Today I received two abuse report emails from AWS. They say the instance may have been compromised and used for DDoS activity, and ask me to remediate and report back.
Strange. It's just a Lightsail instance in Japan that I spun up to run xrayR, plus an nginx install; no different from my other machines, and it also uses key-based login. No idea what happened, but only this one got the notice.
So I'm asking what the best way to handle this is.
My default plan is to delete it and rebuild a new one.
As for replying, do I reply directly to this email? That's my understanding, but I'm not sure if I've misunderstood, so I'm asking.
** SECOND NOTIFICATION **
Hello,
We have not received a response regarding the abuse report implicating resources on your account. Failure to respond could lead to possible mitigation against the implicated resources.
In order to resolve this report please reply to this email within 24 hours with the corrective action taken to cease the activity.
Required Actions: investigate root cause
AWS Account ID: 042656151160
Implicated Resource(s): 172.x.x.1x7 Public IP: 13.x.x.2x
Lightsail Instance Name: Debian-1
Reported Activity: Botnet
Abuse Time: 8 Aug 2022 09:09:12 GMT
If you require further assistance with resolving this abuse report/complaint please see: https://aws.amazon.com/premiumsupport/knowledge-center/aws-abuse-report/
If you do not consider the activity abusive, please reply to this email detailing the reasons why.
Regards,
AWS Trust & Safety
Case Number: 170775x
--- Original Report ---
Hello,
Please review this important message regarding the security of your AWS account and take action as requested. We have received one or more reports that the following AWS resources:
AWS ID: 0426561x Region: ap-northeast-1 Lightsail Instance Name: Debian-1 Private IP : 172.2x.x.x Public IP: 13.2x.x.x
have been implicated in activity that indicates that it may be infected with malware and may be part of a botnet. We have appended the original report(s) to the end of this email for your review.
Please be aware, operating a host that is a part of a malicious network, or “botnet”, is forbidden per the AWS Acceptable Use Policy (https://aws.amazon.com/aup/).
It is important that you A) stop the reported activity and B) reply directly to this email with details of the corrective actions you have taken.
We recommend you investigate the specified instance(s) for malware and remove any identified malware to stop the reported abusive behavior. Please refer to the AWS Marketplace for partner products that may help identify and remove malware:
https://aws.amazon.com/marketplace/search/results?searchTerms=antivirus&page=1&ref_=nav_search_box
If you are unaware of the source of the reported activity it is likely that your Lightsail instance may have been compromised by an external actor.
The best recourse in this case is to create a new Lightsail instance from a snapshot taken well before this abuse notice was first received, for instructions on creating a new instance from a snapshot see: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/lightsail-how-to-create-instance-from-snapshot
If you do not have such a snapshot, please consider creating a new Lightsail instance from scratch.
To prevent further abuse from your new Lightsail resource(s), AWS Trust & Safety has the following recommendations:
• Review Lightsail documentation on Security best practices: https://lightsail.aws.amazon.com/ls/docs/en_us/search?s=Security%20best%20practice&c=overview
• Ensure that you use strong and complex passwords for administrative access.
• Ensure that you are taking your Lightsail snapshots on a regular basis. Also consider utilizing Automatic Snapshots feature to automate this process: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-configuring-automatic-snapshots
• Ensure latest OS patches and security updates have been applied. If your Lightsail is running a content management platform such as WordPress, also ensure their applications and plugins are kept up to date as much as possible. Any unnecessary applications and plugins should be removed.
• Consider moving administrative access ports, such as TCP 22 or 3389, to non-default ports. Also consider turning off ports assigned for administrative access entirely and turn them back on as needed: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/understanding-firewall-and-port-mappings-in-amazon-lightsail
• Ensure you are monitoring Average CPU Utilization, Incoming Network Traffic, and Outgoing Network Traffic regularly and look for any abnormalities, such as unusual spikes.
Kindly note that security is a shared responsibility between AWS and you. For more information on shared responsibility model, you may go through the below link:
https://aws.amazon.com/compliance/shared-responsibility-model/
Regards,
AWS Trust & Safety
Case Number: 17077580193-1
---Beginning of forwarded report(s)---
* Log Extract:
<<<
Please see the below details of the reported AWS IP talking with a C&C or general use of Botnet Application detection.
Risk Type | Infection | IP address | Source Port | Destination Port | Server Name | C&C IP | C&C Domain | Last Seen
Botnet Infections | Wapomi | 13.231.x.x | 37006 | 799 | ddos.dnsnb8.net | XXX.251.106.25 | 2022-08-04 09:20:44
How can I contact a member of the AWS abuse team or the reporter?
Reply to this email with the original subject line.
Amazon Web Services
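The forwarded report names a C&C host and destination port, and the AWS recommendations ask for regular monitoring of outgoing network traffic for unusual spikes. Before choosing between cleaning and rebuilding, a defender would want to check both on the instance. The script below is an added example, not part of the original post and not AWS's own tooling: it parses a constructed `ss -tnp`-style socket snapshot, matches it against the report's indicators (the masked C&C IP is replaced by a documentation-range placeholder), and flags spikes in a constructed outbound-traffic series using a rolling median so that one spike does not hide the next.

```python
"""Triage helpers for an AWS abuse report like the one quoted above.

Added example, not from the original post or from AWS. All inputs are
constructed; the C&C IP is a placeholder because the report masks it.
"""
from dataclasses import dataclass
from statistics import median
import re

# Indicators taken from the forwarded report; 203.0.113.25 stands in for the
# masked "XXX.251.106.25". The domain is listed for completeness: matching it
# needs resolver or DNS logs, which this snapshot-based check does not cover.
IOCS = {
    "cnc_ips": {"203.0.113.25"},        # placeholder for the masked C&C IP
    "cnc_domains": {"ddos.dnsnb8.net"}, # C&C domain named in the report
    "cnc_ports": {799},                 # destination port from the report
}


@dataclass(frozen=True)
class Conn:
    state: str
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int
    process: str


# One data line of `ss -tnp`: state, recv-q, send-q, local, peer, optional process.
_SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<pip>[\d.]+):(?P<pport>\d+)\s*(?P<proc>.*)$"
)


def parse_ss(text: str) -> list[Conn]:
    """Parse `ss -tnp`-style output; the header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _SS_LINE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(m["state"], m["lip"], int(m["lport"]),
                          m["pip"], int(m["pport"]), m["proc"].strip()))
    return conns


def match_iocs(conns, iocs=IOCS):
    """Return (conn, severity, reason) for each connection touching an indicator.
    A peer-IP hit is 'high'; a port-only hit is 'low' (port 799 alone is weak)."""
    hits = []
    for c in conns:
        if c.peer_ip in iocs["cnc_ips"]:
            hits.append((c, "high", f"peer {c.peer_ip} is a reported C&C address"))
        elif c.peer_port in iocs["cnc_ports"]:
            hits.append((c, "low", f"outbound to reported C&C port {c.peer_port}"))
    return hits


def spike_indices(series, window=5, factor=5.0, floor=0.0):
    """Indices whose value exceeds `factor` x the median of the preceding `window`
    samples (and `floor`). The median keeps one spike from masking the next."""
    flagged = []
    for i in range(window, len(series)):
        baseline = median(series[i - window:i])
        if series[i] > max(floor, factor * baseline):
            flagged.append(i)
    return flagged


# Constructed snapshot: two nginx client sockets plus one outbound socket shaped
# like the report's row (source port 37006 -> port 799) owned by an odd process.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port     Peer Address:Port   Process
ESTAB  0      0      172.26.1.107:443       198.51.100.7:52344  users:(("nginx",pid=812,fd=9))
ESTAB  0      0      172.26.1.107:443       198.51.100.9:41120  users:(("nginx",pid=812,fd=11))
ESTAB  0      0      172.26.1.107:37006     203.0.113.25:799    users:(("x",pid=4471,fd=3))
"""

# Constructed "Outgoing Network Traffic" samples, MB per 5-minute period.
SAMPLE_NET_OUT = [1.2, 1.1, 1.3, 1.0, 1.2, 1.1, 18.5, 22.0, 1.2]


def triage():
    """Run both checks over the constructed inputs; returns (ioc_hits, spike_indices)."""
    return match_iocs(parse_ss(SAMPLE_SS)), spike_indices(SAMPLE_NET_OUT)


if __name__ == "__main__":
    hits, spikes = triage()
    for c, sev, why in hits:
        print(f"[{sev}] {c.local_ip}:{c.local_port} -> {c.peer_ip}:{c.peer_port} {c.process}: {why}")
    print("outbound traffic spikes at periods:", spikes)
```

On a real instance the snapshot would come from `ss -tnp` run as root (so the process column is populated) and the traffic series from the Lightsail metrics graph or CloudWatch. A "high" hit confirms the report rather than clears the host; the sensible next step is the one AWS itself recommends, rebuilding from a clean snapshot or from scratch, since a process that talks to a C&C address usually has persistence elsewhere on the box.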
Hot replies
Recommended reply: toot 2022-8-9 23:33:22
Install things manually as much as possible; scripts aren't good. Even if there's no trojan, the system will have leftovers, and that's bad for a production environment over time.
Recommended reply: 北极之大 2022-8-9 23:32:38
I just ignore them.
#4 mmedici 2022-8-10 08:10:20
Check it. I'd suggest deleting and rebuilding.
#5 叼爆小朋友 2022-8-10 08:59:43
Just burn through traffic as hard as you can and ignore them; it's a monthly throwaway anyway.
#6 sunkeinfo 2022-8-10 09:10:16
I'm an AWS expert, let me answer this.
First, you must immediately delete the machine that got the warning.
Second, do NOT reply to that email.
After 24 hours you'll get an email saying "Issue resolved".
===================================
Do not try to communicate, and do not ignore it. The consequences are more terrible than you can imagine.
#7 CARY. 2022-8-10 10:31:44
I'm an AWS expert, let me answer this.
First, you must immediately delete the machine that got the warning.
Why? Why can't you reply?
#8 花开花败 2022-8-10 10:52:19
I'm an AWS expert, let me answer this.
First, you must immediately delete the machine that got the warning.
Why? What happens if you ignore it?
#9 chen0 15 minutes ago
Yeah. Last time, after reading the replies here, I dealt with it and replied,
saying in English that I was going to delete it.
They emailed back asking me to notify them after deleting; I deleted it and notified them.
Then they thanked me and said it was resolved.
Mine is Lightsail, so I can't just throw it away every month.
#10 lnx 6 minutes ago
Delete and reinstall, and you're fine.