
got abuse report from vultr, how should I handle it?

deepikadeepika Member
edited November 2019 in General

I got the following abuse report from Vultr and am not sure how to handle it. Only one instance from the list they mention is mine; I am using it to run a private SOCKS proxy for scraping and generating metadata (a maximum of 1-4 requests to one host within a day). The machine is running Ubuntu 18.04 and dante (https://www.inet.no/dante/) and nothing else.

Dear Customer,

We have received the following report regarding malicious internet traffic originating from one of your active instances. The timestamp of attack and lifespan of your server's IP address match, meaning that there is a high likelihood the device is compromised and being used to attack other internet users.

Please investigate this issue immediately and provide an update once it is resolved.

-- Report begins --

Sir / Ma'am,
The NCCIC is requesting assistance in verifying possible malicious activity being hosted on a system registered to you that may be affecting visitors and we would greatly appreciate your assistance in investigating such activity. The following information was provided by a trusted third-party via the use of a DNS sinkhole to help resolve this issue. Please note that this is the extent of the information and USCERT does not have any additional information to provide:
Please find attached information on IPs geolocated in your country which are most likely hosting a system infected with malware.
Next to the affected IP, each record includes a timestamp (UTC) and the name of the related malware family. If available, the record also includes the source port, destination IP, destination port and destination hostname for the connection most likely triggered by the malware to connect to a command-and-control server.
Most of the malware families reported here include functions for identity theft (harvesting of usernames and passwords) and/or online-banking fraud.
Please see the attached file for a list of associated IP addresses - Time Zone reflects UTC+1
The owner/operator of this IP may or may not be aware this host is performing this activity or that it has been possibly compromised. If your investigation confirms this activity, the NCCIC would greatly appreciate your assistance in suspending this host until corrective measures are taken.
The NCCIC incident number above has been assigned for future reference. Please refer to this number in the subject line of any email correspondences to ensure proper tracking. We greatly appreciate your assistance in resolving this matter and look forward to your continued cooperation.
If you need assistance in this matter or have any questions please contact the NCCIC Service Desk at [email protected]. You are neither required nor expected to provide further updates in regards to situational awareness. Contact information associated with the malicious IP was retrieved via ARIN. If you would like to have your contact information updated then please contact ARIN: https://www.arin.net/contact_us.html
To submit samples of malicious code for analysis, visit http://malware.us-cert.gov. Our information sharing portal for trusted partners is available at https://portal.us-cert.gov.
Respectfully,
National Cybersecurity & Communications Integration Center (NCCIC)
Department of Homeland Security
[email protected]
www.us-cert.gov
Twitter: @USCERT_gov
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
US-CERT uses ARIN to pull the WHOIS contact information associated with the designated IP. If you would like to have your contact information updated then please contact ARIN directly (https://www.arin.net/contact_us.html).
CSV content follows:
CC,ip,Abuse Contact,SubNet,malware,timestamp,malware,src_port,dst_ip,dst_port,dst_host,proto

-- Report ends --

Thank you for your cooperation!

-- Complaint Response Team --
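A triage helper for a report in the CSV layout quoted above, added here as an example and not part of the thread or the report: it picks out the rows that name the operator's own instance, turns each into a search window for the proxy's connection log, and shows how concentrated the destinations are. The sample rows are constructed (RFC 5737 documentation addresses, invented hostnames), not values from the real attachment.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout of the report quoted above. The
# addresses are RFC 5737 documentation ranges and the hostnames are invented;
# none of them are values from the real report.
SAMPLE_CSV = """\
CC,ip,Abuse Contact,SubNet,malware,timestamp,malware,src_port,dst_ip,dst_port,dst_host,proto
US,198.51.100.23,abuse@example.net,198.51.100.0/23,andromeda,11/13/2019 16:01,andromeda,34435,203.0.113.2,80,c2-a.example.invalid,tcp
US,198.51.100.77,abuse@example.net,198.51.100.0/23,nymaim,11/13/2019 4:54,nymaim,41110,203.0.113.2,80,c2-b.example.invalid,tcp
US,198.51.100.23,abuse@example.net,198.51.100.0/23,tinba,11/13/2019 23:52,tinba,52028,203.0.113.9,80,c2-c.example.invalid,tcp
"""

# Column positions. The header names "malware" twice, so csv.DictReader would
# silently keep only the second copy; index by position instead.
IP, MALWARE, TS, SRC_PORT, DST_IP, DST_PORT, DST_HOST = 1, 4, 5, 7, 8, 9, 10


def parse_report(text):
    """Return the data rows after checking the header is the expected layout."""
    rows = list(csv.reader(io.StringIO(text)))
    header, body = rows[0], rows[1:]
    if header[IP] != "ip" or header[MALWARE] != "malware" or header[DST_IP] != "dst_ip":
        raise ValueError("unexpected report layout: %r" % header)
    return [r for r in body if len(r) == len(header)]


def my_rows(rows, my_ips):
    """Only the records that name one of the operator's own addresses."""
    return [r for r in rows if r[IP] in my_ips]


def log_search_plan(rows, my_ips):
    """For each of our records: what to look for in the proxy's connection log.

    The report body says timestamps are UTC but the attachment note says
    UTC+1, so the window covers both readings with a few minutes of slack.
    """
    plan = []
    for r in my_rows(rows, my_ips):
        seen = datetime.strptime(r[TS], "%m/%d/%Y %H:%M")
        plan.append({
            "malware": r[MALWARE],
            "window_utc": (seen - timedelta(hours=1, minutes=5), seen + timedelta(minutes=5)),
            "dst": (r[DST_IP], int(r[DST_PORT]), r[DST_HOST]),
            "src_port": int(r[SRC_PORT]),
        })
    return plan


def destination_spread(rows):
    """Distinct reporting hosts per destination IP. A few destinations shared by
    many unrelated hosts is what a sinkhole looks like; that alone says nothing
    about whether a given host is clean, only where to look in its logs."""
    hits = {}
    for r in rows:
        hits.setdefault(r[DST_IP], set()).add(r[IP])
    return {dst: len(ips) for dst, ips in hits.items()}
```

A hit inside the window to the listed destination and source port from a proxy user session points at an abusive client; a hit with no proxy session at all points at the host itself.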


Comments

  • jarjar Patron Provider, Top Host, Veteran
    edited November 2019

    If you host websites, hunt for malicious PHP scripts. I'd wager 9 out of 10 times that's all it is. If I want to blanket cover a whole bunch I'd say look for strange files in Wordpress installations. This is really good at finding those types of scripts:

    https://www.configserver.com/cp/cxs.html

    Truth is these complaints don't have enough info to go off of, and if you truly determine that you cannot find a single thing wrong, Vultr may not be upset about you freely admitting so.

    Thanked by 1uptime
  • I'd confirm infection and then remove or delete and recreate. What is your OS? Googling for Andromeda malware removal implied Windows Trojan.

    https://malwaretips.com/blogs/remove-backdoor-andromeda-virus/

  • The machine is running Ubuntu 18.04 and dante (https://www.inet.no/dante/) and nothing else. The machine is probably not infected. What I believe is that all the hosts/websites listed in the abuse report are sinkhole or honeypot websites.

  • deepika said: web scrapping

    Presumably you mean web scraping, in which case you deserve to get banned! IMO.

    Thanked by 1niceboy
  • Stop your abusive activities.

    Thanked by 1ViridWeb
  • @deepika said:
    The machine is running Ubuntu 18.04 and dante (https://www.inet.no/dante/) and nothing else. The machine is probably not infected. What I believe is that all the hosts/websites listed in the abuse report are sinkhole or honeypot websites.

    I would suggest that the question goes beyond what is running on the server and also encompasses what is running on the SOCKS client endpoint. If your client endpoint is abusive then you are responsible for that too. You can't just say "my server is only running Ubuntu and a SOCKS server" and get out of it that easily.

  • @AlwaysSkint said:

    deepika said: web scrapping

    Presumably you mean web scraping, in which case you deserve to get banned! IMO.

    @hzr said:
    Stop your abusive activities.

    Actually, it's not for content scraping; it's for metadata scraping to gather and present different metrics to the user, like HTML markup errors, whether compression is enabled, SEO optimization suggestions, etc.

  • @deepika said:

    @AlwaysSkint said:

    deepika said: web scrapping

    Presumably you mean web scraping, in which case you deserve to get banned! IMO.

    @hzr said:
    Stop your abusive activities.

    Actually, it's not for content scraping; it's for metadata scraping to gather and present different metrics to the user, like HTML markup errors, whether compression is enabled, SEO optimization suggestions, etc.

    wow so much better

    you've so far: 1) told us that you scrape shit; then 2) tell us that you don't scrape but still somehow scan the whole web for 'html markup errors, gzip or whatever, SEO trash'

    Thanked by 1AlwaysSkint
  • MikeAMikeA Member, Patron Provider

    Either way, running Dante proxy? Even if OP has a legitimate use, a dozen bots probably got past lax authentication.

  • @doghouch said:
    wow so much better

    you've so far: 1) told us that you scrape shit; then 2) tell us that you don't scrape but still somehow scan the whole web for 'html markup errors, gzip or whatever, SEO trash'

    Aren't all those search engines doing the same? Like Google, Bing, DuckDuckGo?
    Of course I follow some standards, like robots.txt, etc.

  • 1gservers1gservers Member, Patron Provider

    Someone better tell Google their spiders scraping the Internet are malicious!

  • deankdeank Member, Troll
    edited November 2019

    tl;dr

    LET bullies: U scrap! U sux!
    OP: I do NOT scrap!
    OP: I do scrap but I don't!

  • I'd suggest turning off your bots for a moment, and determining if you still have traffic going through it. It is very possible you are acting as open proxy for others.

  • @AlyssaD said:
    I'd suggest turning off your bots for a moment, and determining if you still have traffic going through it. It is very possible you are acting as open proxy for others.

    The proxy is not open; it is restricted with both username authentication and a firewall that only allows selected IPs. At the moment others do not have access to the proxy.

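For reference, a dante sockd.conf that enforces the two restrictions this reply describes, with the weak alternatives noted in comments. This is an added example, not the OP's actual configuration; the interface name eth0 and the 203.0.113.0/24 client range are assumptions.

```conf
# /etc/sockd.conf for dante-server. Ubuntu 18.04 ships the 1.4 series,
# where the per-rule keyword is "socksmethod"; older releases spell it "method".
logoutput: syslog
# assumed interface name
internal: eth0 port = 1080
external: eth0

clientmethod: none
# the weak setting would be "socksmethod: none" (no credentials at all)
socksmethod: username
user.privileged: root
user.unprivileged: nobody

# Only the scraper's own client range may complete the TCP handshake.
# The weak setting is "from: 0.0.0.0/0", which leaves the port reachable by
# anyone who scans for it, credentials or not.
client pass {
    from: 203.0.113.0/24 to: 0.0.0.0/0
    log: connect disconnect error
}
client block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
}

# After the handshake, require a valid username/password and allow outbound
# connect only; a scraper needs neither bind nor UDP relaying.
socks pass {
    from: 203.0.113.0/24 to: 0.0.0.0/0
    command: connect
    log: connect disconnect error
    socksmethod: username
}
socks block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
}
```

The host firewall should restrict TCP 1080 to the same client range, so a configuration mistake in one layer is still caught by the other; the "log:" lines are what make the timestamp-and-port check from the report possible afterwards.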
  • Not sure what you are using to scrape but clearly your bot activities have triggered suspicions. I am also not sure if the bot you are using is written by yourself or gotten from somewhere on the web where you don't know what is going on under the hood.

  • @deank said:
    tl;dr

    LET bullies: U scrap! U sux!
    OP: I do NOT scrap!
    OP: I do scrap but I don't!

    scrape

    Thanked by 2AlwaysSkint lazyt
  • AlwaysSkintAlwaysSkint Member
    edited November 2019

    1gservers said: Someone better tell Google their spiders scraping the Internet are malicious!

    Actually, they can be! Ignoring robots.txt is de rigueur for them, along with ignoring requests to not crawl parameters.

    /shop/hanging-colobus-monkey-stuffed-animal-from-wild-republic-p-3733.html?manufacturers_id=14

    .. and worse. WTF

  • Just buy a proxy instead of setting up a proxy on Vultr. There are many proxy providers who don't care.

  • dodheimsgard said: Just buy a proxy instead of setting up a proxy on Vultr. There are many proxy providers who don't care.

    This. This is a common use case for proxies, unfortunately.

  • @poisson said:

    @deank said:
    tl;dr

    LET bullies: U scrap! U sux!
    OP: I do NOT scrap!
    OP: I do scrap but I don't!

    scrape

    We are in 2009 and we use Orkut, you millennials !!! On Orkut we scrap.

    Thanked by 1vimalware
  • Your machine is compromised, or your private proxy security is not good enough.

    There is a lot of hacker shit out there that hunts for free proxies, scanning every single new installation of proxy software. If you're careless, you'll get fucked hard. Exactly like you just did with the Vultr machine.

    My suggestion: stop your activity. Respond to Homeland Sec (afaik they provide a form for this), copy your response to Vultr and say you will not use a Vultr machine again to install a proxy. Move to another provider who doesn't care about abuse reports, or just buy a proxy somewhere and do your scrape thing.

    (I've been there, but with another provider.)

  • Switch to an offshore host and continue.

  • cazrzcazrz Member
    edited November 2019

    You should own your network before doing such. Scraping is not just respecting robots but respecting networks too. Before you grab the content, it is better to verify who you are scraping. Who is the network, who is the website. Do they allow it?

  • Buy over vultr.

  • hostenshostens Member, Host Rep

    @cybertech said:
    Buy over vultr.

    This

  • JordJord Moderator, Host Rep

    Delete your vm

    Thanked by 1AlwaysSkint
  • You may be using the wrong tool for the job. I've had good luck with the following scrapers:

    Thanked by 2jvnadr fazar
  • angstrom said: You may be using the wrong tool for the job. I've had good luck with the following scrapers:

    Price?

  • @jvnadr said:

    angstrom said: You may be using the wrong tool for the job. I've had good luck with the following scrapers:

    Price?

    About tree fiddy.

  • angstromangstrom Moderator
    edited November 2019

    @jvnadr said:

    angstrom said: You may be using the wrong tool for the job. I've had good luck with the following scrapers:

    Price?

    3 x $7 :smile:

    (Hey, they're quality scrapers compatible with every firewall -- I guarantee that Vultr will never complain again!)
