Bitninja Abuse Reports

agoldenberg Member, Provider

Has anyone ever received any of these?

I keep getting these against the main IP of one of my shared hosting servers. The IP in question is only used for the root domain and I have had several techs look through the logs for any traffic to where they are claiming to be receiving malicious packets.

Does anyone have any experience with these people?

I'd like to have someone take a look through my server who has experience with this garbage and nip it in the bud.

Thanks guys!


Comments

  • I get them quite a bit, something about Google Maps API abuse, and it's normally someone scanning for exploits on an IP range

    Thanked by 1doghouch
  • agoldenberg Member, Provider

    Thing is there is 0 outbound or inbound to any of their servers! We've checked all the logs countless times and yet still nothing.

  • What logs have you checked? Do you have full packet / netflow logs?

  • They're not credible. I've seen a bunch of people's providers taking those clowns seriously.

    Go give Vultr(referral) a try. | GNU/Linux http://debian.org

  • linuxthefish Member
    edited November 2015

    What does it say you are listed for?

    The worst that happens if you stay listed is your IP gets blocked on other people's servers who use bitninja, so it's not the end of the world.

  • agoldenberg Member, Provider

    @linuxthefish They are saying their honeypot has detected malicious packets.

  • zafouhar Member
    edited November 2015

    @agoldenberg said:
    linuxthefish They are saying their honeypot has detected malicious packets.

    Their honeypot usually has no idea what it's detecting; I've experienced loads of false positives.

  • Used to get them all the time when working [email protected] for a past provider. Folks are in the "third party alert" / blacklist business.

    How to clean up a questionable reputation: throw the kids some BF/CM offers.

  • agoldenberg Member, Provider

    Kinda what I figured... They're based in Hungary...

  • GM2015 Member
    edited November 2015

    Yeah, but that doesn't mean Hungarians live off blackmailing others.

    What can they do to you? No sane person takes them seriously.

    agoldenberg said: They're based in Hungary...

    Send them some "packets" of these http://dicksbymail.com/

    linuxthefish said: Could be anything or even spoofed traffic I guess, bit of a silly detection thing for just "packets" :/

  • @agoldenberg said:
    linuxthefish They are saying their honeypot has detected malicious packets.

    Could be anything or even spoofed traffic I guess, bit of a silly detection thing for just "packets" :/

  • They are selling "server security as a service". They only want you to buy their shit.

  • Well, I have received several reports in the past about some IP trying to brute-force other people's WordPress installs, and it turned out to be true: there was some malware uploaded to that server via some compromised site. So you need to check all the websites you host; there is a high chance there is some insecure WordPress / Joomla / whatever.

  • I've also received them .

  • agoldenberg Member, Provider

    @rds100 we've run clamav and rootkit checker and have manually checked all hosted WordPress files. They all are 100% pure WordPress. Definitely nothing out of the ordinary.

  • What did you receive yours for? Connecting to the internet?

    inthecloudblog said: I've also received them .

  • DennisdeWit Member
    edited November 2015

    Swiftway passed an Abuse Report of BitNinja to me about a month ago. The only way to solve your problem is to buy their product. You don't have to take these clowns seriously. It's just a new way of spamming sysadmins.

    However, since you are hosting WordPress, I can give you 2 more pieces of advice:
    - Use Maldet
    - Download Web Shell Detector (http://www.shelldetector.com). I found it a very useful tool!

    Thanked by 1GM2015
  • DennisdeWit said: However, since you are hosting WordPress, I can give you 2 more pieces of advice - Use Maldet - Download Web Shell Detector (http://www.shelldetector.com). I found it a very useful tool!

    Uhh... are you really running that webshelldetector? Did you check out the comments on GitHub? https://github.com/emposha/PHP-Shell-Detector/issues/24

    It looks pretty shady

  • I can recommend Aibolit. More information is here: https://www.revisium.com/aibo/

    Trying to be positive and friendly :)

  • Hello everyone! :) I'm Bogi from the BitNinja team. And I'd just like to confirm that the reports we send out are to draw the attention of server/site owners to hidden vulnerabilities that are secretly used for cyber attacks.

    The information in the reports is real and real-time. Please don't hesitate to contact us ([email protected]) when you get reports like these; we'll help you find the problem and analyze the attacks.

    And for the sceptical minds: we are not clowns at all. We are ninjas who fight to make the internet a safer place. ;)

  • https://en.wikipedia.org/wiki/Ninja

    The functions of the ninja included: espionage, sabotage, infiltration, assassination and guerrilla warfare.[1] Their covert methods of waging irregular warfare were deemed "dishonorable" and "beneath" the samurai-caste, who observed strict rules about honor and combat.

    https://bitninja.io/pricing/

    I see nothing else than your reports drawing attention to your pricing.

    Spamvertising.

    BogiAngalet said: we are not clowns at all

    BogiAngalet said: We are ninjas

  • @BogiAngalet said:
    And for the sceptical minds: we are not clowns at all.

    Clowns. I can confirm that the bitninja program is written only in PHP. Anyone can check the source and use it in a bad way, for instance false abuse reports.

    Thanked by 2GM2015 doughmanes

  • @BogiAngalet clown much

    Thanked by 1GM2015

    (((o(゚▽゚)o))) If privacy is outlawed, only outlaws will have privacy. (((o(゚▽゚)o)))

    ヽ(`Д´)ノ Everyone should run Tor on their idle servers.

  • Virpus Member, Provider

    Up selling.

    SSD-Cache | Pure SSD | Bare Metal Cloud - Xen - Seattle

  • BogiAngalet said: hidden vulnerabilities that are used for cyber attacks secretly

    The only problem here are clueless providers taking you seriously and acting based on your bullshit.

  • doghouch Member
    edited December 2015

    @linuxthefish said:
    I get them quite a bit, something about google maps API abuse and it's normally someone scanning for exploits on an IP range

    For me, they said that my shared server was infected with a "PUP" that was "backdooring" one of their servers... thank goodness I was on CC at the time or else their fake reports would get me pulled offline. (again, if this is offensive to CC, @jbiloh can remove this)

  • GM2015 Member
    edited December 2015

    You don't have pups on your servers?

    Our pup comes in the front door, no need for backdoors. Quite the reverse actually, the dog's not allowed to go out the front door and can only go outside via the backdoor.

    Our dog is a bitnija.

    doghouch said: For me, they said that my shared server was infected with a "PUP" that was "backdooring" one of their servers... thank goodness I was on CC at the time or else their fake reports would get me pulled offline.

  • doghouch Member
    edited December 2015

    @GM2015 said:
    You don't have pups on your servers?

    Our pup comes in the front door, no need for backdoors. Quite the reverse actually, the dog's not allowed to go out the front door and can only go outside via the backdoor.

    Our dog is a bitnija.

    Aw... that "PUP" is cute :)

  • yeah, it probably uses backdoors if you leave the doors open.

    https://duckduckgo.com/?q=pup&iax=1&ia=images

    doghouch said: that "PUP" is cute :)

  • The pup's cute, that's true. :D

    " I can confirm that bitninja program is written only in PHP. Anyone can check the source and use it in a bad way. For instance false abuse reports." - We think that there's no unhackable system, no matter what language was used to create it. For the mentioned case, we have server side tools against compromising the PHP code to use it for sending out fake reports.

    Just please keep in mind that we are always happy to help. If you feel you got any false positive reports, just contact us ([email protected]) so that we can provide more details about the incidents we received.

  • @BogiAngalet said:
    The pup's cute, that's true. :D

    " I can confirm that bitninja program is written only in PHP. Anyone can check the source and use it in a bad way. For instance false abuse reports." - We think that there's no unhackable system, no matter what language was used to create it. For the mentioned case, we have server side tools against compromising the PHP code to use it for sending out fake reports.

    Just please keep in mind that we are always happy to help. If you feel you got any false positive reports, just contact us ([email protected]) so that we can provide more details about the incidents we received.

    Honestly what the fuck did you just write.. I'm really considering the fact that you're either not part of Bitninja or you are and you're stupid as fuck.

    Thanked by 1k0nsl
  • alexvolk said: Clowns. I can confirm that the bitninja program is written only in PHP. Anyone can check the source and use it in a bad way, for instance false abuse reports.

    Do you think it would be more secure to use any other programming language? Of course not. We do not trust the incidents sent by the servers, but we trust in the power of the community. We only send out a report if there are incidents about an IP from different users, different servers, different IP subnets.

    Anyway if you received a report you believe is false positive, please feel free to send it to me or my colleague.

  • AnthonySmith Top Provider
    edited December 2015

    I don't respond to bitninja abuse reports; their whole business model is to report a load of bollocks to get big DCs to sign up with them, they even spamvertise in their own abuse reports.

    And the only way to whitelist is with paid membership, this is a blacklist setup with nothing but commercial gain in mind, absolute clowns.

    Ignore them.

  • agoldenberg Member, Provider

    I still have received no detailed report from @bitninja_george, for those interested, but yup, pretty much 100% bullshit.

  • Hi all,

    @agoldenberg PMed me one of his IPs. I have sent him all the reports with full domain and IP details. So here is what we have found regarding @agoldenberg, without any details.
    Originally the IP was greylisted because of these logs:


    *******.hu ..214.10 - - [ +0100] "GET /wp-admin/network/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3924 "-" "-"
    *******.hu ..214.10 - - [ +0100] "GET /wp-content/uploads/2015/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3931 "-" "-"
    *******.hu ..214.10 - - [ +0100] "GET /wp-includes/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3923 "-" "-"
    *******.hu ..214.10 - - [ +0100] "GET /wp-includes/images/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3931 "-" "-"
    *******.hu ..214.10 - - [ +0100] "GET /wp-includes/simplepie/parse/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3923 "-" "-"
    *******.hu ..214.10 - - [ +0100] "GET /wp-includes/images/smilies/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 3924 "-" "-"

    Then we received more than 350 malicious requests from 2015-10-27 11:24:11 to 2015-10-30 11:24:26 on 18 different servers from different customers, in geographically totally different places like Canada, USA, Greece, Hungary, Netherlands, etc. It is impossible, and also makes no sense, to forge this traffic. Many of the incidents were collected from Apache logs on customers' servers, not even by our honeypot system. We have sent 3 incident reports about this IP.


    ..214.10 - - [ -0400] "GET /wp-includes/simplepie/net/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 508 7287 "-" "-"
    ..214.10 - - [ -0700] "GET /wp-admin/network/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 20854 "-" "-"
    ..214.10 - - [ -0400] "GET /wp-content/uploads/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 403 - "-" "-"
    ****.com/wp-includes/simplepie/content/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1
    *Url: [***.gr/wp-content/themes/yakimabait/download.php?file=./wp-config.php]
    ***.gr/wp-content/force-download.php?file=../wp-config.php
    ***.org/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
    ***.gr/wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php
    ***.gr/wp-content/themes/markant/download.php?file=../../wp-config.php
    ***.biz/wp-admin/

    Can you guys really not see the value of this report? This helps a lot to trace down the infection and clean the infected wp-s. We even plan to enhance the free version of bitninja with a module to auto-trace such infections in the near future.
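    As an added example (not the thread's or BitNinja's own code), here is a small Python triage that classifies the two request shapes quoted in the post above (system.php webshell probes and download.php-style file= parameters walking up to wp-config.php) and applies the cross-server rule the BitNinja rep describes: a source IP is flagged only when distinct reporting servers in distinct /24s logged it. The reporter addresses, log lines and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Apache access-log line in the shape quoted in the thread; the leading vhost is optional.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+)\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]*)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Two request shapes from the quoted reports: probing for a dropped system.php
# webshell, and download.php-style file= parameters walking up to wp-config.php.
SHELL_PROBE = re.compile(r'/system\.php(?:\?|$)')
CONFIG_TRAVERSAL = re.compile(r'[?&]file=(?:\.{1,2}/)+[^&]*wp-config\.php')

def classify(path):
    """Label a request path, or None when it matches neither pattern."""
    if SHELL_PROBE.search(path):
        return "webshell-probe"
    if CONFIG_TRAVERSAL.search(path):
        return "wp-config-traversal"
    return None

def parse_line(line):
    """Return (source_ip, path) for a parsable line, else None."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("path")) if m else None

def correlate(reports, min_servers=3, min_subnets=2):
    """reports: iterable of (reporting_server_ip, log_line) pairs.
    Flag a source IP only when its suspicious requests were logged by at least
    min_servers distinct servers spread over min_subnets distinct /24s, so a
    single misconfigured or hostile reporter cannot list an IP on its own."""
    seen = defaultdict(lambda: {"servers": set(), "subnets": set(), "kinds": set()})
    for server, line in reports:
        parsed = parse_line(line)
        kind = classify(parsed[1]) if parsed else None
        if kind is None:
            continue
        rec = seen[parsed[0]]
        rec["servers"].add(server)
        rec["subnets"].add(server.rsplit(".", 1)[0])  # /24 of the reporter
        rec["kinds"].add(kind)
    return {ip: sorted(r["kinds"]) for ip, r in seen.items()
            if len(r["servers"]) >= min_servers and len(r["subnets"]) >= min_subnets}

# Constructed sample (RFC 5737 addresses); paths follow the shapes quoted in the thread.
PROBE = ("/wp-includes/system.php?450699=1&babaraba=vb&php4=1&root=1&upl=1"
         "&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1")
SAMPLE_REPORTS = [
    ("198.51.100.5", f'site-a.example 203.0.113.10 - - [27/Oct/2015:11:24:11 +0100] "GET {PROBE} HTTP/1.0" 404 3923 "-" "-"'),
    ("192.0.2.77", '203.0.113.10 - - [28/Oct/2015:03:10:02 -0400] "GET /wp-content/force-download.php?file=../wp-config.php HTTP/1.0" 403 - "-" "-"'),
    ("192.0.2.8", '203.0.113.10 - - [29/Oct/2015:09:45:30 -0700] "GET /wp-admin/network/system.php?root=1&upl=1 HTTP/1.0" 404 20854 "-" "-"'),
    ("198.51.100.5", '203.0.113.20 - - [27/Oct/2015:12:00:00 +0100] "GET /wp-includes/system.php?wp=1 HTTP/1.0" 404 3924 "-" "-"'),
    ("192.0.2.77", '203.0.113.30 - - [27/Oct/2015:12:01:00 +0100] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_REPORTS))  # → {'203.0.113.10': ['webshell-probe', 'wp-config-traversal']}
```

    With the default thresholds only the IP seen by three reporters in two different /24s is flagged; the single-reporter probe from 203.0.113.20 is not, which is the property that matters when the reporting servers themselves may be wrong.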

  • Your report is about as valuable as your scam company, which is worthless.

    Thanked by 2ATHK Scottsman
  • I was getting bitninja abuse reports once or twice a month when I was hosting with my old provider. I had no idea what was going on. The server provider also failed to enlighten me about it. All he could tell me was that "something is happening which needs fixing". Server load was normal and there was nothing I could find in the csf firewall. The server provider would direct me to the bitninja logs page where I could see my IP but nothing else. Then I became suspicious that maybe the server provider wants me to sign up to something, because he would always direct me to the bitninja logs page (maybe it was his affiliate link). He didn't suspend my service but I was getting fed up with these reports, so I changed the server, and ever since I moved to my new provider I have never got any such reports. It's been almost 3 months. Which means there was no malicious activity going on on my server.

    Thanked by 2GM2015 Scottsman
  • stallion said: Which means there was no malicious activity going on my server.

    Or it could mean that the new provider just deletes all bitninja reports instead of forwarding those to you :)

  • I wonder if the honeypots are putting the IP from X-Forwarded-For in the logs?

  • The bottom line is you have to pay $20 to be able to de-list or view actual logs, the value of which is absolutely zero anyway. It's only a matter of time before they get hacked for running this scam and people's info gets dumped; then they lose the lot, including the credibility they seem to think they have.

    Thanked by 2GM2015 Pwner
  • dig bitninja.io a

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;bitninja.io.           IN  A
    
    ;; ANSWER SECTION:
    bitninja.io.        11763   IN  A   80.249.163.184
    

    Anyone want to send Alba Internet Ltd. abuse reports about spam mail coming from bitninja?

    Thanked by 1AlwaysSkint

  • Someone spamhaus them ^^; as soon as they delist, spamhaus them again if you get another report.

    Is it in your favor @GM2015?

    Thanked by 1AlwaysSkint

    I'm on vacation in Belize.

  • What? I've never heard of spamhaus or bitninja.

    Hidden_Refuge said: Is it in your favor @GM2015?

  • @linuxthefish said:
    I wonder if the honeypots are putting the IP from X-Forwarded-For in the logs?

    Currently, if there is a request from a proxy, we simply let the traffic in (for example traffic from CloudFlare, Incapsula, etc.) or use the restrictions for the proxy server IP. With our WAF module it will change in the near future, as we can use the X-Forwarded-For or similar header info and make decisions and incidents based on the real IP. In the case of log analysis, if the HTTP server is well configured (in the case of Apache you can use the RPAF module or clones), then you can see the real IP in the logs.
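    An added example (not BitNinja's code) of the attribution point raised in this exchange: X-Forwarded-For should only be honoured when the TCP peer is a known proxy, and the chain walked from the right, because otherwise any direct client can plant an arbitrary address in the header and that address ends up in the logs and in any report built from them. The trusted ranges and sample requests below are constructed; the naive resolver is shown beside the corrected one.

```python
import ipaddress

# Constructed trusted-proxy ranges: RFC 5737 documentation space stands in for
# a CDN's published egress list. In production, load the provider's real list.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/24")]

def is_trusted_proxy(ip):
    """True when ip parses and falls inside one of the trusted proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)

def naive_client_ip(peer_ip, xff_header):
    """The weak setting: trust the leftmost X-Forwarded-For entry unconditionally.
    A direct client can put any address here and have it blamed for its traffic."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return peer_ip

def client_ip(peer_ip, xff_header):
    """The corrected setting: the TCP peer is the only fact we can trust.
    X-Forwarded-For is honoured only when the peer is a known proxy; the chain is
    then walked from the right, skipping further trusted proxies, and the first
    untrusted hop is the client. Anything unparsable falls back to the peer."""
    if not xff_header or not is_trusted_proxy(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip
        if not is_trusted_proxy(hop):
            return hop
    return peer_ip  # every hop was one of our proxies; nothing better than the peer

# Constructed requests: (tcp_peer, X-Forwarded-For header or None).
DIRECT_FORGED = ("203.0.113.50", "203.0.113.99")                    # direct client forging XFF
VIA_PROXY = ("198.51.100.10", "203.0.113.50")                       # client behind a trusted proxy
VIA_TWO_PROXIES = ("198.51.100.10", "203.0.113.50, 192.0.2.20")     # two trusted hops
CLIENT_PREPENDED = ("198.51.100.10", "203.0.113.99, 203.0.113.50")  # client pre-filled a fake hop

if __name__ == "__main__":
    for req in (DIRECT_FORGED, VIA_PROXY, VIA_TWO_PROXIES, CLIENT_PREPENDED):
        print(req, "naive:", naive_client_ip(*req), "correct:", client_ip(*req))
```

    The first and last cases are the ones that produce false attributions with the naive resolver: the innocent 203.0.113.99 would be logged, and potentially reported, for traffic that 203.0.113.50 sent.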

  • AnthonySmith said: The bottom line is you have to pay $20 to be able to de-list or view actual logs, the value of which is absolutely zero anyway

    You don't have to pay. We provide logs and delisting for free to anyone.

  • localidiot Member
    edited March 2016

    vnt

  • Foul Member

    localidiot said: Do you not know how ignorant you are?

    Nice Necro.....

    @jarland pls close

  • jar Provider

    localidiot said: Do yourself a favor and check yourself

    Before he wrecks himself?

    Thanked by 3KuJoe linuxthefish GCat
  • Lol I like his username, at least he knows he is an idiot

  • @BogiAngalet said:
    The pup's cute, that's true. :D

    " I can confirm that bitninja program is written only in PHP. Anyone can check the source and use it in a bad way. For instance false abuse reports." - We think that there's no unhackable system, no matter what language was used to create it. For the mentioned case, we have server side tools against compromising the PHP code to use it for sending out fake reports.

    Just please keep in mind that we are always happy to help. If you feel you got any false positive reports, just contact us ([email protected]) so that we can provide more details about the incidents we received.

    Contact? Seriously?
    Do you guys even reply?

    PS: The best way to tackle bitninja is to get your provider to talk on your behalf. Or get a paid plan from bitninja.

    Hosts I Recommend >> [ XiNiX | CloudCone | HostUs | BuyVM | Backovia ( 25 TB VPS ) ]
