Help me to solve this problem

We’ve received a report(s) that your AWS resource(s)

AWS ID: ************ Region: us-west-2 Lightsail Instance Name: Eredda
Private IP : Public IP =My Public IP : My static IP

has been implicated in activity which resembles attempts to access remote hosts on the internet without authorization. Activity of this nature is forbidden in the AWS Acceptable Use Policy (AWS Acceptable Use Policy). We’ve included the original report below for your review.

Please take action to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.

If you are unaware of the source of the reported activity, it is likely that your Lightsail instance has been compromised by an external actor.

The best recourse in this case is to create a new Lightsail instance from a snapshot taken well before this abuse notice was first received. For instructions on creating a new instance from a snapshot, see: Creating an instance from a manual snapshot in Amazon Lightsail | Lightsail Documentation

If you do not have such a snapshot, please consider creating a new Lightsail instance from scratch.

To prevent further abuse from your new Lightsail resource(s), AWS Trust & Safety has the following recommendations:

• Review Lightsail documentation on security best practices: Search Results – Overviews | Lightsail Documentation
• Ensure that you use strong and complex passwords for administrative access.
• Ensure that you are taking your Lightsail snapshots on a regular basis. Also consider utilizing the Automatic Snapshots feature to automate this process: Enabling or disabling automatic snapshots for instances or disks in Amazon Lightsail | Lightsail Documentation
• Ensure the latest OS patches and security updates have been applied. If your Lightsail instance is running a content management platform such as WordPress, also ensure its applications and plugins are kept up to date as much as possible. Any unnecessary applications and plugins should be removed.
• Consider moving administrative access ports, such as TCP 22 or 3389, to a non-default port and enhancing site security with Lightsail firewall features: Enhancing site security with new Lightsail firewall features | AWS Compute Blog
• Ensure you are monitoring Average CPU Utilization, Incoming Network Traffic, and Outgoing Network Traffic regularly and look for any abnormalities, such as unusual spikes.

Please remember that you are responsible for ensuring that your resources and all applications are properly secured.

Regards,
AWS Trust & Safety

Case Number: 17166407404-1

—Beginning of forwarded report(s)—

  • Log Extract:
    Time of catch: 2023-07-25 10:44:12 GMT

    Incident content:

    Url: [hi###nt.###.au/]
    Remote connection: [My static IP:33114]
    Headers: [array (
    'Host' => 'hi###nt.###.au',
    'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36',
    'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Accept-Language' => 'en-US,en;q=0.9',
    'Connection' => 'close',
    )]
    Get data: [Array
    (
    [author] => 45
    )
    ]

  • Comments:
    BitNinja presents a CAPTCHA to the visitor. If it is resolved correctly (either automatically via our Browser Integrity Check, or manually), the IP address will be removed from the greylist; if ignored, it will generate a security incident, and the connection will be terminated.
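A triage helper added here as an example (not part of the original post, nor BitNinja or AWS tooling): it parses a report in the format of the forwarded extract above and returns the local syslog lines recorded within a minute of the "Time of catch", which is the first thing to check before deciding whether to rebuild. The report text, hostname, addresses and log lines are constructed, and the instance clock is assumed to be in UTC like the report.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the forwarded BitNinja extract (documentation addresses, invented host).
REPORT = """Time of catch: 2023-07-25 10:44:12 GMT
Url: [example.invalid/]
Remote connection: [203.0.113.10:33114](http://203.0.113.10:33114/)]
Headers: [array (
'Host' => 'example.invalid',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
'Connection' => 'close',
)]
Get data: [Array
(
[author] => 45
)
]"""

# Constructed syslog-style lines from the instance (assumed to be kept in UTC, like the report).
LOCAL_LOG = [
    "Jul 25 09:02:01 eredda CRON[801]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jul 25 10:43:58 eredda CRON[913]: (www-data) CMD (php /var/www/html/wp-cron.php)",
    "Jul 25 10:44:09 eredda sshd[920]: Accepted publickey for admin from 198.51.100.7 port 51022",
    "Jul 25 11:30:00 eredda CRON[1002]: (root) CMD (logrotate /etc/logrotate.conf)",
]


def parse_incident(text):
    """Extract when the request was seen, which source IP/port sent it, and what it asked for."""
    when = re.search(r"Time of catch:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) GMT", text).group(1)
    remote = re.search(r"Remote connection:\s*\[([\d.]+):(\d+)\]", text)
    headers = dict(re.findall(r"'([^']+)'\s*=>\s*'([^']*)'", text))
    # Query parameters are dumped PHP-style as "[name] => value" after the "Get data:" marker.
    get_data = dict(re.findall(r"\[(\w+)\]\s*=>\s*(\S+)", text.split("Get data:", 1)[1]))
    ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": ts, "remote_ip": remote.group(1), "remote_port": int(remote.group(2)),
            "host": headers.get("Host"), "get": get_data}


def correlate(incident, log_lines, window_seconds=60):
    """Return log lines stamped within +/- window_seconds of the incident (syslog has no year or zone: both come from the incident)."""
    year = incident["time"].year
    hits = []
    for line in log_lines:
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        if abs((ts - incident["time"]).total_seconds()) <= window_seconds:
            hits.append(line)
    return hits
```

Run it against the real report and the instance's /var/log/syslog and auth.log before the snapshot rollback, so the cron job or login that coincides with the catch time is not lost with the old instance.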

What kind of help are you expecting from the Hestia forum? The notice from AWS seems pretty straightforward. They have observed TOS violations from your server and have recommended that you employ standard procedures for addressing a compromised host.

2 Likes

I agree with the above suggestion. It appears that AWS has reason to believe that your server has been compromised, aka hacked. While other people wiser than me might find an easier and better way to solve this problem, my experience is that hackers have many ways to hide inside your VPS. I only have a small number of sites on my server. Therefore, I would create a completely new account and rebuild the sites from backups or by copy-pasting content with entirely new passwords.

1 Like

Second that, but additionally you have to be sure that your backups are not compromised.

1 Like

First step is to scan your websites with maldet: How to scan for malwares and viruses with maldet in Linux - Others - Alpha GNU
