AWS Abuse Email


We've received a report(s) that your AWS resource(s) has been implicated in activity which resembles attempts to access remote hosts on the internet without authorization. Activity of this nature is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We've included the original report below for your review.

**---Beginning of forwarded report(s)---**

  • Log Extract:

    From: Time: Mar 23 21:02:32 Message: AAA user authentication Rejected : reason = User was not found : local database : user = james : user IP = Source IP (Server IP)

    Continuously, until I blocked the IP ranges: Time: Mar 23 21:12:50 Message: AAA user authentication Rejected : reason = User was not found : local database : user = james : user IP = Source IP (Server IP)

    Source IP xxxxx Destination IP 209.34.142.141 UDP port 500 Time: Mar 23 21:02:32 PT, and several minutes prior.


I have searched the Security Group inbound rules and my server's settings but haven't located UDP port 500. The source IP is our server's, but the destination IP is not. Can anyone help me solve this matter?

2 Answers
Accepted Answer

Hi

This is an outgoing connection from your server, so you need to look at your servers and check there. Port 500/UDP looks like some scanning from your side for IPsec connections. If you are not sure, maybe collect Flow Logs and check which server/device that you manage on AWS is trying to make this connection. By default all outgoing connections from servers to the Internet are open in the SG or NACL; maybe it's worth doing some hardening there? Many people focus on securing incoming connections, but what we allow as outgoing connections is also important.

Thanks,

answered a month ago
reviewed a month ago (EXPERT)
  • Thanks for the reply, I will look for outgoing connections on my server. It's our cPanel instance on AWS.

  • It is possible that someone is exploiting a vulnerability in cPanel or code uploaded via cPanel.

  • Yes, our Linux server is infected with {MD5}PHP.Spammer.cookie_email_send_id_gen_md5_4640, {SA-MD5}PHP.Backdoor.orvxshell_v2, {SA-SNIPPET} PHP.Backdoor.wpincl, and {SA-MD5}PHP.Backdoor.FXTHRHqgMI. Our security plugin removes it but it comes back.

  • Thanks for solving our issue
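The accepted answer recommends collecting VPC Flow Logs to find which server is generating the UDP/500 (IKE, the port used to negotiate IPsec) traffic. The script below is an added example, not code from the thread or from AWS: it parses records in the default version-2 Flow Log format (14 space-separated fields) and reports every ENI/source-address pair that sent UDP/500 to several distinct destinations, which is what a scan looks like and what a single legitimate VPN peer does not. The records are constructed sample data; the `min_targets` threshold is an assumption.

```python
"""Who is sending IKE (UDP/500) out of my VPC? Walk VPC Flow Log records and report
the ENI/source-address pairs that hit many distinct destinations on UDP/500.

Added example, not from the original thread. Assumes the default v2 Flow Log record
format (14 space-separated fields). The records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Default v2 record layout, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
IKE_PORT = 500      # ISAKMP/IKE, used to negotiate IPsec
PROTO_UDP = 17      # IANA protocol number for UDP


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; return None for malformed, NODATA or SKIPDATA rows
    (those carry '-' in the address and port fields)."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["dstport"]), int(rec["protocol"]), rec["action"])


def ike_fanout(lines: Iterable[str], min_targets: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Map (interface_id, srcaddr) -> sorted distinct destinations for sources that
    reached at least `min_targets` hosts on UDP/500 (threshold is an assumption).
    Only ACCEPTed flows count: a REJECT means the security group or NACL already
    dropped the packet, and a single destination is a VPN peer, not a scan."""
    targets = defaultdict(set)
    for line in lines:
        r = parse_record(line)
        if r is None or r.action != "ACCEPT":
            continue
        if r.protocol == PROTO_UDP and r.dstport == IKE_PORT:
            targets[(r.interface_id, r.srcaddr)].add(r.dstaddr)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


# Constructed sample: eni-...0001 sprays IKE at four hosts, eni-...0002 talks to one
# VPN peer plus HTTPS, eni-...0003 is already blocked, and the last row is a NODATA filler.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 203.0.113.7 43121 500 17 4 1024 1679626952 1679627012 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 203.0.113.9 43121 500 17 4 1024 1679626952 1679627012 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 198.51.100.3 43121 500 17 4 1024 1679626952 1679627012 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 198.51.100.44 43121 500 17 4 1024 1679626952 1679627012 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.40 203.0.113.7 51000 500 17 2 512 1679626952 1679627012 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.40 198.51.100.10 51002 443 6 20 9000 1679626952 1679627012 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60003 10.0.1.60 203.0.113.7 50000 500 17 1 200 1679626952 1679627012 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60003 - - - - - - - 1679626952 1679627012 - NODATA
"""

if __name__ == "__main__":
    for (eni, src), dsts in ike_fanout(SAMPLE_RECORDS.splitlines()).items():
        print(f"{eni} ({src}) sent UDP/500 to {len(dsts)} hosts: {', '.join(dsts)}")
```

Note that `srcaddr` in the default format is the ENI's private address, not the public IP quoted in the abuse report, so match on the interface rather than on the reported IP. Once an ENI is flagged, `aws ec2 describe-network-interfaces --network-interface-ids eni-...` gives the attached instance, and on the instance itself `ss -uanp` (run as root) shows which process owns any open UDP sockets.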


In addition to what Marcin has said, please engage with the e-mail that you have received. You need to actively reply to the email and indicate that you are looking into the issue; otherwise they may take steps to isolate your account under the AUP violation.

AWS EXPERT
answered a month ago
reviewed a month ago (EXPERT)
  • We have replied to that email and closed all the outgoing connections.
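The accepted answer points out that the default security group egress rule allows everything, and the asker reports having closed the outgoing connections. As an added example (not code from the thread or from AWS), the functions below audit a security group's egress rules for a world-open rule and build a minimal replacement allow-list. The input has the shape of `ec2.describe_security_groups()['SecurityGroups']` and the output the shape `ec2.authorize_security_group_egress(IpPermissions=...)` accepts, but no API call is made: the groups are constructed samples, and the allow-list (HTTP/HTTPS anywhere, DNS only inside the VPC) is an assumption for a plain web host.

```python
"""Audit security-group egress for 'allow everything' and build a tight replacement.

Added example, not from the original thread. Inputs mirror the shape of
ec2.describe_security_groups()['SecurityGroups'] but are constructed samples;
no AWS API is called. The allow-list in minimal_web_egress() is an assumption.
"""
from typing import Dict, List

WORLD = ("0.0.0.0/0", "::/0")


def open_egress_findings(group: Dict) -> List[str]:
    """Return one finding per egress rule that lets the host reach the whole
    Internet either on every protocol/port or on UDP/500 (IKE)."""
    findings = []
    for perm in group.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [c for c in cidrs if c in WORLD]
        if not world:
            continue  # rule is scoped to specific peers; fine for a VPN
        if proto == "-1":
            findings.append(f"{group['GroupId']}: all protocols/ports to {', '.join(world)}")
        elif proto == "udp" and perm.get("FromPort", 0) <= 500 <= perm.get("ToPort", 65535):
            findings.append(f"{group['GroupId']}: udp/500 (IKE) reachable to {', '.join(world)}")
    return findings


def minimal_web_egress(vpc_cidr: str) -> List[Dict]:
    """Egress allow-list for a web host: HTTP/HTTPS anywhere, DNS only inside the VPC.
    ASSUMPTION: extend it with whatever the host legitimately needs (for a cPanel mail
    host that would include outbound SMTP); never re-add an all-protocol world rule."""
    world = [{"CidrIp": "0.0.0.0/0"}]
    vpc = [{"CidrIp": vpc_cidr}]
    return [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": world},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": world},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": vpc},
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": vpc},
    ]


# Constructed samples: the first group still carries the default "allow all" egress rule,
# the second only allows HTTPS out and IKE to a single named VPN peer.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "cpanel-default",
     "IpPermissionsEgress": [
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0fedcba987654321f", "GroupName": "cpanel-tight",
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
          "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
     ]},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        for f in open_egress_findings(g):
            print("FINDING:", f)
    print("replacement egress:", minimal_web_egress("10.0.0.0/16"))
```

To apply the tighter rule set with boto3, first remove the world-open rule with `revoke_security_group_egress` (passing the same `-1` / `0.0.0.0/0` permission), then `authorize_security_group_egress` with the list returned here; doing it in that order leaves no window where both the old and new rules coexist and the old one still wins. Remember that a security group is stateful, so inbound responses to these outbound flows need no extra rule, and that a NACL, being stateless, needs the ephemeral-port return range if you harden there too.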
