AWS Abuse Report - Never got one of these before
We have been using an LS instance (preconfigured Ubuntu 20.04lts VM) running PLESK and a wordpress site for our church. Has been up for about a month. Today, I got an email from AWS about an abuse. The report shows that the IP6 was doing automated crawling:
******* * Log Extract: <<< ****We are seeing automated scraping of Google Web Search from a large number of your IPs/VMs. **********
There's nothing in the data of the report except this: +----------------------------------------+--------------------------+----------+---------------------+ | Source | Time_UTC | Destination | DestPort | +----------------------------------------+--------------------------+----------+---------------------+ 2600:1f18:6502:5000:a087:4d0e:325:9709 2021-12-13 22:17:01 2607:f8b0:4004:808::2004 443
The prebuilt VM (an ubuntu 20.04 LTS preconfigured with Wordpress/plesk) had IP6 enabled by default.
So I need some help as this is not my area of expertise.
When I run NETSTAT -AN, I see no established connections over that IP6 address. Since we don't use IP6, I have disabled it. But there was no established IP6 connections to any endpoint, let alone the one noted specifically above).
Still, I'm concerned my system is compromised. I don't really know what to do. I had the Network config and the WAF limiting access, bu somehow the system looks to have been compromised.
How do I root out whether there's a breach, an already in place virus or malware or rootkit? How do I scan my system for threats?
Some additional guidance if you need it:
- You don't mention if you replied back to the Abuse report email. If not, do make sure to reply and let them know the actions you have taken so far and any additional actions you plan to take. This is to ensure the Abuse team do not take further action against your account because they had not heard back from you.
- Some websites with forum/social features will do automatic link expansion when someone posts a URL in a chat. This requires the server to make outbound connections to download a preview of the page. This can cause unexpected patterns of outbound web traffic from your server. If you have such features on your site consider disabling them.
- You do not mention how you keep your WordPress application up to date or what plugins it has. In my experience the most critical part of keeping this application secure is rigorously keeping it updated and being very careful which plugins you install. You can get guidance on this from https://wordpress.com/support/security/ as well as many other third-party guides for running WordPress.
- To eliminate any malicious changes to the underlying host you can to backup the WordPress data, redeploy a new LS instance, disable IPv6 from the beginning, ensure all components are fully patched, apply the appropriate network security layers, then restore your backup, update DNS to point to the new server and see if the problem recurs. You can delete the original instance, although you can keep it offline and investigate further but this will add to your costs.
- If this still does not resolve the issue the next steps I'd recommend would be deploying additional tools to get low-level visibility into your network traffic, such as VPC FlowLogs, AWS Network Firewall and enabling both the Amazon GuardDuty service and the Amazon Detective service the enables you to see complex network flows from your instances. However these all have service charges so if your application is very cost sensitive you may want to use them only for a short period until the problem is resolved. (Several of these services do have free trials for a limited period of time) If it fits into your budget it is highly recommended to keep Amazon GuardDuty running all the time to monitor for network and AWS account level security issues.
I have been out with an infected molar removal. Not fun. Just getting back into the swing here.
Yes, I reported back to Abuse, looking for their guidance and help (and patience) as I root cause this and remediate.
We have all social media features of WP disabled. No public ccommenting/posting, no plugins for this. It's all just basic pages really.
I use PLESK Obsidian with Wordpress Tool kit to keep the site up to date. I typically do updates daily (not automatic b/c I need to test). I have the AWS network configuration locked down to IP4 now. (IP6 has since been disabled.) Have a new Network Rule in AWS's network config to only allow SSH access fromy my corporate IP. I am running Immunity 360 to help look for threat via plesk on my single WP instance. (we only have the one).
I just installed CLAMAV and it's not finding anything.
I run Wordfence with 2FA on our admin accounts.
At this point, I have no idea what the process source is. But obviously, there is some process running that is making the connections. NETSTAT-AN doesnt' show anyhing active outbound to 443. I may have to install wireshark and try to figure out how to do some outbound capture on 443 for next steps. But really, I need to find the process that is making the connections and root it out.
I may end up taking the approach to build a new instance. But TBH, that is only going to leave me unknowing of how this system got compromised so that I can harden it even further. I need to do that.
there are few potential things to do:
- Scan instance with Amazon Inspector, though it might be not free
- Scan instance with some antivirus software (like ClamAV). Here is example (refer to the first part only, I believe you don't need to automate it for regular actions)
- If your instance doesn't need to make outgoing connections to internet (like your app doesn't need to load anything from internet) - you can configure outbound rules in security group to prevent such connections
Regarding the WAF - note, that it protects the app itself from incoming threats, but it doesn't help if app is compromised and does some bad things by itself.
My Lightsail Wordpress site is running extremely slow for no apparent reasonasked 4 months ago
High-Traffic, Load-Balanced Wordpress Site - Optimal DevOps setup for deployment?asked 3 months ago
Daily Unresponsive Server $5 Ubuntu, 1GB Ram, 1vCPU, 40GB SSDasked 9 months ago
Lightsail Load Balancer with Plesk Ubuntu Wordpress Instancesasked a month ago
AWS Abuse Report - Never got one of these beforeasked 7 months ago
Using Lightsail with Cloudfrontasked 2 years ago
AWS Site-to-Site VPN ping working, TCP notasked 17 days ago
Instance says running but site not upAccepted Answerasked 3 years ago
Public IP been changed after I reboot my EC2asked 5 years ago
Accessing Lightsail instance running plesk web server VIA a custom domainasked 2 years ago