I live in Taiwan and get this message from my ISP a few times a year.
Dear user, our company has received a notification from the National Communications Commission's information security notification platform that your computer was infected with malware on 2021/8/12 at 10:21 and subsequently launched attacks on external targets. To avoid affecting your rights of use, please carry out the measures recommended by the information security notification platform. Thank you!!
[Recommended measures]: 1. Check the system for unknown accounts. 2. Use the nslookup command in a terminal to confirm whether the DNS service on the attached IP is an open DNS resolver. Example: to check whether 168.x.x.x is an open DNS resolver, run nslookup www.google.com.tw 168.x.x.x; if the query returns a network address, the resolver is open. 3. If the DNS service on the system is not needed, it is recommended to disable it, or to adjust the service configuration so that recursive queries are only served to users on the local network.
So I checked the logs around the time they mention, to see what they are talking about.
I have some curious things in the log…
Aug 12 10:20:51 arkadi nslcd[1127]: [39d7fc] <passwd="*"> request denied by validnames option
and later…
Aug 12 10:24:22 arkadi nslcd[1127]: [583f67] <passwd="*"> request denied by validnames option
Aug 12 10:28:09 arkadi slapd[1103]: <= mdb_substring_candidates: (mail) not indexed
Aug 12 10:28:09 arkadi slapd[1103]: <= mdb_substring_candidates: (mail) not indexed
Aug 12 10:28:29 arkadi nslcd[1127]: [102051] <passwd="*"> request denied by validnames option
Is this log entry something to be worried about? It seems to happen quite regularly on my system… every 5 minutes.
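The ISP's nslookup test, as an added example that is not part of the original post: the script below sends one recursion-desired A query for www.google.com.tw to the address you give it (your own server, the 168.x.x.x placeholder in the notice) and applies the notice's criterion, a successful reply carrying address records, to decide whether recursion is being served to outsiders. The function names (build_query, parse_response, is_open_resolver, check_resolver) are my own; it uses only the Python standard library.

```python
import random
import socket
import struct
import sys

def build_query(name, txid=None):
    """Build a DNS A query for `name` with RD (recursion desired) set, as nslookup does."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD only
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1), txid   # QTYPE=A, QCLASS=IN

def parse_response(data, txid):
    """Decode the DNS header; only the flags and the answer count matter for this check."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    return {"ra": bool(flags & 0x0080),   # server advertises recursion available
            "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
            "answers": an}

def is_open_resolver(info):
    """The notice's criterion: a NOERROR reply with address records means the server recursed for us."""
    return info["rcode"] == 0 and info["answers"] > 0

def check_resolver(server_ip, name="www.google.com.tw", timeout=3.0):
    """Send one UDP query to server_ip:53 and return the parsed header fields."""
    query, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data, txid)

if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # address of your own DNS server
    try:
        info = check_resolver(ip)
    except OSError as e:  # includes socket.timeout: port 53 closed or filtered
        print(f"{ip}: no reply ({e})")
    else:
        verdict = "OPEN RESOLVER" if is_open_resolver(info) else "not open"
        print(f"{ip}: {verdict} (rcode={info['rcode']}, RA={info['ra']}, answers={info['answers']})")
```

A server that only serves its own zones typically answers REFUSED (rcode 5) with RA clear, which the script reports as "not open"; a slapd/nslcd host with no DNS service at all simply times out.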