I was a victim of an AWS public AMI hidden backdoor :-)

Today I received an email from AWS telling me that one of the EC2 instances I’m running is doing a DDoS against another server (against port 80 over UDP).

Screenshot from 2015-04-20 23:58:00

Here are my suggestions for starting to investigate this kind of issue:

  1. SSH authorized_keys backdoor left by the original AMI owner: check /root/.ssh/authorized_keys. You should see ONLY ONE key: the one you provisioned through AWS (API or web console).
  2. Monitor traffic with tcpdump in verbose mode (in my case, for example, tcpdump -vv udp or port 80).
  3. List all running processes on your instance with ps -ef and identify every one. Kill/uninstall anything unclear, strange or unnecessary.
  4. Look inside your crontab too: this is an easy way to start and stop a backdoor process temporarily (at night, for instance).
  5. Analyze your logs.
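As an added example (not code from the original post), the following POSIX shell script automates steps 1, 3 and 4 above on a Linux host: it extracts the key material from authorized_keys files (ignoring options such as no-pty,command=... and trailing comments), compares it with an allowlist file holding the key you provisioned through AWS, walks every account in /etc/passwd rather than only root, and pulls the command out of each crontab entry. The allowlist file, the --demo/--live switches and the "scratch directory or hidden path" heuristic for cron jobs are my assumptions; the sample keys, passwd entries and crontab used by --demo are constructed.

```shell
#!/bin/sh
# Added triage helpers for a possibly backdoored EC2 instance (example code,
# not from the original post). Assumes a POSIX shell, awk, grep and coreutils.
# Limitation: authorized_keys options whose value contains spaces
# (e.g. command="a b") are not parsed.

# Print "keytype base64" for every key in authorized_keys file $1, dropping
# leading options and trailing comments. Missing/unreadable file -> no output.
key_material() {
  [ -r "$1" ] || return 0
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); break }
    }' "$1"
}

# Number of keys in $1 (comments and blank lines excluded).
count_keys() {
  key_material "$1" | grep -c . || true
}

# Keys present in $1 that are NOT in allowlist file $2 (the key(s) you
# provisioned through the AWS console or API). Anything printed is unexpected.
unexpected_keys() {
  key_material "$1" | while IFS= read -r key; do
    if ! key_material "$2" | grep -qxF -- "$key"; then
      printf '%s\n' "$key"
    fi
  done
}

# Every existing ~/.ssh/authorized_keys for the accounts in passwd-format
# file $1 (pass /etc/passwd on a live host). Checking only /root misses keys
# dropped into other accounts' home directories.
authorized_keys_files() {
  awk -F: '$6 != "" { print $6 "/.ssh/authorized_keys" }' "$1" |
  while IFS= read -r f; do
    if [ -f "$f" ]; then printf '%s\n' "$f"; fi
  done
}

# Command part of each job in user-crontab file $1 (five time fields or an
# @reboot-style nickname, then the command). Comments, blank lines and
# VAR=value assignments are skipped.
cron_commands() {
  awk '
    /^[[:space:]]*(#|$)/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    {
      start = ($1 ~ /^@/) ? 2 : 6
      out = ""
      for (i = start; i <= NF; i++) out = out (i > start ? " " : "") $i
      print out
    }' "$1"
}

# Heuristic (my assumption, not from the post): cron jobs whose program lives
# in a world-writable scratch directory or under a hidden (dot) path
# component deserve a closer look.
suspicious_cron() {
  cron_commands "$1" | grep -E '^(/tmp|/var/tmp|/dev/shm)/|/\.[^/ ]' || true
}

# Constructed sample files so the checks can be exercised offline.
demo() {
  d=$(mktemp -d)
  printf 'ssh-rsa AAAAB3...mine my-aws-keypair\n' > "$d/allowed"
  mkdir -p "$d/root/.ssh"
  printf '# managed by AWS\nssh-rsa AAAAB3...mine my-aws-keypair\n' > "$d/root/.ssh/authorized_keys"
  printf 'no-pty ssh-ed25519 AAAAC3...extra ami-builder\n' >> "$d/root/.ssh/authorized_keys"
  printf 'MAILTO=root\n0 2 * * * /usr/bin/updatedb\n*/5 * * * * /tmp/.x/sync.sh >/dev/null 2>&1\n@reboot /var/tmp/.cache/run\n' > "$d/crontab"
  echo "== keys not provisioned through AWS =="
  unexpected_keys "$d/root/.ssh/authorized_keys" "$d/allowed"
  echo "== cron jobs worth a look =="
  suspicious_cron "$d/crontab"
  rm -rf "$d"
}

# Live mode: sh triage.sh --live /path/to/allowed_keys (run as root).
live() {
  for f in $(authorized_keys_files /etc/passwd); do
    echo "== $f: $(count_keys "$f") key(s); unexpected: =="
    unexpected_keys "$f" "$1"
  done
  echo "== processes: identify every one =="
  ps -eo pid,ppid,user,etime,args
  echo "== current user's cron jobs worth a look =="
  crontab -l 2>/dev/null | suspicious_cron /dev/stdin
  # Step 2 is left to tcpdump; to see only the traffic AWS reported:
  #   tcpdump -nn -vv 'udp and port 80'
}

case "${1:-}" in
  --demo) demo ;;
  --live) live "${2:?allowlist file required}" ;;
esac
```

Run it with --demo to see the constructed findings, or with --live and the path to a file containing your AWS-provisioned public key to audit the instance itself. Treat every line printed under "unexpected" as a key you did not put there, and compare the cron and process output against what you installed on purpose.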

Once you have identified the origin of the zombie software/script, and if it was intentionally placed inside the AMI from the beginning rather than installed by someone hacking your server, you can identify the AMI owner's account and report it to AWS support.

Here is a way to find an AMI owner account:

Screenshot from 2015-04-21 00:10:53

My final advice on AWS EC2:

  1. Always use AWS official AMIs whenever you can.
  2. If for some reason you have to use a Community AMI:
    1. deploy it in a restricted Security Group (for example, ONLY inbound SSH from your specific LAN/IP while deploying)
    2. clean /root/.ssh/authorized_keys so that only your official key remains
    3. review processes, crontabs and installed software to clean your instance
    4. allow outbound traffic, and any other necessary inbound traffic, ONLY for the needed sources (not from 0.0.0.0/0 unless you absolutely need to)
    5. monitor your outbound traffic, especially towards HTTP or DNS services

Please share your ways and experiences.

Cheers🙂
