IPN being invoked from non PayPal IP

Simes
Contributor

Are the IP addresses 65.154.226.100 and 65.154.226.220 anything to do with PayPal? My reason for asking is that these addresses have been invoking my PayPal IPN script. My script detects that the request did not originate with PayPal and takes no action other than to notify me.

 

I first thought someone had simply guessed the name of my IPN script, so I renamed it. Curiously, these IP addresses somehow managed to invoke the script with the new name immediately, with no further attempts to invoke it via the old name. They knew the new name of the IPN script somehow.

 

Mostly, but not always, the script seems to be invoked sometime after it has processed an order. In the list below are the times of orders (yes, low volume), and also the times the suspect IP address invoked my IPN script. Not every order is followed by the suspect IP, but most are.

 

2020 Jun 19 16:21 Order
2020 Jun 19 21:41 invoked from 65.154.226.100
2020 Jun 19 21:42 invoked from 65.154.226.100
2020 Ju[Removed. Phone #s not permitted]Ju[Removed. Phone #s not permitted]Jun 24 08:58 invoked from 65.154.226.100
2020 Jun 24 08:58 invoked from 65.154.226.100
2020 Ju[Removed. Phone #s not permitted]Jun 26 10:17 invoked from 65.154.226.100
2020 Jun 26 10:17 invoked from 65.154.226.100

 

2020 Jun 28 14:40 renamed the IPN script

 

2020 Ju[Removed. Phone #s not permitted]Jun 30 15:03 invoked from 65.15[Removed. Phone #s not permitted]Jun 30 15:03 invoked from 65.15[Removed. Phone #s not permitted]Jul 03 1[Removed. Phone #s not permitted]0 Jul 03 18:46 invoked from 65.15[Removed. Phone #s not permitted]Jul 04 18:56 Order
2020 Jul 11 12:38 Order
2020 Jul 11 12:47 invoked from 65.154.226.100
2020 Jul 11 12:47 invoked from 65.154.226.100

Of course, this isn't much of a pattern, and could just be a coincidence.


The script is always invoked twice, about four seconds apart: the first time from a Windows machine, the second from a Linux machine. These are the log entries for the first and latest occurrences. I also noticed that they're GETs, not the POSTs that PayPal would use.

 

65.154.226.100 - - [19/Jun/2020:21:41:28 +0100] "GET /paypalipn.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom[Removed. Phone #s not permitted]Safari/537.36"
65.154.226.100 - - [19/Jun/2020:21:41:32 +0100] "GET /paypalipn.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3904.70 Safari/537.36"

 

65.154.226.100 - - [11/Jul/2020:12:47:23 +0100] "GET /paypalipnSMS.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom[Removed. Phone #s not permitted]Safari/537.36"
65.154.226.100 - - [11/Jul/2020:12:47:27 +0100] "GET /paypalipnSMS.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3904.70 Safari/537.36"

 

Any ideas what's going on?
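As an added example (not code from the original post or from PayPal), here is a small Python checker that applies the observations above to Apache-style access-log lines: it flags any non-POST request to the IPN endpoint, a headless-browser user agent, and the paired hits a few seconds apart from one address. The sample lines are constructed from the entries quoted above; the Chrome version that the forum redacted is replaced with the placeholder `Chrome/0.0`, and the POST from 203.0.113.7 is a made-up stand-in for a normal notification.

```python
import re
from datetime import datetime

# The two script names mentioned in the post; adjust to your own IPN URL path.
IPN_PATHS = {"/paypalipn.php", "/paypalipnSMS.php"}
# The post reports the two hits about four seconds apart; allow some slack.
PAIR_WINDOW_SECONDS = 10

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample input: the first pair of entries quoted in the post
# (Chrome version redacted there, so "Chrome/0.0" is a placeholder), plus a
# made-up POST from 203.0.113.7 standing in for a legitimate notification and
# an unrelated page hit.
SAMPLE_LOG = """\
65.154.226.100 - - [19/Jun/2020:21:41:28 +0100] "GET /paypalipn.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0.0 Safari/537.36"
65.154.226.100 - - [19/Jun/2020:21:41:32 +0100] "GET /paypalipn.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3904.70 Safari/537.36"
203.0.113.7 - - [19/Jun/2020:21:50:01 +0100] "POST /paypalipn.php HTTP/1.1" 200 0 "-" "constructed-notifier/1.0"
198.51.100.9 - - [20/Jun/2020:09:00:00 +0100] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, ipn_paths=IPN_PATHS, pair_window=PAIR_WINDOW_SECONDS):
    """Return a list of (ip, timestamp_iso, reason) findings for hits on the IPN endpoint."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    ipn_hits = sorted((r for r in records if r["path"] in ipn_paths), key=lambda r: r["ts"])
    findings = []
    for r in ipn_hits:
        if r["method"] != "POST":
            findings.append((r["ip"], r["ts"].isoformat(),
                             f'{r["method"]} to IPN endpoint {r["path"]} (PayPal sends POST)'))
        if "HeadlessChrome" in r["ua"]:
            findings.append((r["ip"], r["ts"].isoformat(),
                             "headless browser user agent on IPN endpoint"))
    # Paired hits: consecutive requests from the same address to the same path
    # within the window, the pattern the post describes.
    for a, b in zip(ipn_hits, ipn_hits[1:]):
        if a["ip"] == b["ip"] and a["path"] == b["path"]:
            gap = (b["ts"] - a["ts"]).total_seconds()
            if 0 <= gap <= pair_window:
                note = "different user agents" if a["ua"] != b["ua"] else "same user agent"
                findings.append((b["ip"], b["ts"].isoformat(),
                                 f"paired probe: second hit {gap:.0f}s after the first, {note}"))
    return findings


def suspect_ips(findings):
    """Distinct addresses that produced at least one finding."""
    return sorted({ip for ip, _, _ in findings})


if __name__ == "__main__":
    for ip, ts, reason in analyze(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
    print("suspect addresses:", ", ".join(suspect_ips(analyze(SAMPLE_LOG))))
```

Run against a real access log by passing the file contents to `analyze`; the legitimate POST in the sample produces no finding, while the two GETs yield two method findings, one headless-UA finding and one paired-probe finding, all for 65.154.226.100.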


fabien93
Contributor

Hello,

 

I have the same problem; looking on Google, it seems it's a hacker IP:

 

<removed>

 

Apparently, he is sniffing the request and sending it back, trying to hack the PayPal IPN.

 

But very strange, also sending "GET" instead of "POST", without information, not working.

 

Then I read your message; I hope the hacker is not in the server, just listening to the API request.

 


Simes
Contributor

Yeah, I found a similar page via Google, but it didn't seem conclusive. And I couldn't see how a hacker could find the new name of the IPN script. (Directory browsing is disabled on my site of course.) Anyway, I've renamed the IPN script again, so let's see what happens. I may resort to blocking those two IP addresses. How similar are your experiences to mine? Do you always get the two GETs, one from each IP address? Do they occur after the scripts process orders? Is your IPN script name guessable?
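Independent of the script's name or the caller's address, the documented way to tell a genuine notification from a probe is PayPal's verification postback: the handler sends the message it received, prefixed with `cmd=_notify-validate`, back to https://ipnpb.paypal.com/cgi-bin/webscr and acts only on a VERIFIED reply. The following is an added Python example, not code from this thread or from PayPal. `handle_ipn` takes the verifier as a parameter so the decision logic can be exercised offline with a stub; the server class at the bottom is a minimal illustration of wiring it up, and the duplicate-transaction set is in memory only (a real deployment would persist it).

```python
import logging
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

log = logging.getLogger("ipn")

# Documented PayPal verification endpoints (live and sandbox).
PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
PAYPAL_SANDBOX_VERIFY_URL = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"

# Transaction ids already processed. PayPal can resend a message, so the same
# txn_id must not be credited twice. In-memory here; persist it in practice.
SEEN_TXN_IDS = set()


def paypal_postback(raw_body: bytes, url: str = PAYPAL_VERIFY_URL) -> str:
    """Ask PayPal whether the message we received is genuine.

    The body must be sent back byte-for-byte as received, with the validate
    command prepended. PayPal answers with the text VERIFIED or INVALID.
    """
    req = urllib.request.Request(
        url,
        data=b"cmd=_notify-validate&" + raw_body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace").strip()


def handle_ipn(method: str, raw_body: bytes, verify=paypal_postback, seen=SEEN_TXN_IDS):
    """Decide what to do with one request to the IPN URL.

    Returns (http_status, action). Only a POST that PayPal confirms as VERIFIED
    and that carries a txn_id not seen before is accepted.
    """
    if method != "POST":
        # PayPal never GETs an IPN URL; treat anything else as a probe and log it.
        log.warning("non-POST request (%s) to IPN endpoint", method)
        return 405, "rejected: not a POST"
    if not raw_body:
        return 400, "rejected: empty body"
    verdict = verify(raw_body)
    if verdict != "VERIFIED":
        # Acknowledge with 200 so PayPal does not keep retrying, but take no action.
        log.warning("IPN postback returned %r; message ignored", verdict)
        return 200, f"ignored: postback returned {verdict}"
    params = urllib.parse.parse_qs(raw_body.decode("utf-8", "replace"))
    txn_id = params.get("txn_id", [""])[0]
    status = params.get("payment_status", [""])[0]
    if not txn_id:
        return 200, "ignored: verified message without txn_id"
    if txn_id in seen:
        return 200, f"ignored: duplicate txn {txn_id}"
    seen.add(txn_id)
    # Order fulfilment and the usual amount/currency/receiver_email checks go here.
    return 200, f"accepted txn {txn_id} ({status})"


class IPNHandler(BaseHTTPRequestHandler):
    """Minimal HTTP wrapper around handle_ipn."""

    def _respond(self, method):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        status, action = handle_ipn(method, body)
        log.info("%s %s from %s -> %s", method, self.path, self.client_address[0], action)
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._respond("GET")

    def do_POST(self):
        self._respond("POST")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    HTTPServer(("127.0.0.1", 8080), IPNHandler).serve_forever()
```

With this in place a GET such as the ones in the thread is answered with 405 and a warning in the log, and a forged POST is ignored because the postback comes back INVALID, whatever the script is called and whichever address sent it.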


Simes
Contributor

Now that's curious...

 

Moments after changing the name of my IPN and updating it in PayPal, I received an email from PayPal that my old IPN was unreachable. How would they know unless they'd tried to GET it? Could this whole issue simply be PayPal validating the configured IPN script exists? 

 

 

Hi <my name removed>,

Please check your server that handles PayPal Instant Payment Notification (IPN) messages. Messages sent to the following URL(s) aren't being received:

<url removed>

 

If you don't recognise this URL, you may be using a service provider that is using IPN on your behalf. Please contact your service provider with the above information.

 

Once you or your service provider fix this problem, you or your service provider can resend the failed messages from the IPN History page. If this problem continues, PayPal may disable the IPN feature for your account.

 

 


fabien93
Contributor

Yes, the same IP and twice called, from Unix and Windows, and "GET" instead of "POST" for the request.

 

I banned the IP on my server. If you don't have root access, ban the IP with an .htaccess file; search on Google for how to do it ("ban ip htaccess").

 

 


Simes
Contributor

There have been no further occurrences since 11 August. Perhaps he's lost interest, or PayPal have sorted out whatever was doing it.

 

