Unauthorized File Uploads on Ubuntu EC2 Instance - Request for Assistance in Identifying the Source

0

I am reaching out to request assistance in identifying the source of unauthorized file uploads on my Ubuntu EC2 instance. Despite deleting the files on August 5, 2024, they reappeared on August 8, 2024. I am concerned about the security of my instance and would like to determine who or what is responsible for these uploads. The files in question are:

dev.php
wpx.php
eval-stdin.php (located in the vendor/phpunit/phpunit/src/Util/PHP/ directory)
XyzMailer.php (located in the server root directory /var/www/new/)

I would like to request guidance on how to investigate this issue and identify the source of these unauthorized file uploads. Specifically, I would like to know:

How can I review the instance's security logs to determine who or what uploaded these files?
Are there any AWS services or tools that can help me identify the source of these uploads?
What steps can I take to prevent similar incidents in the future?

I would appreciate any assistance or guidance the AWS support team can provide in resolving this issue.

Vipul
asked 2 months ago, 172 views
3 Answers
0

Start with reviewing your Security Group(s) and ensure that you are not allowing file transfer protocols such as FTP or SFTP in from the internet (0.0.0.0/0). Same goes for SSH -- only allow SSH from your (or trusted) IP addresses.

You can open a Support Case (link to AWS Support Center in the top right under Resources) for assistance.

Under the Shared Responsibility Model, support for the OS (Ubuntu) on your instance falls to you. Support can help with reviewing Security Groups and enabling services such as GuardDuty to monitor connections from known malicious IPs.

AWS
EXPERT
iBehr
answered 2 months ago
0

So, first up, the lockdown/security check-up stuff.

As mentioned in this comment, checking your Security Group settings is a good start. So if this EC2 instance is running a public web server, make sure that only the ports required for the application to work are open (commonly 80 + 443, but this could differ based on your needs).

If you manage the instance via traditional SSH over port 22, then yes, make sure that port is locked down to whitelisted IP addresses.
A good article from AWS: https://repost.aws/knowledge-center/ec2-ssh-best-practices

Make sure your web application is up to date and that you follow best practices for securing it.

Now, investigating the who/what.

It really does sound like you have a vulnerability open on the application side. So again, as mentioned in this comment, the shared responsibility model does apply.

But some generic advice:

How to view logs in Ubuntu and the types of logs available: https://ubuntu.com/tutorials/viewing-and-monitoring-log-files#1-overview

Chris
answered 2 months ago
0

Firstly, if you think that an unauthorised user is accessing your EC2, then change the password associated with that username, and rotate any keypairs associated with it.

It would be a fair assumption that whichever user owns the files which have re-appeared will be the user who accessed your host and uploaded them.

Looking at other possibilities - did you restore the EC2 from backup on 8th August, from a backup/snapshot taken on or before 5th August?

Do you have a scheduled job (in e.g. cron) that will run every few days to refresh these files?

Are you running something like Puppet or Ansible that will detect any configuration drift and remediate back to a baseline (so the absence of the files that you deleted will be noticed and "fixed")?

EXPERT
Steve_M
answered 2 months ago
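One way to work through the "who/what" question from Chris's log-review pointer and Steve_M's file-owner observation, as an added example that is not from any answer in this thread: it takes the owner and modification time of each suspicious file (as `stat -c '%U %y %n' <file>` reports them) plus the web server's access log, and reports whether the web-server account wrote the file, which client IPs requested it afterwards, and which POST requests landed just before it appeared. The server root /var/www/new and the file names come from the question; the file owners, times, log lines and the list of web-server account names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" access-log format; sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
DOC_ROOT = "/var/www/new"                    # server root named in the question
WEB_USERS = {"www-data", "apache", "nginx"}  # accounts a web server runs as (assumption)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def correlate(files, log_lines, window=timedelta(minutes=10)):
    """files: (path, owner, mtime) triples as `stat` reports them. For each file,
    report whether the web-server account owns it (i.e. the web app, not a shell
    user, wrote it), which client IPs requested it, and the POSTs in the window
    before its mtime (candidates for the request that dropped it)."""
    events = [e for e in map(parse_line, log_lines) if e]
    report = {}
    for path, owner, mtime in files:
        url = path[len(DOC_ROOT):] if path.startswith(DOC_ROOT) else path
        hits = [e for e in events if e["path"].split("?", 1)[0] == url]
        uploads = [e for e in events
                   if e["method"] == "POST" and mtime - window <= e["ts"] <= mtime]
        report[path] = {
            "owned_by_webserver": owner in WEB_USERS,
            "executed_from": sorted({e["ip"] for e in hits}),
            "upload_candidates": [(e["ts"].isoformat(), e["ip"], e["path"]) for e in uploads],
        }
    return report

# Constructed sample data standing in for real `stat` output and access-log lines.
T = datetime(2024, 8, 8, 3, 14, 27, tzinfo=timezone.utc)  # file mtime from stat
SAMPLE_FILES = [
    ("/var/www/new/XyzMailer.php", "www-data", T),
    ("/var/www/new/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "ubuntu", T),
]
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Aug/2024:03:14:05 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Aug/2024:03:14:31 +0000] "POST /XyzMailer.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '198.51.100.2 - - [08/Aug/2024:03:20:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

On the instance the log is normally /var/log/apache2/access.log or /var/log/nginx/access.log, and the rotated copies (access.log.1, access.log.*.gz) are needed to cover the 5 August window as well. A file owned by www-data with a POST from the same client shortly before its mtime points at the web application, which matches the "vulnerability on the application side" reading above; a file owned by a shell user points instead at the cron/restore/config-management possibilities.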
