Tuesday, June 18, 2013

Interesting EC2 AWS security incident

Today I got a forwarded message from the EC2 Abuse Dept:

"Dear Amazon EC2 Customer,

We've received a report that your instance(s):

Instance Id: i-exxxxx
IP Address: 174.xxxxxx

has been port scanning remote hosts on the Internet; check the information provided below by the abuse reporter.

This is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/

Please immediately restrict the flow of traffic from your instance(s) to cease disruption to other networks and reply to this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email."... etc etc

I have to admit that for a second it did feel like some sort of an "oops" moment. However, thinking a bit more about it I said "Naaaah" but went on to check what is going on with that VM.

Logged in as root, quickly checked history, nothing. lsof -i... oh I see it:

xmit64 3276 root 1407u IPv4 10785708 0t0 UDP ip-10-xx-xx-xx.ec2.internal:60980 210.72.145.44:ntp
xmit64 3276 root 1408u IPv4 10785709 0t0 UDP ip-10-xx-xx-xx.ec2.internal:42197->210.72.145.44:ntp
xmit64 3276 root 1409u IPv4 10785766 0t0 UDP ip-10-xx-xx-xx.ec2.internal:55691->210.72.145.44:ntp
xmit64 3276 root 1410u IPv4 10785767 0t0 UDP ip-10-xx-xx-xx.ec2.internal:44663->210.72.145.44:ntp
xmit64 3276 root 1411u IPv4 10785776 0t0 UDP ip-10-xx-xx-xx.ec2.internal:36846->210.72.145.44:ntp

and many many many more of these.

Happy lucky xmit64 is sitting in /bin and streaming away to an IP in China
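The tell in the lsof output above is one process holding many UDP sockets to a single remote host:port. Below is an added example (not from the original post) that parses `lsof -i` lines and flags that fan-out pattern; the sample lines are constructed to mirror the post, with made-up PIDs and addresses for the benign processes.

```python
import re
from collections import defaultdict

# Constructed sample of `lsof -i` output, modelled on the post (not the author's capture).
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF = """\
sshd     901 root    3u IPv4   12345 0t0 TCP ip-10-0-0-5.ec2.internal:ssh->203.0.113.7:51022 (ESTABLISHED)
java    2210 tomcat 45u IPv4   22222 0t0 TCP *:http-alt (LISTEN)
xmit64  3276 root 1407u IPv4 10785708 0t0 UDP ip-10-0-0-5.ec2.internal:60980->210.72.145.44:ntp
xmit64  3276 root 1408u IPv4 10785709 0t0 UDP ip-10-0-0-5.ec2.internal:42197->210.72.145.44:ntp
xmit64  3276 root 1409u IPv4 10785766 0t0 UDP ip-10-0-0-5.ec2.internal:55691->210.72.145.44:ntp
xmit64  3276 root 1410u IPv4 10785767 0t0 UDP ip-10-0-0-5.ec2.internal:44663->210.72.145.44:ntp
xmit64  3276 root 1411u IPv4 10785776 0t0 UDP ip-10-0-0-5.ec2.internal:36846->210.72.145.44:ntp
ntpd    1102 ntp    16u IPv4    3456 0t0 UDP ip-10-0-0-5.ec2.internal:ntp->198.51.100.2:ntp
"""

# Only lines with a remote peer ("local->remote:port") are of interest; listeners are skipped.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<local>\S+)->(?P<remote>[^\s:]+):(?P<rport>\S+)"
)

def parse_lsof(text):
    """Yield (cmd, pid, user, proto, remote_host, remote_port) for each connected socket."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["cmd"], int(m["pid"]), m["user"], m["proto"], m["remote"], m["rport"])

def find_socket_fanout(text, min_sockets=4):
    """Return {(cmd, pid, user, proto, remote_host, remote_port): socket_count} for
    processes holding at least min_sockets distinct sockets to one remote host:port.
    A legitimate NTP client keeps one socket; the post's xmit64 held hundreds."""
    counts = defaultdict(int)
    for cmd, pid, user, proto, host, port in parse_lsof(text):
        counts[(cmd, pid, user, proto, host, port)] += 1
    return {key: n for key, n in counts.items() if n >= min_sockets}

if __name__ == "__main__":
    for (cmd, pid, user, proto, host, port), n in find_socket_fanout(SAMPLE_LSOF).items():
        print(f"{cmd}[{pid}] as {user}: {n} {proto} sockets -> {host}:{port}")
```

Run it against `lsof -i -n -P` output from a live host to get numeric ports instead of service names; the regex handles both forms.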

kill -9. I am tempted to disassemble this little binary friend but what is the point really? What is kind of upsetting is that it is eerily quiet in the logs. Not that it is difficult to clean up after getting to the machine and doing something, but it just doesn't look like it, too clean and too quiet. It is all crickets and spider web. Only two people used that machine rarely, so there is not much to look through.

So how did xmit64 get to /bin? If the file wasn't (s)FTP-ed there, what is an alternative way for it to get into the file system, hmmm makes you think really.
Not to mention that the only thing running on that instance was Tomcat, no php, not much shaky stuff.

I emailed the EC2 Dept all I could dig out. I am kind of curious to hear what they say. I do hope they follow up at some point.

06/24/2013 Update: No response from Amazon. Killed the instance with a :sigh:
