How to Investigate Reported Abuse-Related Portscan/Malware/Intrusion Attempts(?)


Good morning,

We have just received the below from AWS regarding one of our Amazon Linux-based webservers. Upon connecting to the host we can't find any evidence of a GET request to the Netherlands (.nl) hosts shown in the log from AWS below.

  • How can we best check for evidence that this specific activity was outgoing from this server?

  • How can we validate whether this host has been rooted or if it was accessed via webshell or injection?

  • Thank you in advance to any willing to help!

AWS Notice below:


Source IP: [AWS SERVER IP-REDACTED]
Targeted host: tpc-043.mach3builders.nl
Issue processed @: 2024-02-25T17:45:11+01:00
Log entry: [AWS SERVER IP-REDACTED] - - [25/Feb/2024:17:45:02 +0100] "GET /wp-admin/includes/plugins.php HTTP/1.1" 301 539 "modice.nl" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" [VirtualHost: www[.]modice[.]nl]

Comments: <<< Date: 2024-02-25T17:45:11+01:00 Source: [AWS SERVER IP-REDACTED] Type of Abuse: Portscan/Malware/Intrusion Attempts Logs: [AWS SERVER IP-REDACTED] - - [25/Feb/2024:17:45:02 +0100] "GET /wp-admin/includes/plugins.php HTTP/1.1" 301 539 "modice.nl" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" [VirtualHost: www[.]modice[.]nl]

To whom it may concern, [AWS SERVER IP-REDACTED] is reported to you for performing unwanted activities toward our server(s).

1 Answer

Hello,

Q. How can we best check for evidence that this specific activity was outgoing from this server? How can we validate whether this host has been rooted or if it was accessed via webshell or injection? => You will need to check application and OS-level logs for this; only logs can help here. Also, if you have VPC flow logs enabled, you can check those as well.

Additionally, I would like to inform you that AWS takes the security and privacy of its customers very seriously, due to which issues of security and abuse are handled directly by our abuse team. Thus, we request that you reach out to the abuse team by replying to the abuse report you have received, or else you can contact AWS Trust & Safety at abuse@amazonaws.com, as they will be in a better position to help you regarding abuse.

NOTE - Please make sure you share abuse-related data on the abuse mail only, as this post is public and sharing data here can cause a security issue.

AWS
SUPPORT ENGINEER
answered 2 months ago
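As an added example (not part of the question or of the AWS answer) of the VPC flow log check the answer points to: it takes the timestamp from the report's access-log line, converts the +0100 offset into the UTC epoch seconds that flow logs use, and lists flows from the instance to web ports whose capture interval overlaps a window around that moment. The instance IP is redacted in the report, so a documentation-range placeholder is assumed, and the flow log records are constructed.

```python
import re
from datetime import datetime, timedelta

# Log line from the abuse report. The report redacts the instance IP, so a
# documentation-range placeholder (constructed, not the real address) stands in.
REPORT_ENTRY = ('198.51.100.23 - - [25/Feb/2024:17:45:02 +0100] '
                '"GET /wp-admin/includes/plugins.php HTTP/1.1" 301 539 "modice.nl"')

# Constructed VPC flow log records in the default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status   (start/end are UTC epoch seconds)
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0abc 198.51.100.23 203.0.113.10 51234 80 6 12 2048 1708879440 1708879560 ACCEPT OK
2 123456789012 eni-0abc 203.0.113.77 198.51.100.23 44321 443 6 30 9000 1708879440 1708879560 ACCEPT OK
2 123456789012 eni-0abc 198.51.100.23 203.0.113.10 51240 80 6 3 300 1708883100 1708883160 ACCEPT OK
2 123456789012 eni-0abc - - - - - - - 1708883100 1708883160 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_report_timestamp(entry):
    """Pull the '[25/Feb/2024:17:45:02 +0100]' stamp out of an access-log line
    and return it as a timezone-aware datetime (the +0100 offset is kept)."""
    m = re.search(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]", entry)
    if not m:
        raise ValueError("no access-log timestamp found in report entry")
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def parse_flow_records(text):
    """Split default-format flow log lines into dicts with numeric ports/times;
    NODATA/SKIPDATA records carry '-' fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def outbound_web_flows_near(records, instance_ip, when, window=timedelta(minutes=10)):
    """Flows leaving instance_ip toward port 80/443 whose [start, end] interval
    overlaps [when - window, when + window]. Flow logs aggregate over minutes,
    so interval overlap, not an exact second, is the right comparison."""
    lo, hi = (when - window).timestamp(), (when + window).timestamp()
    return [r for r in records
            if r["srcaddr"] == instance_ip and r["dstport"] in (80, 443)
            and r["start"] <= hi and r["end"] >= lo]
```

A matching outbound flow only corroborates the report; the web server and OS logs on the host are still what identify the process behind it.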
