Bitninja Abuse Reports - Page 3
Comments

  • BrianHarrison (Member, Patron Provider)

    @Scottsman said:
    Funny enough, my host suspended my dedi for a retardedninja report.
    @BrianHarrison this is what your staff/colleagues suspended my server for :)

    I believe in your case we received two abuse complaints from two different sources within a week or so of sign-up. Generally speaking, hosts must suspend a server after receiving multiple abuse reports so soon after initial sign-up. You'd be surprised just how much damage a server can cause in under 24 hours. I believe your service was re-activated fairly quickly after you got in touch with us.

  • edited November 2016

    @AnthonySmith said:

    @BitNinja said:
    Hello,
    We don't want to bother any innocent server owner. If you have a problem with greylisting, feel free to contact us. Please write to [email protected], and we will help. :)

    You absolutely do want to do that, this is what generates your revenue.


    It is absolutely free to contact us, and we also provide a 7-day trial of bitninja to help anyone detect the infections on their servers. There are some guidelines on how to investigate outbound attacks: https://doc.bitninja.io/investigations.html

    We don't ask or accept any money for IP removal. We remove any IP for free. Just clean your server, stop the malicious activity and contact us. It's that easy.

    AnthonySmith said: I have already convinced 3 DCs to put all bitninja crap on the ignore list or report the abuse reports as abuse reports/phishing attempts, so now I don't need to deal with you at all.

    Ignoring security reports is not something to be proud of, I think. This makes the Internet become the playground of hackers. I have done some research on your IPs in our database. I won't publish the results unless you give me permission to do so, but there are infections and malicious activities, and we have sent the reports with good reason. I think it's better to clean them than to ignore the reports.

    Anyway, we put your IP range on the ignore list as you requested and haven't sent any further reports since August.

  • @stefeman said:
    This company has a business strategy to generate reports and mail them to the host's abuse inbox. In the mail they force you to purchase one of their plans to remove that "infection". If you don't comply with that scam, they will soon re-send the email with an attempt to get you suspended.

    We don't force anyone to do anything. The removal is completely free, and we even provide free help for those who decide not to use bitninja. We send the report to help DCs and their clients investigate and find the infections and weak points of their servers. We have a large honeypot network of over 1500 servers from all over the world, and we would like to contribute to the overall security of the Internet with these reports.

    How do you think we should change our incident reporting system to be more helpful for you and your clients?

  • @bitninja_George

    Just curious, in what language was bitninja written on the server side?

    PHP?

  • @time4vps said:
    Could you please clarify why you send reports regarding HitLeap? It's nothing illegal; nevertheless, we are getting reports from you regarding it...

    For some reason HitLeap traffic triggers our DoS detection module threshold. We are still investigating the reason, but basically they generate traffic from one single IP with more than 100 simultaneous HTTP connections. That's something some DoS attack scripts do too.

    Unfortunately we are not too familiar with the HitLeap model. Why are there so many connections from a single IP? I thought the point of HitLeap is people watching each other's websites, but how can it generate 100 parallel connections from a single IP? I suspect there should be some extra robotic traffic involved.

    Could you please contact me in private so we can go on with the discussion and share IPs, logs, etc. about it?

  • edited November 2016

    @Layer said:
    @bitninja_George

    Just curious, in what language was bitninja written on the server side?

    PHP?

    Yes, it was written in PHP, and we have good reasons for it:

    1. Regarding speed or reliability, the latest PHP interpreters are just as good as Python or Perl. A recent performance benchmark: https://blog.famzah.net/2016/02/09/cpp-vs-python-vs-perl-vs-php-performance-benchmark-2016/

    2. We need a high-level language, so C is not an option. Also, with C / C++ it is quite easy to make memory pointer errors, and they are very dangerous. We do a lot of string operations, and PHP does a pretty good job with strings. In many cases we use the native Linux implementations like iptables, ipset, netstat, /proc, etc., and they are written in C and optimized for speed. Our agent only manages them.

    3. PHP is a very popular language, anyone can understand the code, and we don't believe a program is more secure just because you can't read the code. The client source is available, and anyone can read it and understand what it does if they want. We have some contributors too.

    4. Most of our users are web hosting providers, so they know PHP, and they can easily integrate the different parts of bitninja into their systems.

    I don't want to start a programming language war here, but I think it is not the programming language that is the important part of a program, but rather the programming best practices and design patterns you use for the implementation, and other best practices like unit testing, code conventions, and continuous integration techniques.

    We ship our own PHP interpreter by the way (called bitninja-dojo), so we don't rely on the server's own interpreter, and don't interfere with it either.

  • AnthonySmith (Member, Patron Provider)

    bitninja_george said: It is absolutely free to contact us, and we also provide a 7-day trial of bitninja to help anyone detect the infections on their servers. There are some guidelines on how to investigate outbound attacks: https://doc.bitninja.io/investigations.html

    We don't ask or accept any money for IP removal. We remove any IP for free. Just clean your server, stop the malicious activity and contact us. It's that easy.

    That was a side step proving further you are full of shit.

    bitninja_george said: Ignoring security reports is not something to be proud of I think

    When they come from criminals like you, then yes, it is something to be proud of. You generate bullshit reports and request money to have IPs removed.

  • AnthonySmith (Member, Patron Provider)

    bitninja_george said: For some reason HitLeap traffic triggers our DoS detection module threshold. We are still investigating the reason, but basically they generate traffic from one single IP with more than 100 simultaneous HTTP connections. That's something some DoS attack scripts do too.

    So your software is shit and finally you admit it generates false positives... progress.

  • @bitninja_george The client source is available and anyone can read it

    Does that mean anyone can use this to send false reports?

  • @Layer said:

    @bitninja_george The client source is available and anyone can read it

    Does that mean anyone can use this to send false reports?

    No, at least hopefully not. :-) We only consider an IP as malicious if there are reports from several different users. So one user cannot abuse the global greylist. We also monitor the false positive rate of the servers and build up trust points based on the false positive rate. This can tell us if a user tries to abuse the system with false incidents.

  • @AnthonySmith said:
    So your software is shit and finally you admit it generates false positives... progress.

    Yes, we have some false positives. Our current rate is 0.18%. We are constantly working on decreasing this rate. But I think this rate is already quite good, and the rest are true positives. I'm sure you consider security a top priority in your datacenter, so it is probably worth bothering with the remaining 99.82% of the reports. :-)

  • @AnthonySmith said:
    When they come from criminals like you, then yes, it is something to be proud of. You generate bullshit reports and request money to have IPs removed.

    We do FREE IP removal. Never requested and/or accepted any money for IP removal.

    Our business model is based on our security system product called bitninja. We provide a free and a pro version of bitninja server security, which has helped 1500+ servers so far to avoid DoS attacks, WP, Drupal and Joomla hacks, and has patched many other vulnerabilities.

  • AnthonySmith (Member, Patron Provider)

    And you use abuse reports as an excuse to promote your crap. You guys live in an echo chamber; talking to you is pointless. There is a reason so many people hate and ignore you, not that you will ever grasp that.

  • @bitninja_george said:

    @AnthonySmith said:
    When they come from criminals like you, then yes, it is something to be proud of. You generate bullshit reports and request money to have IPs removed.

    We do FREE IP removal. Never requested and/or accepted any money for IP removal.

    Our business model is based on our security system product called bitninja. We provide a free and a pro version of bitninja server security, which has helped 1500+ servers so far to avoid DoS attacks, WP, Drupal and Joomla hacks, and has patched many other vulnerabilities.

    Based on my own experience it looks like your business model was to send extortion mail to my host's abuse email "suggesting" that I'll buy the plan. After nothing was heard from me (or my credit card), you sent another "reminder" to the hosting provider which almost caused them to suspend my services. Luckily they were not as trigger happy as you were.

  • AnthonySmith (Member, Patron Provider)

    stefeman said: Based on my own experience it looks like your business model was to send extortion mail to my host's abuse email "suggesting" that I'll buy the plan

    That is everyone's experience; they ('bitninja') simply don't see a problem with this, or the fact that the 'abuse' report almost always contains absolutely no actionable information.

  • @stefeman said:

    Based on my own experience it looks like your business model was to send extortion mail to my host's abuse email "suggesting" that I'll buy the plan. After nothing was heard from me (or my credit card), you sent another "reminder" to the hosting provider which almost caused them to suspend my services. Luckily they were not as trigger happy as you were.

    Yes, we send another report if there are new attacks and incidents against our customers' servers. This is what abuse reports are for, am I wrong? Just no one else does it. No one else reports these incidents automatically, and this is one of the reasons people believe their servers have nothing to do with security.

    Have you investigated the case? Or do you still host the malicious content/backdoor/proxy script on your server? Please contact us via email, and we are happy to provide all the logs we have or delist the IP in case of a false positive.

  • @AnthonySmith said:

    That is everyone's experience; they ('bitninja') simply don't see a problem with this, or the fact that the 'abuse' report almost always contains absolutely no actionable information.

    Anthony, how do you think we should report the incidents? I am happy to discuss any alternative way. We obfuscate the IPs and domains to protect our users' logs, but we always provide the full logs upon request via email.

    I know this is not an optimal system, if you have any idea on how we can improve it, please tell me your ideas!

    Our latest plan is to implement a web-based management interface or extend the bitninja online dashboard with a feature to manage the reports and incidents. It is on our backlog as a high-priority story, but it will take at least 2 months to do the implementation.

    If anyone has a better idea of how you would implement such a system with the logs remaining confidential enough but accessible and usable for the server owners, please share your ideas.

  • AnthonySmith (Member, Patron Provider)

    Here is the content of a bitninja 'abuse' report once clicking through the link:

    Url: [it###us.com/index.php?do=/music/]
    Agent: [Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36]
    Get data: [Array
    (
        [do] => /music/
    )
    ]
    Server id: [263]
     (n)
    

    Right... so someone tried to access a URL... how dare they do that!

    There is no option to de-list on the page at all, no option to delist on the top menu, only an offer of a 7 day free trial.

    So I go to the "For hosting providers" link, where I am offered nothing but the chance to use one of your logos....

    Also during this I have been annoyed by a popup offering me an ebook twice.

    I have looked all over, no delist option, the free tier only offers VERY basic protection and your marketing email disguised as an abuse report reads:

    Need a solution for server attacks, joomla!, drupal, wordpress hacks, forum
    spammer bots, e-mail harvesters and other harmful botnets? Start protecting your
    server now! Install the BitNinja Server Defense System on your
    server: http://bitninja.io
    

    So you do not offer free delisting, you don't respond or monitor the info@ email address and you keep records for about 2 years it seems.

    Absolute garbage.

  • AnthonySmith (Member, Patron Provider)

    bitninja_george said: Anthony, how do you think we should report the incidents? I am happy to discuss any alternative way.

    That is not my place to tell you; there are some great examples of organisations that do it right to begin with. If you're asking this, then just close.

    bitninja_george said: I know this is not an optimal system, if you have any idea on how we can improve it, please tell me your ideas!

    Then stop providing the service; the idea is to go non-commercial. You can't be trusted until then.

    bitninja_george said: If anyone has a better idea of how you would implement such a system with the logs remaining confidential enough but accessible and usable for the server owners, please share your ideas.

    If it is a genuine abuse report then you need to send all the info, like literally everyone else does, not a 2 year long basic record of everything that has ever been associated with an IP address.

    I don't really want to offer any advice, as I see you as a complete parasite in the industry. There is a reason this attitude towards you is common and that many DCs simply ignore you now or take very little convincing to do so.

  • @AnthonySmith said:

    So you do not offer free delisting, you don't respond or monitor the info@ email address and you keep records for about 2 years it seems.

    I checked and we sent you at least 8 reply mails and delisted your IPs too for free.

    Regarding the log record you sent:

    Url: [it###us.com/index.php?do=/music/]
    Agent: [Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36]
    

    Do you use Macs to provide hosting? Because unless you do have a Mac as a server using the IP in question, there is a proxy script or a bot on your server that generated this traffic.

    Regarding other incidents, what is this if not evidence of malicious activity?

    Url: [www.#####an.org/wp-login.php?action=register]
    Agent: [Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17]
    Get data: [Array
    (
        [action] => register
    )
    ]
    

    Why the hell would a server want to register on a blog, and fake the user agent too...

    Then stop providing the service; the idea is to go non-commercial. You can't be trusted until then.

    We will consider the possibility in our next leadership meeting to move the reporting to non-commercial.

    AnthonySmith said: That is not my place to tell you; there are some great examples of organisations that do it right to begin with. If you're asking this, then just close.

    So you propose to set up automated delisting? This is also something we can implement, I think, but I'm afraid people will just delist the IPs without doing anything, so their servers will keep attacking others and it won't help anything.

    AnthonySmith said: If it is a genuine abuse report then you need to send all the info, like literally everyone else does, not a 2 year long basic record of everything that has ever been associated with an IP address.

    What if there is confidential information in the logs? How can we make sure the report won't land with bad people? I think implementing the incident management portal could be a solution for this.

  • AnthonySmith (Member, Patron Provider)
    edited November 2016

    bitninja_george said: I checked and we sent you at least 8 reply mails and delisted your IPs too for free.

    You don't offer any de-listing except via email? Ridiculous; you ignore most emails that are sent.

    bitninja_george said: Do you use Macs to provide hosting? Because unless you do have a Mac as a server using the IP in question, there is a proxy script or a bot on your server that generated this traffic.

    You have not provided any meaningful evidence to show this is not just completely bogus to begin with. Yes, Mac servers are in use via VPN.

    bitninja_george said: Why the hell would a server want to register on a blog, and fake the user agent too...

    Why not? People like to have some anonymity. What has that got to do with you, and why do you consider accessing a page that is available on the internet 'abuse'? And if you do, no one else does, so feel free to blacklist, but do not generate an abuse report.

    bitninja_george said: We will consider the possibility in our next leadership meeting to move the reporting to non commercial.

    I doubt it.

    bitninja_george said: So you propose to set up automated delisting? This is also something we can implement, I think, but I'm afraid people will just delist the IPs without doing anything, so their servers will keep attacking others and it won't help anything.

    Works fine for every legitimate blacklisting service.

    bitninja_george said: What if there is confidential information in the logs? How can we make sure the report won't land with bad people?

    That's your problem.

    I think you either need to provide protection or a blacklist; you are mixing the 2 things up completely. If someone wants to access a page and fake a user agent, that has absolutely no business being reported as 'abuse'.

    I understand if people want to be shielded from that, but you can't report a single incident of this as abuse. That is so completely mind-bogglingly stupid I can't even fathom why I am having to point it out, and that in itself is the big issue I have with you: you absolutely have to know this, so there must be another agenda.... profit.

  • Razza (Member)
    edited November 2016

    bitninja_george said: Regarding other incidents, what is this if not an evidence of malicious activity?

    Url: [www.#####an.org/wp-login.php?action=register]

    Agent: [Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17]
    Get data: [Array
    (
    [action] => register
    )
    ]
    Why the hell would a server want to register on a blog, and fake the user agent too...

    Lol, I take it you've never heard of someone hosting a VPN on their server.

    I agree with @AnthonySmith, you're a joke of an abuse detector. I got a number of abuse reports forwarded from my provider, for just loading a page of a website, from you guys. Luckily the provider I use doesn't take your reports that credible.

  • edited November 2016

    Ok, so here is a partial report about Anthony:

        2016-08-14 01:47:04 | Url: [######################.###/index.php/sr/component/k2/itemlist/user/4368]    
        2016-08-14 01:47:04 | Url: [######################.###/wp-login.php?action=register]    
        2016-08-14 01:47:04 | Url: [######################.###/index.php/sr/component/k2/itemlist/user/4368]    
        2016-08-14 01:47:04 | Url: [######################.###/wp-login.php?action=register]    
        2016-08-14 01:47:04 | Url: [######################.###/index.php?option=com_easyblog&view=dashboard&layout=write]   
        2016-08-14 01:40:35 | Url: [###.pl###le.com/wp-login.php?action=register]   
        2016-08-14 01:40:35 | Url: [###.pl###le.com/o6eryu/fmmol.php?various58=6655-3ax_tmp/7visits/wrv-812]    
        2016-08-14 01:40:35 | Url: [###.pl###le.com/index.php?option=com_easyblog&view=dashboard&layout=write]  
        2016-08-14 01:40:34 | Url: [###.pl###le.com/o6eryu/fmmol.php?various58=6655-3ax_tmp/7visits/wrv-812]    
        2016-08-14 01:40:34 | Url: [###.pl###le.com/wp-login.php?action=register]   
        2016-08-14 01:32:22 | Url: [ci###40.um###gs.org/wp-login.php]
    

    So you really want me to believe this is legit traffic with a real human using a server as a VPN gateway? And a human being has run these requests? Login attempts, forum registrations, etc., all within 10 minutes, without any other requests? When we show a captcha after every request? Straight trying to log in/register etc.? I doubt it.

  • A few years ago my server was bitninja'd as well. My hosting provider demanded that I reinstall everything and send proof that I did, as a matter of fact, do so. That was also the only way for BN to delist me.

    I once had an exploit in VestaCP, ending up at AbuseAt. BN on the other hand is holding your IP hostage till you either reinstall or pay them their damn 7 dollars.

  • @bitninja_george said:
    Ok, so here is a partial report about Anthony:

    >   2016-08-14 01:47:04 | Url: [######################.###/index.php/sr/component/k2/itemlist/user/4368]
    >   2016-08-14 01:47:04 | Url: [######################.###/wp-login.php?action=register]
    >   2016-08-14 01:47:04 | Url: [######################.###/index.php/sr/component/k2/itemlist/user/4368]
    >   2016-08-14 01:47:04 | Url: [######################.###/wp-login.php?action=register]
    >   2016-08-14 01:47:04 | Url: [######################.###/index.php?option=com_easyblog&view=dashboard&layout=write]
    >   2016-08-14 01:40:35 | Url: [###.pl###le.com/wp-login.php?action=register]
    >   2016-08-14 01:40:35 | Url: [###.pl###le.com/o6eryu/fmmol.php?various58=6655-3ax_tmp/7visits/wrv-812]
    >   2016-08-14 01:40:35 | Url: [###.pl###le.com/index.php?option=com_easyblog&view=dashboard&layout=write]
    >   2016-08-14 01:40:34 | Url: [###.pl###le.com/o6eryu/fmmol.php?various58=6655-3ax_tmp/7visits/wrv-812]
    >   2016-08-14 01:40:34 | Url: [###.pl###le.com/wp-login.php?action=register]
    >   2016-08-14 01:32:22 | Url: [ci###40.um###gs.org/wp-login.php]

    So you really want me to believe this is legit traffic with a real human using a server as a VPN gateway? And a human being has run these requests? Login attempts, forum registrations, etc., all within 10 minutes, without any other requests? When we show a captcha after every request? Straight trying to log in/register etc.? I doubt it.

    Don't see any brute-force attack here either, wouldn't consider this blacklist-able. Blockable, yes, but not blacklist-able. And surely not abuse-report-able.

  • teamacc said: Don't see any brute-force attack here either, wouldn't consider this blacklist-able. Blockable, yes, but not blacklist-able. And surely not abuse-report-able.

    That's the issue with most of Bitninja's reports: the shit they detect and report as abuse should just be blocked at the server and be done with it.

  • @Razza said:

    That's the issue with most of Bitninja's reports: the shit they detect and report as abuse should just be blocked at the server and be done with it.

    The logs were collected from 3 different servers. I suppose the source is part of a botnet doing distributed attacks. BitNinja users are safe against the attack, but the rest of the Internet is not, and on servers the greylist shield does not protect, the script probably does real registrations, forum spam and WP login brute-force attacks.

    The good old-fashioned brute-force attacks are gone. New botnets use a distributed version of brute force. With a shared database, the C&C server can schedule a portion of the jobs to all bots, so only a limited number of requests are made from the same IP to the victim server, to evade fail2ban-like protection mechanisms.
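The detection problem bitninja_george describes in the post above (an IP that stays under every single server's fail2ban threshold but hits login and registration endpoints across many servers), together with the "reports from several different users" consensus rule from the earlier post, as an added example that is not BitNinja's code or any poster's. The server names, IPs and log lines are constructed; the per-host limit, reporter count and window are assumed parameters.

```python
"""Added example, not BitNinja's code: correlating request logs from several
servers to spot a distributed, low-rate brute-force campaign.

Each source IP stays under a per-host fail2ban-style limit on every single
server, but the same IP hits login/registration endpoints on many servers
inside a short window. An IP is only flagged when at least MIN_REPORTERS
distinct servers saw it, mirroring the thread's "reports from several
different users" rule. Every log line below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (server_id, timestamp, source_ip, request_path).
SAMPLE_LOGS = [
    ("srv-1", "2016-08-14 01:40:34", "203.0.113.10", "/wp-login.php?action=register"),
    ("srv-1", "2016-08-14 01:40:35", "203.0.113.10", "/index.php?option=com_easyblog&view=dashboard&layout=write"),
    ("srv-2", "2016-08-14 01:47:04", "203.0.113.10", "/wp-login.php?action=register"),
    ("srv-2", "2016-08-14 01:47:04", "203.0.113.10", "/index.php/sr/component/k2/itemlist/user/4368"),
    ("srv-3", "2016-08-14 01:32:22", "203.0.113.10", "/wp-login.php"),
    # An ordinary visitor on one server: a page view, then one login attempt.
    ("srv-1", "2016-08-14 01:41:00", "198.51.100.7", "/"),
    ("srv-1", "2016-08-14 01:41:30", "198.51.100.7", "/wp-login.php"),
]

# Endpoints a legitimate visitor rarely hits cold; the ones named in the thread.
SENSITIVE_PREFIXES = ("/wp-login.php",
                      "/index.php?option=com_easyblog",
                      "/index.php/sr/component/k2")
PER_HOST_FAIL2BAN_LIMIT = 5   # assumed: a typical fail2ban maxretry on one server
MIN_REPORTERS = 3             # assumed: distinct servers that must see the IP
WINDOW = timedelta(minutes=30)


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def per_host_counts(logs):
    """Sensitive-request count per (ip, server): all a single fail2ban sees."""
    counts = defaultdict(int)
    for server, _ts, ip, path in logs:
        if is_sensitive(path):
            counts[(ip, server)] += 1
    return counts


def evades_fail2ban(logs, ip):
    """True when the IP never reaches the per-host limit on any one server."""
    return all(n < PER_HOST_FAIL2BAN_LIMIT
               for (i, _s), n in per_host_counts(logs).items() if i == ip)


def correlate(logs):
    """Return {ip: sorted reporting servers} for IPs that hit sensitive paths
    on at least MIN_REPORTERS distinct servers within one WINDOW."""
    hits = defaultdict(list)  # ip -> [(timestamp, server)]
    for server, ts, ip, path in logs:
        if is_sensitive(path):
            hits[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), server))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _server) in enumerate(events):
            servers = {s for t, s in events[i:] if t - start <= WINDOW}
            if len(servers) >= MIN_REPORTERS:
                flagged[ip] = sorted(servers)
                break
    return flagged


if __name__ == "__main__":
    for ip, servers in correlate(SAMPLE_LOGS).items():
        print(f"{ip}: reported by {servers}, "
              f"under the fail2ban limit everywhere: {evades_fail2ban(SAMPLE_LOGS, ip)}")
```

The flagged IP never exceeds two sensitive requests on any one server, so per-host blocking alone would not catch it; only the cross-server view does.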

  • @DennisdeWit said:

    I once had an exploit in VestaCP, ending up at AbuseAt. BN on the other hand is holding your IP hostage till you either reinstall or pay them their damn 7 dollars.

    ?? 7 dollars?
    We don't charge for IP removal! It is completely free! You can request it via email, and now we plan to implement a self-removal tool too, as it seems to be confusing for most people.

  • AnthonySmith (Member, Patron Provider)
    edited November 2016

    It was someone using a web crawler from memory, either way, you are once again missing the point, there is no actionable information, you are blurring the line between a filtering and protection service and a blacklist.

    And either way, that particular one was from Aug 2016, by which point you were very much on the ignore list so it was not even looked at until I needed an example for this post.

    Maybe I will start a service called ignore-ninjas.org that specifically blacklists all your IPs and client IPs and auto-generates an abuse report for using bitninja, a known botnet for extorting money from hosts.

    Sounds like a plan.

  • edited November 2016

    @AnthonySmith said:
    It was someone using a web crawler from memory

    Could you please tell me more about this web crawler? A good crawler first of all downloads the /robots.txt and we deny all robot activity on all of our honeypot sites with robots.txt. So if the crawler doesn't respect it, it is a buggy crawler or worse. Crawling for forum registrations and wp-login pages is a suspicious activity I think, and something the host owner/network owner should deny.

    ...either way, you are once again missing the point, there is no actionable information, you are blurring the line between a filtering and protection service and a blacklist.

    We do filtration for our users, but what about the rest of the Internet? They are not protected, so we warn the host owners to stop the malware on their hosts. You really can't see any value in it? What is actionable if it isn't?

    This is what most server owners/DC owners do to prevent infections:

    As a server owner you should:

    1. first of all install the latest security updates for every software
    2. you can correlate the requests in the report with your own logs (here you can find some detailed tools: https://doc.bitninja.io/investigations.html)
    3. use web application firewalling to stop incoming attacks
    4. use log analysis to find misbehaving software
    5. set up anti-malware tool to prevent malware/backdoor/webshell uploads
    6. filter outbound traffic and correlate it with process IDs to trace the infected files

    As a DC owner you can:

    1. set up packet sniffing for outbound http traffic to find and prove the infected hosts
    2. inform your users about the incidents

    And either way, that particular one was from Aug 2016, by which point you were very much on the ignore list so it was not even looked at until I needed an example for this post.

    Sorry, but you demanded that we put your range on the ignore list. If you wish, I can send you more details about any IPs you have, or remove you from the ignore list.

    Maybe I will start a service called ignore-ninjas.org that specifically blacklists all your IP's and client IP's and auto generates an abuse report for using bitninja, a known botnet for extorting money from hosts.

    As you wish.
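Steps 2 and 6 of the server-owner list in the post above (correlate the reported requests with your own logs, and tie outbound traffic back to the local account or process) as an added example; this is not BitNinja's or any poster's code. It assumes the report uses the "date | Url: [...]" line format quoted in this thread and that outbound HTTP connections are logged by an iptables LOG rule with --log-uid; the report lines, syslog lines, IPs and host name are constructed.

```python
"""Added example, not BitNinja's or any poster's code: correlating a
BitNinja-style report ("YYYY-MM-DD HH:MM:SS | Url: [host/path]" lines) with a
server's own outbound-connection log to find which local account opened the
connections (steps 2 and 6 of the list above).

The outbound log is assumed to come from an iptables rule like
  iptables -I OUTPUT -p tcp -m multiport --dports 80,443 \\
      -m conntrack --ctstate NEW -j LOG --log-prefix "OUT_HTTP: " --log-uid
whose --log-uid option appends UID=<n> GID=<n> to every kernel log line.
Both the report and the log lines here are constructed sample data.
"""
import re
from datetime import datetime, timedelta

REPORT = """\
2016-08-14 01:40:34 | Url: [###.pl###le.com/wp-login.php?action=register]
2016-08-14 01:40:35 | Url: [###.pl###le.com/index.php?option=com_easyblog&view=dashboard&layout=write]
2016-08-14 01:47:04 | Url: [######################.###/wp-login.php?action=register]
"""

# Constructed syslog lines in iptables LOG --log-uid format (syslog omits the year).
OUTBOUND_LOG = """\
Aug 14 01:40:33 web1 kernel: OUT_HTTP: IN= OUT=eth0 SRC=192.0.2.5 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=80 UID=33 GID=33
Aug 14 01:40:35 web1 kernel: OUT_HTTP: IN= OUT=eth0 SRC=192.0.2.5 DST=198.51.100.20 PROTO=TCP SPT=51240 DPT=80 UID=33 GID=33
Aug 14 01:45:10 web1 kernel: OUT_HTTP: IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.99 PROTO=TCP SPT=51300 DPT=443 UID=0 GID=0
Aug 14 01:47:03 web1 kernel: OUT_HTTP: IN= OUT=eth0 SRC=192.0.2.5 DST=198.51.100.44 PROTO=TCP SPT=51388 DPT=80 UID=33 GID=33
"""

REPORT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| Url: \[([^\]]*)\]")
LOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: OUT_HTTP: "
                    r".*?DST=(\S+) .*?DPT=(\d+) UID=(\d+)")


def parse_report(text):
    """Return [(timestamp, url)] for every well-formed report line."""
    out = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return out


def parse_outbound(text, year):
    """Return [(timestamp, dst, dport, uid)] from iptables LOG lines."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), int(m.group(3)), int(m.group(4))))
    return out


def correlate(report, outbound, slack=timedelta(seconds=2)):
    """For each reported request, pick the closest outbound HTTP(S) connection
    opened within `slack` of the report timestamp. Returns [(url, uid, dst)]."""
    matches = []
    for rts, url in report:
        cands = [(abs(ots - rts), uid, dst) for ots, dst, dport, uid in outbound
                 if dport in (80, 443) and abs(ots - rts) <= slack]
        if cands:
            _delta, uid, dst = min(cands)
            matches.append((url, uid, dst))
    return matches


def suspect_uids(matches):
    """Matched connections per local UID, busiest first. That account (UID 33
    is www-data on Debian-based systems) is where to hunt for the proxy
    script or web shell; `ss -tnp` or `lsof -i` then names the process."""
    counts = {}
    for _url, uid, _dst in matches:
        counts[uid] = counts.get(uid, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = correlate(parse_report(REPORT), parse_outbound(OUTBOUND_LOG, 2016))
    for url, uid, dst in hits:
        print(f"{url} <- local UID {uid} connecting to {dst}")
    print("suspect UIDs:", suspect_uids(hits))
```

Because the report obfuscates the target hosts, the join is on time alone; the root-owned connection at 01:45:10 has no reported request near it and is left out, while all three reported requests line up with connections from the web server's UID.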
