- Newest
- Most votes
- Most comments
Start with reviewing your Security Group(s) and ensure that you are not allowing file transfer protocols such as FTP or SFTP in from the internet (0.0.0.0/0). Same goes for SSH -- only allow SSH from your (or trusted) IP addresses.
You can open a Support Case (link to AWS Support Center in the top right under Resources) for assistance.
Under the Shared Responsibility Model, support for the OS (Ubuntu) on your instance falls to you. Support can help with reviewing Security Groups and enabling services such as GuardDuty to monitor connections from known malicious IPs.
So first up the lockdown/security check up stuff
As mentioned by this comment checking your Security Group settings is a good start. So if this EC2 instance is running a public webserver make sure that only the ports required for the application to work are open (Commonly 80 + 443 but could differ based on your needs).
If you manage the instance via traditional SSH over port 22 then yes making sure that port is locked down to whitelisted IP addresses.
A good article from AWS
https://repost.aws/knowledge-center/ec2-ssh-best-practices
Make sure your web application is up to date and that you follow best practices for securing it.
Now the investigating who/what
It really does sound like you have a vulnerability open on the application side. So again as mentioned in this comment the shared responsibility model does apply.
But some generic advice -
How to view logs in Ubuntu and the types of logs available https://ubuntu.com/tutorials/viewing-and-monitoring-log-files#1-overview
Firstly, if you think that an unauthorised user is accessing your EC2 then change the password associated with that username, and rotate any keypairs associated with it.
It would be a fair assumption that whichever user owns the files which have re-appeared will be the user who accessed your host and uploaded them.
Looking at other possibilities - did you restore the EC2 from backup on 8th August, from a backup/snapshot taken on or before 5th August?
Do you have an scheduled job (in e.g. cron
) that will run every few days to refresh these files?
Are you running something like Puppet or Ansible that will detect any configuration drift and remediate back to a baseline (so the absence of the files that you deleted will be noticed and "fixed")?
Relevant content
- asked 7 days ago
- How can I get data to assist in troubleshooting IAM permission access denied or unauthorized errors?AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago