Unauthorized File Uploads on Ubuntu EC2 Instance - Request for Assistance in Identifying the Source

0

I am reaching out to request assistance in identifying the source of unauthorized file uploads on my Ubuntu EC2 instance. Despite deleting the files on August 5, 2024, they reappeared on August 8, 2024. I am concerned about the security of my instance and would like to determine who or what is responsible for these uploads.

The files in question are:

- dev.php
- wpx.php
- eval-stdin.php (located in the vendor/phpunit/phpunit/src/Util/PHP/ directory)
- XyzMailer.php (located in the server root directory /var/www/new/)

I would like to request guidance on how to investigate this issue and identify the source of these unauthorized file uploads. Specifically, I would like to know:

1. How can I review the instance's security logs to determine who or what uploaded these files?
2. Are there any AWS services or tools that can help me identify the source of these uploads?
3. What steps can I take to prevent similar incidents in the future?

I would appreciate any assistance or guidance the AWS support team can provide in resolving this issue.

Asked 3 months ago, 186 views
3 Answers
0

Start with reviewing your Security Group(s) and ensure that you are not allowing file transfer protocols such as FTP or SFTP in from the internet (0.0.0.0/0). Same goes for SSH -- only allow SSH from your (or trusted) IP addresses.

You can open a Support Case (link to AWS Support Center in the top right under Resources) for assistance.

Under the Shared Responsibility Model, support for the OS (Ubuntu) on your instance falls to you. Support can help with reviewing Security Groups and enabling services such as GuardDuty to monitor connections from known malicious IPs.

AWS
EXPERT
Answered 3 months ago
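The answer above says to check Security Groups for file-transfer and SSH ports open to the whole internet. As an added example (not from this thread, and not AWS code), here is a small offline audit over the JSON shape that `aws ec2 describe-security-group-rules --output json` returns. The rules below are constructed sample data; the "risky ports" mapping is this example's own choice, limited to the protocols the answer names (FTP on 21, SSH and SFTP on 22).

```python
"""Audit EC2 security-group ingress rules for internet-wide exposure.

Added example for the re:Post thread above; not AWS code. Input mirrors the
field names of `aws ec2 describe-security-group-rules`; the sample rules are
constructed and belong to no real account.
"""
import json

# Ports the answer singles out as dangerous when open to 0.0.0.0/0.
# (Example's own mapping; SFTP rides on the SSH port, so 22 covers both.)
RISKY_PORTS = {21: "FTP", 22: "SSH/SFTP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample: HTTP/HTTPS open to the world is expected for a web
# server; SSH open to the world and an "all traffic" IPv6 rule are not.
# The /32 rule shows the recommended pattern: admin ports from one trusted IP.
SAMPLE_RULES_JSON = json.dumps({
    "SecurityGroupRules": [
        {"SecurityGroupRuleId": "sgr-0a1", "GroupId": "sg-web", "IsEgress": False,
         "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIpv4": "0.0.0.0/0"},
        {"SecurityGroupRuleId": "sgr-0a2", "GroupId": "sg-web", "IsEgress": False,
         "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv4": "0.0.0.0/0"},
        {"SecurityGroupRuleId": "sgr-0a3", "GroupId": "sg-web", "IsEgress": False,
         "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "0.0.0.0/0"},
        {"SecurityGroupRuleId": "sgr-0a4", "GroupId": "sg-web", "IsEgress": False,
         "IpProtocol": "tcp", "FromPort": 20, "ToPort": 22, "CidrIpv4": "203.0.113.5/32"},
        {"SecurityGroupRuleId": "sgr-0a5", "GroupId": "sg-web", "IsEgress": False,
         "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv6": "::/0"},
        {"SecurityGroupRuleId": "sgr-0a6", "GroupId": "sg-web", "IsEgress": True,
         "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
    ]
})


def rule_covers_port(rule, port):
    """True if the rule admits `port`; IpProtocol "-1" means all traffic."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def find_exposed_rules(rules_json, risky_ports=RISKY_PORTS):
    """Return (rule id, service) pairs for ingress rules that open a risky
    port to 0.0.0.0/0 or ::/0. Egress rules and narrow sources are ignored."""
    findings = []
    for rule in json.loads(rules_json)["SecurityGroupRules"]:
        if rule.get("IsEgress"):
            continue
        source = rule.get("CidrIpv4") or rule.get("CidrIpv6")
        if source not in ANYWHERE:
            continue
        for port, service in risky_ports.items():
            if rule_covers_port(rule, port):
                findings.append((rule["SecurityGroupRuleId"], service))
    return findings


if __name__ == "__main__":
    # On a real account, feed in the CLI output instead of the sample:
    #   aws ec2 describe-security-group-rules --output json > rules.json
    for rule_id, service in find_exposed_rules(SAMPLE_RULES_JSON):
        print(f"{rule_id}: {service} reachable from the whole internet")
```

Each finding is a rule to narrow to a trusted source CIDR or delete; the all-traffic rule (`sgr-0a5`) shows why the check has to look at the protocol as well as the port range.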
0

So first up, the lockdown/security check-up stuff.

As mentioned by this comment, checking your Security Group settings is a good start. So if this EC2 instance is running a public webserver, make sure that only the ports required for the application to work are open (commonly 80 + 443, but this could differ based on your needs).

If you manage the instance via traditional SSH over port 22, then yes, make sure that port is locked down to whitelisted IP addresses.
A good article from AWS: https://repost.aws/knowledge-center/ec2-ssh-best-practices

Make sure your web application is up to date and that you follow best practices for securing it.

Now, investigating the who/what.

It really does sound like you have a vulnerability open on the application side. So again, as mentioned in this comment, the shared responsibility model does apply.

But some generic advice:

How to view logs in Ubuntu and the types of logs available: https://ubuntu.com/tutorials/viewing-and-monitoring-log-files#1-overview

Answered 3 months ago
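The answer above points at the Ubuntu log files; for a file-drop on a web server the most informative of those is usually the web server's access log. As an added example (not from this thread or from any AWS or Ubuntu documentation), here is a scanner that pulls every request for the four filenames the question lists out of an Apache/nginx "combined"-format log, groups them by source IP, and picks out the earliest contact and the successful POSTs. The log lines are constructed for the demo; the regex assumes the combined log format, and a request reaching `vendor/phpunit/.../eval-stdin.php` over HTTP at all is itself a finding, since that path should never be web-reachable.

```python
"""Sift a web-server access log for the dropped files named in the question.

Added example for the re:Post thread above. Assumes Apache/nginx "combined"
log format; SAMPLE_LOG is constructed, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime

# Filenames the question says reappeared on 8 August.
SUSPECT_FILES = ("dev.php", "wpx.php", "eval-stdin.php", "XyzMailer.php")

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: ordinary traffic on 5 Aug, then one client on
# 8 Aug posting to the PHPUnit file and to the mailer, plus an unrelated
# probe for wpx.php that got a 404.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Aug/2024:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Aug/2024:03:14:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 23 "-" "python-requests/2.31"
203.0.113.9 - - [08/Aug/2024:03:14:05 +0000] "GET /dev.php HTTP/1.1" 200 118 "-" "python-requests/2.31"
203.0.113.9 - - [08/Aug/2024:03:14:09 +0000] "POST /XyzMailer.php HTTP/1.1" 200 340 "-" "python-requests/2.31"
198.51.100.7 - - [08/Aug/2024:09:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Aug/2024:11:41:27 +0000] "GET /wpx.php HTTP/1.1" 404 196 "-" "curl/8.4.0"
"""


def parse_ts(ts):
    """Combined-format timestamp, e.g. '08/Aug/2024:03:14:02 +0000'."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def scan_access_log(log_text, suspects=SUSPECT_FILES):
    """Return one dict per request whose path ends in a suspect filename.
    Unparseable lines are skipped rather than raising."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # drop any query string
        if path.rsplit("/", 1)[-1] in suspects:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


def sources_by_ip(hits):
    """Map each client IP to the set of suspect files it touched."""
    by_ip = defaultdict(set)
    for h in hits:
        by_ip[h["ip"]].add(h["path"].rsplit("/", 1)[-1])
    return dict(by_ip)


def first_contact(hits):
    """Earliest hit; the write (usually a POST) tends to precede later GETs."""
    return min(hits, key=lambda h: parse_ts(h["ts"]))


def successful_posts(hits):
    """POSTs that the server answered 2xx: the likely upload/execution events."""
    return [h for h in hits if h["method"] == "POST" and 200 <= h["status"] < 300]


if __name__ == "__main__":
    # On the instance: zcat /var/log/apache2/access.log* or nginx access.log*
    hits = scan_access_log(SAMPLE_LOG)
    print("first contact:", first_contact(hits))
    for ip, files in sources_by_ip(hits).items():
        print(ip, "->", sorted(files))
```

Correlate the `first_contact` timestamp with the file's modification time and with `/var/log/auth.log`: if the log shows a successful POST but no SSH login at that time, the upload came through the application, which matches the second answer's suspicion of an application-side vulnerability rather than a stolen key.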
0

Firstly, if you think that an unauthorised user is accessing your EC2, then change the password associated with that username, and rotate any keypairs associated with it.

It would be a fair assumption that whichever user owns the files which have re-appeared will be the user who accessed your host and uploaded them.

Looking at other possibilities - did you restore the EC2 from backup on 8th August, from a backup/snapshot taken on or before 5th August?

Do you have a scheduled job (in e.g. cron) that will run every few days to refresh these files?

Are you running something like Puppet or Ansible that will detect any configuration drift and remediate back to a baseline (so the absence of the files that you deleted will be noticed and "fixed")?

EXPERT
Answered 3 months ago
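The answer above suggests two checks that are easy to do mechanically: which user owns the files that came back, and whether any scheduled job recreates them. As an added example (not from this thread), the script below reports owner, modification time and mode for each suspect file and greps the standard Ubuntu cron locations for any job line that mentions one of the filenames. Puppet/Ansible drift remediation is not covered. `demo()` builds a throwaway directory tree with one constructed cron entry so the code runs without touching a real system; on the instance you would call the two functions with the real paths.

```python
"""Who owns the reappearing files, and does anything scheduled recreate them?

Added example for the re:Post thread above. CRON_LOCATIONS are the standard
Ubuntu cron paths; demo() uses a temporary copy with constructed contents.
"""
import os
import pwd
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SUSPECT_FILES = ("dev.php", "wpx.php", "eval-stdin.php", "XyzMailer.php")
CRON_LOCATIONS = ("/etc/crontab", "/etc/cron.d", "/etc/cron.hourly",
                  "/etc/cron.daily", "/var/spool/cron/crontabs")


def describe_file(path):
    """Owner, last-modified time (UTC) and mode of one file; None if absent.
    A file owned by www-data was written by the web app; one owned by a login
    user points at that account's credentials or keys."""
    p = Path(path)
    if not p.exists():
        return None
    st = p.stat()
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:                    # uid with no passwd entry
        owner = str(st.st_uid)
    return {
        "path": str(p),
        "owner": owner,
        "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        "mode": oct(st.st_mode & 0o777),
    }


def find_scheduled_references(locations, names=SUSPECT_FILES):
    """Return (job file, line) pairs where a cron file mentions a suspect name.
    Locations may be single files (/etc/crontab) or directories (/etc/cron.d)."""
    refs = []
    for loc in locations:
        root = Path(loc)
        if not root.exists():
            continue
        jobs = [root] if root.is_file() else [c for c in root.rglob("*") if c.is_file()]
        for job in jobs:
            try:
                text = job.read_text(errors="replace")
            except OSError:             # unreadable spool entry etc.
                continue
            for line in text.splitlines():
                if any(name in line for name in names):
                    refs.append((str(job), line.strip()))
    return refs


def demo():
    """Constructed fixture: one dropped file plus a cron job that re-fetches it."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp, "var", "www", "new")
        web.mkdir(parents=True)
        (web / "XyzMailer.php").write_text("<?php // placeholder, not a real payload\n")
        cron_d = Path(tmp, "etc", "cron.d")
        cron_d.mkdir(parents=True)
        (cron_d / "refresh").write_text(
            "*/30 * * * * root /usr/local/bin/fetch-assets.sh XyzMailer.php\n")
        (cron_d / "logrotate").write_text(
            "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
        info = describe_file(web / "XyzMailer.php")
        refs = find_scheduled_references([str(cron_d), str(Path(tmp, "etc", "crontab"))])
        return info, refs


if __name__ == "__main__":
    # Real run (as root, so the crontab spool is readable):
    #   for f in ("/var/www/new/XyzMailer.php", ...): print(describe_file(f))
    #   print(find_scheduled_references(CRON_LOCATIONS))
    info, refs = demo()
    print(info)
    for job, line in refs:
        print(f"{job}: {line}")
```

Run it as root so `/var/spool/cron/crontabs` is readable; a hit there for a non-root user is the answer's "scheduled job" hypothesis confirmed, and the owner field tells you which credentials to rotate first. A restore from a snapshot taken before 5 August, the answer's other possibility, would show the files with their original pre-deletion mtime rather than a fresh one.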
