I have taken a tcpdump and can clearly see calls going back and forth between the EC2 instance and some Chinese, German and Russian servers. Those are all JSON-RPC with the Stratum TCP protocol. Seems like they were looking for some computing resource for generating hashes for cryptocurrency.
The person who hacked my account installed some jobs under cron and was executing some programs under the var/tmp folder with tomcat user permission. They were executing some shell script by making HTTP calls. Wow, seems like my server was accessed from every part of the world.
I don’t know if the entry point was tomcat, but I am suspecting it to be the entry point. It was running as the tomcat user. The other entry is the yum packages which I was trying for Let’s Encrypt SSL. Other than these there was nothing on the box.
I have a basic instance for which I pay roughly 25 USD a month. I don’t know how they gained access, but I feel they might have got root access either via some yum packages or via tomcat. I did try the Let’s Encrypt stuff in the last 4 days and that’s the only thing I recollect.
Damn it, I get more bot traffic than user traffic nowadays. I have taken the infrastructure offline. Maybe I will patch up everything correctly and then start fresh. Will raise a ticket with Amazon today evening.
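The Stratum JSON-RPC traffic described in the tcpdump above can be picked out of captured payloads mechanically. The following is an added example, not part of the original post; it assumes the TCP payloads have already been extracted per flow, and all addresses, ports and message contents in the sample are constructed.

```python
import json

# Method names seen in Stratum mining traffic: Bitcoin-style "mining.*"
# calls plus the login/job/submit variant used by Monero-style pools.
# The short names can match other JSON-RPC services, so treat hits as leads.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.notify",
                   "mining.submit", "mining.set_difficulty",
                   "login", "job", "submit", "keepalived"}

def stratum_messages(payload: bytes):
    """Yield Stratum JSON-RPC messages found in one TCP payload.

    Stratum sends one JSON object per line, so split on newlines and
    skip anything that is not valid JSON (HTTP, TLS, truncated segments).
    """
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        method = msg.get("method") if isinstance(msg, dict) else None
        if isinstance(method, str) and method in STRATUM_METHODS:
            yield msg

def flag_flows(flows):
    """Return {(src, dst, dport): [methods]} for flows carrying Stratum."""
    hits = {}
    for src, dst, dport, payload in flows:
        methods = [m["method"] for m in stratum_messages(payload)]
        if methods:
            hits.setdefault((src, dst, dport), []).extend(methods)
    return hits

# Constructed sample flows (documentation-range addresses, made-up values).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 3333,
     b'{"id":1,"method":"mining.subscribe","params":["miner/1.0"]}\n'
     b'{"id":2,"method":"mining.authorize","params":["wallet.worker","x"]}\n'),
    ("203.0.113.10", "10.0.0.5", 3333,
     b'{"id":null,"method":"mining.notify","params":["job1","00"]}\n'),
    ("10.0.0.5", "198.51.100.7", 443, b"\x16\x03\x01\x02\x00\x01"),
    ("10.0.0.5", "198.51.100.8", 80, b"GET /health HTTP/1.1\r\nHost: a\r\n\r\n"),
    ("10.0.0.5", "203.0.113.20", 5555,
     b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"w"}}\n{"trunc'),
]

if __name__ == "__main__":
    for flow, methods in flag_flows(SAMPLE_FLOWS).items():
        print(flow, methods)
```

Destinations flagged this way are candidates for egress blocking and for correlation with the cron entries and files found on the host.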