The first thing to look at is whether the instance is actually the long-standing instance that you think it is, and that an instance didn't somehow get terminated and a new one provisioned from scratch. What is the launch date & time of the instance?
Also check that all the attached EBS volumes that you expect to be attached are actually still attached. If your website code was on an external volume that has become detached then the symptoms would be similar to what you describe.
You can use CloudTrail to see which users have logged in to AWS Console recently, as well as what actions they did in the Console while they were logged in: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html
Are there any logins that look suspicious? If the account root login is not protected by MFA then definitely add this: https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-mfa-for-root.html
On the instance itself, look through the access logs (what these are depends on the OS). Consider changing any passwords that may be shared, and rotating any keypairs that may be used to gain access. If the server is accessible over the internet then especially consider any accounts that are vulnerable to brute-force attacks. And again, if accessible from the internet then tighten up the IP address range that key administration ports (e.g. 22 for SSH, 3389 for RDP) are accessible from. Or consider using Systems Manager.
Hi,
The best way to start investigating is to use CloudTrail. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitor-with-cloudtrail.html
CloudTrail will record who does what and when through the EC2 API, so that you can detect the EC2 / EBS API calls and their authors.
Best,
Didier
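
The CloudTrail review that both answers above recommend, as an added example that is not part of the original posts: it scans exported CloudTrail records for EC2/EBS calls that change an instance or its volumes, and for successful console logins made without MFA. It assumes records in the shape of the `Records` array of a CloudTrail log file; the function names and all sample values are constructed for illustration.

```python
# EC2 API calls that can make a long-running instance look "reset".
LIFECYCLE = {"RunInstances", "TerminateInstances", "StopInstances", "StartInstances",
             "AttachVolume", "DetachVolume", "DeleteVolume", "CreateReplaceRootVolumeTask"}

def resources(rec):
    """Collect instance and volume IDs from request and response parameters."""
    ids = set()
    for part in (rec.get("requestParameters") or {}, rec.get("responseElements") or {}):
        ids.update(i.get("instanceId") for i in part.get("instancesSet", {}).get("items", []))
        ids.update(part.get(k) for k in ("instanceId", "volumeId"))
    return sorted(i for i in ids if i)

def triage(records):
    """Return (time, event, actor ARN, source IP, detail) rows worth a closer look."""
    rows = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        row = (rec["eventTime"], rec["eventName"], actor, rec.get("sourceIPAddress"))
        if rec.get("eventSource") == "ec2.amazonaws.com" and rec["eventName"] in LIFECYCLE:
            rows.append(row + (", ".join(resources(rec)),))
        elif rec["eventName"] == "ConsoleLogin":
            success = (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa = (rec.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
            if success and not mfa:
                rows.append(row + ("console login without MFA",))
    return rows

# Constructed sample records: account ID, ARNs, IPs and resource IDs are made up.
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
SAMPLE = [
    {"eventTime": "2024-01-10T09:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": ALICE,
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-10T02:11:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.50", "userIdentity": ROOT,
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-10T02:12:30Z", "eventSource": "ec2.amazonaws.com", "userIdentity": ROOT,
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.50", "requestParameters": None},
    {"eventTime": "2024-01-10T02:14:10Z", "eventSource": "ec2.amazonaws.com", "userIdentity": ROOT,
     "eventName": "StopInstances", "sourceIPAddress": "203.0.113.50",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0bbb2222"}]}}},
    {"eventTime": "2024-01-10T02:15:40Z", "eventSource": "ec2.amazonaws.com", "userIdentity": ROOT,
     "eventName": "DetachVolume", "sourceIPAddress": "203.0.113.50",
     "requestParameters": {"volumeId": "vol-0aaa1111", "instanceId": "i-0bbb2222"}},
]

if __name__ == "__main__":
    print("\n".join(" | ".join(map(str, row)) for row in triage(SAMPLE)))
```

Read-only calls such as `DescribeInstances` and MFA-protected logins are skipped, so what remains is a short timeline of who changed the instance or its volumes and from which address.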

Note that the launch time shown in the console is the time when the server was last powered on, which may or may not match the time it was created. You can see the effective time when the server was created by opening the "Storage" tab of the instance in the console and clicking the EBS volume ID that is the root (operating system) volume. The creation time of the volume is when the operating system disk was created. This also reveals if someone else has rolled it back to an earlier backup, as an example.