Hukot.net and BitNinja.IO
I've had a VPS from Hukot.net for a while now. I was originally attracted to their very cheap Windows XP offering, but quite soon after I set my XP vps up, I started to get emails from Hukot saying that they'd received emails from BitNinja.IO saying that my machine was attempting to attack known php vulnerabilities at one of their clients.

Now I realise that an XP system directly connected to the internet is at risk of being compromised, but I'd shut all methods of incoming communication except an ssh server within a few hours of imaging it. Ah well, I decided, maybe the hackers are so adept at hacking XP that those few hours are enough. So I reimaged XP, this time with no outgoing network connection until I had set up ssh. Still the BitNinja reports kept coming.

So I gave up on XP, installed Ubuntu and hardened that to the best of my abilities. You guessed it, the BitNinja reports kept coming.

So a few weeks ago, I booted the machine to a GParted live CD, blew away all the partitions and shut the machine down.

Guess what - BitNinja still claim my machine is attacking their clients.

I can't get any technical help from Hukot on this subject and BitNinja have confirmed that they are still definitely seeing traffic from my IP address.

So either there is some very strange NAT hijacking (does that even exist?) going on at Hukot, or some sort of rootkit that survives partition deletion has taken over my virtual hard drive, or BitNinja are just telling tall stories. Either way, I have a VPS that I can't use because if I do I get threatened that Hukot will shut it down - even when it's shut down already.

Needless to say, I've moved on to another provider.


Comments

  • Did you get a refund?

  • Might be time to choose a provider that ignores bitninja? It's not like it's a major blacklist and it's only used by people who use the bitninja service.

    http://www.lowendtalk.com/discussion/69248/bitninja-abuse-reports/p1

  • GM2015 Member
    edited December 2015

    Bitninja is taking their fake attack reports too far nowadays and stupid providers fall for this shit.

    See:
    http://www.lowendtalk.com/discussions/tagged/bitninja/p1
    http://www.lowendtalk.com/discussion/51621/alternatives-to-bitninja-io spam
    http://www.lowendtalk.com/discussion/69248/bitninja-abuse-reports

    These people at reddit actually believe bitninja is legit. https://www.reddit.com/r/sysadmin/comments/384q3b/my_server_was_just_suspended_because_of_a/

    Personally, I'd give less than a shit about their reports when their business is selling "security" to people.

  • Well there you go. I searched to see if there were other reports of false positives - I suppose I didn't search hard enough. Thanks for those links.

    So I think I've provided the ultimate proof that these people are making it up.

    As for a refund, I can't get them to answer my emails. Truth be told, the cost of my time reinstalling and reconfiguring multiple times because I thought I'd done something wrong far outweighs the few dollars I dropped on the service. The lesson seems to be - buy cheap, buy twice.

  • KuJoe Member, Host Rep
    edited December 2015

    I started blocking e-mails from Bitninja months ago because they keep erroneously reporting one of our clients (first report was in 2013, most recent report was today). I feel bad that our client went through the hassle of re-installing everything from scratch because I come to find out that some logs have timestamps where the client's VPS was offline, meaning the IP is either being spoofed or their system is broken.

  • @glent1 I can confirm that Hukot doesn't have protection against IP hijacking.

    They've fixed it and terminated the customers who were responsible for that issue.

    Ask them and they'll definitely catch the abuser and ban him.

  • Hello everyone! I'm Bogi from the BitNinja team and I'd like to clarify this situation.

    We are quite a young company, so you might not find too much information about us and our reports on the net. But I'd like to assure you that BitNinja is completely legit and really established companies use our protection (for example: http://www.thewhir.com/web-hosting-news/canadian-web-hosting-partners-with-bitninja-for-security).

    The reports we send out are to draw attention to hidden vulnerabilities that are used for cyber attacks. The information in the reports is real and real time. Please, don't hesitate to contact us ([email protected]) when you get reports like these, we'll help you find the problem and analyze the attacks.

  • @BogiAngalet what's what? I couldn't hear you over the noise of false abuse reports

  • I think that for the client it is better to see (or even not be aware of) the issues the provider has. That is normal when a provider tries to solve its issue without notifying the client.
    I believe that is a great approach

  • @BogiAngalet said:
    Hello everyone! I'm Bogi from the BitNinja team and I'd like to clarify this situation.

    We are quite a young company, so you might not find too much information about us and our reports on the net. But I'd like to assure you that BitNinja is completely legit and really established companies use our protection (for example: http://www.thewhir.com/web-hosting-news/canadian-web-hosting-partners-with-bitninja-for-security).

    The reports we send out are to draw attention to hidden vulnerabilities that are used for cyber attacks. The information in the reports is real and real time. Please, don't hesitate to contact us ([email protected]) when you get reports like these, we'll help you find the problem and analyze the attacks.

    How far are you guys actually looking into these "hidden vulnerabilities"? By the sounds of it OP didn't have his machine compromised; instead his IP was more than likely hijacked.

    Why didn't bitninja pick this up? Or look into it further? By the sounds of it OP had the machine turned off at some point, are you still seeing traffic from his IP? Have you done a simple ping to see if it's online?

    It sounds like Bitninja is completely automated and has no human intervention..

  • Sending fake reports is easier to make sales to naive people.

    ATHK said: How far are you guys actually looking into these "hidden vulnerabilities"? By the sounds of it OP didn't have his machine compromised; instead his IP was more than likely hijacked.

    Why didn't bitninja pick this up? Or look into it further? By the sounds of it OP had the machine turned off at some point, are you still seeing traffic from his IP? Have you done a simple ping to see if it's online?

    It sounds like Bitninja is completely automated and has no human intervention..

  • ATHK Member
    edited December 2015

    @GM2015 said:
    Sending fake reports is easier to make sales to naive people.

    Couldn't agree more..

    I doubt I'll get an answer..

  • Seems like they've got bitbots running, or ninjabots, to pick victims and send fake alerts. Also one to reply to threads on LET with the same reply.

  • Hey guys! If you believe that you got any fake reports, please contact us at [email protected], to discuss the specific case. We are always happy to help.

    On ATHK's comment: it is true that unfortunately BitNinja has no tools at the moment to detect IP hijacking.

  • BogiAngalet said: please contact us at

    You are here now, why not respond to the masses in this forum. They already have their pitchforks out, and you are not helping yourself at all. Why should we bother wasting our time contacting you? I have never seen a valid complaint from you, and have RBL'd bitninja so you stop wasting my time.

  • Can you share what sites your reports are coming from? All bitninja reports I've seen so far have the "affected" domains scratched out.

    miTgiB said: You are here now, why not respond to the masses in this forum. They already have their pitchforks out, and you are not helping yourself at all. Why should we bother wasting our time contacting you? I have never seen a valid complaint from you, and have RBL'd bitninja so you stop wasting my time.

  • Hi everyone,

    I am George, the CEO of bitninja. Let me join the discussion and answer all your questions about bitninja and our reports.

    First some theory

    There are 6 steps of botnet infections:

    1. Scan for server/app vulnerabilities
    2. Exploit the vulnerability
    3. Infect the system/web app
    4. Set up/ register command and control channel
    5. Resource usage (sending spam, DoS attack, traffic proxy, other harmful activities) this is the stage you can see and experience, eg. when a server starts to send spam/ dos attack others etc.
    6. Expanding (the cycle starts from the beginning)

    We, at bitninja, try to create a security system to cover all 6 major areas with different modules, and if we find any malicious activity with any of the detecting modules we greylist the IP. Greylisting differs from blacklisting in many aspects (you can find detailed info about greylisting at https://doc.bitninja.io )

    So when we greylist an IP, we capture traffic about it, and later based on the captured info we send out a report to the admin of the IP. The incident report page is a live thing, so you can always find the latest info we have about that IP. If the domains are covered, we can send you uncovered logs too if you request it by mail. (If anyone has a better idea about it, please let me know, we would be happy to implement a more convenient and safer way)

    The records of the incident report can contain different info. We collect many different app logs like http transfer logs, auth logs, netstat records and get/post requests. What you see in the report depends on what interaction your server has made with a bitninja protected server.

    Some of you are complaining about not finding the vulnerabilities. Well, as you can see above there are 6 layers you have to protect against botnet threats, not mentioning targeted attacks.. If you host wp or other php based websites, there are a lot of vulnerabilities you can not solve by keeping your linux and wps updated. There are tons of other aspects. Themes, plugins, ftp logins, 0 day vulnerabilities, bruteforce, etc. There are a lot of unknown vulnerabilities and hackers are one step ahead in many cases as they only have to focus on 1 kind of attack but you have to defend against a lot. An average server has to face more than 1000 different scans and attacks every day.

    Pattern matching malware detectors like maldet and antivirus like clamav can only do so much. They are trying to protect you in the 3rd stage, the infection period, when the attacker already has a way to upload files to your server... Maldet is based on pattern matching so if the attacker uses any mechanism to alter the malware before uploading, no antivirus can stop it.

    Bitninja has tools to catch the attack in the early stage when they only scan your server for vulnerabilities, but also has modules for other stages. We constantly implement detection modules to cover all 6 stages.

    If you need more info about this topic, I have written a book about botnet protection, you can read more about it. (I'll post the link tomorrow as I'm out of office and writing from my mobile)

    @GM2015 said:
    Can you share what sites your reports are coming from? All bitninja reports I've seen so far have the "affected" domains scratched out.

    Yes, every bitninja user can set how much information they want to share with other bitninja users or with anyone else. If a bitninja user chooses not to share domain names from the logs we collect, we can not publish them in the incident report. If you ask us for more info via e-mail to trace the vulnerability, then we can send it to you uncovered.

    @sdglhm
    Of course we do not send any fake reports. There are a lot of cases when our reports help sysadmins to trace different threats on their servers. Also, if you write us not to send any more reports to a specific IP, we can ignore list that IP.

    As for the original question, I will investigate the case, but it is hard to imagine that the IP has been spoofed, unless the provider uses some weird technique... One can not make complete http POST requests with a spoofed sender b/c of the nature of the TCP protocol and the 3 way handshake. UDP packet senders or SYN packet senders can be spoofed but not whole tcp sessions, unless a man in the middle. What I think may have happened is hosting the same infected files with different operating systems.. at least it makes sense to survive the multiple system reinstalls. There are a lot of infected wp themes for example.

    I hope I was able to cover most of the questions, but I am here and ready to answer any of your questions. Currently I'm out of office until Saturday, but I can further investigate this issue on Monday. (Ps. Sorry for any typos)
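
A small triage script that applies the two arguments made in this thread to a report's records: a full TCP session cannot carry a forged source address because the 3-way handshake would never complete (George's point), and a record timestamped while the host was provably offline cannot be that host's traffic (KuJoe's point). This is an added example, not code from BitNinja, Hukot or any poster; the report line format, the record kind labels and the outage window are assumptions, and all records are constructed.

```python
"""Triage an abuse/incident report against local evidence.

Added example (not BitNinja's, Hukot's or any poster's code). It applies
two arguments from this thread: a full TCP session (HTTP POST/GET, SSH
login) cannot carry a forged source address because the 3-way handshake
would never complete, while a lone SYN or a UDP datagram can; and a record
timestamped while the host was provably offline cannot have come from that
host (it points at IP hijacking/reuse, a forged packet or a clock error).
Record format, kind labels, outages and all records are constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

SPOOFABLE = {"udp", "tcp-syn"}   # no completed handshake: source unverified

@dataclass
class Record:
    ts: datetime   # UTC
    kind: str      # "http-post", "http-get", "ssh-auth", "tcp-syn", "udp"
    detail: str

def parse_record(line):
    """Parse one 'ISO-8601 timestamp|kind|detail' line (constructed format)."""
    ts, kind, detail = line.strip().split("|", 2)
    return Record(datetime.fromisoformat(ts).astimezone(timezone.utc), kind, detail)

def triage(line, outages):
    """Classify one record given [(start, end), ...] windows the host was down."""
    r = parse_record(line)
    if any(start <= r.ts < end for start, end in outages):
        return "implausible-offline"   # host was down: not this host's traffic
    if r.kind in SPOOFABLE:
        return "unverified-source"     # forgeable: weak evidence on its own
    return "credible"                  # full session: that IP really sent it

def verdict(lines, outages):
    """Whole-report verdict; one offline record makes the report inconsistent."""
    classes = {triage(line, outages) for line in lines}
    if "implausible-offline" in classes:
        return "inconsistent"   # raise with the provider: check for IP hijack/reuse
    if "credible" in classes:
        return "actionable"     # hunt for the compromised app/site on this host
    return "weak"               # only forgeable records: ask reporter for more

# Constructed sample: VPS powered off from 1 Dec 2015, report still lists traffic.
OUTAGES = [(datetime(2015, 12, 1, tzinfo=timezone.utc),
            datetime(2015, 12, 31, tzinfo=timezone.utc))]
REPORT = [
    "2015-11-20T10:15:00+00:00|http-post|POST /wp-login.php",
    "2015-11-21T03:00:00+00:00|udp|probe to 53/udp",
    "2015-12-03T12:00:00+00:00|http-post|POST /xmlrpc.php",
    "2015-12-05T08:30:00+00:00|tcp-syn|SYN to 22/tcp",
]

if __name__ == "__main__":
    for line in REPORT:
        print(triage(line, OUTAGES), line)
    print("verdict:", verdict(REPORT, OUTAGES))
```

An "inconsistent" verdict is the thing to take back to the provider, since the report and the host's own uptime record cannot both be right.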

  • PieHasBeenEaten Member, Host Rep

    @bitninja_george Well you do send fake reports. The company I work for received reports from your service for a group of 10 ips out of a block we don't even announce. So yea we just automatically shit can your emails in /dev/null.

  • @PieNotEvenEaten said:
    bitninja_george Well you do send fake reports. The company I work for received reports from your service for a group of 10 ips out of a block we don't even announce. So yea we just automatically shit can your emails in /dev/null.

    Well, I am sure we do not send. Please send me those IPs so we can investigate the case. I am sure there is an explanation for that and I am eager to know.

  • @PieNotEvenEaten said:
    bitninja_george Well you do send fake reports. The company I work for received reports from your service for a group of 10 ips out of a block we don't even announce. So yea we just automatically shit can your emails in /dev/null.

    Look guys, why would we send fake reports when we collect tens of thousands of incidents every day? We send these reports to help you guys fight against our common enemy. Those hackers who build their botnets from your servers, and use your and your clients' resources for cybercrime. I am sure you are also against any of them, as I see you all hate spam and dos attacks. We fight against the same, and we are happy to help you in this battle for free as we can only win this game if we fight together against hackers (and not against each other :-) )

    If you send me those IPs I will investigate why we sent the reports as soon as I return from Bangkok. Maybe we have a bug? Yes, it is possible.. Or there is something misconfigured on your side? Also possible..

    Bests

    George

  • GM2015 Member
    edited December 2015
  • It's possible that you guys have some bug in your system. Most of the times, I only see bitninja goes with Fake reports.

  • agoldenberg Member, Host Rep

    @bitninja_George if I wanted a 3rd party to port scan my servers and email me vulnerabilities, I'd hire an IT firm. I'm certainly not going to pay some random stranger who shot my provider an email making it look as though I or my hardware are doing something sketchy.

    The truth is you send reports for a bunch of bull shit as stated above and hope people will use your product as a result. You're like an SEO spammer. Broken English and everything.

    Just stop....

  • @agoldenberg said:
    bitninja_George if I wanted a 3rd party to port scan my servers and email me vulnerabilities, I'd hire an IT firm. I'm certainly not going to pay some random stranger who shot my provider an email making it look as though I or my hardware are doing something sketchy.

    The truth is you send reports for a bunch of bull shit as stated above and hope people will use your product as a result. You're like an SEO spammer. Broken English and everything.

    Hi,

    There must be some misunderstanding in the way our system works. We send the reports to you to stop attacking our clients' servers. It is that easy. Our clients could do it themselves, but we cut the line and make it easier. So as soon as we do not receive incidents, no more reports will be sent.

    I think the times are over when people don't take responsibility for the traffic their devices make. Send us your IPs so we can simply ignore list them. It is that easy if you don't want to face our reports.

  • @sdglhm said:
    It's possible that you guys have some bug in your system. Most of the times, I only see bitninja goes with Fake reports.

    Hi,

    Please send me an IP so we can check it! I have not received any IP so far...

  • You can't even gauge if the IP is being spoofed or if it has been hijacked.

    In the cases of false reports, all you're doing is harassing and potentially causing innocent people to lose money.

    In my eyes, you're almost like a modern day thief.

  • @ATHK said:

    If you do not send an IP I surely can not help you..
    Hijacking complete TCP sessions is not as easy as it sounds :-) Anyway if your IP is hijacked or spoofed, you do not care about it? Please send an IP to at least check our side. We send tons of incident reports every day and the reaction is always positive and helpful. Most people want to solve their issues and in many cases the reports help them to trace the problem. Do you want to solve this problem, or not? Honestly so far I have not met a case when the traffic was spoofed, let me see that IP!

  • @ATHK said:
    In my eyes, you're almost like a modern day thief.

    Modern day thieves are the hackers using the resources of you and your users! We are fighting against them, and BitNinja is an excellent and easy solution for this problem.

    Believe me guys, we also have a hosting company with 50+ servers and we created bitninja b/c of the many problems we had with hackers and botnets. Since we use this system no more high load, no more spam, no more hacked wp, drupal, joomla, etc. and no more incoming and outgoing dos attacks. They are all the symptoms of botnet activity.

  • bitninja_george said: we also have a hosting company

    link?

  • Just stop. Your entire company consists of trying to get people to sign up for a service, and we've seen evidence of multiple occasions where false abuse reports have resulted in clients getting terminated.

    Furthermore, keep the advertising rubbish out of your posts, CEO (SEO), it doesn't work here.
