Got this email from Amazon on Friday night...
Please immediately restrict the flow of traffic from your instance(s) to cease disruption to other networks and reply to this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.
It's possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured.
I've checked my server and it looks normal except for very high network I/O during the period in which Amazon said I was doing a DDoS attack. Does anyone have a similar experience? Besides setting a long password, is there any other way to harden your TK Linux on Amazon? Is it a known vulnerability?
This is the log I got from Amazon:
2011-12-09 22:06:11.077031 IP (tos 0x0, ttl 64, id 19848, offset 0, flags [DF], proto UDP (17), length 78) 10.xxx.xxx.xxx.36157 > 184.xxx.xxx.163.53: 29556 updateM [b2&3=0x6400] [0q] (50)
2011-12-09 22:06:11.077044 IP (tos 0x0, ttl 64, id 19849, offset 0, flags [DF], proto UDP (17), length 78) 10.xxx.xxx.xxx.36157 > 184.xxx.xxx.163.53: 29556 updateM [b2&3=0x6400] [0q] (50)
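Added example, not part of the original post and not code from Amazon or TurnKey Linux: a small Python checker for tcpdump "-v -tttt" style lines in the shape pasted above. It counts outbound UDP packets per second per (source, destination, port) and flags flows above a threshold, and separately flags UDP/53 packets that tcpdump rendered with the "updateM" opcode and a raw flag-bit dump "[b2&3=...]", which is not what an ordinary resolver query (e.g. "1234+ A? example.com.") looks like. The sample log, the 10.0.0.0/8 and 198.51.100.0/24 addresses, the function names and the 100 packets/second threshold are all constructed for the example.

```python
import re
from collections import Counter

# Pattern for tcpdump "-v -tttt" style lines in the shape pasted above:
#   <date> <time>.<usec> IP (... proto UDP (17), length N) src.sport > dst.dport: payload
# Assumption: the log was produced in that form; other tcpdump formats are not parsed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ IP \(.*?proto (?P<proto>\w+) \(\d+\), "
    r"length \d+\) (?P<src>[0-9A-Za-z.]+)\.(?P<sport>\d+) > (?P<dst>[0-9A-Za-z.]+)\.(?P<dport>\d+): "
    r"(?P<payload>.*)$"
)

# Payload markers tcpdump emitted in the pasted lines: an "updateM" opcode and a raw
# flag-bit dump "[b2&3=...]", neither of which appears in an ordinary query like "A? host.".
ODD_DNS_RE = re.compile(r"updateM|b2&3=")

# Hypothetical threshold: packets per second from one source to one dst:port that we
# treat as a flood. Tune it to the host's real DNS traffic.
PPS_THRESHOLD = 100


def parse_line(line):
    """Return a dict (ts, proto, src, sport, dst, dport, payload) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_floods(lines, threshold=PPS_THRESHOLD):
    """Count UDP packets per (second, src, dst, dport) and return the flows above threshold."""
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        per_second[(rec["ts"], rec["src"], rec["dst"], rec["dport"])] += 1
    return {key: n for key, n in per_second.items() if n > threshold}


def find_odd_dns(lines):
    """Return UDP/53 records whose payload tcpdump did not render as a normal query/response."""
    odd = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or 53 not in (rec["sport"], rec["dport"]):
            continue
        if ODD_DNS_RE.search(rec["payload"]):
            odd.append(rec)
    return odd


def sample_lines(flood_packets=250):
    """Constructed sample log (not real capture data) in the format of the pasted lines:
    a burst of identical UDP/53 packets, three ordinary A queries, and one SSH ACK."""
    lines = []
    for i in range(flood_packets):
        lines.append(
            f"2011-12-09 22:06:11.{77031 + i:06d} IP (tos 0x0, ttl 64, id {19848 + i}, offset 0, "
            f"flags [DF], proto UDP (17), length 78) 10.0.0.5.36157 > 198.51.100.163.53: "
            f"29556 updateM [b2&3=0x6400] [0q] (50)"
        )
    for i in range(3):
        lines.append(
            f"2011-12-09 22:06:11.{300000 + i} IP (tos 0x0, ttl 64, id {500 + i}, offset 0, "
            f"flags [DF], proto UDP (17), length 57) 10.0.0.5.4102{i} > 10.0.0.2.53: "
            f"{1234 + i}+ A? example.com. (29)"
        )
    lines.append(
        "2011-12-09 22:06:11.400000 IP (tos 0x10, ttl 64, id 900, offset 0, flags [DF], "
        "proto TCP (6), length 52) 10.0.0.5.22 > 198.51.100.7.51234: Flags [.], ack 1, win 227, length 0"
    )
    return lines


def report(lines):
    """One text line per flagged flow plus a count of odd DNS packets, e.g. for the abuse reply."""
    out = []
    for (ts, src, dst, dport), n in sorted(find_floods(lines).items()):
        out.append(f"{ts} {src} -> {dst}:{dport} {n} pkt/s (threshold {PPS_THRESHOLD})")
    out.append(f"{len(find_odd_dns(lines))} UDP/53 packets with non-query DNS headers")
    return out


if __name__ == "__main__":
    import sys
    # With a file argument, read a real tcpdump log; otherwise run on the constructed sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else sample_lines()
    print("\n".join(report(lines)))
```

To run it against the instance itself rather than the sample, capture in the same shape first (`sudo tcpdump -nn -v -tttt udp and dst port 53 > dns.log`) and pass the file as the argument. The "updateM"/"[b2&3=" check is keyed to how tcpdump rendered the pasted packets, not a general DNS decoder, so treat a hit as "the same pattern Amazon reported is still leaving the box", which is what the abuse ticket asks you to stop; it says nothing about how the host was compromised.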