Today i received an email from AWS telling me that one of the EC2 instance i’m running is doing DDoS against an other server (against port 80 through UDP)
Here are my suggestions to start investigating on this kind of issue:
- SSH authorized_keys backdoor let by the originated AMI owner: please go to /root/.ssh/authorized_keys You should see ONLY 1 KEY : the one you allowed through AWS (API or web Console) .
- Monitor traffic through tcpdump in verbose mod (for example in my case tcpdump -vv udp or port 80)
- List all running processes on your instance pf -ef and identify every one. Kill/Uninstall everyone unclear/strange/unnecessary
- Look inside your crontab too: this could be a good way to temporary run and stop some backdoor process (by night for instance)
- Analyze your logs
Once you identify the origin of your zombie software/script, if this is something intentionally placed inside the AMI since the beginning and not just put there by hacking your server: you can identify the AMI owner account and report this to AWS support.
Here is a way to find an AMI owner account
My last advices on AWS EC2:
- Always Use AWS Official AMIs whenever you can
- If for some reason you have to use a Community AMI
- please deploy it in a Restricted SecurityGroup (for example ONLY Inbound SSH from your specific LAN/IP when deploying)
- clean your root/.ssh/authorized_keys to keep only your official one
- monitor process/crontab/installed software to clean your instance
- allow Outbound traffic and another necessary inbound traffic ONLY for the needed Source (not from 0.0.0.0/0 if you don’t absolutely need to)
- Monitor your Outbound traffic specially against services HTTP or DNS
Please share your ways and experiences.