嘟嘟社区

[US VPS] AWS sent me an abuse report


Today I received two abuse report emails from AWS. They say the instance may have been compromised and used for DDoS activity, and ask me to remediate and reply.
Strange. It's just a Lightsail box in Japan that I set up to run XrayR, plus an nginx install; it's no different from my other machines, and it also uses key-based login. No idea what happened, and only this one got flagged.
So I'm asking what the best way to handle this is.
My default plan is to delete it and rebuild a new one.
For the reply, do I just reply directly to this email? That's my understanding, but I'm not sure whether I've misread it, so I'm asking.
** SECOND NOTIFICATION **

Hello,

We have not received a response regarding the abuse report implicating resources on your account. Failure to respond could lead to possible mitigation against the implicated resources.

In order to resolve this report please reply to this email within 24 hours with the corrective action taken to cease the activity.

Required Actions: investigate root cause

AWS Account ID: 042656151160
Implicated Resource(s): 172.x.x.1×7
Public IP: 13.x.x.2x
Lightsail Instance Name: Debian-1
Reported Activity: Botnet
Abuse Time: 8 Aug 2022 09:09:12 GMT

If you require further assistance with resolving this abuse report/complaint please see: https://aws.amazon.com/premiumsupport/knowledge-center/aws-abuse-report/

If you do not consider the activity abusive, please reply to this email detailing the reasons why.

Regards,
AWS Trust & Safety

Case Number: 170775x

— Original Report —

Hello,

Please review this important message regarding the security of your AWS account and take action as requested. We have received one or more reports that the following AWS resources:

AWS ID: 0426561x
Region: ap-northeast-1
Lightsail Instance Name: Debian-1
Private IP: 172.2x.x.x
Public IP: 13.2x.x.x

have been implicated in activity that indicates that it may be infected with malware and may be part of a botnet. We have appended the original report(s) to the end of this email for your review.

Please be aware, operating a host that is a part of a malicious network, or “botnet”, is forbidden per the AWS Acceptable Use Policy (https://aws.amazon.com/aup/).

It is important that you A) stop the reported activity and B) reply directly to this email with details of the corrective actions you have taken.

We recommend you investigate the specified instance(s) for malware and remove any identified malware to stop the reported abusive behavior. Please refer to the AWS Marketplace for partner products that may help identify and remove malware:

https://aws.amazon.com/marketplace/search/results?searchTerms=antivirus&page=1&ref_=nav_search_box

If you are unaware of the source of the reported activity it is likely that your Lightsail instance may have been compromised by an external actor.

The best recourse in this case is to create a new Lightsail instance from a snapshot taken well before this abuse notice was first received, for instructions on creating a new instance from a snapshot see: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/lightsail-how-to-create-instance-from-snapshot

If you do not have a such snapshot, please consider creating a new Lightsail instance from scratch.

To prevent further abuse from your new Lightsail resource(s), AWS Trust & Safety has the following recommendations:

• Review Lightsail documentations on Security best practices: https://lightsail.aws.amazon.com/ls/docs/en_us/search?s=Security%20best%20practice&c=overview

• Ensure that you use strong and complex passwords for administrative access.

• Ensure that you are taking your Lightsail snapshots on a regular basis. Also consider utilizing Automatic Snapshots feature to automate this process: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-configuring-automatic-snapshots

• Ensure latest OS patches and security updates have been applied. If your Lightsail is running a content management platform such as WordPress, also ensure their applications and plugins are kept up to date as much as possible. Any unnecessary applications and plugins should be removed.

• Consider moving administrative access ports, such as TCP 22 or 3389, to non-default ports. Also consider turning off ports assigned for administrative access entirely and turn them back on as needed: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/understanding-firewall-and-port-mappings-in-amazon-lightsail

• Ensure you are monitoring Average CPU Utilization, Incoming Network Traffic, and Outgoing Network Traffic regularly and look for any abnormalities, such as unusual spikes.

Kindly note that security is a shared responsibility between AWS and you. For more information on shared responsibility model, you may go through the below link:

https://aws.amazon.com/compliance/shared-responsibility-model/

Regards,
AWS Trust & Safety

Case Number: 17077580193-1

—Beginning of forwarded report(s)—

* Log Extract:
<<<
Please see the below details of the reported AWS IP talking with a C&C or general use of Botnet Application detection.

Risk Type: Botnet Infections
Infection: Wapomi
IP address: 13.231.x.x
Source Port: 37006
Destination Port: 799
Server Name: ddos.dnsnb8.net
C&C IP: XXX.251.106.25
C&C Domain: (empty)
Last Seen: 2022-08-04 09:20:44
How can I contact a member of the AWS abuse team or the reporter?
Reply to this email with the original subject line.
Amazon Web Services

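A triage helper, added here as an example and not part of the original post or of any AWS tooling: it parses the "Log Extract" row quoted in the forwarded report into fields, then checks `ss -tn` output and a dnsmasq query log from the instance for contact with the reported C&C endpoint, which is the evidence a reply to AWS should cite. The private IP, the 203.0.113.25 stand-in for the redacted C&C address, and the socket and DNS log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Row quoted in the report above; the forum post redacts the C&C IP as
# "XXX.251.106.25", so a documentation-range placeholder is assumed here.
SAMPLE_ROW = ("Botnet Infections    Wapomi    13.231.x.x    37006    799    "
              "ddos.dnsnb8.net    203.0.113.25        2022-08-04 09:20:44")

# Constructed `ss -tn` output and dnsmasq query log, assumed for the instance.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      172.26.0.7:22       198.51.100.9:51234
ESTAB  0      0      172.26.0.7:37006    203.0.113.25:799"""
SAMPLE_DNS = """Aug  4 09:20:31 debian-1 dnsmasq[412]: query[A] deb.debian.org from 127.0.0.1
Aug  4 09:20:40 debian-1 dnsmasq[412]: query[A] ddos.dnsnb8.net from 127.0.0.1"""


@dataclass
class ReportRow:
    risk_type: str
    infection: str
    ip: str
    src_port: int
    dst_port: int
    server_name: str
    cc_ip: str
    cc_domain: str
    last_seen: str


def parse_row(line: str) -> ReportRow:
    """Split one report row on runs of two or more spaces. The C&C Domain
    column is empty in the quoted report, so an 8-field row gets an empty domain."""
    fields = re.split(r"\s{2,}", line.strip())
    if len(fields) == 8:
        fields.insert(7, "")
    if len(fields) != 9:
        raise ValueError(f"expected 9 columns, got {len(fields)}")
    risk, infection, ip, sport, dport, server, cc_ip, cc_domain, seen = fields
    return ReportRow(risk, infection, ip, int(sport), int(dport),
                     server, cc_ip, cc_domain, seen)


def find_cc_contact(row: ReportRow, ss_lines: list, dns_lines: list) -> dict:
    """Collect sockets whose peer is the reported C&C IP:port and resolver-log
    lines naming the reported server, so the reply to AWS can cite evidence."""
    peer = f"{row.cc_ip}:{row.dst_port}"
    sockets = [line for line in ss_lines if peer in line.split()]
    names = {row.server_name.lower(), row.cc_domain.lower()} - {""}
    lookups = [line for line in dns_lines if any(n in line.lower() for n in names)]
    return {"sockets": sockets, "lookups": lookups, "suspicious": bool(sockets or lookups)}
```

A hit in either list means the instance itself was talking to the reported endpoint, which supports rebuilding from a clean snapshot rather than just replying that nothing was found.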

I just ignore them.
Install things manually as far as possible; scripts are no good. Even if there's no trojan, they leave leftovers on the system, which is bad for a production environment over time.