Untitled (pasted by a guest, Aug 3rd, 2020)
Dear Provider,

I’m George Egri, the Co-Founder and CEO of BitNinja Server Security. I’m writing to inform you that we have detected malicious requests from the IP 137.74.157.84 directed at our clients’ servers.

As a result of these attacks, we have added your IP to our greylist to prevent it from attacking our clients’ servers.

Servers are increasingly exposed as the targets of botnet attacks, and you might not be aware that your server is being used as a “bot” to send malicious attacks over the Internet.

I've collected the 3 earliest logs below, and you can find the freshest 100, which may help you disinfect your server, at the link below. The timezone is UTC +1:00.
http://bitninja.io/incidentReport.php?details=c4dc16324f60e54112?utm_source=incident&utm_content=publicpage
  15.  
Url: [hamidaapc.com/web.config.txt]
Headers: [array (
'BN-Client-Port' => '50959',
'Accept-Language' => 'en-US,en;q=0.5',
'Origin' => 'http://hamidaapc.com',
'DNT' => '1',
'Referer' => 'http://hamidaapc.com',
'BN-X-Forwarded-Port' => '',
'X-Forwarded-Port' => '80',
'Accept-Encoding' => 'gzip, deflate',
'BN-Frontend' => 'waf-http',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.9.0',
'BN-X-Forwarded-Proto' => '',
'X-Forwarded-Proto' => 'http',
'Host' => 'hamidaapc.com',
'BN-TP-Proto' => 'http',
'BN-TP-Clientip' => '137.74.157.84',
'BN-TP-Dstip' => '88.198.62.98',
'BN-TP-Dstport' => '80',
'BN-X-Forwarded-For' => '',
'X-Forwarded-For' => '137.74.157.84',
)]
Matched: [
ModSecurity id: [930130] revision [1]
msg [Restricted File Access Attempt]
match [Matched "Operator `PmFromFile' with parameter `restricted-files.data' against variable `REQUEST_FILENAME' (Value: `/web.config.txt' )]
logdata [Matched Data: /Web.config found within REQUEST_FILENAME: /web.config.txt]
severity [CRITICAL]

Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt
]

Url: [endommc.com/?p=291]
Remote connection: [137.74.157.84:50195]
Headers: [array (
'Host' => 'endommc.com',
'Connection' => 'Keep-Alive',
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2834.76 Safari/537.36',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'DNT' => '1',
'Referer' => 'http://endommc.com/',
'Origin' => 'http://endommc.com',
)]
Get data: [Array
(
[p] => 291
)
]

Url: [airwaysoffice.com/airasia-bangladesh-sales-office/]
Remote connection: [137.74.157.84:48284]
Headers: [array (
'Host' => 'airwaysoffice.com',
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.9.2',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'DNT' => '1',
'Referer' => 'https://airwaysoffice.com/',
'Origin' => 'https://airwaysoffice.com',
'BN-Frontend' => 'captcha-https',
'X-Forwarded-Port' => '443',
'X-Forwarded-Proto' => 'https',
'BN-Client-Port' => '53049',
'X-Forwarded-For' => '137.74.157.84',
)]

Please keep in mind that after the first intrusion we log all traffic between your server and the BitNinja-protected servers until the IP is removed from the greylist. This means you may see valid logs beside the malicious actions in the link above. If you need help finding the malicious logs, please don’t hesitate to contact our incident experts by replying to this e-mail.

For more information on analyzing and understanding outbound traffic, check out this:
https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg?utm_source=incident&utm_campaign=investigation&utm_content=image

We’ve also dedicated an entire site to help people prevent their servers from sending malicious attacks:
https://doc.bitninja.io/investigations.html?utm_source=incident&utm_campaign=investigation&utm_content=documentation

Thank you for helping us make the Internet a safer place!

Regards,

George Egri
CEO at BitNinja.io

BitNinja.io @ BusinessInsider UK
BitNinja.io hits the WHIR.com
BitNinja @ CodeMash conference
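The three records in the e-mail above mix one genuine WAF rule match (CRS rule 930130 adding 5 to the LFI anomaly score) with two requests that were merely logged because the IP was already greylisted. The following Python script is an added example, not BitNinja's code or tooling: it splits a report in this record format into entries, pulls out the ModSecurity rule IDs, severities and inbound anomaly scores, separates entries that matched a rule from entries that were only logged, and re-implements the case-insensitive substring check that `@pmFromFile restricted-files.data` performs against `REQUEST_FILENAME` (which is why `/web.config.txt` trips a rule written for `/web.config`). The sample report text is constructed in the shape of the records above, and the restricted-file list is an assumed small subset of the kind of entries that file holds.

```python
"""Triage helper for incident-report entries in the format shown above.

Added example, not BitNinja's code. Pulls the WAF matches and anomaly
scores out of each entry and separates real rule hits from the plain
traffic that is logged once an IP is on the greylist.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the report entries above (not a real capture).
SAMPLE_REPORT = """Url: [hamidaapc.com/web.config.txt]
Headers: [array (
'Host' => 'hamidaapc.com',
'X-Forwarded-For' => '137.74.157.84',
)]
Matched: [
ModSecurity id: [930130] revision [1]
msg [Restricted File Access Attempt]
match [Matched "Operator `PmFromFile' with parameter `restricted-files.data' against variable `REQUEST_FILENAME' (Value: `/web.config.txt' )]
logdata [Matched Data: /Web.config found within REQUEST_FILENAME: /web.config.txt]
severity [CRITICAL]

Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt
]
Url: [endommc.com/?p=291]
Remote connection: [137.74.157.84:50195]
Headers: [array (
'Host' => 'endommc.com',
)]
Get data: [Array
(
[p] => 291
)
]
"""

# Assumed subset of the kind of paths CRS keeps in restricted-files.data
# (the real list is much longer; this is illustration only).
RESTRICTED_FILES = ["/.htaccess", "/.htpasswd", "/web.config", "/wp-config.php"]


@dataclass
class Entry:
    url: str
    client: str       # attacking IP as recorded in the entry
    rules: list       # (rule id, msg, severity) per ModSecurity match
    score: int        # total inbound anomaly score, 0 if no match block
    categories: dict  # per-category scores, e.g. {"LFI": 5, ...}


def split_entries(report):
    """One chunk per record; every record starts with a 'Url: [' line."""
    return [c for c in re.split(r"(?m)^(?=Url: \[)", report) if c.strip()]


def parse_entry(chunk):
    url = re.search(r"^Url: \[(.*?)\]$", chunk, re.M).group(1)
    # Client IP comes from X-Forwarded-For behind the WAF front end, or from
    # the Remote connection line when no forwarding header is present.
    m = (re.search(r"'X-Forwarded-For' => '([^']+)'", chunk)
         or re.search(r"Remote connection: \[([^:\]]+)", chunk))
    client = m.group(1) if m else ""
    rules = [(int(r.group(1)), r.group(2), r.group(3)) for r in re.finditer(
        r"ModSecurity id: \[(\d+)\].*?msg \[(.*?)\].*?severity \[(\w+)\]", chunk, re.S)]
    score, categories = 0, {}
    s = re.search(r"Total Inbound Score: (\d+) - ([^)]*)\)", chunk)
    if s:
        score = int(s.group(1))
        categories = {k: int(v) for k, v in (p.split("=") for p in s.group(2).split(","))}
    return Entry(url, client, rules, score, categories)


def triage(report):
    """Return (entries that matched a WAF rule, entries that were only logged)."""
    entries = [parse_entry(c) for c in split_entries(report)]
    return [e for e in entries if e.rules], [e for e in entries if not e.rules]


def request_filename(url):
    """Equivalent of ModSecurity's REQUEST_FILENAME: path only, no host, no query."""
    path = url.split("/", 1)[1] if "/" in url else ""
    return "/" + path.split("?", 1)[0]


def restricted_file_hit(path, restricted=RESTRICTED_FILES):
    """Case-insensitive substring match, as @pmFromFile does for rule 930130.
    Returns the matching list entry, or None."""
    lowered = path.lower()
    return next((n for n in restricted if n.lower() in lowered), None)


if __name__ == "__main__":
    attacks, logged = triage(SAMPLE_REPORT)
    for e in attacks:
        print(f"ATTACK {e.client} -> {e.url} rules={e.rules} score={e.score} {e.categories}")
        print("  restricted file:", restricted_file_hit(request_filename(e.url)))
    for e in logged:
        print(f"LOGGED {e.client} -> {e.url} (no rule match; may be legitimate traffic)")
```

Run against the full 100-entry report from the incident link, the `logged` list is the noise the e-mail warns about and the `attacks` list is what the provider needs to trace back to a compromised site or process on the server.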