Hi
This is an outgoing connection from your server, so you need to look on your servers and check there. Port 500/UDP looks like some scanning from your side for IPSec connections. If you are not sure, maybe collect Flow Logs and check which server/device that you manage on AWS is trying to make this connection. By default all outgoing connections from servers to the Internet are open by SG or NACL, so maybe it's worth doing some hardening there? Many people focus on incoming connections being secure, but what we allow as outgoing connections is also important.
Thanks,
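The check Marcin suggests, as an added example that is not part of any reply in this thread: parse VPC Flow Log records (default version-2 format) and count, per network interface and source address, the accepted UDP/500 flows leaving the VPC toward outside addresses. The log lines are constructed, and the VPC CIDR `10.0.0.0/16` is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the default VPC Flow Log (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status   (protocol 17 = UDP, 6 = TCP)
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.7 51234 500 17 3 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.9 51235 500 17 3 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.8 51236 500 17 3 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.2.40 10.0.1.25 44000 500 17 2 800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.2.40 203.0.113.50 44001 443 6 10 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 51237 500 17 1 400 1700000000 1700000060 REJECT OK
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumed VPC address range; anything outside it is treated as "the Internet".
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")


def parse_flow_log(text):
    """Yield one dict per well-formed record; skip malformed and NODATA/SKIPDATA lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            yield rec


def egress_to_internet(records, dst_port, protocol="17"):
    """Count ACCEPTed flows per (interface, source IP) that leave the VPC on the
    given destination port/protocol. Intra-VPC flows and REJECTed flows are ignored,
    so the result points at the instance that is actually reaching out."""
    hits = Counter()
    for rec in records:
        if rec["action"] != "ACCEPT" or rec["protocol"] != protocol:
            continue
        if rec["dstport"] != str(dst_port):
            continue
        if ipaddress.ip_address(rec["dstaddr"]) not in VPC_CIDR:
            hits[(rec["interface_id"], rec["srcaddr"])] += 1
    return hits


if __name__ == "__main__":
    for (eni, src), n in egress_to_internet(parse_flow_log(SAMPLE_FLOW_LOGS), 500).items():
        print(f"{eni} {src}: {n} accepted UDP/500 flows to addresses outside the VPC")
```

The interface ID in the output maps back to the instance via the EC2 console or `describe-network-interfaces`, which is the server to inspect and whose security group egress rules to tighten.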
In addition to what Marcin has said, please engage with that e-mail that you have received. You need to actively reply to the email and indicate that you are looking into the issue, else they may take steps to isolate your account under the AUP violation.
We have replied to that email and closed all the outgoing connections.
Thanks for the reply, I will look for outgoing connections on my server. It's our cPanel instance on AWS.
It is possible that someone is exploiting a vulnerability in cPanel or code uploaded via cPanel.
Yes, our Linux server is infected with {MD5}PHP.Spammer.cookie_email_send_id_gen_md5_4640, {SA-MD5}PHP.Backdoor.orvxshell_v2, {SA-SNIPPET} PHP.Backdoor.wpincl, and {SA-MD5}PHP.Backdoor.FXTHRHqgMI. Our security plugin removes it, but it comes back.
Thanks for solving our issue