Infrastructure: The Full Story of "Your Amazon EC2 Abuse Report"
Your Amazon EC2 Abuse Report
We’ve received report(s) that one or more of your instances may be infected with malware.
Malware can be used by people to manipulate your instances into carrying out attacks against Internet computers with or without your permission.
Facilitation of internet attacks is specifically forbidden in the AWS Acceptable Use Policy (http://aws.amazon.com/aup).
If you believe this report to be inaccurate, please reply to this email with an explanation of why the traffic is legitimate.
If you require more context around this report please reply to this report as well.
Instance Id: <My EC2>
We’ve attached the information provided by the reporter at the bottom of this email.
Please review the information as well as the link included below to determine whether your instances are infected with malware.
To permanently remediate the problem, AWS recommends that you move your data to a new instance and terminate the implicated instance.
Taking future precautionary steps by hardening your instance is also recommended.
A list of tips for securing your EC2 instances is available for your review at: http://aws.amazon.com/articles/1233
Once you have investigated this matter, please reply to this email to report your findings and actions.
This information will be relayed to the original reporter of this issue.
Regards,
Amazon EC2 Abuse Team
===== Details ======
1. AWS Acceptable Use Policy: http://aws.amazon.com/agreement/.
2. Additional abuse report information provided by original abuse reporter(s):
* Destination IPs:
* Destination Ports:
* Destination URLs:
* Abuse Time: Fri Mar 03 03:33:33 UTC 2013
* Log Extract:
Your host has been contacting the following domains that are known to be C&C servers.
This suggests your host is running a botnet client. The following is a list of instances, timestamps of the contact, and domains, subdivided by ec2 region:
Region ap-northeast-1:
i-<My EC2>, 2013-03-03T03:33:33Z, hogehoge.com
i-<My EC2>, 2013-03-03T03:33:33Z, hogehoge.com
i-<My EC2>, 2013-03-03T03:33:33Z, hogehoge.com
Your host has been contacting the following domains that are known to be C&C servers.
(AWS recommends that you move your data to a new instance and terminate the implicated instance.)
These alerts show that your instance was doing DNS lookups for a known C&C server, hogehoge.com.
Thanks for the response and for disabling bounced mail notifications. These notifications are sent as an advisory to customers to let them know that their instances are reaching out to known botnet-related domains. If the instances don’t go on to get implicated in further abuse cases, then there’s no action required for these specific Botnet-related abuse cases.
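・The information in an AWS Abuse Report is very limited, so unless you first confirm what kind of problem was detected and triggered the warning before you act, you end up spending extra effort.
・For AWS Abuse Reports, having a paid support contract does not get you a prioritized answer (a paid support contract cannot be expected to help here).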
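As an aid to the first point above, the following added example (not code from the original post or from AWS) parses a report's "Log Extract" into per-instance search terms and a time window for pulling resolver or flow logs. The function names, the sample instance IDs and timestamps, and the 10-minute slack are assumptions made for illustration; hogehoge.com is the post's own placeholder domain.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the report's "Log Extract" section.
# Instance IDs and timestamps are made up; hogehoge.com is the page's placeholder.
SAMPLE_EXTRACT = """\
domains, subdivided by ec2 region:Region ap-northeast-1:
i-0abc1234, 2013-03-03T03:33:33Z, hogehoge.com
i-0abc1234, 2013-03-03T03:33:33Z, hogehoge.com
i-0abc1234, 2013-03-03T03:41:02Z, HogeHoge.com.
i-0def5678, 2013-03-03T04:00:00Z, hogehoge.com
"""

REGION_RE = re.compile(r"\bRegion\s+([a-z0-9-]+):\s*$")  # also matches a header fused onto prose
ENTRY_RE = re.compile(r"^(i-[^,]+?)\s*,\s*([^,\s]+)\s*,\s*(\S+)$")

def parse_extract(text):
    """Return (region, instance, utc_time, domain) tuples from a Log Extract."""
    region, rows = None, []
    for line in map(str.strip, text.splitlines()):
        header = REGION_RE.search(line)
        if header:
            region = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # prose or blank line
        instance, stamp, domain = entry.groups()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((region, instance, when, domain.lower().rstrip(".")))
    return rows

def triage_plan(rows, slack=timedelta(minutes=10)):
    """Per instance: domains to search for and the log window to pull."""
    plan = {}
    for region, instance, when, domain in rows:
        item = plan.setdefault((region, instance), {"domains": set(), "times": set()})
        item["domains"].add(domain)
        item["times"].add(when)  # repeated report lines collapse to one event
    return {
        key: {"domains": sorted(v["domains"]),
              "events": len(v["times"]),
              "window": (min(v["times"]) - slack, max(v["times"]) + slack)}
        for key, v in plan.items()
    }

if __name__ == "__main__":
    for (region, instance), item in triage_plan(parse_extract(SAMPLE_EXTRACT)).items():
        start, end = item["window"]
        print(region, instance, item["domains"], item["events"], start.isoformat(), end.isoformat())
```

The resulting window and domain list are what you would search for in the instance's DNS query logs to find which process or client issued the lookups.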