Hello,
An abusive behaviour (Spam) originating from your dedicated server ns3062297.ip-91-121-86.eu has been reported to or noticed by our Abuse Team.
Technical details showing the aforementioned problem follow :
— start of the technical details —
Dear Provider,
I’m George Egri, the Co-Founder and CEO of BitNinja Server Security. I’m writing to inform you that we have detected malicious requests from the IP 91.121.86.61 directed at our clients’ servers.
As a result of these attacks, we have added your IP to our greylist to prevent it from attacking our clients’ servers.
Servers are increasingly exposed as the targets of botnet attacks and you might not be aware that your server is being used as a “bot” to send malicious attacks over the Internet.
I’ve collected the 3 earliest logs below, and you can find the freshest 100, that may help you disinfect your server, under the link.
http://bitninja.io/incidentReport.php?details=4458a34b3841d64848?utm_source=incident&utm;_content=publicpage.The timezone is UTC +1:00.
Url: [indezz.co/xmlrpc.php]
Headers: [array (
‘X-Forwarded-Proto’ => ‘https’,
‘User-Agent’ => ‘Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0’,
‘Connection’ => ‘close’,
‘Accept-Encoding’ => ‘gzip’,
‘BN-Frontend’ => ‘waf-https’,
‘X-Forwarded-Port’ => ‘443’,
‘BN-Client-Port’ => ‘33094’,
‘Content-Type’ => ‘application/x-www-form-urlencoded’,
‘Content-Length’ => ‘475’,
‘Host’ => ‘indezz.co’,
‘X-Forwarded-For’ => ‘91.121.86.61’,
)]
Post: [‘system.multicallmethodNamewp.getUsersBlogsparams<data>[login]</array>’]
Matched: [
ModSecurity id: [941100] revision [2]
msg [XSS Attack Detected via libinjection]
match [detected XSS using libinjection.]
logdata [Matched Data:
Url: [www.thebhoidesigns.com/wp-login.php]
Remote connection: [91.121.86.61:55092]
Headers: [array (
‘Host’ => ‘www.thebhoidesigns.com’,
‘User-Agent’ => ‘Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0’,
‘Content-Length’ => ‘104’,
‘Content-Type’ => ‘application/x-www-form-urlencoded’,
‘Accept-Encoding’ => ‘gzip’,
‘Connection’ => ‘close’,
‘BN-Frontend’ => ‘captcha-https’,
‘X-Forwarded-Port’ => ‘443’,
‘X-Forwarded-Proto’ => ‘https’,
‘BN-Client-Port’ => ‘33384’,
‘X-Forwarded-For’ => ‘91.121.86.61’,
)]
Post data: [Array
(
[log] => admin
[pwd] => blogger
[wp-submit] => Log In
[redirect_to] => https://www.thebhoidesigns.com/wp-admin/
[testcookie] => 1
)
]
Url: [www.thebhoidesigns.com/xmlrpc.php]
Remote connection: [91.121.86.61:55134]
Headers: [array (
‘Host’ => ‘www.thebhoidesigns.com’,
‘User-Agent’ => ‘Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0’,
‘Content-Length’ => ‘475’,
‘Content-Type’ => ‘application/x-www-form-urlencoded’,
‘Accept-Encoding’ => ‘gzip’,
‘Connection’ => ‘close’,
‘BN-Frontend’ => ‘captcha-https’,
‘X-Forwarded-Port’ => ‘443’,
‘X-Forwarded-Proto’ => ‘https’,
‘BN-Client-Port’ => ‘33800’,
‘X-Forwarded-For’ => ‘91.121.86.61’,
)]
Post data: [Array
(
[ «1.0»?>system.multicall;methodName<value>wp.getUsersBlogs</member>params<array>[login]
)
]
Please keep in mind that after the first intrusion we log all traffic between your server and the BitNinja-protected servers until the IP is removed from the greylist. This means you may see valid logs beside the malicious actions in the link above. If you need help finding the malicious logs, please don’t hesitate to contact our incident experts by replying to this e-mail.
For more information on analyzing and understanding outbound traffic, check out this:
https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg?utm_source=incident&utm;_campaign=investigation&utm;_content=image
We’ve also dedicated an entire site help people prevent their server from sending malicious attacks:
https://doc.bitninja.io/investigations.html?utm_source=incident&utm;_campaign=investigation&utm;_content=documentation
Thank you for helping us make the Internet a safer place!
Regards,
George Egri
CEO at BitNinja.io
BitNinja.io @ BusinessInsider UK
BitNinja.io hits the WHIR.com
BitNinja @ CodeMash conference \— mail_boundary —
Incident report — BitNinja.io
![](cid:part1.6af6d9518894aae1d19b7c794ab98496)
—
|
|
Dear Provider,
I am Mark Bacsko, Incident Analystat [BitNinja Server Security](https://bitninja.io?). I’m writing to inform you that we have detected malicious requests from the IP 91.121.86.61 directed at our clients’ servers.
Timestamp (UTC): 2022-07-07 13:33:48
As a result of these attacks, we have added your IP to our greylist to prevent it from attacking our clients’ servers.
Servers are increasingly exposed as the targets of botnet attacks and you might not be aware that your server is being used as a “bot” to send malicious attacks over the Internet.
