Datacenter abuse - VPN users part of Botnet

Hello guys,

I'm using MikroTik CHR as an L2TP and OpenVPN server. I got this abuse message from Hetzner Datacenter today:

https://ibb.co/GCQzHWY

It says that my server IP was submitted to Spamhaus as part of a botnet (Andromeda). It seems the device of one of the VPN users is infected and causing this.

I have never faced this issue before. What should I do? Is there any way to find the VPN user that is causing this and remove him? Are there any firewall rules that can stop this abuse? They might suspend my server. Any help is appreciated.

Kind regards,

I also found this on the Spamhaus website:

A machine using 65.109.. is infected with malware associated with the avalanche/andromeda family.

65.109.. initiated contact with a andromeda command and control server, using contents unique to andromeda C&C command protocols.

Technical details of the andromeda detection
65.109.. initiated a tcp connection from 65.109.. using source port 49710, to the sinkhole IP address 184.105.192.2 on destination port 80.

The most recent detection was on: August 26 2023, 18:03:06 UTC.

It's been some days since that connection was made, so trying to troubleshoot things might be fruitless. But: you may add a firewall filter rule which triggers on dst-address=184.105.192.2 and dst-port=80 … and only logs. Then monitor the log to see whodunnit. Or you can actually set action=drop and log it …
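The log-then-drop approach from the reply above, written out as RouterOS CLI commands for the CHR. This is an added example, not from the thread; it assumes VPN client traffic is routed through the forward chain, and the tunnel address 10.10.10.5 and username infected-user are placeholders for whatever the log actually shows.

```routeros
# 1. Log-only rule, placed at the top of the forward chain so it is evaluated
#    before any existing accept rules. Each hit records the VPN client's
#    tunnel address as src-address, which is what we need to identify the user.
/ip firewall filter add chain=forward protocol=tcp dst-address=184.105.192.2 dst-port=80 \
    action=log log-prefix="andromeda-sinkhole" place-before=0 \
    comment="Spamhaus sinkhole - identify infected VPN client"

# 2. Watch for hits. Only an infected client still beaconing will show up;
#    if the malware has gone quiet this will stay empty.
/log print where message~"andromeda-sinkhole"

# 3. Map the logged src-address back to the L2TP/OpenVPN session and user.
#    10.10.10.5 is a placeholder for the address seen in the log.
/ppp active print where address=10.10.10.5

# 4. Contain: disconnect the session and disable the account until the
#    user's machine has been cleaned. "infected-user" is a placeholder.
/ppp active remove [find name="infected-user"]
/ppp secret set [find name="infected-user"] disabled=yes

# 5. Once identified, switch the rule from log-only to drop while keeping the
#    log entries, so further sinkhole contacts are blocked but still visible.
/ip firewall filter set [find comment="Spamhaus sinkhole - identify infected VPN client"] \
    action=drop log=yes log-prefix="andromeda-sinkhole"
```

Keep the rule above any general accept rule in the forward chain; otherwise the traffic is accepted before the sinkhole match is evaluated and nothing gets logged.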