got abuse report from vultr, how should I handle it?
I got following abuse report from vultr and not sure how to handle it. My instance is only one from the list they have mentioned which I am using to run private socks proxy for scraping and generating metadata (maximum 1-4 requests to one host within a day). The machine is running on Ubuntu 18.04 and dante (https://www.inet.no/dante/) and nothing else.
We have received the following report regarding malicious internet traffic originating from one of your active instances. The timestamp of attack and lifespan of your server's IP address match, meaning that there is a high likelihood the device is compromised and being used to attack other internet users.
Please investigate this issue immediately and provide an update once it is resolved.
-- Report begins --
Sir / Maam,
The NCCIC is requesting assistance in verifying possible malicious activity being hosted on a system registered to you that may be affecting visitors and we would greatly appreciate your assistance in investigating such activity. The following information was provided by a trusted third-party via the use of a DNS sinkhole to help resolve this issue. Please note that this is the extent of the information and USCERT does not have any additional information to provide:
please find attached information on IPs gelocated in your country which are most likely hosting a system infected with malware.
Next to the affected IP, each record includes a timestamp (UTC) and the name of the related malware family. If available, the record also includes the source port, destination IP, destination port and destination hostname for the connection most likely triggered by the malware to connect to a command-and-control server.
Most of the malware families reported here include functions for identity theft (harvesting of usernames and passwords) and/or online-banking fraud.
Please see the attached file for a list of associated IP addresses - Time Zone reflects UTC+1
The owner/operator of this IP may or may not be aware this host is performing this activity or that it has been possibly compromised. If your investigation confirms this activity, the NCCIC would greatly appreciate your assistance in suspending this host until corrective measures are taken.
The NCCIC incident number above has been assigned for future reference. Please refer to this number in the subject line of any email correspondences to ensure proper tracking. We greatly appreciate your assistance in resolving this matter and look forward to your continued cooperation.
If you need assistance in this matter or have any questions please contact the NCCIC Service Desk at [email protected] You are neither required nor expected to provide further updates in regards to situational awareness. Contact information associated with the malicious IP was retrieved via ARIN. If you would like to have your contact information updated then please contact ARIN: https://www.arin.net/contact_us.html
To submit samples of malicious code for analysis, visit http://malware.us-cert.gov. Our information sharing portal for trusted partners is available at https://portal.us-cert.gov.
National Cybersecurity & Communications Integration Center (NCCIC)
Department of Homeland Security
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
US-CERT uses ARIN to pull the WHOIS contact information assocated with the designate IP. If you would like to have your contact information updated then please contact ARIN directly (https://www.arin.net/contact_us.html).
CSV content follows:
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 16:01,andromeda,34435,220.127.116.11,80,upinflinstrix.org,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,nymaim,11/13/2019 4:54,nymaim,41110,126.96.36.199,80,4yvj.dtqlj.com,tcp
US,188.8.131.52,[email protected],184.108.40.206/22,andromeda,11/13/2019 19:12,andromeda,52992,220.127.116.11,443,egpjjdxis.ru,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 13:43,andromeda,49265,126.96.36.199,80,disorderstatus.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 18:46,andromeda,43560,220.127.116.11,80,fragiez.org,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 13:50,andromeda,49256,126.96.36.199,80,differentia.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/20,andromeda,11/13/2019 15:36,andromeda,49177,220.127.116.11,443,egpjjdxis.ru,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 4:41,andromeda,49998,126.96.36.199,443,befatd8jx.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 18:52,andromeda,56084,220.127.116.11,443,rbsv02kv.ru,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 12:08,andromeda,42692,126.96.36.199,443,befatd8jx.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 8:08,andromeda,56076,220.127.116.11,443,befatd8jx.ru,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 17:00,andromeda,50135,126.96.36.199,80,differentia.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,tinba,11/13/2019 23:52,tinba,52028,220.127.116.11,80,bbjyjuepxjnq.pw,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 6:17,andromeda,43808,126.96.36.199,443,egpjjdxis.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,teslacrypt,11/13/2019 15:12,teslacrypt,40878,220.127.116.11,80,hotchunman.com,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 18:29,andromeda,36388,126.96.36.199,443,befatd8jx.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/22,andromeda,11/13/2019 21:05,andromeda,60424,220.127.116.11,443,befatd8jx.ru,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 22:15,andromeda,58792,126.96.36.199,80,durylruth.net,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 20:37,andromeda,36552,220.127.116.11,443,egpjjdxis.ru,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,nymaim,11/13/2019 22:56,nymaim,38006,126.96.36.199,80,uggnzy.info,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 17:10,andromeda,55180,220.127.116.11,80,downloadkxr.hi2wlllz3mtltuqn.ru,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,tinba,11/13/2019 17:16,tinba,56612,126.96.36.199,80,rwdkdqqvgggg.com,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 7:59,andromeda,45304,220.127.116.11,443,egpjjdxis.ru,tcp
US,18.104.22.168,[email protected],22.214.171.124/22,matsnu,11/13/2019 17:57,matsnu,53170,126.96.36.199,80,materialsolve.com,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,matsnu,11/13/2019 2:07,matsnu,56565,220.127.116.11,80,www.plantmaterial.com,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 17:10,andromeda,45556,126.96.36.199,80,differentia.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,zeus,11/13/2019 4:09,zeus,35488,220.127.116.11,80,tooyjjdjmdansnnsjwji.net,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,nymaim,11/13/2019 22:59,nymaim,56292,126.96.36.199,80,tyyni.in,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,nymaim,11/13/2019 20:07,nymaim,53651,220.127.116.11,80,www.hnmrw.net,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 6:59,andromeda,39094,126.96.36.199,443,egpjjdxis.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 9:58,andromeda,49278,220.127.116.11,443,egpjjdxis.ru,tcp
US,18.104.22.168,[email protected],22.214.171.124/22,andromeda,11/13/2019 17:20,andromeda,34640,126.96.36.199,80,cachingcdn24hour.biz,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 15:20,andromeda,58652,220.127.116.11,80,wwbs.info,tcp
US,18.104.22.168,[email protected],22.214.171.124/21,andromeda,11/13/2019 23:01,andromeda,55960,126.96.36.199,80,atomictrivia.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 23:55,andromeda,63474,220.127.116.11,80,xjpakmdcfuqe.com,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 1:06,andromeda,56366,126.96.36.199,80,atomictrivia.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/22,nymaim,11/13/2019 22:22,nymaim,46032,220.127.116.11,80,armghduugj.net,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,nymaim,11/13/2019 23:47,nymaim,46184,126.96.36.199,80,www.vanph.com,tcp
US,188.8.131.52,[email protected],184.108.40.206/23,andromeda,11/13/2019 13:27,andromeda,42349,220.127.116.11,443,dynamicns2.info,tcp
US,18.104.22.168,[email protected],22.214.171.124/23,andromeda,11/13/2019 7:04,andromeda,40722,126.96.36.199,443,befatd8jx.ru,tcp
US,188.8.131.52,[email protected],184.108.40.206/22,andromeda,11/13/2019 14:48,andromeda,55947,220.127.116.11,443,poppin32.info,tcp
-- Report ends --
Thank you for your cooperation!
-- Complaint Response Team --