might make a difference.
Yes, censys also scanned me.
OK, so what is their purpose?
If they discovered that I have some vulnerable software or setup...what do they do? I'm not a customer of theirs. I'm not asking them to scan me.
If they're a legitimate company, then presumably they're not going to say "aha, this server has a vulnerability we can exploit, let's hack it".
What do they do if they find something exploitable?
Are they going to contact me and say "we wish to offer you our services"? If so...how?
In this case, I hadn't turned off the nginx default server, which is where all this shows up. The only other site on the box is https basic auth'd. I think the only info they could get would be my IP.
@raindog308 censys can be blocked easily or you can request to be delisted. Others just ignore you.
https://docs.censys.com/docs/opt-out-of-data-collection
It's a financially sane response, there's not much one can do to punish them.
Bad publicity on LET/LEB will not hurt them, they can live with it.
I personally block their AS numbers. I noticed most traffic from DO is bruteforce, scanbot, vpn, etc.
I don't know which one you're using, but this keeps those suckers out of your iddlers:
Nginx:
if ($http_user_agent ~* (l9scan|leakix|nuclei|zgrab)) {
    return 444; # "444 Connection Closed Without Response" - very efficient
}
Apache:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(l9scan|leakix|nuclei).* [NC]
RewriteRule ^(.*)$ - [F,L]
Thanks gemini not me
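To check what the user-agent rules above would and would not match on a log like the one in the opening post, here is an added example (not part of any post in this thread). The sample lines are constructed, the addresses are documentation ranges, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Combined log format. The request field stays raw: scanners also send non-HTTP bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*)" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
REQ_RE = re.compile(r'^[A-Z]+ (?P<path>\S+) HTTP/\d(?:\.\d)?$')
# Same tokens as the nginx rule quoted in the thread.
SCANNER_UA = re.compile(r'l9scan|leakix|nuclei|zgrab', re.I)

# Constructed sample modelled on the opening post (not the poster's real log).
UA = "Mozilla/5.0 (l9scan/2.0.4353e28363e28373e253; +https://leakix.net)"
TS = "[25/Feb/2026:21:15:53 -0800]"
SAMPLE = "\n".join([
    rf'192.0.2.10 - - {TS} "\x16\x03\x01\x05\xE0\x01\x00" 400 150 "-" "-"',
    rf'192.0.2.10 - - {TS} "LEAKIX" 400 150 "-" "-"',
    rf'192.0.2.10 - - {TS} "GET /.env HTTP/1.1" 301 162 "-" "{UA}"',
    rf'192.0.2.10 - - {TS} "GET /.git/config HTTP/1.1" 301 162 "-" "{UA}"',
    rf'198.51.100.7 - - {TS} "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11)"',
])

def triage(log_text):
    """Bucket hits: matched by the UA rule, non-HTTP probes without a UA, everything else."""
    out = {"ua_match": defaultdict(list), "non_http": [], "other": [], "unparsed": []}
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            out["unparsed"].append(line)
            continue
        req = REQ_RE.match(m["req"])
        if SCANNER_UA.search(m["ua"]):
            out["ua_match"][m["ip"]].append(req["path"] if req else m["req"])
        elif req is None:
            # TLS ClientHello on the plain-HTTP port, or a bare banner token.
            out["non_http"].append((m["ip"], m["status"]))
        else:
            out["other"].append((m["ip"], req["path"]))
    return out

def unlabelled_scanner_ips(result):
    """IPs whose UA-less probes come from a source that also sent a scanner UA."""
    return {ip for ip, _ in result["non_http"] if ip in result["ua_match"]}

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(dict(r["ua_match"]), r["non_http"], unlabelled_scanner_ips(r))
```

The two 400 lines carry no user agent, so a user-agent rule never sees a match for them; correlating by source address is what ties them to the same scan.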
I remember my old old server being scanned from leakix and censys but I'll just ignore them since it's background noise. Maybe I should also drop censys IP ranges from the firewall level.
Just return them 1G of file. Be evil.
So they're researching vulnerabilities, fine.
But how does it help them to know that I'm vulnerable if I am?
Unless out of the kindness of their hearts they're going to look up my IP and contact my provider...skeptical.
Just put some reasonably looking content in one of the files they scan for, and see what happens?
They sell your data for $$$.
https://account.shodan.io/billing
It isn't.
I just started blocking DO in both my Firewall and CloudFlare since they're possibly not going to stop this themselves.
Knowing what percentage of those sampled have the issue is research.
The benefit they get doesn't need to benefit you, directly, in their eyes.
Thank you for saving me some time, I was trying to achieve a similar goal (report their IP addresses to them). And they are asking me to send them log files and shit, then I saw this post, I should have given up instead.
I mean, I shouldn't waste my time reporting to them, seems like no action is going to be taken against their own.
As for LeakIX, I am pretty sure they send abuse complaints to network operators about severe vulnerabilities. I remember seeing their name pop up before. If so, I think this is good because it's better for the customer to know before their service gets compromised.
I have read a little bit about Censys. Their primary objective is to map all services on the Internet, much like Shodan, and in doing so, they may also identify vulnerabilities.
The data is used as part of research projects: https://zakird.com/papers/censys-2025.pdf
It can be used in academia to identify potential impacts of new CVEs, track software adoption by geographic region, and find potential attack vectors that botnets have used, among other uses. Vulnerabilities are just one of many data points these tools usually collect.
If it is proven to be operated by a legitimate company, I do not think they should be taken down. You can assume that attackers with less-than-good intentions already have their own databases and access to the same data as these legitimate companies. There are also likely a multitude of private companies that do the same thing and run their own databases, publishing no data (unlike Censys, LeakIX, Shodan, or GreyNoise) and being far more secretive; it is not that hard to do with ZMap. At least some companies are using the data for academic research or responsible disclosure, and simple Internet scanning is not against US law.
The difference between these companies and attackers is that attackers attempt to exploit vulnerabilities, while legitimate companies use metadata to infer the possibility of a vulnerability.
They are researchers. They aren't scanning you personally because they care about your website, but because they want to map security-related events on the internet. That information is then given to researchers who write papers whose results are used by policy makers, threat attribution companies, etc.
You can usually opt-out if you want.
You may benefit from it indirectly. By mapping the same internet the same way the blackhats map it, they can head them off. No human is going to directly look at the result of the scan of your website. It's just going to be used for statistics so a researcher can quickly look up stuff like "what AS hosts the most WP sites older than version X?".
Just from the URLs themselves, most of them don't seem to be likely targets for attacking, just endpoints that are likely to uniquely identify particular software and versions.
Probably it's enough to know whether endpoints exist without any attempt at authentication to distinguish between different software.