
Your server 103.101.52.43 has been registered as an attack source

Subject: Your server 103.101.52.43 has been registered as an attack source


From: BitNinja <incident@bitninja.info>
Date: 05/02/2022, 10:18
To: abuse@semarangkota.go.id

Dear Provider,

I am Mark Bacsko, Incident Analyst at BitNinja Server Security. I’m writing to inform
you that we have detected malicious requests from the IP 103.101.52.43 directed at
our clients’ servers.

Timestamp (UTC): 2022-02-05 03:18:08

As a result of these attacks, we have added your IP to our greylist to prevent it from
attacking our clients’ servers.

Servers are increasingly exposed as the targets of botnet attacks and you might not be
aware that your server is being used as a “bot” to send malicious attacks over the
Internet.

I've collected the 3 earliest logs below, and you can find the freshest 100, which may
help you disinfect your server, under the link. The timezone is UTC +2:00.
http://bitninja.io/incidentReport.php?details=85b7858ba2be99bdde

Url: [thespringvalleyschool.com/xmlrpc.php]
Headers: [array (
'Host' => 'thespringvalleyschool.com',
'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Content-Length' => '486',
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept-Encoding' => 'gzip',
'Connection' => 'close',
)]
Post: ['<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data
Matched: [
ModSecurity id: [941100] revision [2]
msg [XSS Attack Detected via libinjection]
logdata [detected XSS using libinjection.]
severity [CRITICAL]

ModSecurity id: [942110] revision [4]
msg [SQL Injection Attack: Common Injection Testing Detected]
logdata [Matched "Operator `Rx' with parameter `(^["'`;]+|["'`]+$)' against variable `ARGS:<?xml version' (Value: `"
severity [WARNING]

ModSecurity id: [942130] revision [2]
msg [SQL Injection Attack: SQL Tautology Detected.]
logdata [Matched "Operator `Rx' with parameter `(?i:([\s'"`()]*?)([\d\w]++)([\s'"`()]*?)(?:(?:=|<=>|r?like|sounds\s+like|
severity [CRITICAL]

ModSecurity id: [942370] revision [2]
msg [Detects classic SQL injection probings 2/2]
logdata [Matched "Operator `Rx' with parameter `(?i:(?:["'`]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?["'`]\d)|(?:^["'
severity [CRITICAL]

ModSecurity id: [942430] revision [2]
msg [Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)]
logdata [Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>]*
severity [WARNING]

Inbound Anomaly Score Exceeded (Total Inbound Score: 21 - SQLI=16,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Res


]

Url: [rdes.co.in/wp-login.php]
Remote connection: [103.101.52.43:57688]
Headers: [array (
'Host' => 'rdes.co.in',
'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Content-Length' => '88',
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept-Encoding' => 'gzip',
'Connection' => 'close',
'BN-Frontend' => 'captcha-https',
'X-Forwarded-Port' => '443',
'X-Forwarded-Proto' => 'https',
'X-Forwarded-For' => '103.101.52.43',
)]
Post data: [Array
(
[log] => admin
[pwd] => 123
[wp-submit] => Log In
[redirect_to] => https://rdes.co.in/wp-admin/
[testcookie] => 1
)
]

Url: [rdes.co.in/xmlrpc.php]
Remote connection: [103.101.52.43:57691]
Headers: [array (
'Host' => 'rdes.co.in',
'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Content-Length' => '471',
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept-Encoding' => 'gzip',
'Connection' => 'close',
'BN-Frontend' => 'captcha-https',
'X-Forwarded-Port' => '443',
'X-Forwarded-Proto' => 'https',
'X-Forwarded-For' => '103.101.52.43',
)]
Post data: [Array
(
[<?xml version] => "1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><dat
)
]

Please keep in mind that after the first intrusion we log all traffic between your server
and the BitNinja-protected servers until the IP is removed from the greylist. This
means you may see valid logs beside the malicious actions in the link above. If you
need help finding the malicious logs, please don’t hesitate to contact our incident
experts by replying to this e-mail.

For more information on analyzing and understanding outbound traffic, check out this:
https://docs.bitninja.io/wp-content/uploads/2020/08/bitninja-incident-report-1-scaled-1.png

We’ve also dedicated an entire site to helping people prevent their server from sending
malicious attacks:

https://docs.bitninja.io/serverprotection/doc/

Our incident experts are also happy to help you and can provide detailed logs if
needed. Please feel free to connect me with the administrator or technical team
responsible for managing your server.

Thank you for helping us make the Internet a safer place!

Regards,

Mark Bacsko
Incident Analyst

© 2020 BitNinja Server Security
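The report above mixes three things a recipient has to triage by hand: a WordPress xmlrpc.php POST carrying system.multicall that tripped several ModSecurity CRS rules, a wp-login.php attempt with the credentials admin / 123, and a second xmlrpc.php multicall. The script below is an added example, not BitNinja's code or tooling, that parses entries in the format shown, labels each one, and recomputes the CRS inbound anomaly score from the listed rule IDs and severities so the "Total Inbound Score" line can be cross-checked. It assumes the OWASP CRS v3 defaults (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2, and rule-ID families 941 = XSS, 942 = SQLI, 931 = RFI, and so on); the embedded sample is constructed, abridged from the three entries in the report, and the truncated regexes and headers are omitted because the classification does not need them.

```python
# Added example: parse BitNinja-style incident report entries, label each one and
# recompute the OWASP CRS inbound anomaly score to cross-check the summary line.
import re
from collections import Counter

# OWASP CRS v3 default severity-to-anomaly-score mapping (assumed defaults).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
# CRS v3 rule-ID families -> buckets used in the "SQLI=..,XSS=..,RFI=.." summary.
RULE_FAMILY = {920: "HTTP", 921: "HTTP", 930: "LFI", 931: "RFI", 932: "RCE",
               933: "PHPI", 941: "XSS", 942: "SQLI", 943: "SESS"}
CATEGORIES = ("SQLI", "XSS", "RFI", "LFI", "RCE", "PHPI", "HTTP", "SESS")

# Constructed sample, abridged from the three entries in the report above.
SAMPLE_REPORT = """\
Url: [thespringvalleyschool.com/xmlrpc.php]
Post: ['<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>']
Matched: [
ModSecurity id: [941100] revision [2]
msg [XSS Attack Detected via libinjection]
severity [CRITICAL]
ModSecurity id: [942110] revision [4]
severity [WARNING]
ModSecurity id: [942130] revision [2]
severity [CRITICAL]
ModSecurity id: [942370] revision [2]
severity [CRITICAL]
ModSecurity id: [942430] revision [2]
severity [WARNING]
Inbound Anomaly Score Exceeded (Total Inbound Score: 21 - SQLI=16,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0)
]

Url: [rdes.co.in/wp-login.php]
Remote connection: [103.101.52.43:57688]
Post data: [Array
(
[log] => admin
[pwd] => 123
)
]

Url: [rdes.co.in/xmlrpc.php]
Remote connection: [103.101.52.43:57691]
Post data: [Array
(
[<?xml version] => "1.0"?><methodCall><methodName>system.multicall</methodName>
)
]
"""

def reported_scores(chunk):
    """Parse 'Total Inbound Score: N - SQLI=..,XSS=..' into (total, per-category), or None."""
    m = re.search(r"Total Inbound Score: (\d+) - ([A-Z]+=\d+(?:,[A-Z]+=\d+)*)", chunk)
    if not m:
        return None
    return int(m.group(1)), {k: int(v) for k, v in (p.split("=") for p in m.group(2).split(","))}

def parse_entries(report):
    """Split the report at each 'Url: [' line and pull out the fields used for triage."""
    entries = []
    for chunk in re.split(r"\n(?=Url: \[)", report.strip()):
        url = re.search(r"^Url: \[(.*?)\]", chunk, re.M)
        remote = re.search(r"Remote connection: \[(.*?)\]", chunk)
        rules = re.findall(r"ModSecurity id: \[(\d+)\].*?severity \[([A-Z]+)\]", chunk, re.S)
        creds = re.search(r"\[log\] => (.*)\n\[pwd\] => (.*)", chunk)
        entries.append({
            "url": url.group(1), "source": remote.group(1) if remote else None,
            "rules": [(int(rid), sev) for rid, sev in rules],
            "multicall": "system.multicall" in chunk,
            "creds": (creds.group(1).strip(), creds.group(2).strip()) if creds else None,
            "reported": reported_scores(chunk)})
    return entries

def anomaly_score(rules):
    """Recompute CRS per-category and total inbound anomaly scores from (rule_id, severity)."""
    per = Counter({c: 0 for c in CATEGORIES})
    for rule_id, severity in rules:
        family = RULE_FAMILY.get(rule_id // 1000)   # 941100 -> 941 -> XSS
        if family:
            per[family] += SEVERITY_SCORE.get(severity, 0)
    return sum(per.values()), dict(per)

def classify(entry):
    """Label the entry. system.multicall batches many XML-RPC calls into one POST and is
    widely abused to try many passwords per request (general knowledge, not from the report)."""
    path = entry["url"].rsplit("/", 1)[-1]
    if path == "xmlrpc.php" and entry["multicall"]:
        return "xmlrpc-multicall"
    if path == "wp-login.php" and entry["creds"]:
        return "wp-login-guess"
    return "waf-anomaly" if entry["rules"] else "unclassified"

def summarize(report):
    """One finding per entry; 'matches_report' is True when the recomputed score agrees
    with the report's own summary line, or when the entry carries no summary line."""
    findings = []
    for e in parse_entries(report):
        total, per = anomaly_score(e["rules"])
        findings.append({"label": classify(e), "target": e["url"], "source": e["source"],
                         "creds": e["creds"], "score": total, "per": per,
                         "matches_report": e["reported"] in (None, (total, per))})
    return findings

if __name__ == "__main__":
    for finding in summarize(SAMPLE_REPORT):
        print(finding)
```

Run against the full 100-entry report linked above, the per-entry labels separate the malicious actions from the benign traffic the e-mail warns will be logged alongside them, and a mismatch in `matches_report` flags an entry whose score breakdown does not add up under the assumed CRS defaults (for example a deployment with a customised severity-to-score mapping).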