I’ve collected the 3 earliest logs below, and you can find the freshest 100, that may help you disinfect your server, under the link. The timezone is UTC +2:00.
[http://bitninja.io/incidentReport.php?details=4458a34b3841d64848](http://bitninja.io/incidentReport.php?details=4458a34b3841d64848?utm_source=incident&utm_content=publicpage)[](http://bitninja.io/incidentReport.php?details=4458a34b3841d64848)
Url: [indezz.co/xmlrpc.php]
Headers: [array (
‘X-Forwarded-Proto’ => ‘https’,
‘User-Agent’ => ‘Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0’,
‘Connection’ => ‘close’,
‘Accept-Encoding’ => ‘gzip’,
‘BN-Frontend’ => ‘waf-https’,
‘X-Forwarded-Port’ => ‘443’,
‘BN-Client-Port’ => ‘33094’,
‘Content-Type’ => ‘application/x-www-form-urlencoded’,
‘Content-Length’ => ‘475’,
‘Host’ => ‘indezz.co’,
‘X-Forwarded-For’ => ‘91.121.86.61’,
)]
Post: [‘system.multicall<name>methodNamewp.getUsersBlogsparams[login]</array>’]
Matched: [
ModSecurity id: [941100] revision [2]
msg [XSS Attack Detected via libinjection]
match [detected XSS using libinjection.]
logdata [Matched Data:
Url: [www.thebhoidesigns.com/wp-login.php]
Remote connection: [91.121.86.61:55092]
Headers: [array (
‘Host’ => ‘www.thebhoidesigns.com’,
‘User-Agent’ => ‘Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0’,
‘Content-Length’ => ‘104’,
‘Content-Type’ => ‘application/x-www-form-urlencoded’,
‘Accept-Encoding’ => ‘gzip’,
‘Connection’ => ‘close’,
‘BN-Frontend’ => ‘captcha-https’,
‘X-Forwarded-Port’ => ‘443’,
‘X-Forwarded-Proto’ => ‘https’,
‘BN-Client-Port’ => ‘33384’,
‘X-Forwarded-For’ => ‘91.121.86.61’,
)]
Post data: [Array
(
[log] => admin
[pwd] => blogger
[wp-submit] => Log In
[redirect_to] => https://www.thebhoidesigns.com/wp-admin/
[testcookie] => 1
)
]
Url: [www.thebhoidesigns.com/xmlrpc.php]
Remote connection: [91.121.86.61:55134]
Headers: [array (
‘Host’ => ‘www.thebhoidesigns.com’,
‘User-Agent’ => ‘Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0’,
‘Content-Length’ => ‘475’,
‘Content-Type’ => ‘application/x-www-form-urlencoded’,
‘Accept-Encoding’ => ‘gzip’,
‘Connection’ => ‘close’,
‘BN-Frontend’ => ‘captcha-https’,
‘X-Forwarded-Port’ => ‘443’,
‘X-Forwarded-Proto’ => ‘https’,
‘BN-Client-Port’ => ‘33800’,
‘X-Forwarded-For’ => ‘91.121.86.61’,
)]
Post data: [Array
(
[ «1.0»?>system.multicall<value>methodNamewp.getUsersBlogs;params[login]<;/member>
)
]
Please keep in mind that after the first intrusion we log all traffic between your server and the BitNinja-protected servers until the IP is removed from the greylist. This means you may see valid logs beside the malicious actions in the link above. If you need help finding the malicious logs, please don’t hesitate to contact our incident experts by replying to this e-mail.
For more information on analyzing and understanding outbound traffic, check out this:
[](https://docs.bitninja.io/wp-content/uploads/2020/08/bitninja-incident-report-1-scaled.jpg)<https://docs.bitninja.io/wp-content/uploads/2020/08/bitninja-incident-report-1-scaled-1.png>
[](https://bitninja.io/wp-content/uploads/2016/07/bitninja-incident-report-1.jpg)We’ve also dedicated an entire site help people prevent their server from sending malicious attacks:
<https://docs.bitninja.io/serverprotection/doc/>[
](https://doc.bitninja.io/investigations.html?utm_source=incident&utm_campaign=investigation&utm_content=documentation)
Our incident experts are also happy to help you and can provide detailed logs if needed. Please, feel free to connect me with the administrator or technical team responsible for managing your server.
Thank you for helping us make the Internet a safer place!
Regards,
**Mark Bacsko**
Incident Analyst
BitNinja @[GBHackers](https://gbhackers.com/how-to-detect-obfuscated-malware-on-your-server/)
BitNinja.io @ [BusinessInsider UK](http://uk.businessinsider.com/cylons-grace-cassy-says-companies-fighting-asymmetric-warfare-against-hackers-2015-12)
|
—|—|—
Partnered by:
![](cid:part2.6f89c33ce80bc628f8e202d170b170e3)
© 2020 BitNinja Server Security
\— Forwarded email(s) —
— end of the technical details —
Your should investigate and fix this problem, as it constitutes a violation to our terms of service.
Please answer to this e-mail indicating which measures you’ve taken to stop the abusive behaviour.
Cordially,
The OVHcloud Abuse team.