(Have you opened an AWS Abuse case?)
It appears that your EC2 instance has been flagged for potentially attempting to access remote hosts on the internet without authorization. This could be due to unauthorized access by an external attacker or a vulnerability that is allowing your machine to be used in an unintended way.
The log extract you received shows that there have been multiple intrusion attempts detected from the IP address XX.XX.XX.XX, which has triggered a fail2ban filter that has banned that IP address. This suggests that your instance may have been compromised, and it is important to investigate this further to ensure the security of your AWS environment.
To address this issue, you should take the following steps:
1. Review your EC2 instance logs: Start by reviewing the logs for your EC2 instance to identify any unusual or suspicious activity. This can help you determine if your instance has been compromised and what steps you need to take to address the issue. You can access the logs from the EC2 console or via SSH.
2. Scan your instance for malware and vulnerabilities: Use a tool like AWS Inspector or a third-party vulnerability scanner to scan your instance for malware and vulnerabilities. This can help you identify any security risks that need to be addressed.
3. Secure your instance: Once you have identified any vulnerabilities or malware on your instance, take steps to secure it. This may involve updating software and patching vulnerabilities, implementing access controls, and disabling unused services and ports.
4. Contact Amazon SES support: If you are using Amazon SES for transactional emails, you should contact Amazon SES support to report the abuse complaint and investigate any potential unauthorized use of your account.
5. Report the abuse complaint: Finally, you should report the abuse complaint to the appropriate authorities, including AWS abuse and your internet service provider (ISP), if applicable.
By taking these steps, you can address the issue and ensure the security of your AWS environment.
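One way to check the abuse report against your own network records, as an added example that is not part of the original answer: the script below groups the flows an instance sent by destination port and reports ports on which it reached many distinct remote hosts, which is the pattern a remote fail2ban ban implies. It assumes VPC Flow Logs are enabled for the instance's network interface in the default (version 2) format; the sample records, IP addresses and the function names `parse` and `outbound_fanout` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, default VPC Flow Logs (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE = """\
2 123456789012 eni-0abc 10.0.1.25 198.51.100.7 44122 22 6 12 1800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.25 198.51.100.8 44130 22 6 10 1500 1700000005 1700000065 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.25 203.0.113.5 44140 22 6 11 1650 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.25 203.0.113.9 44150 22 6 9 1350 1700000020 1700000080 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.25 192.0.2.10 50210 443 6 20 9000 1700000030 1700000090 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.25 192.0.2.50 22 51544 6 30 4000 1700000040 1700000100 ACCEPT OK
2 123456789012 eni-0abc 192.0.2.50 10.0.1.25 51544 22 6 28 3900 1700000040 1700000100 ACCEPT OK
2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse(line):
    """Return one flow record as a dict, or None for NODATA/SKIPDATA/malformed lines."""
    f = line.split()
    if len(f) != 14 or f[13] != "OK":
        return None
    return {"src": f[3], "dst": f[4], "dstport": int(f[6]), "proto": int(f[7]),
            "start": int(f[10]), "end": int(f[11]), "action": f[12]}

def outbound_fanout(text, instance_ip, min_dests=3):
    """Group flows sent by instance_ip by (protocol, dstport) and keep the
    groups that reached at least min_dests distinct remote hosts."""
    groups = defaultdict(lambda: {"dests": set(), "first": None, "last": None})
    for rec in filter(None, map(parse, text.splitlines())):
        if rec["src"] != instance_ip:
            continue  # inbound traffic to the instance is not what the report is about
        g = groups[(rec["proto"], rec["dstport"])]
        g["dests"].add(rec["dst"])
        g["first"] = rec["start"] if g["first"] is None else min(g["first"], rec["start"])
        g["last"] = rec["end"] if g["last"] is None else max(g["last"], rec["end"])
    # Replies to inbound sessions go to scattered ephemeral ports, so they
    # form single-host groups and fall below the threshold.
    return {k: {"dests": sorted(v["dests"]), "first": v["first"], "last": v["last"]}
            for k, v in groups.items() if len(v["dests"]) >= min_dests}

if __name__ == "__main__":
    for (proto, port), hit in outbound_fanout(SAMPLE, "10.0.1.25").items():
        print(f"proto {proto} dstport {port}: {len(hit['dests'])} hosts, "
              f"window {hit['first']}..{hit['last']}")
```

The reported time window gives you the range to search in the instance's own logs for the process or login responsible.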