How to interpret abuse report

We've had multiple Linodes running for years, and have received our first abuse report. The odd thing is that it's for a Linode that was only spun up two days prior, only has the root account, and is unlikely to have been compromised.

The abuse report contained multiple lines, only one of which related to our Linode's IP address:

0 4 GROUP-no-trust-IN 30/Dec/2023:16:19:35 +0100 IN=fwbr201i0 OUT=fwbr201i0 PHYSIN=fwln201i0 PHYSOUT=tap201i0 SRC=OURLINODESIP DST=45.158.77.39 LEN=52 TOS=0x08 PREC=0x20 TTL=101 ID=21700 DF PROTO=TCP SPT=32772 DPT=19132 SEQ=2245775011 ACK=0 WINDOW=29200 ACK

At a loss as to how to interpret this. Is there any information contained in this particular report that would help me narrow down where to look on our Linode for dodginess?

1 Reply

Feel free to follow up in the ticket with any questions you have. While we can't tell you exactly how to find a possible compromise, we're happy to try to help you understand any reports you receive and offer what guidance we can.

In this case, this is basically just firewall logs showing traffic that happened from your Linode to an IP that didn't expect that traffic and likely reported it. This ServerFault post breaks down what some of the acronyms and abbreviations mean if you want more specific information about that.

Because the server was so new to you, I think it's possible that this was from a previous IP owner and the timestamps are just a bit off, but it's also possible that a new server could be compromised before it's been secured. Just to be safe, we ask that you take steps to check. In this case, I think the steps in this Community Site post are your best bet:

I can't find anything in this report that suggests any specific place you should look, but I can say those tools should be helpful for just making sure your server is safe. Ultimately, the most important thing is that you communicate with us in response to these tickets and do your best to keep your server secure.
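To make the record in the question easier to read, here is an added example (not part of the post or Linode's guidance) that splits a netfilter-style firewall log line like the one above into its fields, collects the bare IP/TCP flag tokens, and applies a common TTL heuristic. The placeholder `OURLINODESIP` is replaced with a constructed documentation address, and the initial-TTL table is an assumption about typical OS defaults, not anything stated in the report.

```python
# Constructed copy of the log line quoted in the question; the reporter's
# placeholder "OURLINODESIP" is replaced with an RFC 5737 documentation address.
SAMPLE_LINE = (
    "0 4 GROUP-no-trust-IN 30/Dec/2023:16:19:35 +0100 IN=fwbr201i0 OUT=fwbr201i0 "
    "PHYSIN=fwln201i0 PHYSOUT=tap201i0 SRC=192.0.2.10 DST=45.158.77.39 LEN=52 "
    "TOS=0x08 PREC=0x20 TTL=101 ID=21700 DF PROTO=TCP SPT=32772 DPT=19132 "
    "SEQ=2245775011 ACK=0 WINDOW=29200 ACK"
)

# Assumed common initial TTLs (Linux 64, Windows 128, some network gear 255).
INITIAL_TTLS = (64, 128, 255)


def parse_netfilter_line(line: str) -> dict:
    """Split a netfilter-style log line into its KEY=VALUE fields.

    Tokens before the first KEY=VALUE are the logger's own prefix (here a
    counter, a rule-group name and a timestamp). Bare tokens after it
    (DF, SYN, ACK, ...) are IP/TCP flags and are collected under "FLAGS".
    """
    fields, flags, prefix = {}, [], []
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif fields:
            flags.append(tok)
        else:
            prefix.append(tok)
    fields["FLAGS"] = flags
    fields["PREFIX"] = " ".join(prefix)
    return fields


def ttl_hint(ttl: int) -> tuple:
    """Guess (initial_ttl, hops) from an observed TTL. Heuristic only: it
    assumes the sender started at the nearest common default above it."""
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl


def summarize(fields: dict) -> str:
    """One-line reading of the record: protocol, endpoints, flags, size, TTL."""
    proto = fields.get("PROTO", "?")
    src = f"{fields['SRC']}:{fields.get('SPT', '')}".rstrip(":")
    dst = f"{fields['DST']}:{fields.get('DPT', '')}".rstrip(":")
    initial, hops = ttl_hint(int(fields["TTL"]))
    flags = ",".join(fields["FLAGS"]) or "none"
    return (f"{proto} {src} -> {dst} flags={flags} len={fields['LEN']} "
            f"ttl={fields['TTL']} (initial ~{initial}, ~{hops} hops)")
```

Running `summarize(parse_netfilter_line(SAMPLE_LINE))` reads the report as a single TCP segment from the Linode's port 32772 to 45.158.77.39 port 19132 with the ACK flag set; the TTL guess is only a hint about where the packet may have originated and is worth comparing against the server's own default before drawing conclusions.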
