
[**VPS] AWS sent me an abuse report

User chen0 wrote:

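Today I received two abuse report emails from AWS. They say the instance may have been compromised and used for DDoS activity, and they want me to fix it and report back.
Strange. All I did was spin up a ** machine on AWS Lightsail to run XrayR, and then install nginx. It's no different from my other machines, and it also uses key-based login. I don't know what happened; only this ** one is abnormal.
So I'm asking here what the best way to handle this is.
My default plan is to delete it and rebuild a new one.
As for replying, do I just reply directly to this email? That's my understanding, but I'm not sure whether I've misunderstood, so I'm asking.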
,,,,
** SECOND NOTIFICATION **

Hello,

We have not received a response regarding the abuse report implicating resources on your account. Failure to respond could lead to possible mitigation against the implicated resources.

In order to resolve this report please reply to this email within 24 hours with the corrective action taken to cease the activity.

Required Actions: investigate root cause

AWS Account ID: 042656151160
Implicated Resource(s): 172.x.x.1×7 Public IP: 13.x.x.2x
Lightsail Instance Name: Debian-1
Reported Activity: Botnet
Abuse Time: 8 Aug 2022 09:09:12 UTC

If you require further assistance with resolving this abuse report/complaint please see: https://aws.amazon.com/premiumsupport/knowledge-center/aws-abuse-report/

If you do not consider the activity abusive, please reply to this email detailing the reasons why.

Regards,
AWS Trust & Safety

Case Number: 170775x

— Original Report —

Hello,

Please review this important message regarding the security of your AWS account and take action as requested. We have received one or more reports that the following AWS resources:

AWS ID: 0426561x    Region: ap-northeast-1    Lightsail Instance Name: Debian-1 Private IP : 172.2x.x.x Public IP: 13.2x.x.x

have been implicated in activity that indicates that it may be infected with malware and may be part of a botnet. We have appended the original report(s) to the end of this email for your review.

Please be aware, operating a host that is a part of a malicious network, or “botnet”, is forbidden per the AWS Acceptable Use Policy (https://aws.amazon.com/aup/).

It is important that you A) stop the reported activity and B) reply directly to this email with details of the corrective actions you have taken.

We recommend you investigate the specified instance(s) for malware and remove any identified malware to stop the reported abusive behavior. Please refer to the AWS Marketplace for partner products that may help identify and remove malware:

https://aws.amazon.com/marketplace/search/results?searchTerms=antivirus&page=1&ref_=nav_search_box

If you are unaware of the source of the reported activity it is likely that your Lightsail instance may have been compromised by an external actor.

The best recourse in this case is to create a new Lightsail instance from a snapshot taken well before this abuse notice was first received, for instructions on creating a new instance from a snapshot see: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/lightsail-how-to-create-instance-from-snapshot

If you do not have such a snapshot, please consider creating a new Lightsail instance from scratch.

To prevent further abuse from your new Lightsail resource(s), AWS Trust & Safety has the following recommendations:

• Review Lightsail documentations on Security best practices: https://lightsail.aws.amazon.com/ls/docs/en_us/search?s=Security%20best%20practice&c=overview

• Ensure that you use strong and complex passwords for administrative access.

• Ensure that you are taking your Lightsail snapshots on a regular basis. Also consider utilizing Automatic Snapshots feature to automate this process: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-configuring-automatic-snapshots

• Ensure latest OS patches and security updates have been applied. If your Lightsail is running a content management platform such as Wordpress, also ensure their applications and plugins are kept up to date as much as possible. Any unnecessary applications and plugins should be removed.

• Consider moving administrative access ports, such as TCP 22 or 3389, to non-default ports. Also consider turning off ports assigned for administrative access entirely and turn them back on as needed: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/understanding-firewall-and-port-mappings-in-amazon-lightsail

• Ensure you are monitoring Average CPU Utilization, Incoming Network Traffic, and Outgoing Network Traffic regularly and look for any abnormalities, such as unusual spikes.

Kindly note that security is a shared responsibility between AWS and you. For more information on shared responsibility model, you may go through the below link:

https://aws.amazon.com/compliance/shared-responsibility-model/

Regards,
AWS Trust & Safety

Case Number: 17077580193-1

—Beginning of forwarded report(s)—

* Log Extract:
<<<
Please see the below details of the reported AWS IP talking with a C&C or general use of Botnet Application detection.

Risk Type    Infection    IP address    Source Port    Destination Port    Server Name    C&C IP    C&C Domain    Last Seen

Botnet Infections    Wapomi    13.231.x.x    37006    799    ddos.dnsnb8.net    XXX.251.106.25        2022-08-04 09:20:44
How can I contact a member of the AWS abuse team or the reporter?
Reply to this email with the original subject line.
Amazon Web Services

Amazon Web Services LLC is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message produced and distributed by Amazon Web Services, LLC, 410 Terry Avenue North, Seattle, WA 98109-5210
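
The forwarded log extract gives enough detail (source port 37006, destination port 799, server name ddos.dnsnb8.net, partly masked C&C IP) to look for the responsible process before the instance is deleted. The following is an added example, not part of the original post or of the AWS email: it parses the report row and matches it against a constructed `ss -tnp` capture; all addresses, PIDs and process names in the sample are made up.

```python
import re

# Row copied from the forwarded report on this page (first C&C octet is masked there).
REPORT_ROW = ("Botnet Infections    Wapomi    13.231.x.x    37006    799    "
              "ddos.dnsnb8.net    XXX.251.106.25        2022-08-04 09:20:44")

# Constructed `ss -tnp` capture; addresses, PIDs and process names are made up.
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 172.26.0.5:22 198.51.100.7:51544 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 172.26.0.5:37006 192.0.2.44:799 users:(("kworkerd",pid=2291,fd=3))
ESTAB 0 0 172.26.0.5:443 203.0.113.9:40112 users:(("nginx",pid=640,fd=12))
"""

def parse_report_row(row):
    """Split the row on runs of 2+ spaces; the empty C&C Domain column collapses."""
    f = re.split(r"\s{2,}", row.strip())
    if len(f) < 8:
        raise ValueError("unexpected report row: %r" % row)
    return {"infection": f[1], "src_port": int(f[3]), "dst_port": int(f[4]),
            "server_name": f[5], "cc_ip_mask": f[6], "last_seen": f[-1]}

def ip_matches_mask(mask, ip):
    """Compare an IP against a partly masked one, where 'XXX' or 'x' hides an octet."""
    m, parts = mask.split("."), ip.split(".")
    return len(m) == len(parts) == 4 and all(
        a.lower() in ("x", "xxx") or a == b for a, b in zip(m, parts))

def find_suspects(report, ss_text):
    """Return (process, pid, peer) for sockets whose peer matches the report."""
    hits = []
    for line in ss_text.splitlines()[1:]:          # skip the header line
        cols = line.split()
        if len(cols) < 5:
            continue
        peer_ip, _, peer_port = cols[4].rpartition(":")
        if not peer_port.isdigit():
            continue
        if (int(peer_port) == report["dst_port"]
                or ip_matches_mask(report["cc_ip_mask"], peer_ip)):
            proc = re.search(r'\("([^"]+)",pid=(\d+)', cols[5] if len(cols) > 5 else "")
            hits.append((proc.group(1), int(proc.group(2)), cols[4]) if proc
                        else (None, None, cols[4]))
    return hits

if __name__ == "__main__":
    for name, pid, peer in find_suspects(parse_report_row(REPORT_ROW), SS_SAMPLE):
        print("suspect socket: %s (pid %s) -> %s" % (name, pid, peer))
```

On a live host the capture would come from `ss -tnp` run as root, since process names are otherwise hidden for sockets owned by other users.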

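User toot wrote:

Install things manually whenever possible; scripts are not good. Even if there is no trojan, ** will still leave residue, which is bad for a production environment over the long run.

User 北极之大 wrote:

I just ignore them.

User mmedici wrote:

** it. I recommend deleting the machine and rebuilding.

User 叼爆小朋友 wrote:

Just burn through the traffic and ignore them; it's a monthly throwaway anyway.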

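User sunkeinfo wrote:

I'm an AWS expert; let me answer this question.

First, you must immediately delete the machine that was flagged.
Second, whatever you do, do not reply to this email.
After 24 hours you will receive an email saying "Issue resolved".

===================================
Never try to communicate, and never just ignore it. The consequences are more frightening than you can imagine.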

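User CARY. wrote:

sunkeinfo posted on 2022-8-9 15:10
I'm an AWS expert; let me answer this question.

First, you must immediately delete the machine that was flagged.

User 花开花败 wrote:

sunkeinfo posted on 2022-8-10 09:10
I'm an AWS expert; let me answer this question.

First, you must immediately delete the machine that was flagged.
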
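User chen0 wrote:

Yes. After reading the replies here last time, I dealt with it and replied,
saying in English that I was going to delete it.
They emailed back asking me to ** them after deleting, so I deleted it and ** them.
**, they thanked me and said the case was closed.
Mine is Lightsail, so I can't treat it as a monthly throwaway.

User lnx wrote:

Delete and reinstall, and you're OK.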
