How do I handle a compromised AWS instance? - amazon-web-services

Amazon Web Services notified me:
We've received a report that your instance(s):
Instance Id: XXXX IP Address: XXXX
has been making illegal intrusion attempts against remote hosts on the Internet; check the information provided below by the abuse reporter.
I am running a Bitnami server on a single EC2 instance, which appears to have been compromised, and I'm trying to figure out the least disruptive way to fix the problem. Is the simplest solution to shut down the server, migrate my scripts and database to a new Bitnami instance, and change the administrator password?
I'm not sure if this is relevant, but Bitnami sent me an email late last year indicating that my server was running an older version of PHP vulnerable to this security problem, and telling me to remove this version by executing this command:
sudo rm -f /opt/bitnami/apache2/cgi-bin/php-cgi /opt/bitnami/apache2/cgi-bin/php-cgi.bin
I did this, but received the AWS notification within a week after I received this notification from Bitnami.

Kill it with fire.
Seriously, if the instance has been compromised in some way, you'll never be sure you haven't inadvertently transferred something with a nasty hidden payload even if you create a new instance and attempt to salvage anything from the old.
So kill it, then create and configure a new server from scratch. Bear in mind that the AWS ToS allows Amazon to kill the instance themselves and/or even terminate your account if they think you're not taking the problem seriously, so better to get it done yourself and tell them what you've done.
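What "kill it" looks like in practice, as an added example that is not part of this thread: isolate the instance first so it stops attacking other hosts, snapshot its volumes so the evidence behind the abuse report survives termination, then terminate it and rebuild from a clean image. It assumes a configured AWS CLI and a pre-created, rule-less security group whose id is passed in QUARANTINE_SG (both assumptions; the sg-PLACEHOLDER value is not real).

```shell
#!/bin/sh
# Added example: contain a compromised EC2 instance, keep evidence, then kill it.
# Assumes the AWS CLI is installed and configured, and that QUARANTINE_SG names
# an existing security group with no inbound and no outbound rules (assumption).
set -eu

QUARANTINE_SG="${QUARANTINE_SG:-sg-PLACEHOLDER-quarantine}"

# volumes_of: print the EBS volume ids attached to the given instance.
volumes_of() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
    --output text
}

# contain_instance: isolate -> snapshot every volume -> terminate.
# set -e aborts before the terminate step if any earlier call fails, so a
# failed snapshot never leads to lost evidence.
contain_instance() {
  inst="$1"
  # 1. Swap in the empty security group so the box stops reaching other hosts
  #    (and the intruder loses interactive access) without powering it off.
  aws ec2 modify-instance-attribute --instance-id "$inst" --groups "$QUARANTINE_SG"

  # 2. Snapshot each attached volume: termination deletes the root volume by
  #    default, and the abuse report may need the disk image later.
  vols=$(volumes_of "$inst")
  [ -n "$vols" ] || { echo "no volumes found for $inst" >&2; return 1; }
  for vol in $vols; do
    aws ec2 create-snapshot --volume-id "$vol" \
      --description "forensic copy of $vol from compromised $inst"
  done

  # 3. Kill it. Rebuild the replacement from a clean image; never restore
  #    these snapshots into the new server.
  aws ec2 terminate-instances --instance-ids "$inst"
}

# Run only when an instance id is passed on the command line.
case "${1:-}" in
  i-*) contain_instance "$1" ;;
esac
```

Once the replacement is up, tell AWS what you did, then use the snapshots only for offline analysis.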

Related

Run EC2 Command from a different website hosting platform

I'm new to EC2 and most website hosting stuff in general. Throwing myself in the deep end, I guess.
I have a free micro instance of EC2 running and I git pulled a little program I have. After some setup stuff that program runs perfectly.
I also have a website hosted by namecheap. It isn't much but whatever, it's there.
I want to have a button on my website that will run the program on my EC2 instance. It looks like I need some kind of AWS Lambda function, or their gateway api, or something, but as I said, new to this stuff. Confused. Where should I start? I saw something about hosting through AWS as well, but it looks like that would mean a lot more management needs to be done by me that namecheap does for me.
Any thoughts are appreciated. Thanks!
As I see it, you have 2 viable options:
First, running a simple server on the instance and making REST calls to it. Second, connecting with SSH or AWS SSM to the instance and running the command directly.
Depending on the situation, you need to decide which option is better for you.
For the first option, I would recommend you try running a simple server (like Flask, or whatever) and send a POST call to it using the button on your site.
When handling the call in the server, run the application locally.
For the second option, it can be trickier, but essentially you would want to SSH to EC2 instances via AWS Lambda.
Nevertheless, you will need to configure the security group for that instance and open some ports to be able to connect remotely:
SSH (22)
HTTP/HTTPS (80/443)
Probably there are more ways to do it, so feel free to investigate more.

Timeout when trying to retrieve EC2 instance-id metadata from within it

I'm launching a Windows 10 EC2 instance and trying to retrieve its instance-id from the CMD with the command:
curl http://169.254.169.254/latest/meta-data/instance-id
This worked until yesterday, but now it fails every time, raising a Timeout error.
curl: (7) Failed to connect to 169.254.169.254 port 80: Timed out
I've looked up AWS's documentation about retrieving EC2 metadata and didn't find anything regarding an expiration time for the retrieval attempt. Also, I've tried to create an AMI from my instance and launch a new instance based on this AMI to try some sort of "refresh" of a possible expiration time, and it didn't work.
I've searched within the IAM Roles for something related to retrieving metadata permission, but nothing seems to fit my issue.
I've also tried the answers from here but nothing was specific enough to my problem.
What could have happened? This worked for about two months straight and suddenly it stopped working.
Workaround for fixing
Another post, regarding a similar problem, got an answer that fixed my problem.
I simply ran C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 and the script applied the default specifications of a newborn EC2 Windows instance. I still don't know why this problem happened, but this solution works for someone who doesn't have anything to lose in configuration specifications.
From the workaround that you shared, it seems the reason you were not able to get the Instance ID is that the routes for your Instance somehow got misconfigured. To retrieve the Instance ID from the metadata, the route for 169.254.169.254 must point to the right gateway of the Instance. This problem generally occurs with Windows Server 2016 or above when you launch an Instance from a custom AMI in a subnet different from that of the parent Instance from which the AMI was created.
When you ran the command, it scheduled the InitializeInstance.ps1 script, and during the next boot it re-configured the routes.
In future, if you see any such issue, make sure the IP 169.254.169.254 is pointing to the correct gateway, which you can check using the ipconfig /all and route print commands. If you find that the routes are misconfigured, you can use the route delete and route add commands with the proper parameters to correct the routes, or simply schedule the InitializeInstance.ps1 script, which will correct the routes when the Instance boots up the next time.
Please refer: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html

AWS/SSM/AWS-RunPatchBaseline

I'm in the process of exploring AWS SSM to apply patches on multiple AWS accounts. I was able to implement this successfully using the respective AWS documents. During my implementation process, I used the AWS-RunPatchBaseline document to update my Linux instances.
This completely works fine. Post patch installation, the instance reboots. The use case which I'm trying to achieve is:
Instance should not reboot after installing patches.
I tried to alter the document to disable the reboot process, which did not help me. Also, I checked with Amazon Support; they are still in the process of getting a fix for my request.
Does anyone have an answer for this, either through using a custom document or by modifying the existing document?
Thanks,
Vick
As per Amazon, we cannot stop or suspend the reboot post-patching, which is not advisable. However, Amazon is working on a feature request to suspend instance reboot. Wish it happens soon.

Unable to SSH into my EC2 instance from a different computer

A little backstory: I have an AWS instance made with Bitnami that I set up on my Windows machine back home. I am currently out of the country and have no way to access that machine at the moment. One month later, I visit the website and get a 500 error (with only my MacBook on me). I've tried to SSH into it from my MacBook with no luck. I get the error:
Username is not in the sudoers file. This incident will be reported.
I've also tried another way to SSH into my AWS instance, but then I just get:
Permission denied (publickey).
I do have the public/private keys I made with me, so I am not sure if I had to set up some additional permissions to SSH from a different computer. On top of that, I got an email stating that someone attempted to access remote hosts on the internet without authorization. If I visit the public IP address of my instance, it goes straight to a spam page.
At this point, I am not sure if I am just missing something in my steps or have missed a step. If someone can help me, I would really appreciate it.
Is there some way to get my instance back up and running? If not, is there some way I can back up the WordPress files on that instance that's down and use them to create another one from my MacBook? Please let me know.
If you have the private key that your AWS instance has been installed with, place the key in ~/.ssh.
Then, run the following command to set the permissions of the key to read and write only for your user (it's a mandatory step):
chmod 600 ~/.ssh/keyname
Then, run the following command to connect to your instance:
ssh -i ~/.ssh/keyname user@instance_ip
And it should connect successfully.
If you're not sure which user to connect as and you have access to the AWS EC2 Console, then look for that server, right-click it and choose "Connect"; it will usually show the correct user to use when connecting to it by SSH.

Maintaining EC2 Servers with Chef Server

I have a hosted Chef account working with AWS EC2 instances.
The instances can connect to hosted Chef by way of chef-client and run the initial run_list, which is presently a role called servers. Everything runs and installs correctly on initial provision.
I should also mention I have autoscaling on EC2 instances that increases the number of instances provisioned on an 'as needed' basis, and this works fine.
I found one talk that sort of makes sense but seems a bit more involved.
https://www.youtube.com/watch?v=yHub6E4DNvg
My questions are around how to maintain the servers after initial provisioning. First, if I have an update to my role to include more cookbooks or configuration, how would I push this out to, say, X servers in a simple way?
Second, how would Chef server know if a node has failed and notify the admin?
Any guidance?
That's quite a vast question ...
For the easy one: failing node => the solution is to use report handlers; see the doc here.
For keeping in the desired state, the idea is to have Chef run periodically on the nodes, so it keeps enforcing the configuration defined in the cookbooks; any change will be applied accordingly (that's the way Chef has been conceived).
If you want more control on which server runs when, you can:
use the push-jobs addon (commercial addon, not free)
use some orchestration tool (I personally use Rundeck for ad hoc runs in addition to periodic runs).
There are a lot of ways to do this, and which one to use is a question of preference and environment.
I think you could also use knife to run a chef-client based on a certain criteria:
knife ssh 'role:somerole' 'chef-client' -x username -P password
Here is Chef's documentation: https://docs.chef.io/knife_ssh.html