
Unauthorized File Uploads on Ubuntu EC2 Instance - Request for Assistance in Identifying the Source

0

I am reaching out to request assistance in identifying the source of unauthorized file uploads on my Ubuntu EC2 instance. Despite deleting the files on August 5, 2024, they reappeared on August 8, 2024. I am concerned about the security of my instance and would like to determine who or what is responsible for these uploads.

The files in question are:

- dev.php
- wpx.php
- eval-stdin.php (located in the vendor/phpunit/phpunit/src/Util/PHP/ directory)
- XyzMailer.php (located in the server root directory /var/www/new/)

I would like to request guidance on how to investigate this issue and identify the source of these unauthorized file uploads. Specifically, I would like to know:

- How can I review the instance's security logs to determine who or what uploaded these files?
- Are there any AWS services or tools that can help me identify the source of these uploads?
- What steps can I take to prevent similar incidents in the future?

I would appreciate any assistance or guidance the AWS support team can provide in resolving this issue.

Asked 1 year ago, 272 views
3 answers
0

Start with reviewing your Security Group(s) and ensure that you are not allowing file transfer protocols such as FTP or SFTP in from the internet (0.0.0.0/0). Same goes for SSH -- only allow SSH from your (or trusted) IP addresses.

You can open a Support Case (link to AWS Support Center in the top right under Resources) for assistance.

Under the Shared Responsibility Model, support for the OS (Ubuntu) on your instance falls to you. Support can help with reviewing Security Groups and enabling services such as GuardDuty to monitor connections from known malicious IPs.

AWS
Expert
Answered 1 year ago
0

So first up, the lockdown/security check-up stuff.

As mentioned by this comment, checking your Security Group settings is a good start. So if this EC2 instance is running a public webserver, make sure that only the ports required for the application to work are open (commonly 80 + 443, but could differ based on your needs).

If you manage the instance via traditional SSH over port 22, then yes, make sure that port is locked down to whitelisted IP addresses.
A good article from AWS: https://repost.aws/knowledge-center/ec2-ssh-best-practices

Make sure your web application is up to date and that you follow best practices for securing it.

Now, investigating the who/what.

It really does sound like you have a vulnerability open on the application side. So again, as mentioned in this comment, the shared responsibility model does apply.

But some generic advice:

How to view logs in Ubuntu and the types of logs available: https://ubuntu.com/tutorials/viewing-and-monitoring-log-files#1-overview

Answered 1 year ago
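The answer above points at the Ubuntu log tutorial in general; the concrete first pass an investigator would make for this question is to pull every web-server request that touched the four named files (and who sent them) and to check auth.log for logins around the same time. The script below is an added example, not code from the thread or from AWS: it assumes an Apache/nginx combined-format access log and a syslog-style auth.log, and every log line, IP address and timestamp in it is constructed sample data. On the instance, point the functions at /var/log/apache2/access.log (or the nginx equivalent) and /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): first-pass log triage for the
# four files the question names. Two log types are checked: the web server's
# combined-format access log (who requested the files) and auth.log (who
# logged in over SSH around the same time). All log lines, IPs and timestamps
# below are constructed sample data; on the instance point the functions at
# /var/log/apache2/access.log (or nginx's) and /var/log/auth.log instead.

SUSPECT_FILES='dev\.php|wpx\.php|eval-stdin\.php|XyzMailer\.php'

# Access-log lines whose request line references one of the suspect files.
suspect_requests() {
    grep -E "\"(GET|POST|PUT) [^\" ]*(${SUSPECT_FILES})" "$1"
}

# Number of those requests that were writes (POST/PUT): an upload or a
# code-execution attempt shows up here rather than as a plain GET.
write_attempts() {
    suspect_requests "$1" | grep -Ec '"(POST|PUT) '
}

# Client IPs behind the suspect requests, busiest first ("count ip").
top_sources() {
    suspect_requests "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Successful SSH logins from auth.log, printed as "Mon DD HH:MM:SS user ip".
ssh_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted (password|publickey) for ' "$1" \
        | awk '{print $1, $2, $3, $9, $11}'
}

# --- constructed sample logs so the script runs stand-alone --------------
ACCESS_LOG=$(mktemp)
AUTH_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG" "$AUTH_LOG"' EXIT

cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [08/Aug/2024:02:14:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [08/Aug/2024:02:14:10 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Aug/2024:02:14:12 +0000] "GET /wpx.php HTTP/1.1" 200 301 "-" "curl/8.0"
203.0.113.7 - - [08/Aug/2024:02:15:40 +0000] "POST /XyzMailer.php HTTP/1.1" 200 77 "-" "python-requests/2.31"
192.0.2.9 - - [08/Aug/2024:03:01:00 +0000] "GET /dev.php HTTP/1.1" 404 196 "-" "curl/8.0"
EOF

cat > "$AUTH_LOG" <<'EOF'
Aug  8 01:58:21 ip-10-0-0-5 sshd[2210]: Accepted publickey for ubuntu from 198.51.100.20 port 50122 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
Aug  8 02:13:55 ip-10-0-0-5 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Aug  8 02:20:02 ip-10-0-0-5 CRON[2350]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

echo "== requests touching suspect files =="; suspect_requests "$ACCESS_LOG"
echo "== source IPs =="; top_sources "$ACCESS_LOG"
echo "== write attempts: $(write_attempts "$ACCESS_LOG")"
echo "== SSH logins =="; ssh_logins "$AUTH_LOG"
```

The useful signal is the pairing: a POST to eval-stdin.php from an address that never logged in over SSH points at the web application as the entry point (the thread's working theory), whereas a matching SSH login from the same address points at a compromised key or password. Rotated logs (access.log.1, *.gz via zcat) for the days around August 5 and 8 should be fed through the same functions.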
0

Firstly, if you think that an unauthorised user is accessing your EC2 then change the password associated with that username, and rotate any keypairs associated with it.

It would be a fair assumption that whichever user owns the files which have re-appeared will be the user who accessed your host and uploaded them.

Looking at other possibilities - did you restore the EC2 from backup on 8th August, from a backup/snapshot taken on or before 5th August?

Do you have a scheduled job (in e.g. cron) that will run every few days to refresh these files?

Are you running something like Puppet or Ansible that will detect any configuration drift and remediate back to a baseline (so the absence of the files that you deleted will be noticed and "fixed")?

Expert
Answered 1 year ago
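The answer above suggests three checks: who owns the re-created files, whether a cron job refreshes them, and whether a configuration-management agent restores them. The script below is an added example (not code from the thread or from AWS) that performs those checks in one place. It assumes GNU stat as shipped with Ubuntu, and the directory tree, file contents and cron entries it creates are a constructed fixture so it runs stand-alone; on the instance, call the functions with /var/www, /etc/cron.d and /var/spool/cron/crontabs (the last is readable only by root).

```shell
#!/bin/sh
# Added example (not from the re:Post thread): attribute the re-created files
# and look for what keeps bringing them back. It reports owner and
# mtime/ctime for every copy of the named files under a web root, searches
# cron directories for references to them, and lists any config-management
# agents on the host. The directory layout below is a constructed fixture;
# on the instance use /var/www, /etc/cron.d and /var/spool/cron/crontabs.

SUSPECT_NAMES='dev.php wpx.php eval-stdin.php XyzMailer.php'
SUSPECT_REGEX='dev\.php|wpx\.php|eval-stdin\.php|XyzMailer\.php'

# One line per copy: "owner:group mtime=<...> ctime=<...> path". The owner is
# the account (web server user vs. a login user) that wrote the file; ctime
# is when it last (re)appeared. Uses GNU stat as on Ubuntu.
file_facts() {
    for name in $SUSPECT_NAMES; do
        find "$1" -type f -name "$name" \
            -exec stat -c '%U:%G mtime=%y ctime=%z %n' {} \;
    done
}

# Number of suspect file copies under the root.
suspect_file_count() {
    file_facts "$1" | grep -c .
}

# Cron definitions (given as one or more directories) that mention any of
# the files; prints the matching crontab paths.
cron_references() {
    grep -rEl "$SUSPECT_REGEX" "$@" 2>/dev/null || true
}

# Config-management agents that could be restoring a "baseline" copy.
cm_agents() {
    for agent in puppet chef-client salt-minion ansible-pull; do
        command -v "$agent" 2>/dev/null || true
    done
}

# --- constructed fixture so the script runs stand-alone ------------------
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
mkdir -p "$FIXTURE/www/new/vendor/phpunit/phpunit/src/Util/PHP" \
         "$FIXTURE/cron.d" "$FIXTURE/crontabs"
printf '<?php\n' > "$FIXTURE/www/new/XyzMailer.php"
printf '<?php\n' > "$FIXTURE/www/new/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
printf '<?php\n' > "$FIXTURE/www/new/wpx.php"
# A constructed "refresh" job of the kind the answer asks about: it copies
# one of the files back into the web root every three days.
printf '0 3 */3 * * root cp /srv/site-backup/wpx.php /var/www/new/wpx.php\n' \
    > "$FIXTURE/cron.d/refresh"
printf '@reboot /usr/bin/true\n' > "$FIXTURE/crontabs/ubuntu"

echo "== file facts =="; file_facts "$FIXTURE/www"
echo "== cron references =="; cron_references "$FIXTURE/cron.d" "$FIXTURE/crontabs"
echo "== config-management agents =="; cm_agents
```

Reading the output: a ctime on August 8 with the web server's account (www-data on a stock Ubuntu Apache/nginx install) as owner supports the application-side theory, while a ctime matching the instance's launch time supports the restore-from-snapshot theory in the answer. A hit from cron_references, or a listed agent, explains the "reappeared" behaviour directly and tells you which definition or baseline to clean up alongside the files.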
