Today I received a message that a server that I have created using Laravel Forge may be compromised and is being used in a botnet. I was under the impression that servers created using Laravel Forge were secured by default? Has anyone else experienced anything like this?
The email I got:
Dear Mr [my name here],
We have received information regarding spam and/or abuse from [email protected].
This is an information email only and does not require any further action on your part.
It is your choice whether or not to investigate the complaint.
We do not expect any response.
Information:
(Spanish version follows)
Dear Team,
INCIBE-CERT has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet.
As you are probably aware, Fast Flux botnets are built upon a network of compromised machines in order to provide better reliability to their evil deeds.
We can only infer that the detected domains are indeed fast flux domains from the DNS resolution. However, finding a host's IP address belonging to a fast flux domain is a strong indicator that the host is compromised (or has been in the past; sometimes the evildoer fails to promptly remove the IP from the fast flux domain).
We recommend you to enquire of the customer whether they recognize the domain as one they own or provide a service to. In case they don't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.
At the bottom of this email you can find the information, concerning the hosts under your constituency that have been gathered since our last notification, as well as attached for your convenience.
The file is formatted as follows:
[Timestamp] [IP] [Domain] [Country] [AS]
Timestamp format is dd/mm/yyyy hh:mm:ss UTC
As this information is collected from public services, you can share it with other involved entities (like ISPs, CERTs or other companies).
We hope this information regarding the security of your customers/clients is useful to you. In case of further questions, or if you need any help on this issue, please feel free to contact us at .
You can contact us if you detect any fraudulent activity under a .es domain or related with Spanish resources, and we would try to help you to solve it.
Thank you.
Best Regards,
1- https://en.wikipedia.org/wiki/Fast_flux
--
INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute
https://www.incibe-cert.es/
INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
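The notice above says the attached report lists one sighting per line as `[Timestamp] [IP] [Domain] [Country] [AS]` with timestamps in `dd/mm/yyyy hh:mm:ss UTC`, and that the right first step is to check whether the listed IP is yours and whether you recognise the domain. The following is an added example (not code from the original post, from Laravel Forge, or from INCIBE-CERT) showing how a defender would parse such a report and pull out the entries for their own server addresses. The sample report body, the IPs (documentation ranges), the `.invalid` domains and the AS numbers are all constructed placeholders, not values from the page.

```python
"""Parse a fast-flux abuse report in the [Timestamp] [IP] [Domain] [Country] [AS]
format and check whether any of your own server addresses appear in it.

Added example; not code from the original post or from INCIBE-CERT.
Sample data below is constructed with documentation IP ranges and .invalid domains.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Timestamp format stated in the notice: dd/mm/yyyy hh:mm:ss, always UTC.
TIMESTAMP_FORMAT = "%d/%m/%Y %H:%M:%S"

# Constructed sample report body (placeholder values, not real indicators).
SAMPLE_REPORT = """\
03/02/2020 14:05:11 192.0.2.10 flux-example.invalid ES AS64496
03/02/2020 14:05:11 198.51.100.7 flux-example.invalid NL AS64497
03/02/2020 15:20:43 192.0.2.10 other-flux.invalid ES AS64496
# comment lines and blank lines are ignored
04/02/2020 09:00:00 203.0.113.5 flux-example.invalid DE AS64498
"""


@dataclass(frozen=True)
class ReportEntry:
    timestamp: datetime
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    domain: str
    country: str
    asn: str


def parse_report(text: str) -> list[ReportEntry]:
    """Parse report lines; raises ValueError on a malformed line so that a
    truncated or mangled attachment is noticed rather than silently skipped."""
    entries: list[ReportEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # The timestamp itself contains a space (date + time), so 5 fields -> 6 tokens.
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts) - 1}")
        date, clock, ip, domain, country, asn = parts
        ts = datetime.strptime(f"{date} {clock}", TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
        entries.append(ReportEntry(ts, ipaddress.ip_address(ip), domain.lower(), country, asn))
    return entries


def entries_for_my_hosts(entries: list[ReportEntry], my_ips: list[str]) -> dict[str, list[ReportEntry]]:
    """Keep only entries whose IP is one of your own addresses, grouped by IP.
    Comparing ipaddress objects avoids false mismatches from formatting differences."""
    mine = {ipaddress.ip_address(ip) for ip in my_ips}
    hits: dict[str, list[ReportEntry]] = defaultdict(list)
    for entry in entries:
        if entry.ip in mine:
            hits[str(entry.ip)].append(entry)
    return dict(hits)


def summarize(hits: dict[str, list[ReportEntry]]) -> dict[str, dict]:
    """Per affected IP: which domains pointed at it and the first/last sighting,
    which shows how long the host has been listed and which domains to ask about."""
    summary: dict[str, dict] = {}
    for ip, found in hits.items():
        ordered = sorted(found, key=lambda e: e.timestamp)
        summary[ip] = {
            "domains": sorted({e.domain for e in found}),
            "first_seen": ordered[0].timestamp,
            "last_seen": ordered[-1].timestamp,
            "sightings": len(found),
        }
    return summary


if __name__ == "__main__":
    # Hypothetical list of your own Forge server addresses (constructed).
    my_servers = ["192.0.2.10", "192.0.2.99"]
    report = parse_report(SAMPLE_REPORT)
    for ip, info in summarize(entries_for_my_hosts(report, my_servers)).items():
        print(f"{ip}: listed {info['sightings']}x under {info['domains']} "
              f"between {info['first_seen']:%Y-%m-%d %H:%M} and {info['last_seen']:%Y-%m-%d %H:%M} UTC")
```

If one of your addresses comes out of `summarize`, the domains it lists are the ones to check against what you actually host; a domain you do not recognise pointing at your server is the indicator the notice describes, and the host should be treated as compromised until it has been rebuilt and the way in has been closed.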