2 answers
1
Some additional guidance if you need it:
- You don't mention if you replied back to the Abuse report email. If not, do make sure to reply and let them know the actions you have taken so far and any additional actions you plan to take. This is to ensure the Abuse team do not take further action against your account because they had not heard back from you.
- Some websites with forum/social features will do automatic link expansion when someone posts a URL in a chat. This requires the server to make outbound connections to download a preview of the page. This can cause unexpected patterns of outbound web traffic from your server. If you have such features on your site consider disabling them.
- You do not mention how you keep your WordPress application up to date or what plugins it has. In my experience the most critical part of keeping this application secure is rigorously keeping it updated and being very careful which plugins you install. You can get guidance on this from https://wordpress.com/support/security/ as well as many other third-party guides for running WordPress.
- To eliminate any malicious changes to the underlying host you can back up the WordPress data, redeploy a new LS instance, disable IPv6 from the beginning, ensure all components are fully patched, apply the appropriate network security layers, then restore your backup, update DNS to point to the new server and see if the problem recurs. You can delete the original instance, although you can keep it offline and investigate further, but this will add to your costs.
- If this still does not resolve the issue, the next steps I'd recommend would be deploying additional tools to get low-level visibility into your network traffic, such as VPC Flow Logs, AWS Network Firewall, and enabling both the Amazon GuardDuty service and the Amazon Detective service, which enables you to see complex network flows from your instances. However, these all have service charges, so if your application is very cost sensitive you may want to use them only for a short period until the problem is resolved. (Several of these services do have free trials for a limited period of time.) If it fits into your budget it is highly recommended to keep Amazon GuardDuty running all the time to monitor for network and AWS account level security issues.
Answered 2 years ago
0
Hello,
There are a few potential things to do:
- Scan the instance with Amazon Inspector, though it might not be free.
- Scan the instance with some antivirus software (like ClamAV). Here is an example (refer to the first part only; I believe you don't need to automate it for regular actions).
- If your instance doesn't need to make outgoing connections to internet (like your app doesn't need to load anything from internet) - you can configure outbound rules in security group to prevent such connections
Regarding the WAF: note that it protects the app itself from incoming threats, but it doesn't help if the app is compromised and does some bad things by itself.
Answered 2 years ago
Hi Friend:
I have been out with an infected molar removal. Not fun. Just getting back into the swing here.
Yes, I reported back to Abuse, looking for their guidance and help (and patience) as I root cause this and remediate.
We have all social media features of WP disabled. No public commenting/posting, no plugins for this. It's all just basic pages really.
I use PLESK Obsidian with Wordpress Tool kit to keep the site up to date. I typically do updates daily (not automatic b/c I need to test). I have the AWS network configuration locked down to IP4 now. (IP6 has since been disabled.) Have a new Network Rule in AWS's network config to only allow SSH access from my corporate IP. I am running Immunity 360 to help look for threats via plesk on my single WP instance. (We only have the one.)
I just installed CLAMAV and it's not finding anything.
I run Wordfence with 2FA on our admin accounts.
At this point, I have no idea what the process source is. But obviously, there is some process running that is making the connections. netstat -an doesn't show anything active outbound to 443. I may have to install wireshark and try to figure out how to do some outbound capture on 443 for next steps. But really, I need to find the process that is making the connections and root it out.
I may end up taking the approach to build a new instance. But TBH, that is only going to leave me unknowing of how this system got compromised so that I can harden it even further. I need to do that.