Got an abuse report from Vultr, how should I handle it?
I got the following abuse report from Vultr and I'm not sure how to handle it. My instance is only one from the list they have mentioned, and I am using it to run a private SOCKS proxy for scraping and generating metadata (a maximum of 1-4 requests to one host within a day). The machine is running Ubuntu 18.04 and dante (https://www.inet.no/dante/) and nothing else.
Dear Customer,
We have received the following report regarding malicious internet traffic originating from one of your active instances. The timestamp of attack and lifespan of your server's IP address match, meaning that there is a high likelihood the device is compromised and being used to attack other internet users.
Please investigate this issue immediately and provide an update once it is resolved.
-- Report begins --
Sir / Ma'am,
The NCCIC is requesting assistance in verifying possible malicious activity being hosted on a system registered to you that may be affecting visitors, and we would greatly appreciate your assistance in investigating such activity. The following information was provided by a trusted third party via the use of a DNS sinkhole to help resolve this issue. Please note that this is the extent of the information and US-CERT does not have any additional information to provide:
Please find attached information on IPs geolocated in your country which are most likely hosting a system infected with malware.
Next to the affected IP, each record includes a timestamp (UTC) and the name of the related malware family. If available, the record also includes the source port, destination IP, destination port and destination hostname for the connection most likely triggered by the malware to connect to a command-and-control server.
Most of the malware families reported here include functions for identity theft (harvesting of usernames and passwords) and/or online-banking fraud.
Please see the attached file for a list of associated IP addresses - Time Zone reflects UTC+1
The owner/operator of this IP may or may not be aware this host is performing this activity or that it has been possibly compromised. If your investigation confirms this activity, the NCCIC would greatly appreciate your assistance in suspending this host until corrective measures are taken.
The NCCIC incident number above has been assigned for future reference. Please refer to this number in the subject line of any email correspondences to ensure proper tracking. We greatly appreciate your assistance in resolving this matter and look forward to your continued cooperation.
If you need assistance in this matter or have any questions please contact the NCCIC Service Desk at [email protected]. You are neither required nor expected to provide further updates in regards to situational awareness. Contact information associated with the malicious IP was retrieved via ARIN. If you would like to have your contact information updated then please contact ARIN: https://www.arin.net/contact_us.html
To submit samples of malicious code for analysis, visit http://malware.us-cert.gov. Our information sharing portal for trusted partners is available at https://portal.us-cert.gov.
Respectfully,
National Cybersecurity & Communications Integration Center (NCCIC)
Department of Homeland Security
[email protected]
www.us-cert.gov
Twitter: @USCERT_gov
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
US-CERT uses ARIN to pull the WHOIS contact information associated with the designated IP. If you would like to have your contact information updated then please contact ARIN directly (https://www.arin.net/contact_us.html).
CSV content follows:
CC,ip,Abuse Contact,SubNet,malware,timestamp,malware,src_port,dst_ip,dst_port,dst_host,proto
-- Report ends --
Thank you for your cooperation!
-- Complaint Response Team --
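A first triage step for a report in this format is to pull out only the rows that name your own instance and see what each one claims. The script below is an added example, not part of the thread or of any Vultr/US-CERT tooling; it assumes the column order of the report's CSV header and uses a constructed sample file with documentation IPs and `.invalid` hostnames, not the real rows.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the rows of the NCCIC/US-CERT
# CSV that concern one instance. Column order follows the report header:
# CC,ip,Abuse Contact,SubNet,malware,timestamp,malware,src_port,dst_ip,dst_port,dst_host,proto
# The sample rows below are constructed (documentation IPs, .invalid hosts).

REPORT_CSV="${REPORT_CSV:-/tmp/abuse_report.csv}"   # path is an assumption

# Rows whose "ip" column equals the given address, one summary line each:
# "<timestamp> <family> src_port=<n> -> <dst_ip>:<dst_port> (<dst_host>)".
# src_port is the ephemeral port on your host at that time; the report
# gives the timestamp as UTC in one place and UTC+1 in another, so check
# your own logs for a window around it, not the exact minute.
report_hits() {
    ip="$1"; csv="${2:-$REPORT_CSV}"
    awk -F, -v ip="$ip" 'NR > 1 && $2 == ip {
        printf "%s %s src_port=%s -> %s:%s (%s)\n", $6, $5, $8, $9, $10, $11
    }' "$csv"
}

# Distinct destination IPs. The report says the data came from a DNS
# sinkhole, so dst_ip is the sinkhole that answered for the C2 domain; these
# are addresses to search for in your firewall or flow logs, not a blocklist.
report_sinkholes() {
    csv="${1:-$REPORT_CSV}"
    awk -F, 'NR > 1 && $9 != "" { print $9 }' "$csv" | sort -u
}

# How many distinct instance IPs the report lists (how much of it is "yours").
report_ip_count() {
    csv="${1:-$REPORT_CSV}"
    awk -F, 'NR > 1 { print $2 }' "$csv" | sort -u | wc -l | tr -d ' '
}

# Constructed sample report, for trying the functions offline.
write_sample_report() {
    cat > "$1" <<'EOF'
CC,ip,Abuse Contact,SubNet,malware,timestamp,malware,src_port,dst_ip,dst_port,dst_host,proto
US,198.51.100.10,abuse@example.invalid,198.51.100.0/24,andromeda,11/13/2019 16:01,andromeda,34435,192.0.2.2,80,c2-a.example.invalid,tcp
US,198.51.100.10,abuse@example.invalid,198.51.100.0/24,nymaim,11/13/2019 22:59,nymaim,56292,192.0.2.2,80,c2-b.example.invalid,tcp
US,198.51.100.77,abuse@example.invalid,198.51.100.0/24,tinba,11/13/2019 23:52,tinba,52028,192.0.2.9,80,c2-c.example.invalid,tcp
EOF
}
```

Run `write_sample_report /tmp/abuse_report.csv; report_hits 198.51.100.10` to see the two constructed hits for that address.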
Comments
If you host websites, hunt for malicious PHP scripts. I'd wager 9 out of 10 times that's all it is. If I want to blanket cover a whole bunch I'd say look for strange files in Wordpress installations. This is really good at finding those types of scripts:
https://www.configserver.com/cp/cxs.html
Truth is these complaints don't have enough info to go off of, and if you truly determine that you cannot find a single thing wrong, Vultr may not be upset about you freely admitting so.
I'd confirm infection and then remove or delete and recreate. What is your OS? Googling for Andromeda malware removal implied a Windows Trojan.
https://malwaretips.com/blogs/remove-backdoor-andromeda-virus/
The machine is running Ubuntu 18.04 and dante (https://www.inet.no/dante/) and nothing else. The machine is probably not infected. What I believe is that all the hosts/websites listed in the abuse report are sinkhole or honeypot websites.
Presumably you mean web scraping, in which case you deserve to get banned! IMO.
Stop your abusive activities.
I would suggest that the question goes beyond what is running on the server and also encompasses what is running on the SOCKS client endpoint. If your client endpoint is abusive then you are responsible for that too. You can't just say "my server is only running Ubuntu and a SOCKS server" and get out of it that easily.
Actually it's not for content scraping, it's for metadata scraping to gather and present different metrics to the user like HTML markup errors, whether compression is enabled or not, SEO optimization suggestions etc...
wow so much better
You've so far: 1) told us that you scrape shit; then 2) told us that you don't scrape but still somehow scan the whole web for 'html markup errors, gzip or whatever, SEO trash'
Either way, running Dante proxy? Even if OP has a legitimate use, a dozen bots probably got past lax authentication.
Aren't all those search engines doing the same? Like Google, Bing, DuckDuckGo?
of course I follow some standards, like robots.txt etc...
Someone better tell Google their spiders scraping the Internet are malicious!
tl;dr
LET bullies: U scrap! U sux!
OP: I do NOT scrap!
OP: I do scrap but I don't!
I'd suggest turning off your bots for a moment and determining if you still have traffic going through it. It is very possible you are acting as an open proxy for others.
The proxy is not open, it is restricted with both username authentication and a firewall that only allows selected IPs. At the moment others do not have access to the proxy.
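The suggestion above (pause the bots, then see whether anything is still connecting) can be turned into two concrete checks on a Dante host. This is an added example, not code from the thread or from the Dante project; it assumes the SOCKS listener is on port 1080, that the allowlist lives in a file you maintain, and the Ubuntu package's `/etc/danted.conf` path.

```shell
#!/bin/sh
# Added example, not from the thread or the Dante project: two checks for a
# sockd host that is supposed to serve only a few allowlisted clients.
# SOCKS port 1080 and the file paths are assumptions.

SOCKS_PORT="${SOCKS_PORT:-1080}"

# 1. Which peers are connected to the SOCKS port right now?
#    Reads "ss -tn state established" style lines on stdin
#    ("Recv-Q Send-Q Local:Port Peer:Port", with or without a State
#    column, without -p) and prints the distinct peer IPs.
socks_peers() {
    awk -v port="$SOCKS_PORT" '
        /Recv-Q/ { next }                       # skip the header line
        {
            lport = $(NF-1); peer = $NF
            sub(/.*:/, "", lport)               # keep only the local port
            if (lport == port) { sub(/:[0-9]+$/, "", peer); print peer }
        }' | sort -u
}

# Peers not in the allowlist file (one IP per line). If the bots are paused
# and this still prints anything, someone else is using the proxy.
unexpected_peers() {
    socks_peers | grep -v -x -F -f "$1" || :
}

# 2. Does sockd.conf have a "client pass" rule that admits the whole
#    Internet? Prints each such block. With clientmethod/socksmethod "none"
#    that is an open proxy; even with username auth it lets every scanner
#    that finds the port try logins, so pair it with a firewall allowlist.
open_client_rules() {
    awk '
        /^[ \t]*client[ \t]+pass/ { inblk = 1; blk = "" }
        inblk { blk = blk $0 "\n" }
        inblk && /}/ {
            inblk = 0
            if (blk ~ /from:[ \t]*0\.0\.0\.0\/0/) printf "%s", blk
        }
    ' "$1"
}

# Usage on the live host (Linux iproute2; paths are assumptions):
#   ss -tn state established | unexpected_peers /etc/danted.allowlist
#   open_client_rules /etc/danted.conf
```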
Not sure what you are using to scrape but clearly your bot activities have triggered suspicions. I am also not sure if the bot you are using is written by yourself or gotten from somewhere on the web where you don't know what is going on under the hood.
scrape
Actually, they can be! Ignoring robots.txt is de rigueur for them, along with ignoring requests to not crawl parameters.
.. and worse. WTF
Just buy a proxy instead of setting up a proxy on Vultr. There are many proxy providers who don't care.
This. This is a common use case for proxies, unfortunately.
We are in 2009 and we use Orkut, you millennials !!! On Orkut we scrap.
Your machine is compromised, or your private proxy security is not well enough.
There is a lot of hacker shit out there that hunts for free proxies, scanning every single new installation of proxy software. If you're careless, you'll get fucked hard. Exactly like you just did with the Vultr machine.
My suggestion: stop your activity. Respond to Homeland Sec (afaik they provide a form for this), copy your response to Vultr and say you will not be using a Vultr machine again to install a proxy. Move to another provider who doesn't care about abuse reports, or just buy a proxy somewhere and do your scraping thing.
(I've been there, but with another provider.)
Switch to an offshore host and continue.
You should own your network before doing such things. Scraping is not just about respecting robots but about respecting networks too. Before you grab the content, it is better to verify who you are scraping. Who is the network, who is the website. Do they allow it?
Buy over vultr.
This
Delete your vm
You may be using the wrong tool for the job. I've had good luck with the following scrapers:
Price?
About tree fiddy.
3 x $7
(Hey, they're quality scrapers compatible with every firewall -- I guarantee that Vultr will never complain again!)