Are the IP addresses 65.154.226.100 and 65.154.226.220 anything to do with PayPal? My reason for asking is that these addresses have been invoking my PayPal IPN script. My script detects that the request did not originate with PayPal and takes no action other than to notify me. I first thought someone had simply guessed the name of my IPN script, so I renamed it. Curiously, these IP addresses somehow managed to invoke the script with the new name immediately, with no further attempts to invoke it via the old name. They knew the new name of the IPN script somehow. Mostly, but not always, the script seems to be invoked sometime after it has processed an order. In the list below are the times of orders (yes, low volume), and also the times the suspect IP address invoked my IPN script. Not every order is followed by the suspect IP, but most are. 2020 Jun 19 16:21 Order 2020 Jun 19 21:41 invoked from 65.154.226.100 2020 Jun 19 21:42 invoked from 65.154.226.100 2020 Ju[Removed. Phone #s not permitted]Ju[Removed. Phone #s not permitted]Jun 24 08:58 invoked from 65.154.226.100 2020 Jun 24 08:58 invoked from 65.154.226.100 2020 Ju[Removed. Phone #s not permitted]Jun 26 10:17 invoked from 65.154.226.100 2020 Jun 26 10:17 invoked from 65.154.226.100 2020 Jun 28 14:40 renamed the IPN script 2020 Ju[Removed. Phone #s not permitted]Jun 30 15:03 invoked from 65.15[Removed. Phone #s not permitted]Jun 30 15:03 invoked from 65.15[Removed. Phone #s not permitted]Jul 03 1[Removed. Phone #s not permitted]0 Jul 03 18:46 invoked from 65.15[Removed. Phone #s not permitted]Jul 04 18:56 Order 2020 Jul 11 12:38 Order 2020 Jul 11 12:47 invoked from 65.154.226.100 2020 Jul 11 12:47 invoked from 65.154.226.100 Of course, this isn't much of a pattern, and could just be a coincidence. The script is always invoked twice, about four seconds apart. The first from a Windows machine, then from a Linux machine. These are the log entries for the first and latest occurrences. I also noticed that they're GETs and not POSTs that PayPal would use. 65.154.226.100 - - [19/Jun/2020:21:41:28 +0100] "GET /paypalipn.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom[Removed. Phone #s not permitted]Safari/537.36" 65.154.226.100 - - [19/Jun/2020:21:41:32 +0100] "GET /paypalipn.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3904.70 Safari/537.36" 65.154.226.100 - - [11/Jul/2020:12:47:23 +0100] "GET /paypalipnSMS.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom[Removed. Phone #s not permitted]Safari/537.36" 65.154.226.100 - - [11/Jul/2020:12:47:27 +0100] "GET /paypalipnSMS.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3904.70 Safari/537.36" Any ideas what's going on?
... View more