Dear Provider,
I am Mark Bacsko, Incident Analyst at BitNinja Server Security. I’m writing to inform
you that we have detected malicious requests from the IP 103.101.52.43 directed at
our clients’ servers.
As a result of these attacks, we have added your IP to our greylist to prevent it from
attacking our clients’ servers.
Servers are increasingly exposed as the targets of botnet attacks and you might not be
aware that your server is being used as a “bot” to send malicious attacks over the
Internet.
I've collected the 3 earliest logs below, and you can find the freshest 100, which may
help you disinfect your server, under the link below. The timezone is UTC +2:00.
http://bitninja.io/incidentReport.php?details=85b7858ba2be99bdde
Url: [thespringvalleyschool.com/xmlrpc.php]
Headers: [array (
'Host' => 'thespringvalleyschool.com',
'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Content-Length' => '486',
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept-Encoding' => 'gzip',
'Connection' => 'close',
)]
Post: ['<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data
Matched: [
ModSecurity id: [941100] revision [2]
msg [XSS Attack Detected via libinjection]
logdata [detected XSS using libinjection.]
severity [CRITICAL]
1 of 3 07/02/2022, 8:50
Your server 103.101.52.43 has been registered as an attack source
severity [WARNING]
Url: [rdes.co.in/wp-login.php]
Remote connection: [103.101.52.43:57688]
Headers: [array (
'Host' => 'rdes.co.in',
'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Content-Length' => '88',
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept-Encoding' => 'gzip',
'Connection' => 'close',
'BN-Frontend' => 'captcha-https',
'X-Forwarded-Port' => '443',
'X-Forwarded-Proto' => 'https',
'X-Forwarded-For' => '103.101.52.43',
)]
Post data: [Array
(
[log] => admin
[pwd] => 123
[wp-submit] => Log In
[redirect_to] => https://rdes.co.in/wp-admin/
[testcookie] => 1
)
]
Url: [rdes.co.in/xmlrpc.php]
Remote connection: [103.101.52.43:57691]
Headers: [array (
'Host' => 'rdes.co.in',
'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Content-Length' => '471',
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept-Encoding' => 'gzip',
'Connection' => 'close',
'BN-Frontend' => 'captcha-https',
'X-Forwarded-Port' => '443',
'X-Forwarded-Proto' => 'https',
'X-Forwarded-For' => '103.101.52.43',
)]
Post data: [Array
(
[<?xml version] => "1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><dat
)
]
Please keep in mind that after the first intrusion we log all traffic between your server
and the BitNinja-protected servers until the IP is removed from the greylist. This
means you may see valid logs beside the malicious actions in the link above. If you
need help finding the malicious logs, please don’t hesitate to contact our incident
experts by replying to this e-mail.
For more information on analyzing and understanding outbound traffic, check out this:
https://docs.bitninja.io/wp-content/uploads/2020/08/bitninja-incident-report-1-scaled-1.png
We’ve also dedicated an entire site to help people prevent their server from sending
malicious attacks:
https://docs.bitninja.io/serverprotection/doc/
Our incident experts are also happy to help you and can provide detailed logs if
needed. Please feel free to connect me with the administrator or technical team
responsible for managing your server.
Regards,
Mark Bacsko
Incident Analyst
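The entries in the report above show two request patterns that an administrator reviewing the full log set will want to separate from the legitimate traffic BitNinja keeps logging after greylisting: POST requests to wp-login.php carrying log/pwd fields (password guessing), and XML-RPC bodies calling system.multicall against xmlrpc.php (a single request that batches many calls, commonly used to speed up the same guessing). The Python script below is an added example, not BitNinja's own tooling: it parses entries in the report's plain-text layout (Url / Remote connection / Headers / Post data / Matched blocks) and tags each one. The sample report, host names and IP address embedded in it are constructed placeholders, not values from any real report.

```python
"""Triage helper for BitNinja-style incident report entries (added example).

Parses the plain-text entry layout used in the report (Url / Remote connection /
Headers / Post data / Matched) and tags each entry so attack traffic can be
separated from legitimate requests logged after greylisting.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

URL_RE = re.compile(r"^Url: \[(?P<url>[^\]]*)\]")
REMOTE_RE = re.compile(r"^Remote connection: \[(?P<ip>[^:\]]+):(?P<port>\d+)\]")
MODSEC_ID_RE = re.compile(r"ModSecurity id: \[(\d+)\]")
SEVERITY_RE = re.compile(r"severity \[(\w+)\]")
# Lines of the form "[key] => value" inside a "Post data: [Array (" block.
POST_FIELD_RE = re.compile(r"^\s*\[(?P<key>[^\]]*)\] => (?P<value>.*)$")

TAG_WP_LOGIN = "wp-login credential guessing"
TAG_XMLRPC_MULTICALL = "xmlrpc system.multicall (batched calls)"
TAG_UNCLASSIFIED = "unclassified (possibly legitimate traffic logged after greylisting)"


@dataclass
class Entry:
    url: str
    remote_ip: Optional[str] = None
    post_fields: Dict[str, str] = field(default_factory=dict)
    raw_post: str = ""
    modsec_ids: List[str] = field(default_factory=list)
    severities: List[str] = field(default_factory=list)
    tags: List[str] = field(default_factory=list)


def parse_entries(report: str) -> List[Entry]:
    """Split the report text into entries; each entry starts at a 'Url: [...]' line."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in report.splitlines():
        m = URL_RE.match(line)
        if m:
            current = Entry(url=m.group("url"))
            entries.append(current)
            continue
        if current is None:
            continue  # letter text before the first entry
        m = REMOTE_RE.match(line)
        if m:
            current.remote_ip = m.group("ip")
            continue
        if line.startswith("Post: ["):  # raw-body variant of the post block
            current.raw_post += line[len("Post: ["):]
            continue
        m = POST_FIELD_RE.match(line)
        if m:
            current.post_fields[m.group("key")] = m.group("value")
            current.raw_post += f"{m.group('key')}={m.group('value')} "
            continue
        current.modsec_ids += MODSEC_ID_RE.findall(line)
        current.severities += SEVERITY_RE.findall(line)
    return entries


def classify(entry: Entry) -> Entry:
    """Attach triage tags based on path, POST content and WAF rule hits."""
    path = entry.url.split("?", 1)[0].lower()
    if path.endswith("/wp-login.php") and {"log", "pwd"}.issubset(entry.post_fields):
        entry.tags.append(TAG_WP_LOGIN)
    if path.endswith("/xmlrpc.php") and "system.multicall" in entry.raw_post:
        entry.tags.append(TAG_XMLRPC_MULTICALL)
    if entry.modsec_ids:
        entry.tags.append("ModSecurity rule hit: " + ",".join(entry.modsec_ids))
    if not entry.tags:
        entry.tags.append(TAG_UNCLASSIFIED)
    return entry


def triage(report: str) -> Dict[str, List[str]]:
    """Map each tag to the URLs it was assigned to, for review per target host."""
    summary: Dict[str, List[str]] = {}
    for entry in parse_entries(report):
        classify(entry)
        for tag in entry.tags:
            summary.setdefault(tag, []).append(entry.url)
    return summary


# Constructed sample in the report's layout; hosts and IP are placeholders.
SAMPLE_REPORT = """\
Url: [blog.example.com/wp-login.php]
Remote connection: [198.51.100.7:57688]
Headers: [array (
'Host' => 'blog.example.com',
'Content-Type' => 'application/x-www-form-urlencoded',
)]
Post data: [Array
(
[log] => admin
[pwd] => password1
[wp-submit] => Log In
)
]
Url: [blog.example.com/xmlrpc.php]
Remote connection: [198.51.100.7:57691]
Post data: [Array
(
[<?xml version] => "1.0"?><methodCall><methodName>system.multicall</methodName><params>
)
]
Url: [shop.example.com/index.php]
Remote connection: [198.51.100.7:57700]
Matched: [
ModSecurity id: [941100] revision [2]
severity [CRITICAL]
]
Url: [shop.example.com/feed/]
Remote connection: [198.51.100.7:57712]
"""

if __name__ == "__main__":
    for tag, urls in triage(SAMPLE_REPORT).items():
        print(f"{tag}: {len(urls)} entries -> {urls}")
```

Run against the downloaded "freshest 100" entries, the unclassified bucket is where the valid traffic mentioned in the letter will land, while the tagged buckets point at the paths and POST bodies the infected server is emitting.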