On Friday, February 26, 2016 at 10:57:19 AM UTC-5, Robin Manoli wrote:
>> So, is the above log entry from the *other* server (i.e., not the one you 
>> control)? I presume the "server.ip" value is the IP address of your server, 
>> hence the belief that this request is coming from your server, correct? If 
>> so, how did you get this log entry? Did the owner of the server contact you 
>> and provide it? Did they request any information from you? Can you trust 
>> that this is real (as opposed to a social engineering attempt)?
>
> Yes this was the entry from the other server. The report of the entry was 
> sent to the VPS provider by bitninja.io, and the VPS provider forwarded 
> it to me asking for a solution. Bitninja didn't ask for anything else than 
> those logs I posted here, and they said pretty much the same thing about 
> attempting proxy requests. They seem trustable to me, although I don't see 
> how these requests from my server keep happening on port 80 on that server 
> after I blocked it for outgoing traffic.
>

Note, Bitninja sells server security services (i.e., they have an interest 
in convincing you that you've got a vulnerability so you will buy their 
services). A lot of folks seem to think they generate fake reports as a 
marketing scam -- see:

https://www.lowendtalk.com/discussion/69911/hukot-net-and-bitninja-io
https://www.lowendtalk.com/discussion/69248/bitninja-abuse-reports

Also, on their home page <https://bitninja.io/>, both the counter and the 
"live" list of "attacks" are fake -- generated client-side via JavaScript 
(no live updates from the server).

I'm not sure if they sent you more details, but I notice the alleged server 
log record from them does not include the timestamp, and it does not appear 
they gave you the host name or IP address of the allegedly attacked server. 
This means there is no way for you to correlate their alleged records with 
your own logs (i.e., you cannot match the external host/ip nor the time of 
the request). They have sent you a very generic and common type of attack, 
so it may be likely that you would have a matching request in your logs 
just by chance.

If you think they're for real, tell them you at least want to see 
timestamps -- if you don't see a matching request in your logs around the 
same time, I would highly doubt their reports are real.

Anthony
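To make the correlation point above concrete, here is an added example (not from the thread or from web2py) that matches a reported request line against a local Apache combined-format access log, narrowing the candidates by peer address and by a time window around the report's timestamp when those are available. The log lines, IP addresses and times are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Feb/2016:09:12:41 +0000] "GET http://example.net/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Feb/2016:09:13:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.47.0"
203.0.113.7 - - [26/Feb/2016:11:40:02 +0000] "GET http://example.net/ HTTP/1.1" 403 210 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Feb/2016:11:40:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Peer address, bracketed timestamp, quoted request line and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}

def correlate(log_text, request, peer_ip=None, reported_at=None, window=timedelta(minutes=5)):
    """Return local log entries that could correspond to an abuse report.

    `request` is the request line quoted in the report. `peer_ip` and `reported_at`
    are optional because reports often omit them; every field the report leaves out
    widens the candidate set, which is why a timestamp is the minimum worth asking for.
    """
    if reported_at is not None and reported_at.tzinfo is None:
        reported_at = reported_at.replace(tzinfo=timezone.utc)  # assume UTC for naive times
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["req"] != request:
            continue
        if peer_ip is not None and e["ip"] != peer_ip:
            continue
        if reported_at is not None and abs(e["ts"] - reported_at) > window:
            continue
        hits.append(e)
    return hits

if __name__ == "__main__":
    req = "GET http://example.net/ HTTP/1.1"
    # Without a timestamp, a generic request line matches every occurrence in the log.
    print(len(correlate(SAMPLE_LOG, req)), "candidate(s) with no timestamp")
    when = datetime(2016, 2, 26, 11, 42, tzinfo=timezone.utc)
    print(len(correlate(SAMPLE_LOG, req, reported_at=when)), "candidate(s) within 5 min of the report")
```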

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.