Help with VPS server logs

mrlinks

Hello @Sven

My VPS guys are telling me SER or maybe Proxy Scraper is sending malicious requests and BitNinja Server Security is giving them this information.

See below what I was sent?

Url: [nhadepdongphong.vn/301.php]
Remote connection: []
Headers: [array (
'Host' => 'nhadepdongphong.vn',
'Connection' => 'keep-alive',
'User-Agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 OPR/52.0.2871.99',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'DNT' => '1',
'sec-ch-ua' => '" Not;A Brand";v="99", "Google Chrome";v="65", "Chromium";v="65"',
'sec-ch-ua-mobile' => '?0',
'sec-gpc' => '1',
)]
Get data: [Array
(
[url] => https://www.winnipegfreepress.com/s?action=editReg&rurl=
)
]

Url: [nhadepdongphong.vn/301.php]
Remote connection: []
Headers: [array (
'Host' => 'nhadepdongphong.vn',
'Connection' => 'keep-alive',
'User-Agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 OPR/52.0.2871.99',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'DNT' => '1',
'sec-ch-ua' => '" Not;A Brand";v="99", "Google Chrome";v="65", "Chromium";v="65"',
'sec-ch-ua-mobile' => '?0',
'sec-gpc' => '1',
)]
Get data: [Array
(
[url] => https://www.winnipegfreepress.com/s?action=editReg&rurl=
)
]

Url: [scientists-farmers.com/]
Remote connection: []
Headers: [array (
'Host' => 'scientists-farmers.com',
'Connection' => 'keep-alive',
'User-Agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'DNT' => '1',
'sec-ch-ua' => '" Not;A Brand";v="99", "Google Chrome";v="66", "Chromium";v="66"',
'sec-ch-ua-mobile' => '?0',
'sec-gpc' => '1',
)]
Get data: [Array
(
[goto] => https://www.winnipegfreepress.com/s?action=editReg&rurl=
)
]

sickseo

I recently received a similar abuse complaint from my vps provider. Also bitninja logging the complaint. It's likely it happened when my proxies stopped working, so they logged the abuse complaint against my server ip, which normally does not happen. Running GSA SER on this server. It was just an FYI for me, so no action was required.

Dear Provider,

I’m George Egri, the Co-Founder and CEO of BitNinja Server Security. I’m writing to inform you that we have detected malicious requests from the IP 95.217.216.41 directed at our clients’ servers.

As a result of these attacks, we have added your IP to our greylist to prevent it from attacking our clients’ servers.

Servers are increasingly exposed as the targets of botnet attacks and you might not be aware that your server is being used as a “bot” to send malicious attacks over the Internet.

I've collected the 3 earliest logs below, and you can find the freshest 100, that may help you disinfect your server, under the link.

http://bitninja.io/incidentReport.php?details=6174cc5f1a1c44d783?utm_source=incident&utm_content=publicpage. The timezone is UTC +1:00.

Url: [firstcity.edu.my/event/pdrm-e-poster-competition-2021/]
Remote connection: [95.217.216.41:33386]
Headers: [array (
  'Host' => 'firstcity.edu.my',
  'User-Agent' => 'Java/11.0.10',
  'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
  'BN-Frontend' => 'waf-https',
  'BN-Client-Port' => '53644',
  'X-Forwarded-For' => '95.217.216.41',
)]

Url: [www.adoriabridal.com/product-tag/veil-tunang/]
Remote connection: [95.217.216.41:50170]
Headers: [array (
  'Host' => 'www.adoriabridal.com',
  'User-Agent' => 'Java/11.0.10',
  'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
  'BN-Frontend' => 'captcha-https',
  'X-Forwarded-Port' => '443',
  'X-Forwarded-Proto' => 'https',
  'BN-Client-Port' => '56902',
  'X-Forwarded-For' => '95.217.216.41',
)]

Url: [www.adoriabridal.com/product/basic-shawl-navy-blue/]
Remote connection: [95.217.216.41:50292]
Headers: [array (
  'Host' => 'www.adoriabridal.com',
  'User-Agent' => 'Java/11.0.10',
  'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
  'BN-Frontend' => 'captcha-https',
  'X-Forwarded-Port' => '443',
  'X-Forwarded-Proto' => 'https',
  'BN-Client-Port' => '57374',
  'X-Forwarded-For' => '95.217.216.41',
)]

mrlinks

I use greencloud I keep telling them I'm using ANON ips from Proxy Scraper 

Thank you for replying @sickseo good to know its not just my VPS 

On another note are you still cranking hard with SER?

I was an old user way back 2013 haha now I'm trying again with a few projects 

sickseo

2013? That's around the time I first started using it I think, when I got banned on senuke forum for always saying how great GSA SER was lol

Yes, still cranking it hard and seeing great results from it. Literally every project I touch lol Even one word and two word phrases which I didn't think was possible until I tried lol

My local seo projects are going really well. Using it on ecommerce sites with amazon and ebay products. Have clients in different niches and so far every keyword a client gives me is ranking or on its way up to page 1.

So crack on is all I can say lol Give me a shout if you struggle with results. I'll see if I can set you on the right path.

As for greencloud, I was using them back in the day. I've switched now to Hetzner cloud and hetzner dedi. If you're based near europe, I'd definitely recommend them. Speeds are insane. I'm running over 60 installs of gsa ser, so I have a decent sized operation going on here lol

Sven

All the logs are probably from SER trying to register/login on some of these sites.

mrlinks

@sickseo mate you're quality can we do Telegram will PM you LOL